As an IT administrator, have you ever thought about Outlook security vulnerabilities?

Did you know that 1 million companies across the world use Office 365? Of these organizations, the US alone accounts for 600,000. As businesses and institutions are adapting to the new normal of working remotely due to the recent pandemic, Outlook email security vulnerabilities can pose a major challenge for IT administrators.

In fact, the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to deal with COVID-19 cyber security challenges.

Data from AI endpoint security provider SentinelOne revealed a spike of over 300% in attempted attacks on user accounts between February 23 and March 16.

Microsoft 365 Admin Center Outlook Security Settings to Prevent Phishing Attacks

Here are some common phishing attacks, explained in detail along with Outlook security configurations and best practices to help you shield against such attacks.

Exchange Admin Center Settings

Stop Voicemail Phishing Attacks Using Mail Flow Rule Setting

In October 2019, security firm McAfee observed a new phishing trend in which hackers used fake voicemail messages to trick users into giving out their Office 365 account credentials. The attack targeted users ranging from middle management to executive level across industries such as finance, IT, retail, insurance, manufacturing, infrastructure, energy, government, legal, education, healthcare, and transportation.

How does it work?

Hackers send out malicious emails bearing Microsoft’s logo, informing users that they have a missed call from a particular phone number.

Here is an example of one such email:

These emails contain HTML attachments which, when opened, redirect users to a phishing page. The page plays a short audio recording of someone talking, which increases its apparent legitimacy. According to a McAfee researcher, “What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link.”

Once the recording has played, users are redirected to a fake Office 365 login page that prompts them to log in to hear the full recording. The email address is pre-populated on this fake login page to increase the credibility of the website. Upon entering the password, users receive a successful login message and are redirected to the genuine Office 365 login page.

The main objective of this attack is to trick as many users as possible into giving out their account credentials. This eventually helps the cybercriminals access sensitive organizational information and increases the likelihood of name impersonation attacks, damaging the company’s reputation.



Microsoft 365 has a built-in Outlook security option to inspect email attachments through mail flow rules (also known as transport rules). Mail flow rules examine email attachments to meet security and compliance needs.

If an email attachment is found to be suspicious, the admin can add a disclaimer to the message, block the message from being delivered, or, when blocking it, notify the sender of the issue.




How to Set up Mail Flow Rule to Stop Attacks?

To filter emails with .html attachments and apply an action to such emails, follow these steps to create a rule:

Step 1: Under the “Apps” section, select “Admin.”


Step 2: Click “show all” to view the hidden options.


Step 3: Under the “Admin centers” section, select “Exchange.”


Step 4: Click “mail flow.”


Step 5: Create a new rule by clicking the “+” icon and selecting “Create new rule…”


Step 6: Enter a name for the rule and click “More options…”


Step 7: Under the “Apply this rule if…” section, choose “Any attachment…” and select “file extension includes these words.”


Step 8: Enter the file extension (i.e., html) that you want to track/filter by selecting the “+” icon, then click “OK.”


Note: You can include many other harmful file types, depending on your requirements:


Recommended harmful extensions to include in the mail flow rule trigger:

1. Executables: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif

2. Office files that support macros: doc, xls, docm, xlsm, pptm

Step 9: Click “Add condition.” Under the “Do the following…” section, choose “Notify the recipient with a message…”


Step 10: Add a message (for reference) and click “OK.”


Step 11: If you want to add any exception for the above defined rule, select the “Except if…” section and click on “add exception.” Skip steps 12–14 if exceptions are not required.


Step 12: Select “The sender…” and click “is this person.”


Step 13: Choose the “sender” (whom you want to exempt from the rule) and click “add->.”


Step 14: Click on “OK.”


Step 15: Click “Save.”


Step 16: The “Rule” has been successfully created. You can verify this in the “Create rule” section under “Rules.”

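The same rule can be created from Exchange Online PowerShell, which is handy when you manage several tenants or want the configuration in version control. The script below is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that your account holds an Exchange admin role. The rule name, the notification text and the exempted sender address are constructed placeholders; the extension list is the one recommended above.

```powershell
# Added example (not from the original article): builds the mail flow rule
# from steps 1-16 with Exchange Online PowerShell instead of the admin center.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Step 8 trigger (html) plus the article's recommended extension lists.
$executableExtensions = @(
    'html', 'htm',
    'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht','hta',
    'inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi',
    'msp','mst','pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf',
    'wsh','exe','pif'
)
$macroExtensions = @('doc','xls','docm','xlsm','pptm')

$ruleName = 'Warn on risky attachment extensions'   # placeholder name
$notice   = 'This message carried an attachment type that is often used in phishing. ' +
            'Do not open it unless you were expecting it; contact IT if in doubt.'

# Steps 7-8:  "Any attachment ... file extension includes these words"
# Steps 9-10: "Notify the recipient with a message"
# Steps 12-13: "Except if the sender is this person" (placeholder address)
New-TransportRule -Name $ruleName `
    -AttachmentExtensionMatchesWords ($executableExtensions + $macroExtensions) `
    -GenerateNotification $notice `
    -ExceptIfFrom 'trusted.sender@example.com' `
    -Mode Enforce `
    -Enabled $true

# Step 16: confirm the rule exists and review exactly what it matches on.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, ExceptIfFrom

Disconnect-ExchangeOnline -Confirm:$false
```

The rule only warns the recipient, as in the steps above. To block instead, replace `-GenerateNotification $notice` with `-DeleteMessage $true` (silent drop) or `-RejectMessageReasonText '...'` (bounce with a reason). Running the rule first with `-Mode Audit` lets you check the message trace for a few days before enforcing it.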


Stop Pay Raise Phishing Scams Using DKIM Setting

The Cofense Phishing Defense Center recently discovered a new phishing scam targeting Office 365 users. The objective of this scam was to collect the Office 365 account credentials of employees who were expecting a salary raise.

How does it work?

Cybercriminals send out malicious emails with a manipulated “from address” to trick recipients into believing that the email came from their HR department. The email carried an embedded link to what it claimed was a spreadsheet detailing employees’ salary raises, named “salary-increase-sheet-November2019.xls.” This link redirects users to a fake Microsoft 365 login page. In order to view the spreadsheet, users are forced to log in to their Office 365 account. The email address is pre-populated on this fake login page to increase the legitimacy of the website.

Here is how the email looks:

[Screenshot: the pay raise phishing email]

According to the Cofense Phishing Defense Center, “The idea is to make recipients believe they are being linked to a document hosted on SharePoint. However, they are being linked to an external website hosted on hxxps://salary365[.]web[.]app/#/auth-pass-form/. One can assume from the context of this malicious URL that it was specifically chosen and hosted for this phishing attempt.”



To prevent such spoofing attacks, admins should configure DKIM (DomainKeys Identified Mail) for their hosted domains. DKIM is a form of email authentication that allows an organization to claim responsibility for a message. DKIM is an Outlook security feature that works by adding a digital signature, generated with the organization’s private key, to the header of an email message. The matching public key is published in the organization’s Domain Name System (DNS) records. Email servers that receive messages from your domain retrieve that public key to verify the signature on the message header and thereby the message source.


How to Set up DKIM for Your Domain?

Step 1: Under the “Apps” section, click “Admin.”


Step 2: Click “show all.”

Step 3: Under the “Admin centers” section, click “Exchange.”


Step 4: Click “protection.”

Step 5: Select “DKIM” and choose the domain for which to enable DKIM.

Step 6: Click “Enable.”

Step 7: Add the displayed “CNAME” records to the domain at your registrar’s site to protect the domain against spoofing.




Stop Microsoft Azure Custom Domain Attacks Using DKIM Setting

Zscaler ThreatLabZ detected a phishing attack that used Microsoft Azure custom domains. Cybercriminals hosted their phishing sites with Microsoft SSL certificates in order to make the website appear legitimate.

[Screenshot: phishing attack via Microsoft Azure custom domains]

How does it work?

The attackers sent out spam emails, informing users that some of their emails have been quarantined. In order to view the email, users are prompted to click on the “View Emails” button, which redirects them to a fake Outlook login page that attackers had created using Microsoft SSL certificates.





Configuring DKIM can prevent such attacks.






How to Set up DKIM to Stop Azure Custom Domain Attacks
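The DKIM steps are identical for the pay raise scam above and for the Azure custom domain attack here, so one script serves both sections. It is an added example, not code from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module, an Exchange admin role, and (for the DNS check) Windows PowerShell or PowerShell 7 on Windows, where Resolve-DnsName is available; contoso.example is a placeholder for your accepted domain. Unlike the click-through order above, the script reads the CNAME values before enabling, because Exchange Online refuses to enable signing until both selector records resolve in public DNS.

```powershell
# Added example (not the article's own steps): enable DKIM signing for a domain
# with Exchange Online PowerShell. Serves both "Stop Pay Raise Phishing Scams"
# and "Stop Azure Custom Domain Attacks", which rely on the same setting.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder: replace with your own accepted domain

# 1. Create the signing configuration (still disabled) if it does not exist yet.
$config = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $config) {
    $config = New-DkimSigningConfig -DomainName $domain -Enabled $false
}

# 2. These are the two CNAME records Microsoft expects in your public DNS
#    (step 7 above). Publish both at your registrar before enabling.
$config | Format-List Identity, Selector1CNAME, Selector2CNAME

# 3. Check from the outside whether the selectors already resolve correctly.
#    Resolve-DnsName comes from the Windows DnsClient module (assumption).
$expected = @{
    "selector1._domainkey.$domain" = $config.Selector1CNAME
    "selector2._domainkey.$domain" = $config.Selector2CNAME
}
$allPublished = $true
foreach ($name in $expected.Keys) {
    $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    if ($answer -and $answer.NameHost -eq $expected[$name]) {
        Write-Host "OK   $name -> $($answer.NameHost)"
    } else {
        Write-Warning "Missing or wrong CNAME for $name (expected $($expected[$name]))"
        $allPublished = $false
    }
}

# 4. Enable signing only once DNS is in place (steps 5-6 above).
if ($allPublished) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain | Format-List Identity, Enabled
} else {
    Write-Warning 'Publish the CNAME records first, then rerun this script.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

DKIM only proves that a message carrying your domain's signature was sent through your tenant; it does not by itself tell receivers what to do with unsigned mail that claims to be from you. Pair it with an SPF record and a DMARC policy so that receiving servers reject or quarantine spoofed messages such as the fake HR email described above.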

Services & Add-ins Settings

Stop Google Redirect Phishing Attacks Using MFA Setting

Bleeping Computer reported a phishing campaign in which a Google search query redirected users to a fake Microsoft Office login page via encoded URLs. URL encoding – also known as percent encoding – is a mechanism by which unprintable or special characters are translated into a universally accepted format by web servers or browsers. This allows cybercriminals to hide the URL of their phishing page from secure email gateways (SEGs) that block malicious emails.

How does it work?

Researchers at the Cofense Phishing Defense Center found out that the phishing emails came from a compromised email account of a well-known American brand, informing the users about a new invoice awaiting payment.

[Screenshot: Microsoft phishing attack using Google redirects]

The “View Invoice” button was embedded with a URL built from two parts. The first part of the URL began with “”, directing the browser to use Google to query a specific URL. The second part of the URL was encoded with basic URL encoding, which replaces ASCII characters with a “%” followed by two hexadecimal digits.

On clicking the button, users were shown a Google redirect notice informing them that they were being sent to the decoded phishing domain and that they could return to the previous page if they did not want to proceed. “This is enough to fool basic URL and domain checks by perimeter devices, a simple yet effective way for threat actors to ensure delivery of malicious payloads,” adds Cofense. The malicious URL takes the user to a fake Microsoft login page designed to collect Office 365 credentials.
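A perimeter check that only looks at the visible host of a link misses this trick, because the real destination sits percent-encoded inside the query string. The function below is an added example (not from the original article or from Cofense) that decodes each query parameter and flags any that turns into an absolute http(s) URL on a different host than the link itself. It generalizes beyond the Google case: any redirector host is caught. The sample links are constructed; redirector.example and phish.example are placeholders, not real indicators.

```powershell
# Added example (not from the original article): detect links whose query
# string carries a percent-encoded destination URL on another host.
function Get-EncodedRedirectTargets {
    param([Parameter(Mandatory)][string[]]$Links)

    foreach ($link in $Links) {
        $uri = $null
        if (-not [System.Uri]::TryCreate($link, [System.UriKind]::Absolute, [ref]$uri)) {
            continue   # not a parseable absolute URL, skip it
        }
        # Split the query string by hand so this runs on Windows PowerShell
        # and PowerShell 7 alike without loading System.Web.
        $pairs = $uri.Query.TrimStart('?') -split '&' | Where-Object { $_ }
        foreach ($pair in $pairs) {
            $name, $value = $pair -split '=', 2
            if (-not $value) { continue }

            # Decode %XX sequences repeatedly in case the value was encoded twice.
            $decoded = $value
            for ($i = 0; $i -lt 3; $i++) {
                $next = [System.Uri]::UnescapeDataString($decoded)
                if ($next -eq $decoded) { break }
                $decoded = $next
            }

            $target = $null
            if ([System.Uri]::TryCreate($decoded, [System.UriKind]::Absolute, [ref]$target) -and
                $target.Scheme -in 'http', 'https' -and
                $target.Host -ne $uri.Host) {
                [pscustomobject]@{
                    Link           = $link
                    Parameter      = $name
                    RedirectorHost = $uri.Host
                    TargetHost     = $target.Host
                    Target         = $target.AbsoluteUri
                }
            }
        }
    }
}

# Constructed sample links: one plain document link, one encoded off-site redirect.
$samples = @(
    'https://docs.example/invoice/12345',
    'https://redirector.example/url?q=https%3A%2F%2Fphish.example%2Flogin%3Fuser%3Dalice%40contoso.example'
)
Get-EncodedRedirectTargets -Links $samples | Format-Table -AutoSize
```

Run it over the links extracted from a suspicious message (or from a message trace export) and review the TargetHost column; a redirect from a well-known service to an unfamiliar domain that serves a login page is the pattern described above. Legitimate redirectors also appear in this output, so treat it as triage input rather than an automatic block.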

Why Is It Important to Set up MFA for Your Domain?

To prevent such attacks, it is recommended to enable Multi-Factor Authentication (MFA) in the Outlook security settings for all users in your domain. Enabling MFA provides an extra layer of security for user accounts even if their credentials are compromised.




How Can You Set up MFA for Your Domain?

Step 1: Under the “Apps” section, select “Admin.”


Step 2: Click “Show all.” 


Step 3: Under the “Settings” section, select “Add-ins.”


Step 4: Click “Azure multi-factor authentication.” 

Step 5: Click “Manage Multi-factor Authentication.”

Step 6: Click the drop-down menu next to the “View” option.


Step 7: Select the required group or individual users for enabling the MFA.


Step 8: Click “Enable.”

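The per-user MFA page reached in steps 5-8 is also scriptable, which matters when you need to enable MFA for a whole group at once and then audit who is still without it. The script below is an added example, not code from the original article or from Microsoft. It uses the MSOnline module (Set-MsolUser), which is the PowerShell surface for that legacy per-user MFA page; Microsoft has since deprecated MSOnline in favour of Microsoft Graph PowerShell and recommends Conditional Access policies for new deployments, so treat this as matching the page's procedure rather than as current best practice. The group name is a placeholder.

```powershell
# Added example (not from the original article): enable per-user MFA for the
# members of one group (steps 7-8) and report licensed users still without it.
# Assumes the MSOnline module and a Global or Authentication admin role.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

$groupName = 'Remote Workers'   # placeholder: replace with your group

# Per-user MFA stores its state as a StrongAuthenticationRequirement object.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'   # 'Enforced' once the user has registered a method

$group = Get-MsolGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# Steps 7-8: turn MFA on for every user member of the group.
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object {
        Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
        Write-Host "MFA enabled for $($_.EmailAddress)"
    }

# Audit: licensed users whose MFA requirement list is still empty.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName |
    Sort-Object UserPrincipalName
```

Rerun the audit query after a rollout; any admin account that still appears in it is the most urgent fix, since the fake admin alert scam described in the next section depends on exactly that gap.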

Admin Center – Security & Compliance Settings

Stop Fake Admin Alerts Using Enhanced Filtering Setting

Cybercriminals use every possible method to trick users into giving out their account credentials, which allows the attacker to access the victim’s sensitive data. In this type of phishing attack, however, cybercriminals were found to be targeting Microsoft 365 administrators rather than employees. Gaining access to an admin account allows attackers to take control of the organization’s domain and all other user accounts.


How does it work?

The attack begins by sending out fake Office 365 alerts to domain administrators, addressing time-sensitive issues like expired licenses or Outlook security issues like unauthorized access alerts.

[Screenshot: example of a fake Office 365 admin alert]

Clicking on these links redirects the user to a fake Microsoft 365 login page. This page is hosted on an Azure domain and is secured using a certificate from Microsoft. These factors add to the credibility of the alerts received and prompt users to enter their account credentials.

“As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal.” – Bleeping Computer.

What Is the Enhanced Filtering Setting?

Other than enabling MFA, Microsoft also recommends that admins configure the “Enhanced Filtering” option in the Outlook security settings. Enhanced Filtering allows you to filter emails based on their actual source, that is, the original sending IP address rather than the address of an intermediate mail gateway.
For advanced protection, businesses using Business Premium, E1, and E3 subscriptions can also choose the ATP (Advanced Threat Protection) Safe Links add-on. This Outlook security add-on scans links and automatically blocks users from accessing malicious ones.


How to set up enhanced filtering setting for your domain?

Step 1: Under the “Apps” section, select “Admin.”





Step 2: Click “show all” to view the hidden options.
Step 3: Under the “Admin centers” section, select “Security.”


Step 4: Click “Threat Management” and select “Policy.”


Step 5: Click “Enhanced Filtering.”


Step 6: Choose the Connector for configuration.


Step 7: Select “Automatically detect and skip the last IP address.”


Step 8: Choose “Apply to entire organization” and click “Save.”


Step 9: “Enhanced Filtering” will be enabled.

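Enhanced Filtering for Connectors is a property of the inbound connector, so steps 6-9 map directly onto Set-InboundConnector. The script below is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module and an Exchange admin role, and the connector name and the gateway IP addresses are placeholders (the IPs are from the 203.0.113.0/24 documentation range).

```powershell
# Added example (not from the original article): enable Enhanced Filtering for
# Connectors from PowerShell, matching steps 6-9 above.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 6: list inbound connectors with their current Enhanced Filtering state.
Get-InboundConnector | Format-Table Name, ConnectorType, Enabled, EFSkipLastIP, EFUsers

$connectorName = 'Inbound from third-party gateway'   # placeholder

# Steps 7-8: auto-detect the last hop (your gateway) and skip it so that EOP
# evaluates the original sender's IP. An empty EFUsers list ($null) means the
# setting applies to the entire organization.
Set-InboundConnector -Identity $connectorName -EFSkipLastIP $true -EFUsers $null

# Alternative to auto-detect: skip a fixed list of gateway IPs instead
# (placeholder addresses from the documentation range).
# Set-InboundConnector -Identity $connectorName -EFSkipLastIP $false `
#     -EFSkipIPs '203.0.113.10', '203.0.113.11'

# Step 9: verify the result.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, EFSkipLastIP, EFSkipIPs, EFUsers

Disconnect-ExchangeOnline -Confirm:$false
```

After the change, check the message headers of mail arriving through the gateway: the connecting IP that spam filtering and SPF are evaluated against should now be the original sender's address rather than your gateway's, which is what lets the spoofed admin alerts above be scored on their real origin.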

In addition to changing these Outlook security settings, you can also follow the best practices listed below to strengthen your network for remote work.

COVID-19-Themed Phishing Attacks

Here are some of the COVID-19-themed cyber attacks that can impact your Office 365 and Outlook users:

1. Phishing emails: Attackers are taking advantage of the COVID-19 situation by sending emails with either a malware attachment or a link to a malicious website. Without proper antivirus software or web filters in place, these attacks can compromise user accounts, resulting in ransomware attacks and/or exposure of critical data.

Here are some of the recent attacks reported by Threatpost:

Remcos RAT malware and malicious payloads were spread via phished emails about the Coronavirus.

Microsoft email attachments were used to create a backdoor into the devices of users that downloaded them

Emails with malicious attachments claiming to have information about COVID-19, sent from the WHO or the Center for Public Health in Ukraine

2. Malicious sites: According to a recent article by Forbes, there are 2,500 COVID-19 sites that target users with phishing emails and harmful links, stealing people’s credentials with a fake login page and/or downloading malware onto their systems to launch further attacks.

3. VPN security issues: Using only a VPN can no longer guarantee security for your business. You need to combine it with antivirus software and other security best practices. According to Dark Reading, there have been instances where malware that gained entry into systems – via phishing emails and malicious sites – launched attacks through the compromised user’s VPN account. Employees sometimes fall prey to malware (advertised as VPN software) when they try to set up a VPN on their own to access business applications from home.


Outlook Security best practices

Use VPN

Whenever you access the internet, make sure that your VPN is turned on. A VPN provides a secure connection through an encrypted tunnel that keeps your data safe whenever you use the internet.

Permit and Check Work Devices

Ask employees to use only the organization-provided laptop/system for work. If they use a personal laptop, then ensure that antivirus and VPN are installed on the machine.

Restrict Downloads and Installations

Restrict the users from downloading and installing applications without the admin’s permission. Monitor the applications for suspicious activity.

Install Anti-virus Software

Protect your computer from cyberattacks by using an antivirus to scan attachments and prevent unauthorized access to your system and/or data and also protect against harmful malware installations.

Back up Data

Back up critical data regularly to avoid loss of data due to accidental deletions or ransomware attacks.

SysCloud Office 365 Backup

Use SysCloud to automatically back up data from Outlook, OneDrive, People, Calendar, and SharePoint sites.