Posts

Email Security/Exchange Online - Ensure That DKIM Is Enabled For All Exchange Online Domains

Summary: DKIM should be used along with SPF and DMARC to prevent spoofers from sending messages that look like they are coming from your domain.

Reason: If DKIM is enabled with Office 365, the messages that are sent from Exchange Online will be cryptographically signed. This allows the receiving email system to validate that the messages were generated by a server authorized by the organization and are not being spoofed.

What If? Setting up DKIM will not affect anything, but organizations must ensure it is set up appropriately to keep mail flowing continuously.

How to? To set up DKIM records, first add the records to the DNS system for each domain in Exchange Online that you plan to use to send email with: After creating the DNS records, enable DKIM signing in the Office 365 Admin Portal. Launch the Security Admin Center. Under E-mail & Collaboration navigate to Policies & rules > Threat policies. Now, under Rules pick DKIM. After that, click on each domain and cl

Email Security/Exchange Online - Ensure That an Anti-Phishing Policy Has Been Created

Summary: By default, Office 365 generally includes built-in features that help protect users from phishing attacks. However, Anti-Phishing Policies can also be set up to increase the protection level, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within an organization and is a single view where you can fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

Reason: This policy can protect users from phishing attacks (like impersonation and spoofing), while also using safety tips to warn users about potentially harmful messages.

What If? Turning on an Anti-Phishing policy does not cause any impact; the messages can be displayed when applicable.

How to? To set the Anti

Email Security/Exchange Online - Ensure Safe Attachments Policy Is Enabled

Summary: This policy, if enabled, extends malware protection by routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent.

Reason: This policy helps in identifying and stopping previously unknown malware more accurately.

What If? During scanning, the delivery of emails with attachments may suffer some delay.

How to? To enable the Safe Attachments policy, use the Microsoft 365 Admin Center: Select Security to open the Microsoft 365 Defender portal. Under E-mail & Collaboration navigate to Policies & rules > Threat policies. Now, under Policies select Safe Attachments. Click + Create. After that, enter Policy Name and Description. Pick Block, Monitor, Replace or Dynamic Delivery. Select Save.

Monitor: To verify the Safe Attachments policy

Email Security/Exchange Online - Ensure Mail Transport Rules Do Not Whitelist Specific Domains

Summary: The Exchange Online mail transport rules should be set so that they do not whitelist any specific domains.

Reason: If certain domains are whitelisted in the transport rules, they can bypass the regular malware and phishing scanning, which in turn allows an attacker to launch attacks against any user from a safe haven domain.

What If? Take care during implementation to make sure that there is no business need for case-by-case whitelisting. If all the whitelisted domains are removed, it will surely affect the incoming mail flow to an organization, although modern systems sending legitimate mail should have no issues with it.

How to? To alter the mail transport rules so they do not whitelist any specific domain, use the Microsoft 365 Admin Center: Select Exchange. Go to Mail Flow and Rules. Now, for each rule that whitelists specific domains, select the rule and click the 'Delete' icon. To remove mail transport rules, you may also use the Exch

Email Security/Exchange Online - Ensure All Forms of Mail Forwarding Are Blocked And/Or Disabled

Summary: The Exchange Online mail transport rules should be set such that emails cannot be forwarded to domains outside of an organization. Automatic forwarding should also be disabled to prevent users from auto-forwarding mail via Outlook or Outlook on the web, and the Client Rules Forwarding Block, which does not allow the use of any client-side rules that forward email to an external domain, should also be enabled. Note: Any exclusions should be implemented according to an organizational policy.

Reason: Generally, attackers create these rules to exfiltrate data from a tenancy, which could be accomplished via access to an end-user account or otherwise.

What If? Before implementing the setup, ensure that there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. Any exclusions should be implemented according to the organizational policy.

How to? Note- It is a three ste

Email Security/Exchange Online - Ensure Exchange Online Spam Policies are Set to Notify Administrators

Summary: In organizations that have Microsoft 365 with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Exchange Online Spam Policies can be configured to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.

Reason: If an account is blocked, that means it has been breached and an attacker has been using it to send spam emails to other people. Note: Audit and Remediation guidance may focus on the Default policy, but if a Custom Policy exists in the organization's tenant, it should be ensured that the setting is set as outlined in the highest priority policy listed.

What If? The blocked notifications do not affect the users.

How to? To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center: Go to the Microsoft Admin Center and click Security.

Email Security/Exchange Online - Ensure the Common Attachment Types Filter is Enabled

Summary: Users can easily block known and custom malicious file types from being attached to emails via the Common Attachment Types Filter.

Reason: Blocking known malicious files helps prevent malware-infested files from infecting a host.

What If? The blocking of common malicious file types does not affect modern computing environments.

How to? To enable the Common Attachment Types Filter, use the Microsoft 365 Admin Center: Go to the Microsoft Admin Center and click Security. Under Email & collaboration, navigate to Policies & rules > Threat policies. Now, select Anti-malware and pick the highest priority policy. In the Edit tab, at the bottom, click on Edit protection settings and check Enable the common attachments filter.

To enable the Common Attachment Types Filter, use the Exchange Online PowerShell Module: Connect to Exchange Online using Connect-ExchangeOnline. Now, run the following Exchange Online PowerShell command:   Se