Introducing the Microsoft Office 365 Email Security Checklist
Update March 2023: This project morphed into the Microsoft 365 Best Practices Checklists, which includes a checklist and guide for each of the major services in Microsoft 365. You can get the product here.
Okay. I think I have had enough. Enough of what? Enough of reports like this one. And since email is still the number one attack vector in use by the bad guys, it’s time we step up our game–I’m looking at you, IT pros (especially consultants). Of note, from the article:
The conclusion, however, was stark. “The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts),” the report said. “In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.”
If you are an IT provider or otherwise in charge of any Office 365 subscriptions, then you NEED to be implementing a baseline level of security in your tenants. Microsoft does NOT take care of security “for you” contrary to popular belief. You are responsible for your own security boundary and settings within the Microsoft cloud.
So today I’m happy to announce that I’m releasing an Office 365 Email Security Checklist along with a couple of scripts! Help put these ridiculous reports and security incidents to rest once and for all.
- Here is a link to the guide
- Here is a link to the checklist, summarized in an Excel spreadsheet
- Here is a link to the scripts on GitHub
Some prefer to own downloadable copies, which you can obtain on GumRoad.
Summary of Checklist items
I have written about all of these things on this website before (which is why assembling a guide wasn’t that difficult). But the links contained here on this page go to the source, MS docs and blogs.
This first section requires no additional licensing beyond any of the Exchange Online plans (this is a recommended baseline that EVERYONE should be adopting):
- Enable mailbox auditing and unified audit log search
- Email authentication: SPF, DKIM and DMARC
- Eliminate legacy protocols and disable basic authentication
- Enable multi-factor authentication (admins and users alike)
- Disable mailbox auto-forwarding to remote domains
- Block sign-in for all shared mailboxes
- Adjust anti-spam, anti-malware and outbound spam policies
- Configure mobile device policies (ActiveSync or Office 365 MDM)
- Configure the default Alert policies
And while these additional items are highly recommended, they will require licensing beyond just a simple mailbox plan:
- Turn on Office 365 Advanced Threat Protection: Safe Links, Safe Attachments, Anti-Phish policy
- Protect mailboxes with a retention policy or litigation hold
- Configure modern device management & conditional access
- Block downloads from Outlook web on unmanaged devices
- Start using Office 365 message encryption features
- Configure Data Loss Prevention policy
- Configure Advanced alert policies in Cloud App Security
- OAuth notifications and review (or disable OAuth apps)
If you follow the checklist completely, you should be able to achieve a Secure Score between 400 and 500 points (most tenants aren’t even pushing 100 yet). While I think you should take the Secure Score tool with a grain of salt, more people should be using it as a starting point at least.
If you see anything in here that you’d do differently, please, do let me know. I’d like to improve and advance this project over time.
Comments (21)
Amazing Resource – will share the link around
Great read, Alex! I’ve been working through your archive for a couple of weeks now but after this I am most definitely subscribing!
We’re one of those companies that the CISA report was talking about, where we were sold on a migration into the Enterprise environment and some minor tenant configuration and then told we were completely safe…except we discovered ourselves months ago that there were gaping holes in our security. To beat all, when we reached out to our migration “experts”, they basically told us x, y, and z were out of scope for their work and we would have to pay extra to have those features added/configured. It’s taken me a couple of days, but I’ve just finished reading the guide and checking to see which items we already have implemented, either from our migration team or our patching of their work afterwards and I have to say that we still have some work to do.
A couple things I might recommend to add to the guide would be the expected delay for changes made and the immediate/delayed user impact. You mention both in the text of quite a few items, but having these items up with the Secure Score impact would help us IT folks with rather…overbearing management provide a short summary of the expected impacts and time windows.
That is an excellent idea. I will work on some updates.
Thank you so much for this! Very helpful! Are there any other areas in Office 365 that can increase security such as in Teams, Yammer, SharePoint, etc. that should be configured? Is a Secure Score between 400 and 500 the highest a tenant can get that has Office 365 Business Premium with Azure Information Protection add-on?
You will do much better with Secure Score if you have EM+S subscription. Yes, there are a few things I could, and will, be recommending for other areas, but Exchange online has to be the most targeted service on the planet. Or at least, it’s up there.
Very nice. Thank you.
Does the “Anti-Phish Rule” require ATP? When I run it I get errors in Exchange Powershell.
A parameter cannot be found that matches parameter name ‘PhishThresholdLevel’.
+ CategoryInfo : InvalidArgument: (:) [New-AntiPhishPolicy], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-AntiPhishPolicy
+ PSComputerName : outlook.office365.com
Policy “Anti-Phish Baseline Policy” not found.
+ CategoryInfo : ObjectNotFound: (Anti-Phish Baseline Policy:AntiPhishPolicyIdParameter) [New-AntiPhishRule], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=DM5PR2001MB0908,RequestId=1dc06dd6-e024-4d11-a319-b8ad9a9f994a,TimeStamp=5/16/2019 4:48:49 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 403AA2DC,Microsoft.Exchange.Management.SystemConfigurationTasks.NewAntiPhishRule
+ PSComputerName : outlook.office365.com
Yes it requires Office 365 ATP Plan 1.
Thank You!
Alex,
Thanks, a very timely and useful contribution.
For Alex and anyone else out there, can you shed some light on the default status of DKIM in Office 365 Exchange Email domains? I have 3 custom (vanity) domains installed on top of the standard onmicrosoft initial domain. None of these custom domains are shown as being set up for DKIM and yet emails from those domains have a “DKIM=Pass” entry in the headers of the emails they are sending.
Microsoft’s own documentation mentions a default behaviour for DKIM setup which applies their own policy. To quote Microsoft’s own documentation at:
https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email#default-behavior-for-dkim-and-office-365
“You can choose to do nothing about DKIM for your custom domain too. If you do not set up DKIM for your custom domain, Office 365 creates a private and public key pair, enables DKIM signing, and then configures the Office 365 default policy for your custom domain. While this is sufficient coverage for most Office 365 customers….”
So my question is what advantage am I creating for my install by overriding the default DKIM installation? It just doesn’t seem clear to me.
A little bit of further research on my behalf seems to suggest that the answer to my “why do DKIM if it’s already done?” question is that it appears that if you go on to implement DMARC, a properly configured DKIM install is required.
I would still appreciate it if someone else could clarify that observation, as my source is a little vague on the details.
David, the reason it is important to enable DKIM yourself is because the DKIM signature will then match your vanity domain. From the article that you sent: “If you enable DKIM yourself, the domain will be the same as the domain in the From: address, in this case fabrikam.com. If you don’t, it will not align and instead will use your organization’s initial domain.” It is best practice to enable the DKIM signing for your custom domain, so that the CNAME is present, and the domain in the “From:” field will match the “real” domain name rather than the onmicrosoft domain. It is similar if you have email from a bulk provider: you can actually publish CNAMEs in your DNS that prove you, the owner of that domain, have actually authorized this third party to sign mail on your behalf. Anyone can sign email, that doesn’t mean you allowed them to.
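The alignment point in the exchange above, as an added example (not code from the post or from Microsoft): a small DMARC-style check that parses the From: domain, the d= tag of each DKIM-Signature, and the receiver's Authentication-Results, and reports whether a passing signature actually aligns with the sender's domain. The sample headers are constructed; "contoso.com", "contoso.onmicrosoft.com" and "selector1" are assumed names, and the signature values are placeholders since no cryptographic verification is done here.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample headers (not a real message): mail from the vanity domain
# contoso.com that was DKIM-signed under the tenant's initial onmicrosoft.com
# domain, which is what Office 365's default signing produces.
DEFAULT_SIGNED = (
    "From: Alice <alice@contoso.com>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=selector1;"
    " d=contoso.onmicrosoft.com; h=from:subject; bh=FAKEHASH=; b=FAKESIG=\r\n"
    "Authentication-Results: mx.example.net; dkim=pass (signature verified)"
    " header.d=contoso.onmicrosoft.com\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)
# Same message after enabling DKIM for the custom domain: d= now matches From:.
CUSTOM_SIGNED = DEFAULT_SIGNED.replace("contoso.onmicrosoft.com", "contoso.com")


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); a real DMARC
    implementation consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_dom: str, sig_dom: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    only needs the same organizational domain."""
    if strict:
        return from_dom.lower() == sig_dom.lower()
    return org_domain(from_dom) == org_domain(sig_dom)


def dmarc_dkim_result(raw: str, strict: bool = False) -> dict:
    """Report whether any DKIM signature that the receiving MTA marked as
    passing (Authentication-Results) also aligns with the From: domain.
    A signature can verify fine (dkim=pass) and still fail DMARC."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    passed = []
    for ar in msg.get_all("Authentication-Results", []):
        passed += re.findall(r"dkim=pass\b[^;]*?header\.d=([^;\s]+)", ar)
    signing = [m.group(1) for h in msg.get_all("DKIM-Signature", [])
               if (m := re.search(r"(?:^|;)\s*d=([^;\s]+)", h))]
    aligned_pass = [d for d in passed if aligned(from_dom, d, strict)]
    return {"from_domain": from_dom, "signing_domains": signing,
            "dkim_pass": passed, "dmarc_dkim_pass": bool(aligned_pass)}
```

Run it on both samples: the default-signed message reports dkim=pass for contoso.onmicrosoft.com but no DMARC DKIM pass, while the custom-signed one aligns in both relaxed and strict mode.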
Hello, the guide looks very useful but, is there any way to download or print it? I’d rather have it on paper to work with it.
Thanks!
Yes, I will have it up on GumRoad soon. Making some updates to it before it’s up there but will have it up by the weekend!
Hi Alex, have you put the documents up on GumRoad yet? And thank you for the work you put into this and making it available to the public!
Yep, they are all available at gumroad.com/vanvfields. And more coming soon…
Alex
Can I get a copy of the spreadsheet somewhere?
Here is a link to the checklist, summarized in an Excel spreadsheet
The link opens the sheet, but permissions block download or print.
Correct, the downloadable versions of the PDF and spreadsheet are included in the purchase on GumRoad.
Hello Sir,
What are the differences between downloading the guide and buying the material on the GumRoad site?
Thanks.
Downloadable written guide (pdf) with more detail, versus just an excel spreadsheet.
Great publications Alex and what an incredible piece of work!