19 Best Practices for Securing Microsoft Office 365

Microsoft Office 365 is a massive platform that many businesses use. It is considered the world’s most popular office suite of productivity tools. Unfortunately, this means it is a hugely popular target for cyber-attackers as well. 

Microsoft Office 365 has a variety of effective built-in security features but it often needs specialized add-ons to address sophisticated threats like business email compromise and targeted phishing. It’s important to learn how to configure and deploy these security features, and train employees, so you can protect your sensitive business data. 

Let’s take a look at the features you can enable, and steps you can take to make sure your Office 365 is secure.

1. Utilize Multi-Factor Authentication

Utilizing multifactor authentication is the easiest, most effective way to rapidly improve your organization’s security. When you log in, you’ll need to type a code from your mobile device in order to access Microsoft Office 365. Adding this step helps prevent hackers from taking over an account if they discover the password or trick a user with a phishing attack. This can also be called 2-step verification. 

2. Use Separate Admin Accounts

The admin accounts you use for your Office 365 environment carry elevated privileges, making them valuable targets for cybercriminals. Admins should have separate user accounts for regular, everyday use, and use their admin account only when necessary to complete tasks associated with their job functions. Creating an emergency access admin account can also be helpful in case a problem arises. Additionally, assigning Role-Based Access Control (RBAC) roles to admins can be helpful.

3. Train Your Employees

While Office 365 has many features that help improve overall security and compliance, these controls do not necessarily address the most dangerous threat that faces every organization: human error. A report by Stanford found that approximately 88 percent of all data breaches are caused by an employee mistake. To address the severity of human error, organizations have invested in Office 365 security and awareness training. However, to err is human, so organizations need to plan for failure and not expect employees to detect all attacks, all the time.

4. Protect Against Ransomware Attacks

A ransomware attack restricts access to your company’s data by encrypting files or even locking computer screens. Ransomware will then attempt to extort money from the victims by demanding a “ransom”, typically in a cryptocurrency such as Bitcoin, in exchange for data access. The Safe Attachments feature of Microsoft 365 Defender can catch advanced ransomware, but it comes at the cost of delayed attachment delivery and a slower user experience.

5. Raise the Level of Malware Protection

The Office 365 environment includes malware protection; however, you can increase this protection by blocking attachments with commonly used malware file types. It’s important to note that the most common malware file types are PDF and Office documents.

6. Stop Email Auto-Forwarding

An attacker who gains access to a user’s mailbox might exfiltrate mail by configuring the mailbox to automatically forward emails. This can occur without the user’s awareness. It can be prevented by configuring mail flow rules that block automatic forwarding.
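As an added example (not code from the article or from Cyren), the following Exchange Online PowerShell session lists existing mailbox-level and inbox-rule forwarding and then creates a mail flow rule that rejects auto-forwarded mail leaving the tenant. It assumes the ExchangeOnlineManagement module and an account holding an Exchange administrator role; the rule name is a placeholder.

```powershell
# Added example, not part of the article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailboxes whose mailbox-level forwarding is already set (admin- or user-configured)
$mailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail: the silent rules this section warns about
$ruleForwarding = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

Write-Host "Mailbox-level forwarding:"; $mailboxForwarding | Format-Table -AutoSize
Write-Host "Inbox rules that forward/redirect:"; $ruleForwarding | Format-Table -AutoSize

# 3. Mail flow (transport) rule: reject any auto-forwarded message addressed outside the tenant
$ruleName = 'Block external auto-forwarding'   # placeholder name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

The transport rule stops future leakage; the two reports in steps 1 and 2 are what you review to find forwarding that an attacker may already have configured.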

7. Use Office 365 Message Encryption

Office 365 Message Encryption is an included feature with Microsoft 365 that’s already fully set up. With this feature, your business can send and receive encrypted emails. Office 365 message encryption allows you to ensure only intended recipients can view the message content.

8. Protect Email Accounts from Phishing Attacks

If you have configured custom domains for your Microsoft Office 365 environment, you can also configure targeted anti-phishing protection. Anti-phishing solutions can help protect your business from any malicious phishing attack. If you have not configured custom domains, you will not need to do this.

9. Protect from Malicious Attachments & Files with O365 Safe Attachments

People often send, receive, and share attachments, like documents, presentations, and spreadsheets. It can be difficult to tell whether an attachment is safe or malicious. Office 365 Safe Attachments protection is not turned on by default, but it should be, because this protection extends to all files in SharePoint, OneDrive, and Microsoft Teams.

10. Protect Against Phishing Attacks by Using Safe Links

Attackers can use malicious website links in email or other files. Safe Links for Office 365 helps protect your business by providing time-of-click verification of web URLs within email messages and Office documents. Safe Links cannot protect against zero-day phishing threats.

Items to Enable

There are multiple different features in O365 that can be enabled in order to make your organization more secure. These include: 

  • 11. Unified Audit Log: The unified audit log holds all user, group, application, domain, and directory activities that are performed in the Microsoft 365 admin center.
  • 12. Alert Policies: An alert policy contains a set of rules defining the user activity that generates an alert, as well as the list of users who are alerted when that activity is performed.
  • 13. Azure Portal Inactivity Timeout: This setting protects resources from unauthorized access when you forget to secure your workstation.
  • 14. External Email Tagging: This feature clearly marks all external emails as “External” in order to alert mail users to be cautious with the attachments and contents of the message.
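An added example (not from the article) for items 11 and 14 that also serves the audit-log review recommended under Final Thoughts: it enables unified audit log ingestion and external-sender tagging, then reports inbox-rule changes from the last seven days with the client IP that made them. It assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example, not part of the article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 11. Unified Audit Log: make sure ingestion is switched on
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 14. External Email Tagging: Outlook clients mark mail from outside the tenant as External
if (-not (Get-ExternalInOutlook).Enabled) {
    Set-ExternalInOutlook -Enabled $true
}

# Review: who created or changed inbox rules in the last 7 days, and from where.
# Inbox-rule changes are worth watching because forwarding rules are a common
# sign of a compromised mailbox.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    [pscustomobject]@{
        When      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        # Parameters is an array of {Name, Value}; keep only forwarding-related ones
        Forward   = ($d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect' } |
                     ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$report | Sort-Object When -Descending | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Rows with a non-empty Forward column, or a ClientIP outside your usual ranges, are the ones to investigate first.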

Items to Block

In addition to the items that should be enabled in O365, there are items you should consider blocking in order to keep your email secure. These may include:

  • 15. Legacy Authentication Protocols: Legacy authentication protocols can’t enforce certain rules, making them preferred entry points for hackers attacking your organization.
  • 16. User Consent to Apps: Giving consent to unmanaged apps can pose a threat to your organization.
  • 17. User access to Azure Portal: You will only want admins to have access to the Azure portal. Regular users have no need for access, and it could pose a threat.
  • 18. Guest can invite access: Like the items above, this could pose a threat if an account in your organization, or in another organization you work with, were hacked.
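An added example (not from the article) for items 15 and 18: an Exchange Online authentication policy that denies Basic authentication for all legacy protocols, a tenant-wide switch-off of SMTP AUTH, and an Azure AD authorization policy that limits guest invitations to admins and designated guest inviters. It assumes the ExchangeOnlineManagement and AzureAD PowerShell modules with administrator rights; the policy name is a placeholder.

```powershell
# Added example, not part of the article. Assumes the ExchangeOnlineManagement and
# AzureAD modules are installed and the session has Exchange and Azure AD admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 15. Legacy Authentication Protocols
$policyName = 'Block Legacy Authentication'   # placeholder name

# A newly created authentication policy denies Basic auth for POP, IMAP, SMTP, ActiveSync,
# EWS, MAPI, RPC, Autodiscover and remote PowerShell unless an -AllowBasicAuth* switch is given
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default so every user without an explicit policy is covered
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# SMTP AUTH is a legacy protocol that cannot enforce MFA; disable it tenant-wide and
# re-enable it per mailbox (Set-CASMailbox) only for devices that genuinely need it
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Verify: every AllowBasicAuth* flag on the policy should now be False
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp,
                  AllowBasicAuthActiveSync, AllowBasicAuthWebServices, AllowBasicAuthPowershell

Disconnect-ExchangeOnline -Confirm:$false

# 18. Guest can invite: restrict who may invite external guests into the tenant
Import-Module AzureAD
Connect-AzureAD | Out-Null
# Allowed values: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone
Set-AzureADMSAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'
(Get-AzureADMSAuthorizationPolicy).AllowInvitesFrom   # verify the new setting
```

Authentication policy changes can take time to propagate to existing sessions, so verify with a test sign-in over a legacy protocol before relying on the block.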

19. Check Out the O365 Security and Compliance Center

The Security and Compliance Center for O365 has many different tools to help you keep your sensitive data secure. When you wonder what else you can do to protect your business, this is always a great option to check in on new opportunities.

Final Thoughts

A crucial part of keeping Microsoft Office 365 secure is regularly checking the audit logs and keeping up with security recommendations in the Microsoft 365 Security Center. These layers help protect individuals using O365; however, it is also the responsibility of each organization using Microsoft 365 to make sure its implementation is configured securely. All organizations should review, configure and tune the appropriate security settings across Microsoft Office 365’s services to make sure the proper risk tolerance levels are met.

Ready to learn more about how you can protect your business from O365 attacks? Get a demo with the Cyren team today.
