Have you secured your Office 365 email?

I’ve been migrating on-premises business email systems to Office 365 for the past few years. Email is often seen as the first logical step into the cloud, a low-risk move. Outlook performs well due to caching, even over slow links, so you get an up-to-date, feature-rich environment with little risk of negatively impacting users. As someone who started out managing Exchange email environments, I would certainly have welcomed Office 365 twenty years ago and perhaps would have been spared a few grey hairs. From a management and update perspective, on-premises email systems can be difficult. Email is never a critical system until it’s offline, and I’m sure most IT admins have experienced the panic when a stubborn mailbox database won’t come online.

What’s often not considered in a move to Office 365 and Exchange Online is environment security. In my experience, this is much more likely to be a consideration for an on-premises system. Office 365 is simple to get up and running and is online from day one. This is very convenient, but it can put critical business data at risk. The assumption in many cases is that everything is done, and it’s simply a matter of a few clicks and off you go.

Email account compromise is now very common, so ensuring suitable safeguards are in place is critical. These breaches often start with the attacker obtaining credentials to an account via a phishing scam. Once the account is breached, email forwarding is configured to send all messages from the account on to the attackers. This information is often used to create scam invoices with new bank account details, in the hope that someone will pay an invoice into the bank account of the attacker. The advantage of the forwarding is that the attackers will continue to receive email messages even if the person changes their password. Imagine all your email being forwarded without your knowledge; it’s a scary thought.

What can you do to protect your email data?

At a minimum, this involves configuring core safeguards and establishing a security baseline. This doesn’t always mean turning on security features; it might mean disabling a default feature. We talked about email forwarding being commonly used to exfiltrate data, and Exchange Online is in fact configured by default to allow email forwarding to external recipients. There could be a valid business reason for requiring this functionality, and it is probably enabled by default for convenience, but it does create a security hole.

Configuring your core safeguards may mean enabling a built-in feature. Office 365 has some great built-in functionality, one example being multi-factor authentication (MFA). MFA adds an extra layer of security to the login process by linking your Office 365 account to another device, normally a phone, by way of an app or a code sent via SMS. If your password is compromised, an attacker would also need the phone to log in to Office 365.

MFA should always be enabled for internet-facing services, and it’s often not straightforward to implement on-premises. MFA alone might be a reason to move to Office 365. The same might be said for other security features built into the platform such as Data Leak Prevention functionality or the ability to easily encrypt email messages and attachments.

Visibility is critical, and auditing and alerting should also form part of your security baseline. I’ve seen companies that have only discovered an email account breach by accident, and email has been forwarding out for a number of months. Office 365 has some great auditing features and tools, but they need to be configured and managed. Tools are even available to automatically lock out accounts if unusual activity or a breach is suspected.
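As an added example (not part of the original article), the PowerShell below shows one way to check for the forwarding described above, so it is found by an audit rather than by accident. It reads the forwarding properties that Exchange Online's Get-Mailbox returns and reports any that leave your own domains. The function name Find-ExternalForwarding and the contoso.example sample data are constructed for illustration, and the check covers mailbox-level forwarding settings only, not inbox rules.

```powershell
# Added example: report mailbox-level forwarding that leaves the organisation.
function Find-ExternalForwarding {
    [CmdletBinding()]
    param(
        # Mailbox objects; live input would be: Get-Mailbox -ResultSize Unlimited
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,

        # Domains you own; live input would be: (Get-AcceptedDomain).DomainName
        [Parameter(Mandatory)]
        [string[]]$InternalDomain
    )
    process {
        $smtp = [string]$Mailbox.ForwardingSmtpAddress
        if (-not [string]::IsNullOrWhiteSpace($smtp)) {
            # Stored as "smtp:user@domain"; strip the prefix, compare the domain.
            $address = $smtp -replace '^smtp:', ''
            $domain  = ($address -split '@')[-1]
            if ($InternalDomain -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox    = $Mailbox.UserPrincipalName
                    ForwardsTo = $address
                    KeepsCopy  = [bool]$Mailbox.DeliverToMailboxAndForward
                    Finding    = 'External forwarding address'
                }
            }
        }
        if ($Mailbox.ForwardingAddress) {
            # Points at a directory recipient (possibly a mail contact with an
            # external address), so it needs a manual look rather than a verdict.
            [pscustomobject]@{
                Mailbox    = $Mailbox.UserPrincipalName
                ForwardsTo = [string]$Mailbox.ForwardingAddress
                KeepsCopy  = [bool]$Mailbox.DeliverToMailboxAndForward
                Finding    = 'Forwards to a recipient object: review'
            }
        }
    }
}

# Constructed sample data (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'accounts@contoso.example'; ForwardingSmtpAddress = 'smtp:collector@mailbox.invalid'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'pa@contoso.example'; ForwardingSmtpAddress = 'smtp:director@contoso.example'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'sales@contoso.example'; ForwardingSmtpAddress = $null; ForwardingAddress = 'Partner Contact'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ UserPrincipalName = 'hr@contoso.example'; ForwardingSmtpAddress = $null; ForwardingAddress = $null; DeliverToMailboxAndForward = $false }
)
$sample | Find-ExternalForwarding -InternalDomain 'contoso.example' | Format-Table -AutoSize
```

Run against the sample, this reports the accounts@ mailbox as forwarding externally and the sales@ mailbox for review, and stays silent on the internal forward and the mailbox with no forwarding.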

It’s unlikely that many companies are not concerned about the confidentiality of the data in their email. If you’re using Office 365, invest the time in securing the platform and mitigate the risk of a breach.

Where are you at now? If you’re an administrator, Office 365 Secure Score will help you understand your current security position.


Colin has over 20 years’ consulting experience working with organisations ranging from small businesses to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft-based technology solutions, disaster recovery implementations and information security.