5 ways to prevent a phishing attack in Microsoft 365

Data breaches can have severe consequences for organisations, including financial losses and reputational damage. A phishing attack is the most common type of business breach, accounting for a staggering 84% of cyber security incidents in the UK.

What is a phishing attack?

A phishing attack is a way for hackers or cyber criminals to use deceptive emails or messages to trick users into revealing sensitive information, or inadvertently installing malware by clicking on malicious links.

These emails may try to impersonate a particular colleague or supplier, including IT providers such as Microsoft or Google.

For this reason, it’s vital to implement the correct policies and procedures in your platforms (such as Exchange Online) so that company data does not get into the wrong hands. A simple phishing attack could grant a hacker access to various company systems like your CRM or SharePoint environment.

5 ways to prevent a phishing attack in Microsoft 365

1. Enable Multi-Factor Authentication (MFA)

Implement MFA for all user accounts. This adds an additional layer of security by requiring users to enter a second form of authentication in addition to their password. Security Defaults will enable MFA for your users and has been rolled out to all tenants automatically. There are several MFA methods available in Microsoft 365; a few are listed below:

  • Microsoft Authenticator
  • FIDO2 security key
  • SMS
  • Hardware OATH token (Preview)
  • Third-party software OATH tokens
  • Voice Call
  • Email (OTP) One Time Passcode

If your organisation is looking to implement a phishing-resistant method of multi-factor authentication, FIDO2 is available within Entra. Microsoft Entra houses all of Microsoft's identity and network access solutions, including Entra ID (formerly known as Azure Active Directory). FIDO2 security keys are a phishing-resistant, standards-based passwordless authentication method that lets users and organisations sign in without a username or password. Instead, users authenticate with an external security key or a platform key built into a device. Please note that this method of MFA requires further configuration before it can be used.

At the time of writing, the Microsoft Authenticator app is deemed by Microsoft to be the most secure of the out-of-the-box methods available.

MFA methods can be enabled via the Microsoft 365 admin center, or within Entra if you have already migrated to the new authentication methods policy ahead of the September 2025 deadline.
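The two administrative tasks this section describes, checking which users have (and have not) registered a strong MFA method and switching on FIDO2 security keys, can both be done against Microsoft Graph. The script below is an added example written for this article, not code from the original post or from Intelogy; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that the Graph `userRegistrationDetails` report and the `Fido2` authentication method configuration endpoint behave as described in Microsoft's Graph documentation (the method names compared against, such as `mobilePhone`, are taken from that report's documented values and are an assumption here).

```powershell
# Added example (not from the original post): audit MFA registration in Entra ID and
# enable FIDO2 security keys as a phishing-resistant method, both via Microsoft Graph.
# Assumes the Microsoft.Graph SDK and an account able to grant these scopes.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.ReadWrite.AuthenticationMethod'

function Get-MfaRegistrationGaps {
    # Reads the authentication methods registration report (v1.0) page by page and
    # classifies each user: no MFA at all, phone-only (SMS/voice can be phished),
    # or Ok (at least one app, token or FIDO2 method registered).
    $uri  = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?$top=999'
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rows += $page.value
        $uri   = $page.'@odata.nextLink'      # $null on the last page
    }

    # Assumed report value names for phone-based methods.
    $phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

    foreach ($r in $rows) {
        $methods = @($r.methodsRegistered)
        $status  = if (-not $r.isMfaRegistered) { 'NotRegistered' }
                   elseif (@($methods | Where-Object { $_ -notin $phoneMethods }).Count -eq 0) { 'PhoneOnly' }
                   else { 'Ok' }
        [pscustomobject]@{
            User    = $r.userPrincipalName
            Status  = $status
            Methods = ($methods -join ',')
        }
    }
}

function Enable-Fido2Method {
    # Turns on the FIDO2 security key method tenant-wide. Attestation enforcement
    # limits registration to keys whose model can be verified.
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationAllowed = $true
        isAttestationEnforced            = $true
    }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2' `
        -Body $body
}

# List everyone who still needs attention, then enable FIDO2.
Get-MfaRegistrationGaps | Where-Object Status -ne 'Ok' | Sort-Object Status | Format-Table -AutoSize
Enable-Fido2Method
```

The report is the quickest way to find accounts that Security Defaults has not yet pushed into registering a method, and the phone-only bucket is worth reviewing because SMS and voice are the two methods on the list above that a phishing page can relay in real time.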

2. User Education

User education is proven to have helped reduce data breaches from 60% to 10%. I recommend adding training and support information to your intranet, because this will reduce the risk of falling foul of a phishing attack. Here are a few examples of when a training session could be highly beneficial:

  • When you have a new staff member joining the business
  • An employee returns from a period of extended leave
  • An employee changes department
  • Every 12 months as a refresher course

With threat investigation and response capabilities in Microsoft Defender, you can use attack simulation training to run realistic attack scenarios in your organisation. These simulated attacks can help you find vulnerable users before a real phishing or ransomware attack happens.

*Available with the following licences: Microsoft 365 E5 and Microsoft Defender XDR for Office 365 Plan 2.

3. Set up Anti-Phishing Policies

Exchange Online can provide protection from phishing attacks through anti-phishing policies. When configured correctly, these policies can help detect and block phishing emails based on various criteria, such as suspicious sender domains, known phishing URLs, and impersonation attempts. If you can reduce the number of emails your staff receive that could lead to a data breach, you minimise the risk that an employee mistakes one for a genuine email.

Examples of what an anti-phishing policy can protect:

  • User impersonation (email address): Instead of the legitimate <michelle@contoso.com>, the impersonator uses <rnichell@contoso.com>.
  • User impersonation (display name): Instead of the legitimate Joe CEO <joe.ceo@contoso.com>, the impersonator sends as Joe CEO <fake@fabrikam.com>.

How to set up an anti-phishing policy in Microsoft 365?

Note: While the guide below provides a basic foundation for setting up an anti-phishing policy in Microsoft 365, every organisation is different and has unique factors to consider. Why not have a chat with our security experts before you proceed?

To create an anti-phishing policy, start in the Microsoft Defender portal. By default, Microsoft already enables a built-in policy; however, its settings are very basic and don't offer much in terms of protection. For full details of the possible settings for an anti-phishing policy, see Microsoft's Learn article: Anti-phishing policies – Microsoft Defender for Office 365 | Microsoft Learn

Firstly, give your policy a name.

Create a new anti-phishing policy

Then decide who this policy applies to within the tenant. Depending on your organisational requirements, you may need multiple policies, each assigned to different users or even different departments.

Here’s how to apply a policy per domain.

Create a new anti-phishing policy - domains

Below are my recommended settings for a custom anti-phishing policy for impersonation protection.

I have enabled ‘users to protect’. Underneath this option is ‘manage senders’, where you add the users you wish this policy to protect; there is a limit, however (350 internal and external users). Microsoft recommends adding people in key roles, but why not just protect everyone? I would recommend protecting all company employee mailboxes. If you have more than 350 employees, you will need to use more than one policy to get around the 350-user limit. The option to protect domains is also ticked, with the sub-option telling the policy to protect all the domains I own. This setting takes information from the Microsoft 365 admin center and uses the domains that are verified within your tenant.

I have not added any trusted senders or domains to bypass this policy. However, this is where they can be added in case of any false positives.
You can also see that both mailbox intelligence and intelligence for impersonation protection are enabled. This allows the system to learn from your mailbox activity to assist in finding potential threats.

Phishing threshold and protection

Once we have enabled the user/domain impersonation settings within the anti-phishing policy, we can decide how to deal with a suspicious message. I find it's always best to move the message to quarantine, with a quarantine policy that notifies end users. This informs users that a message was sent to them but Exchange Online Protection (EOP) has stopped it from being delivered to their mailbox due to company policy.

When the message has been reviewed, if deemed safe, it can be delivered to the user’s mailbox or deleted if deemed unsafe.

message actions
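The same impersonation-protection policy described in the walkthrough above (protected users and owned domains, mailbox intelligence, quarantine with end-user notification) can be created from Exchange Online PowerShell, which also makes the 350-entry limit explicit. The script below is an added example written for this article, not code from the original post or from Intelogy; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence, and that the built-in `DefaultFullAccessWithNotificationPolicy` quarantine policy is the one you want for notifications. The policy name, rule name and the hypothetical finance-team domain scoping are placeholders.

```powershell
# Added example (not from the original post): build the impersonation-protection
# anti-phishing policy with Exchange Online PowerShell. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline

$policyName = 'Impersonation protection - all staff'   # placeholder name
$notifyTag  = 'DefaultFullAccessWithNotificationPolicy' # built-in: quarantine + notify user
$maxProtected = 350                                     # hard limit per policy

# Every user mailbox in "Display Name;address" form, which TargetedUsersToProtect expects.
$targets = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { "$($_.DisplayName);$($_.PrimarySmtpAddress)" }

# Only the first matching policy applies to a recipient, so splitting the list across
# policies that all target the same recipients would not extend protection. Stop here
# and scope additional policies to distinct recipient groups instead.
if ($targets.Count -gt $maxProtected) {
    throw "$($targets.Count) mailboxes exceeds the $maxProtected protected-user limit; use multiple policies with distinct recipient scopes."
}

New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $targets `
    -TargetedUserProtectionAction Quarantine `
    -TargetedUserQuarantineTag $notifyTag `
    -EnableTargetedDomainsProtection $true `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -TargetedDomainQuarantineTag $notifyTag `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -MailboxIntelligenceQuarantineTag $notifyTag `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -SpoofQuarantineTag $notifyTag `
    -HonorDmarcPolicy $true `
    -DmarcQuarantineAction Quarantine `
    -DmarcRejectAction Reject `
    -PhishThresholdLevel 2

# The rule decides which recipients the policy covers: here every accepted domain.
$domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
New-AntiPhishRule -Name "$policyName rule" -AntiPhishPolicy $policyName `
    -RecipientDomainIs $domains -Priority 0

# Confirm what was written before relying on it.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, EnableOrganizationDomainsProtection,
                  EnableMailboxIntelligenceProtection, TargetedUserProtectionAction, HonorDmarcPolicy
```

Trusted senders and domains for false positives go in `-ExcludedSenders` and `-ExcludedDomains` on `Set-AntiPhishPolicy`, which keeps the exceptions on the policy rather than in a transport rule where they are easy to forget.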

4. Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC helps prevent email spoofing by verifying the authenticity of the sender’s domain. Set up DMARC policies to enforce strict alignment checks and specify actions (such as quarantining or rejecting) for failed messages.

You must first set up a DMARC TXT record within your domain's DNS. Please follow the guidance from Microsoft on how to set up DMARC for your custom domain in Microsoft 365:

Use DMARC to validate email, setup steps – Microsoft Defender for Office 365 | Microsoft Learn

This policy will help spot the real from the fake. If the sender's domain is protected with a DMARC record, any receiving email server can verify the incoming email against the published data. If the email passes verification, it will be delivered and can be trusted. If the email fails, then depending on the policy held within the DMARC record, the email could still be delivered. However, it is better to have the email quarantined or rejected. In the screenshot below you can see my recommended settings from within the anti-phishing policy. This way, if any legitimate email gets caught, it can be reviewed and released.
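Whether a DMARC record actually quarantines or rejects spoofed mail comes down to a handful of tags in the TXT record, so it is worth checking your own record rather than assuming publication equals enforcement. The script below is an added example written for this article, not code from the original post or from Intelogy: it parses a DMARC record into its tags and flags the settings that leave spoofed mail deliverable. The two sample records and the `contoso.com` domain are constructed placeholders; the live lookup uses `Resolve-DnsName`, which assumes Windows PowerShell or the DnsClient module.

```powershell
# Added example (not from the original post): parse a DMARC TXT record and report
# whether its policy will actually quarantine or reject mail that fails alignment.
function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)

    # DMARC tags are "name=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        if ($part.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$matches[1]] = $matches[2].Trim() }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($tags['v'] -ne 'DMARC1')       { $findings.Add('Missing or invalid v=DMARC1 tag; receivers will ignore the record.') }
    if (-not $tags.ContainsKey('p'))   { $findings.Add('No p= tag; the record is invalid.') }
    elseif ($tags['p'] -eq 'none')     { $findings.Add('p=none only monitors: failing mail is still delivered.') }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("pct=$($tags['pct']): the policy applies to only part of failing mail.") }
    if ($tags['sp'] -eq 'none')        { $findings.Add('sp=none leaves subdomains unprotected.') }
    if (-not $tags.ContainsKey('rua')) { $findings.Add('No rua= address: you will receive no aggregate reports to find legitimate senders that fail.') }

    $fullPct = (-not $tags['pct']) -or ([int]$tags['pct'] -eq 100)
    [pscustomobject]@{
        Policy   = $tags['p']
        Enforced = ($tags['p'] -in 'quarantine', 'reject') -and $fullPct
        Findings = $findings
    }
}

function Get-DmarcRecord {
    # Live DNS lookup of the _dmarc subdomain. Long records may be split into
    # several strings, so they are joined back together.
    param([Parameter(Mandatory)][string]$Domain)
    (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop).Strings -join ''
}

# Constructed sample records: one monitoring-only, one enforcing with strict alignment.
$monitorOnly = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com'
$enforcing   = 'v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@contoso.com'

Test-DmarcRecord -Record $monitorOnly   # Enforced = False, with findings listed
Test-DmarcRecord -Record $enforcing     # Enforced = True, no findings
# Test-DmarcRecord -Record (Get-DmarcRecord -Domain 'contoso.com')   # check your own domain
```

Run the live form against each of your verified domains after publishing the record: the usual path is to start at `p=none` while reading the aggregate reports, then move to `quarantine` and finally `reject` once every legitimate sending service aligns.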

5. Regularly Update Security Software

Keep your security software, including Windows, Office applications, Exchange Online Protection and Microsoft Defender for Office 365, up to date. Regular updates ensure that your defences are equipped to handle new phishing threats.

It is often not as simple as implementing one of these measures to reduce the risk of a phishing attack – a combination of these technical policies, user education, and proactive monitoring is the best way to protect your organisation.

If you’ve got a project in mind or you’re interested in an end-to-end transformation for your identity and access management strategy, we’d love to hear your plans and discuss how your vision can become a reality. Visit our offering here: https://www.intelogy.co.uk/digital-workplace/microsoft-365-security/identity-access-management-services-with-microsoft-entra/


Scott Coates
I am a skilled and experienced technical support engineer with an extensive background within the MSP sector with a passion for providing excellent service.
Published On: July 10th, 2024 Categories: Modern IT
