Episode one: Eight ways to secure your M365 email system. I am super excited about this one, Michael, I'm sure you are too. I really am. [Laughter] All right, for those who don't know, my name is Brian Ardando, with Empowering Technology Solutions. We are a managed IT and security provider. With us is our co-host Mike Urich, also known as Big Mike. He is the service manager for ETS. Yes, sir. Cool. Before we get started, since this is the first episode, we'll just do a quick backstory so everybody knows why we're doing this. We started this podcast to give back to the IT community. Our team has been focusing on expanding our IT security posture, and we feel the community as a whole can benefit from what we've learned and continue to learn. For sure. And to that end, again, as our topic title says today, we are looking into eight ways that you can secure your Microsoft 365 email system. Email is the number one way that companies are targeted for phishing, and we want to do what we can to help everybody secure those tenants and make sure all of our customers are taken care of. Yeah, agreed. I'm excited about this one, because this is a never-ending threat that's just going to keep getting worse. It seems like every day we see a ticket of some kind where somebody is seeing an email that looks like phishing, or something is suspected of being malware, or something is coming through email. So yeah, we want to do what we can to make sure that those environments are protected. Right. Cool. You know, it would be interesting too, before we jump in: I'm curious how many phishing emails our systems are detecting every day. That would be an interesting stat. It's actually quite a few. I've been looking into it with some of the team recently over the past couple of weeks.
With the inclusion of IronScales with some of our clients, we see at least a couple dozen a day, and that's just from the 50 or 60 clients that we have it in place with, so it's pretty common. Wow, cool. Okay, so I guess jumping right in, you want me to start off with this first one? Yeah, go right ahead. Cool. Okay, so one way to increase the security of the 365 tenant is to avoid setting up common department mailboxes, things like accounting, accounts payable, AP. By doing that, you've made it too easy for people to literally mass email those types of mailboxes, and the moment they know that it's a real mailbox, you're going to start getting attacked at that level. Exactly, and it may not seem like a lot at first. It's just a couple of spam messages, maybe some marketing stuff, but those generalized mailboxes are easy bait. You just have to know a domain, you throw accounting on there, and they're getting stuff in their inbox. It's that easy. Right. What would you suggest they do instead, Michael? So instead of accounting at company.com, what's a better way to do that? So a couple of things that I would probably think of first and foremost would be something like an abbreviation of some sort, something that's only known by the internal team. Include initials, things that aren't part of the team name, include numbers, things like that, just something that isn't easily identifiable as being a repository of information for a specific department. Yeah, no, that's a great idea.
We wanted to just share a story on this. In the last six months, two companies who weren't clients of ours were hit by very sophisticated phishing attacks. The first one was a two hundred thousand dollar loss and the second one was a seventy-seven thousand dollar loss. That's a lot. Yeah. So the first one that got hit actually had an external tag going in their security, so anytime an external vendor emails in, it has "external" on it. The problem is, the entire email thread was already flooded with "external" because they were speaking to somebody external, and once everything was approved and it came time to wire the money, the hacker changed one letter on the email and said, okay, can you please wire the money here? The customer did not know and wired the 200 grand to them, not realizing it was off by one letter. Man, something so simple caused such a big backlash. Right. Do you know, Michael, how that happened, like how the hacker knew to do that? Well, my initial guess would be some sort of phishing campaign that got them to this point. They likely sent something to someone within one of these email chains, were able to get their credentials, got a back door into the account, found out some information about the domain, spun up a cheap one on a website that's readily available online, and made these emails that looked very much like the ones these people were communicating with. Literally, it took them less than an hour once they saw the opportunity.
The new domain was spun up when they attacked. It's tragic, it's very tragic. Here's the crazy part: this all could have been avoided, and this kind of goes into our second point. The way that hack unfolded was that on the accounts payable team there was a rule in their Outlook that anytime they received an email, it was auto-forwarding a copy of that message to a Gmail account, the hacker's Gmail account. Yeah. And so the second big thing you can do in Microsoft 365 is create a mail flow rule that says if the recipient is external and the message property type is auto-forward, reject the message. That way you just stop those from going out altogether. That is such a powerful rule, and it immediately makes me think of all the times in the past where I've worked with customers on compromised emails, and the go-to things that we want to check for are rules being created to forward emails externally. So that's great that they've already built a specific rule in to combat that. That's good. Right, right. And so for those who want to check if you potentially have this problem, what you want to do is head to protection.office.com and go to Mail flow and then Dashboard, and there's an actual box there that Microsoft populates that shows messages auto-forwarded this week. Go look at that and see if there are things being auto-forwarded, because if there are, it's probably malicious and it's something to investigate. And then you can put this band-aid in by not letting that happen anymore with the mail flow rule. 100 percent. And just as an overarching rule of thumb for 365 tenants, forwarding to external emails that you cannot manage and govern should typically be a no-no. Don't
do that. Right, right. If you found yourself in a scenario, though, where that needs to happen, let's say you have a board member or for some reason somebody needs something, what we'd recommend doing is you create a mail-enabled security group, call it "allow external remote forwarding", and then on that mail flow rule, same thing: if it's external and its message type is auto-forwarding, don't let it go, except if the user is part of that group. That is one way you can securely bypass that. It's perfect. It's a good rule. Yep. Do you want to touch on number three, the anti-phishing? So something that we offer most of our clients, and something that could have protected these couple of businesses when they were targeted, is a program and a software platform that we use called IronScales. IronScales is an email security platform that sits between Microsoft 365 and your end user. So whenever mail is sent to specific users, IronScales scans it. They look for scores related to phishing, they look for impersonation attempts, and what's more important is that when it sees those, within the user's actual Outlook when they open that email, if it's something other than a user that they've previously corresponded with, or if it's from a domain that has a high phishing rating, it will put a bright red banner right across the top of that email. It's impossible to ignore. So if this had happened in one of these companies and they had IronScales, as soon as that impersonation attempt happened, they would have seen a big bright banner and would have been able to stop it right there, and there would have been no harm done. Right.
IronScales is an incredibly powerful tool that will protect your entire organization, in addition to all the things that we're recommending through 365. Right, right. Not to mention the training. Yeah, the phishing training is huge too, so they allow you to do full-on phishing campaigns. It's not real, which is great, but it looks very real. The thing that we want to do with those campaigns is (a) empower users to identify when phishing attacks are attempted and (b) find those weak points within an organization and help those users to know what to look for as well, so that you don't have those holes in your company's organization and these things are taken care of before they ever become problematic. Now, I literally think you hit the nail on the head. Some people listening might say, well, there's a lot of programs out there, right? There's something called KnowBe4, which does a bunch of email phishing, there's a lot of companies. We looked at all of them, and the reason why we selected IronScales, no plug for IronScales here, honestly, is they just do a great job. So here's what happens. Let's say you have a company with a hundred users and a phishing attack happens and it hits your accounts payable team, and let's say your AP person reports it as phishing. IronScales is smart enough to go, okay, we were 60 percent confident it was phishing.
This person just reported it as phishing. Then we get an alert and we confirm it's phishing. That user that reported that email now has what's called a gamification score. So let's say then we do a phishing test and this person always passes, they report it. They now have a high score. Four months go by and a new attack comes into the organization and this person reports it. The system goes, okay, I was pretty confident, they're always correct or usually correct, and it completely eliminates that threat across the entire company. Accountability, man. It's a big deal. It's good to have something that powerful. Right. In the past, there's a phishing campaign, and what do people do? HR sends out an email that says, hey everybody, please don't click on that email because it was a bad email and it's not us. Yeah, you sit around and you hope. It's like, now that does not happen anymore. Another thing that I really enjoyed finding out about IronScales is how involved the community is. So it's not just your organization that you're relying on to identify these spam and phishing attempts; the community as a whole influences what gets flagged and isolated in your organization, so it's hugely powerful. When you say community, who is that? So the community is other users who have IronScales enabled on their mailboxes. When they report those phishing emails, that then gets uploaded to a centralized database and is shared with other users of IronScales.
Right, I see what you're saying. Yeah, that is a really good feature of it. Yeah, awesome. Next one, you want to jump right into that? You want me to? No, for sure. Another thing that we found that is hugely strong in combating phishing is having a branded page for your organization, so that when a user is prompted via email, hey, we need your credentials to download this file or for you to access this document, whatever it may be, if you're accessing a 365 account or tenant, it will give them a splash page with their company's image on there. If you've trained your employees and end users well enough to know "don't log in unless you see our company's logo somewhere", it's a given: if they don't see that, back away, stop what you're doing, it's not legitimate. Right. That's, no, that's perfect. I mean, there's operational value there, there's security value there, there's a lot of value there for sure. Gotcha. Okay, yeah, and I'll jump on this next one. I think this is huge: enabling two-factor authentication, guys. It has to be a standard now. Microsoft is not the greatest, I shouldn't say they're not the greatest anymore, because now brand new 365 tenants have these security features enabled by default. But in all the ones before, two-factor authentication was not a standard, and once someone's email is compromised, there's very little you can do at this point. It's just better
to get 365 two-factor turned on, otherwise someone's going to get in there, they're going to see all the past email, they'll try to create weird rules, and two-factor is the best way to make sure nobody is logging into those mailboxes but the user who owns that mailbox. It's an instant deterrent. As soon as you see "please enter the code that we've sent to your phone", most people will stop at that point; it's pointless to continue trying to get into that account. Right. The other thing you can train your users on is, if they're randomly getting text messages to their phone saying "here's the code for the login" and they're not doing that, it's like, okay, you need to let IT know so we can figure out what's going on. For sure, yeah. There's tons of stuff within 365. You can look in login attempt logs, you can see where those attempts are coming from, obviously reset passwords and re-secure that account so the user doesn't have anything to worry about. Right, cool. Next one: SPF record and DKIM signatures. You want me to jump on that one, or do you feel like this is your wheelhouse, man? Sure. Okay, so inherently, when email is sent between two systems, the spam filter's job is to determine if this is a good email or not, and the main thing the spam filter can do is see, if I get email from Michael, did it come from Michael's approved email server? The only way that spam filter knows if this is legit or not is if we hard-coded the SPF record to say yes. So, for example, if you have Microsoft 365, your SPF record should say only allow email from 365 and then hard fail it
if it's not from that. What that means is any email sent to the world not from 365 on behalf of Michael, consider it spam. Smart. Yep. The second thing is DKIM signatures, that's called domain signing. What that does is really help your emails from a deliverability standpoint. So when you're sending email to a third-party domain, it'll look to see if the SPF record is correct, but the second data point it's going to look at is the DKIM record, and so if that is set up properly, the email that you're sending out to third parties has a much higher chance of hitting the inbox. Something really great to have on hand and make sure it's set up properly to protect your organization. Right, right, cool. And number eight, Michael, you want to take that one? I will discuss this one, yeah. So, excuse me, Microsoft has a predefined set of security settings that by default are enabled whenever you spin up a new tenant. However, the settings on that filter and those rules are not as hard as they should be to really protect your organization as much as you can and should. With that being said, there's just a couple of specific settings that we wanted to make sure to touch on. As you admins out there are setting up these tenants, these are go-tos to make sure that these are getting set up with the correct settings. All of these will be within the Exchange admin center of 365.
Once you're in the admin center, the first would be under the Protection setting over on the left. From there you'd go into the malware filter and make sure that it is, first, on, and then additionally make sure that the "enable common attachment types filter" and the "enable malware zero-hour auto purge" are both enabled as well. Those are going to make sure that, as those emails are coming in through 365, if you don't have something like IronScales protecting the inbox before it gets there, then 365 itself can do scans on those emails looking for specific signatures that have been determined by Microsoft, and by default just flag those and quarantine them before they ever reach end users' inboxes. Right, agreed. Yeah, the other thing you can do too is just change the general bulk level from the default of seven. We drop ours down to two for almost every customer, and that seems to be the sweet spot where it stops most of the junk from coming through. Yeah, a lot of that bulk mail is mostly marketing ads, things just to clutter up your inbox, and it's just unnecessary. Right, agreed. The other thing is under the spam filter in the advanced settings, there's an NDR backscatter as well as that SPF hard fail that Brian had discussed previously, in addition to some conditional sender ID filtering. All of those should definitely be set and have some pretty high settings in order to keep yourself protected. Agreed. Cool.
So when it generally comes to email security, if we did a quick wrap-up, what would you say, if customers didn't know where to start and they just wanted to pick a couple of things on this list, what do you think is the most important thing to do to protect your email security system? Without a doubt, two-factor authentication is the big thing. Anytime that you can enable users to have that extra layer of security protecting their account, especially with something as foolproof as two-factor, it's got to be done by default out of the gate. Right. The next best thing would be some kind of additional email filter that has some form of community support or ongoing support that's constantly updated, so that, in addition to 365, as great as 365 is, there's never any problem with having an extra set of eyes on things, especially someone that specializes specifically in looking for things like phishing and malware and spam. You literally took the words out of my mouth. I was going to say after 2FA it's going to be anti-phishing security, and you went right there, and I couldn't agree more. For sure. Awesome. Looks like we have a few people in the audience. Does anybody in the audience want to ask any questions before we head out? Give them a couple of seconds in case they're thinking on it. Yeah, doesn't look like there are any questions. Cool, so yeah.
This is our first episode. I'm really happy to get it done, and it was a little bit of a learning experience here, but I'm excited for the next episode and we'll post an update shortly. Had a great time with you, Brian. Look forward to it. Cool. Thank you.