⏱️ Stop account takeovers in 60 minutes: your email security tune‐up
7 guardrails, one checklist—start with MFA, Safe Links, and DMARC.

🛡️ Email Security Tune‑Up for Microsoft 365 (SMB Edition)
✉️ A practical, cloud‑first checklist to harden Outlook and Exchange Online fast—no jargon, no drama.
TL;DR
🔒 Turn on MFA for everyone, kill legacy logins, and enforce Conditional Access basics.
🧪 Enable Safe Links/Safe Attachments and block auto‑forwarding outside your domain.
🛡️ Close the loop with SPF, DKIM, DMARC and a “report phish” button + monthly review.
Why It Matters (Proof in 60 seconds)
Risk: ⚠️ Most breaches start in email via phishing, malware, or credential stuffing.
Cost: 💸 A single compromised mailbox can expose client data and trigger notification requirements and fraud losses.
Pressure: 📣 Clients and auditors increasingly expect MFA, DMARC, and user reporting as table‑stakes.
What “Good” Looks Like (KPIs you can measure)
✅ MFA coverage: 100% of users and admins; 0 break‑glass account sign‑ins in the last 30 days.
⛔ Legacy auth: 0 successful legacy protocol logins.
🛡️ Safe Links/Attachments: On for all users.
🚫 External forwarding: Blocked tenant‑wide; monitored exceptions.
🌐 Domain protection: SPF pass; DKIM aligned; DMARC policy at quarantine or reject with <1% aligned‑fail.
📬 User behavior: ≥3 phish reported per 25 users/month; <1 click‑through in simulations.
🔔 Alerts: High‑risk sign‑in and impossible travel alerts reviewed weekly.
The 80/20 Plan (60‑Minute Checklist)
1. 🔒 MFA for everyone
Admin Center → Users → Per‑user MFA or Conditional Access policies. Use Microsoft Authenticator + number match; enable trusted device sign‑in.
2. ⛔ Kill legacy authentication
Entra ID → Protection → Security defaults (on) or Conditional Access → Block legacy auth.
3. 🧱 Baseline Conditional Access
Require MFA for all users; require compliant or hybrid‑joined device for admins; block from countries you don’t operate in; session sign‑in frequency 12–24h.
4. 🧪 Safe Links & Safe Attachments
Defender for Office 365 → Policies → Threat policies: turn on Safe Links for email + Office apps; enable Safe Attachments with Dynamic Delivery.
5. 📤🚫 Block auto‑forwarding to external
Exchange Admin Center → Mail flow → Remote domains/Transport rules: disable automatic forwarding; create exception for approved shared services if needed.
6. 🧾 SPF, DKIM, DMARC
Publish SPF for your sending services; enable DKIM in M365; add a DMARC record at p=quarantine (start at p=none if monitoring first). Review reports weekly and move to p=reject.
7. 📣 User reporting + training
Deploy “Report Phishing” add‑in; enable Microsoft Attack Simulation monthly; 5‑minute micro‑training with two real examples from your org.
💡 Tip: If time is tight, do steps 1–4 today. Do 5–7 this week.
How To (Microsoft 365)
🔒 MFA & Conditional Access
Entra ID → Protection → Conditional Access: Policy 1 – All users: require MFA; Policy 2 – Admin roles: require compliant device; Policy 3 – Block legacy auth; Policy 4 – Location: block countries not used.
⛔ Disable legacy protocols
Exchange Admin Center → Settings → Authentication: Disable IMAP, POP, SMTP AUTH for users by default; enable only per‑user if required.
🧪 Safe Links
Defender → Policies → Safe Links: On for email and Office apps; URL click protection; exclude internal domains from URL rewriting if needed.
📎🛡️ Safe Attachments
Defender → Policies → Safe Attachments: Dynamic Delivery; Enable “block” action; Monitor verdicts for false positives.
📤🚫 External forwarding
Exchange → Mail flow → Rules: “Block auto‑forward outside the organization” with exceptions for specific mailboxes/services.
🧾 SPF/DKIM/DMARC
M365 Defender → Email & collaboration → DKIM: Enable for primary and custom domains.
DNS examples:
SPF:
v=spf1 include:spf.protection.outlook.com include:{{other-senders}} -all
DKIM: Two CNAMEs per domain as provided by M365.
DMARC (start):
_dmarc TXT "v=DMARC1; p=none; rua=mailto:dmarc@{{domain}}; fo=1"
→ move to p=quarantine, then p=reject, as alignment improves.
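Before moving the policy from p=none to p=quarantine to p=reject, the weekly review comes down to one number from the aggregate (rua) reports: the share of mail that fails both aligned DKIM and aligned SPF, which the KPI above caps at 1%. The script below is an added example, not code from the original post; the XML is a constructed sample in the aggregate-report shape, with placeholder domain and documentation-range IPs.

```powershell
# Added example (not from the original post): compute the aligned-fail rate from one DMARC
# aggregate (rua) report and list the sources behind it. The XML is a constructed sample
# in the standard aggregate-report shape; contoso.example and the IPs are placeholders.
[xml]$report = @"
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
  <policy_published><domain>contoso.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>950</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers></record>
</feedback>
"@

function Get-DmarcAlignedFailRate([xml]$Feedback) {
    $total = 0; $failed = 0; $failingSources = @{}
    foreach ($rec in $Feedback.feedback.record) {
        # 'count' is read through the indexer so it does not collide with PowerShell's own .Count
        $n  = [int]$rec.row['count'].InnerText
        $pe = $rec.row.policy_evaluated
        $total += $n
        # DMARC passes when either aligned DKIM or aligned SPF passes; both failing is an
        # aligned-fail, which is exactly what p=quarantine / p=reject would act on
        if ($pe.dkim -ne "pass" -and $pe.spf -ne "pass") {
            $failed += $n
            $failingSources[$rec.row.source_ip] += $n
        }
    }
    [pscustomobject]@{
        Total          = $total
        AlignedFail    = $failed
        AlignedFailPct = [math]::Round(100 * $failed / [math]::Max($total, 1), 2)
        FailingSources = $failingSources   # source IP -> message count, for the weekly review
    }
}

$r = Get-DmarcAlignedFailRate $report
$r | Format-List Total, AlignedFail, AlignedFailPct
# The sample gives 10 of 1000 = 1.00%, which is not under the 1% KPI: check 192.0.2.99 first
if ($r.AlignedFailPct -lt 1) { "Aligned-fail under 1%: safe to move to the next policy step" }
else { "Hold the policy; failing sources: $($r.FailingSources.Keys -join ', ')" }
```

Run it against each weekly report file with `[xml](Get-Content report.xml -Raw)` in place of the sample; a failing source that is one of your own senders means SPF or DKIM still needs fixing, not that the policy should wait.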
🔔 Reporting/Alerts
Defender → Incidents & alerts; Entra ID → Risky sign‑ins; subscribe to weekly digest.
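The portal steps in the 80/20 checklist and the How To section above are quick to click through but hard to re-verify next month. The script below is an added example, not code from the original post or from Microsoft: a read-only audit of those same settings using the ExchangeOnlineManagement module cmdlets and a DNS lookup, assuming an Exchange admin signs in and that $domain is replaced with your primary domain. It changes nothing.

```powershell
# Added example (not from the original post): read-only audit of the tune-up items against
# an Exchange Online tenant. Assumes the ExchangeOnlineManagement module is installed and
# an Exchange admin signs in. contoso.example is a placeholder for your primary domain.
Connect-ExchangeOnline -ShowBanner:$false
$domain  = "contoso.example"
$results = @()
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { "PASS" } else { "FAIL" }
    $script:results += [pscustomobject]@{ Check = $Name; Status = $status; Detail = $Detail }
}

# Kill legacy authentication: SMTP AUTH off tenant-wide, no mailbox still offering POP/IMAP
$tc = Get-TransportConfig
Check "SMTP AUTH disabled tenant-wide" $tc.SmtpClientAuthenticationDisabled "SmtpClientAuthenticationDisabled=$($tc.SmtpClientAuthenticationDisabled)"
$legacy = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled })
Check "No mailbox with POP/IMAP enabled" ($legacy.Count -eq 0) "$($legacy.Count) mailbox(es) still allow POP or IMAP"

# Block auto-forwarding to external: both the remote-domain switch and the outbound spam policy
$rd = Get-RemoteDomain -Identity Default
Check "Remote domain auto-forward disabled" (-not $rd.AutoForwardEnabled) "AutoForwardEnabled=$($rd.AutoForwardEnabled)"
$osp = Get-HostedOutboundSpamFilterPolicy -Identity Default
Check "Outbound spam policy AutoForwardingMode=Off" ($osp.AutoForwardingMode -eq "Off") "AutoForwardingMode=$($osp.AutoForwardingMode)"

# Safe Links for email + Office apps, Safe Attachments with Dynamic Delivery
$sl = @(Get-SafeLinksPolicy | Where-Object { $_.EnableSafeLinksForEmail -and $_.EnableSafeLinksForOffice })
Check "Safe Links on for email and Office apps" ($sl.Count -gt 0) "$($sl.Count) qualifying Safe Links policy(ies)"
$sa = @(Get-SafeAttachmentPolicy | Where-Object { $_.Enable -and $_.Action -eq "DynamicDelivery" })
Check "Safe Attachments with Dynamic Delivery" ($sa.Count -gt 0) "$($sa.Count) qualifying Safe Attachments policy(ies)"

# SPF, DKIM, DMARC: DKIM signing on in M365; SPF with -all and DMARC at quarantine/reject in DNS
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
Check "DKIM signing enabled for $domain" ([bool]$dkim -and [bool]$dkim.Enabled) "Enabled=$($dkim.Enabled)"
$txt = @(Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join "" })
$spf = $txt | Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1
Check "SPF includes spf.protection.outlook.com and ends in -all" ($spf -like "*include:spf.protection.outlook.com*" -and $spf -like "*-all") "$spf"
$dmarc = @(Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join "" }) | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
# (^|;) keeps sp=quarantine (subdomain policy) from being mistaken for the domain policy p=
Check "DMARC policy at quarantine or reject" ([string]$dmarc -match "(^|;)\s*p=(quarantine|reject)") "$dmarc"

$results | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A FAIL on a per-user POP/IMAP check names the mailboxes to revisit; the MFA and Conditional Access items live in Entra ID and are not covered by these Exchange cmdlets.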
Copy/Paste for Your Team (Internal Comms)
Subject: 🛡️ Quick email security tune‑up (action today)
Body: We’re turning on a few protections to cut phishing risk: multi‑factor for everyone, link/attachment scanning, and blocking auto‑forwarding outside the company. You may see one‑time prompts and rewritten links; both are normal. If something looks off, click Report Phishing in Outlook. Thanks for helping keep client data safe.
AI Prompts To Try (Self‑Service)
“Analyze these email headers and tell me if SPF, DKIM, and DMARC aligned and what that means: {{paste headers}}.”
“Draft a plain‑English note to staff explaining why we’ve blocked external auto‑forwarding and how to report suspicious emails.”
“Summarize the last 30 days of Defender alerts and suggest which 3 policies to tighten first.”
Compliance Mapping
NIST CSF: PR.AC‑1/7 (authN/MFA), PR.DS‑1 (data at rest), DE.CM‑7 (monitor for unauthorized activity), RS.AN‑1 (notifications).
CIS v8 (IG1/IG2): 4.1/4.2 (Secure email), 5.2 (MFA), 6.7 (Block legacy auth), 9.1 (Email web browser protections), 12.3 (Network monitoring & alerts).
FAQ
Q: Will Safe Links break our tools?
A: Most modern apps work fine. Add exceptions for known internal domains if you see issues.
Q: Why block external forwarding?
A: It’s a common data‑exfiltration path. Use approved shared mailboxes or integrations instead.
Q: Do we need DMARC at reject?
A: Aim for quarantine quickly; move to reject once reports show legitimate senders are aligned.
Next Steps
🧰 DIY: Use the checklist above and review DMARC reports weekly for a month.
🤝 Get help: Athencia can implement the tune‑up and monitor the first 30 days, then hand it back with a 1‑page runbook.
📅 Book time: Schedule a 30‑minute working session at https://athencia.com/contact