Decreasing online phishing threat and handling lost credentials
A lot of organizations, when they move to Microsoft 365 (Exchange Online), start noticing an increased flow of phishing emails. These are typically emails that resemble a "Please reset your expired Microsoft 365 password" notice, with a link that sends the user to a page which looks like a normal Office 365 login but isn't.
The user enters their credentials, and the page either redirects them to the actual Office portal or reports a wrong username or password, while saving the captured credentials for a later attack.
The reason this starts happening when you move to Exchange Online is that it's a lot easier for an attacker to check stolen credentials against well-known endpoints than to tailor a solution to a specific organization or domain.
So how do I stop phishing emails? The answer is that it's not possible to do it 100%.
There are three main steps which will considerably decrease your risk of having compromised credentials, and even if that happens, it won't be dangerous.
- Configure a TXT SPF record. This basically tells the recipient email server which servers are authorized to send messages for a domain. You can check the step-by-step tutorial here, but if you'd like the TL;DR version: add a TXT entry to your DNS with host=@ and value=v=spf1 include:spf.protection.outlook.com -all
- Activate multi-factor authentication. This one has a user experience impact, because if you require users to always enter a mobile code or use an authenticator app they might start complaining. But if you require multi-factor authentication through Conditional Access, you have a really good solution.
- Activate Conditional Access. Conditional Access is actually great when paired with Sign-in Risk. Sign-in Risk calculates a score for each sign-in attempt to characterize how risky it is. For instance, if the credentials are sent from a country the user rarely or never visits, the risk will be High and multi-factor authentication will be triggered.
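As an added example (not part of the original post), a small Python checker for the SPF record described in the first step: it parses a TXT value into its mechanisms and reports records that do not include spf.protection.outlook.com, that end in something weaker than -all, or that have no "all" at all. The sample records are constructed.

```python
from __future__ import annotations

# SPF qualifiers: "+" pass (default when omitted), "-" fail, "~" softfail, "?" neutral.
_QUALIFIERS = "+-~?"

def parse_spf(record: str) -> list[tuple[str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism) pairs.

    Raises ValueError when the record does not start with the v=spf1 tag.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 tag")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed

def check_m365_spf(record: str, expected_include: str = "spf.protection.outlook.com") -> list[str]:
    """Return findings for the SPF record of a domain that sends mail via Exchange Online.

    An empty list means the record has the recommended shape:
    v=spf1 include:spf.protection.outlook.com -all
    """
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    includes = {m.split(":", 1)[1] for _, m in terms if m.startswith("include:")}
    if expected_include not in includes:
        findings.append(f"missing include:{expected_include}; mail sent via Exchange Online will not pass SPF")
    all_positions = [i for i, (_, m) in enumerate(terms) if m == "all"]
    if not all_positions:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of a fail")
    else:
        last = all_positions[-1]
        qualifier = terms[last][0]
        if qualifier == "+":
            findings.append("'+all' authorizes every server on the internet to send for this domain")
        elif qualifier in "~?":
            findings.append(f"'{qualifier}all' only soft-fails or is neutral; spoofed mail may still be delivered, use -all")
        if last != len(terms) - 1:
            findings.append("mechanisms listed after 'all' are never evaluated")
    return findings
```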
What licenses are required to activate Conditional Access + multi-factor authentication? To activate multi-factor authentication for the tenant's users, the administrator who is activating the feature needs a Microsoft 365 F1 license. For Conditional Access based on Sign-in Risk, the administrator needs an Azure Active Directory Premium P2 plan.
We recommend doing a quick check on our License Optimizer to get the best price.
A step-by-step tutorial on how to activate Conditional Access can be found here; a summary of the steps is:
- Make sure the administrator user has Microsoft 365 F1 and Azure Active Directory Premium P2 licenses active
- Go to portal.azure.com and open Active Directory
- Click Security in the left-hand sub-menu
- Select Conditional Access and create a new Policy
- Under Users or workload identities, make sure to scope the policy to a small group for testing
- Under Conditions, select "Sign-in risk" Medium / High
- Under Grant, check "Grant access" - "Require multi-factor authentication"
- Save it and test it (use a VPN to make multiple logins from different countries). It should request a second method of identity verification
- Apply to all users
One last important note: if you decide that all users should have multi-factor authentication always on, please consider that flows connected to those users might start failing.