Decreasing online phishing threat and handling lost credentials

A lot of organizations, when they move to Microsoft 365 (Exchange Online), start noticing an increase flow of phishing emails. Phishing emails are emails which resemble a "Please reset your expired Microsoft 365 password" with a link and then send the user to a page which seems to be a normal office 365 login but isn't

The user inputs the credentials, and it either redirects him/her to the actual office portal or says wrong password or username while saving the compromised credentials for a later hack

The reason why this starts happening when you move to Exchange Online is because it's a lot easier to check a user stolen credentials against well-known endpoints instead of having to tailor made a solution for a specific organization/domain

So How do I stop phishing emails?, the answer is that it's not possible to do it 100%.

There are 3 main steps which will decrease considerably your risk of having compromised credentials and even if that happens it won't be danger

  • Configure a TXT SPF record. This basically tells the recipient email server which servers are authorized to send messages from a domain. You can check step by step tutorial here but if you'd like the TLDR version: Add a TXT entry to your DNS with host=@ and value=v=spf1 -all
  • Activate Multi-factor authentication.This one has user experience impact because if you require them to always put a mobile code or use authenticator app they might start complaining. But if you have Multi factor authentication as required for condition access then you have a really good solution
  • Activate Conditional Access.Conditional access is actually great when paired with Sign In Risk. Sign In Risk calculates a score for each sign in attempt to caracterize how risky it is. For instance, if the credentials are sent from a country the user rarely or never visits then the Risk Will be High and multi factor authentication would be triggered.

What licenses are required to activate Conditional Access + Multi Factor Authentication ? To activate Mutli Factor authentication for the tenant's users, the administrator who is activating the feature needs a Microsoft 365 F1 license. For the Conditional Access based on Sign In Risk the administrator needs a Azure Active Directory Premium 2 plan

We recommend doing a quick check on our License Optimizer to get the best price

A step by step tutorial on how to activate Conditional Access can be found here a summary of the steps is:

  • Make sure the administrator user has a Microsoft 365 F1 and Azure Activie Directory Premium 2 licenses active
  • Go to and open Active Directory
  • Click Security under the left sub menu entry
  • Select Conditional Access and create a new Policy
  • Under Users or Workloads entities make sure to put a small group for testing
  • Under Conditions select "Sign in risk" Medium / High
  • On Grant check "Grant access" - "Require multi-factor authentication"
  • Save it and test it (use a vpn to make multiple logins for different countries). It should request a second method of identity verification
  • Apply to all users

Last important note, if you decide that all users should have multi-factor authentication always on please consider that flows connected to those users might start failing.