Five Tips to Secure M365 Business Standard

Five Security Measures you can put in place to improve the security of M365 Business Standard

How to improve security in M365

Microsoft has added a lot of security features to the M365 platform, but not all of them are available to all license levels. If you are licensed for M365 Business Standard you won’t have access to all the security features in the platform, so let’s focus on what is available to your tenant and review the Top 5.

1. Setup multi-factor authentication for all users
2. Create dedicated admin accounts
3. Filter out commonly malicious attachments from email
4. Use mail flow rules to warn users about potentially dangerous attachments
5. Use mail flow rules to prevent auto-forwarding of email

How do these improve security?

1. Multi-factor Authentication

Enabling multi-factor authentication (MFA) for all users adds an additional layer of security when your users login. Since all M365 is hosted in the cloud, the only way to verify access is by username and password - unless you also have MFA enabled. Before organizations moved to M365, they would often have a server in their office, with a firewall protecting the office network from the outside. Limiting who was able to talk to the server. Since M365 is on the internet, everyone has access. If an attacker can guess your users’ usernames and passwords then they can get in.
Enabling MFA greatly complicates things for an attacker.

2. Dedicated Admin Accounts

Admin accounts have extra permissions and privileges, so if an admin user is tricked into opening a malicious email or clicking on a malicious link it can have serious consequences for the business. One of the best ways to avoid this is to not have an email account for your admin accounts. The same person opening a malicious email, but logged in as a regular user has a much smaller impact on the business - as this user shouldn’t have the full system administration power of a Global Admin account.

3. Filter out commonly malicious attachments

Preventing a malicious email from getting to your users will save them from having to identify that the email is malicious. Otherwise, it’s up to the user to figure out that the email is malicious. Ransomware gangs and Virus writers are constantly trying to improve their emails, to make them look more legitimate, so that they get opened more often. Having rules filter out potentially malicious email attachments takes some of the burden off your users.

4. Use mail flow rules to warn about potentially dangerous attachments

Office Macros are very powerful. Viruses and ransomware can be spread by macros in office documents. Using mail flow rules in M365 you can add a warning to messages that have attachments with macros. This warning will tell users that they need to be careful before they open the attachment.

5. Use mail flow rules to prevent auto-forwarding email

Business Email Compromise (BEC) attacks will often use auto-forwarding of emails to trick accounting staff into updating the payment information for legitimate invoices, so that the attacker gets paid instead of the vendor. (If you are interested in seeing more on this, I’ve written up a detailed post on BEC.) The mail flow rule will prevent this auto-forwarded email from going out, making this attack much harder.

Which should you do?

I recommend all of these.
Items 1, 2 and 3 would be my minimum recommendation. Items 3 and 4 might need a bit more investigation and discussion with users, to make sure the changes aren’t going to impact operations, but this is generally not too disruptive. Item 5 could be an issue if your business has a legitimate reason to use this feature, if that’s the case I’d suggest discussing with the user(s) that have auto-forward setup and see if there is another way to solve the business need or replace the process, because reducing the risk of BEC attacks is certainly worth the conversation. (The median BEC incident lead to a loss of $30,000 USD in 2021, it’s worth talking to your users about preventing this.)

Next Steps

Microsoft has written up the steps for implementing these but their numbering is a bit different from mine. I’ve skipped over their #2, because, while certainly valid, it doesn’t make use of M365 technology or features. So, their #3, is my #2. Their #4 is my #3, etc. Their list also covers M365 Business Premium, but the features only available to the Premium license start at #7, so just stop at 6 if you are using Business Standard licensing.

If you need help with any of this drop a comment or look me up on LinkedIn