[This is a guest post by Chris Lehr, Patriot’s top email security expert]
1) Configuration of Allow Lists in an insecure manner
If you use the Antispam Allowed Senders or Allowed Domains lists, an Antispam IP Allow List, or an Exchange Online transport rule that sets the SCL (Spam Confidence Level) to -1 to bypass Microsoft antispam filtering, you may have inadvertently granted far too broad an allowance! I rely HEAVILY on Microsoft's Create Safe Sender lists article to document the risks and to help customers change their mind about how to allow email into their organization more securely. If you are allowing any email in with these methods, I recommend auditing the messages that were admitted because of that configuration, determining the appropriate Zero Trust methodology for allowing them, and then removing them from the less secure allowance methods!
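As an added example (not code from the original post), this inventories the three allowance mechanisms just described so each entry can be reviewed and migrated. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline with a role that can read these policies.

```powershell
# Added example: list every allowance that bypasses or weakens spam filtering.
# Assumes Connect-ExchangeOnline has already been run.

function Get-SpamAllowanceInventory {
    # 1. Antispam policy Allowed Senders / Allowed Domains
    Get-HostedContentFilterPolicy | ForEach-Object {
        [pscustomobject]@{
            Source  = "AntispamPolicy:$($_.Name)"
            Allowed = (@($_.AllowedSenders) + @($_.AllowedSenderDomains)) -join ', '
        }
    } | Where-Object { $_.Allowed }

    # 2. Connection filter IP Allow List (skips all content filtering)
    Get-HostedConnectionFilterPolicy | ForEach-Object {
        [pscustomobject]@{
            Source  = "ConnectionFilter:$($_.Name)"
            Allowed = @($_.IPAllowList) -join ', '
        }
    } | Where-Object { $_.Allowed }

    # 3. Transport rules that set SCL -1 (bypass Microsoft antispam entirely)
    Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
        [pscustomobject]@{
            Source  = "TransportRule:$($_.Name) [$($_.State)]"
            Allowed = (@($_.SenderDomainIs) + @($_.SenderIpRanges)) -join ', '
        }
    }
}

# Review the result, then work each row into a Tenant Allow/Block List entry
# or another Zero Trust allowance before removing it from the list above.
Get-SpamAllowanceInventory | Format-Table -AutoSize -Wrap
```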
2) Lack of use or misconfiguration in Impersonation
It's really simple to turn on all of the Impersonation settings, but many customers hesitate to lean into the configuration further or lack the understanding to do so. Here are the things I speak to most often in conversations about Impersonation:
a. Insufficient population of the TargetedUserstoProtect
This should be company leadership, executives, board members and other corporate influencers in your organization: the people who, if you received an email from them saying "Do this for me now", would make you drop your current task to address their needs.
b. Infrequent review of the TargetedUserstoProtect
I commonly find customers culling this list live in our sessions to remove departed staff. This should be a regular, routine review, especially if you are finding the limit of 350 users challenging. The bigger the organization, the more frequently this list should be reviewed!
c. Stuck at a threshold of 1
"It generates too many false positives" is a common complaint when I see customers stuck at a threshold of 1. This is usually because the false positives (FPs) were never added to the Trusted Senders and Domains in the AntiPhish policy, and the user and/or the administrator became frustrated. We recommend getting to a threshold of 2 or 3, but it's best to grow to this gradually as you learn to handle the FPs that each jump in threshold is likely to generate.
d. Stuck at allowing the users to access the emails
When I see customers using Impersonation and still only moving messages to Junk Mail as the action, it's usually also because of the FP rate and wanting the users to self-resolve. If we really want to stop impersonation from happening, we need to keep these emails out of users' reach and move to a more stringent action!
e. The common name issue
Lots of organizations have a CEO named James Smith (Thomson Reuters' and First Health Group's CEOs share that name), and that makes their inclusion on TargetedUserstoProtect difficult. What it means is that any James Smith on the Internet emailing into your organization will generate an FP. That can be a lot of FPs, or it can be a lot of genuine detections of malicious intent. It's up to the individual administrative team to determine whether inclusion on this list generates more FPs or more protection for their users. A common question around this: the Trusted Senders and Trusted Domains lists are limited to 1024 items, far more than the 350 targeted users to protect!
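As an added example (not code from the original post), this applies items a through e above to a custom antiphish policy: populating the protected users, moving the threshold off 1, quarantining instead of junking, recording FPs as trusted senders, and reviewing the list for departed accounts. It assumes Connect-ExchangeOnline has run and that "Company Antiphish" is your custom policy; the people, domains and addresses are constructed placeholders.

```powershell
# Added example: tune user impersonation protection in a custom antiphish policy.
# Assumes Connect-ExchangeOnline has run; all names and addresses are placeholders.
$policy = "Company Antiphish"

# a. Populate TargetedUsersToProtect. Each entry is "DisplayName;EmailAddress".
$targets = @(
    "Jane Doe;jane.doe@example.com",   # CEO
    "Sam Lee;sam.lee@example.com"      # CFO
)
# The list is capped at 350 entries, so fail early rather than silently truncating.
if ($targets.Count -gt 350) { throw "TargetedUsersToProtect cannot exceed 350 entries" }

# c. Threshold 2 (raise gradually as FPs are handled); d. quarantine rather than junk.
Set-AntiPhishPolicy -Identity $policy `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $targets `
    -TargetedUserProtectionAction Quarantine `
    -PhishThresholdLevel 2

# c./e. Record known false positives as trusted senders/domains instead of
# lowering the threshold or removing the executive from the list.
Set-AntiPhishPolicy -Identity $policy `
    -ExcludedSenders @{Add = "james.smith@partner-example.com"} `
    -ExcludedDomains @{Add = "trusted-vendor-example.com"}

# b. Routine review: flag protected users whose mailbox no longer exists.
function Get-StaleProtectedUsers {
    (Get-AntiPhishPolicy -Identity $policy).TargetedUsersToProtect | ForEach-Object {
        $address = ($_ -split ';')[-1]
        $exists  = [bool](Get-Recipient -Identity $address -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Entry = $_; StillInDirectory = $exists }
    } | Where-Object { -not $_.StillInDirectory }
}
Get-StaleProtectedUsers | Format-Table -AutoSize
```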
3) Safe Links allowing Click Through
If you are using Safe Links and "allow click through" is checked, your users can click a potentially malicious link and will see "Continue anyway (not recommended)" on the warning page. Worst of all, the default Built-In Safe Links policy allows this; thankfully the Standard and Strict preset policies have it unchecked. The other thing that, in my opinion, makes a custom policy worthwhile here is organizational branding: add it so your users know and understand that this is an IT implementation. I also highly recommend the "custom notification" in Safe Links so you can add "in the know" verbiage such as "If you feel you received this error incorrectly, contact the NSM IT Service Desk at x4444", which further hints to employees that this is an IT implementation and not a random internet pop-up they've happened upon.
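As an added example (not code from the original post), this first lists which Safe Links policies still allow click-through, then creates the custom policy the section recommends: click-through off, branding on, and a custom notification. It assumes Connect-ExchangeOnline has run; the policy name, notification text and recipient domain are placeholders.

```powershell
# Added example: audit click-through, then build a branded custom Safe Links policy.
# Assumes Connect-ExchangeOnline has run; name, text and domain are placeholders.

# Audit: AllowClickThrough = True means users can bypass the warning page.
Get-SafeLinksPolicy | Select-Object Name, AllowClickThrough, EnableOrganizationBranding

# Fix: custom policy with click-through disabled and an IT-branded notification.
$name = "Company Safe Links"
New-SafeLinksPolicy -Name $name `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableOrganizationBranding $true `
    -CustomNotificationText "If you feel you received this warning incorrectly, contact the IT Service Desk at x4444."

# Scope the policy to your recipients; the rule is what makes the policy apply.
New-SafeLinksRule -Name $name -SafeLinksPolicy $name -RecipientDomainIs "example.com"
```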
4) Misunderstanding or misconfiguration of Tenant Allow/Block list for Spoofed Senders
This is firmly an Exchange Online Protection feature, but I am consistently surprised by how often I find it unconfigured for customers who are clearly allowing spoofing of domains in other ways (usually the ones mentioned in #1 above), frequently because "the fix we used solved the problem", even though it may have inadvertently allowed more email in. Frequently this is evidenced by an entry like [email protected] in the Antispam safe senders list; when we ask, the customer says "without that, the emails from our SaaS get junked", when what is needed is a simple entry in the Tenant Allow/Block List for that email address, plus the sending service's details. In order of preference:
a. DKIM signature – most future proof!
b. PTR DNS of connecting server
c. IP subnet as a /24 – least future proof; try not to hard-code IPs!
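As an added example (not code from the original post), this replaces a blanket Antispam allowed sender with a Tenant Allow/Block List spoof entry tied to the sending service, choosing the sending infrastructure in the order of preference above. It assumes Connect-ExchangeOnline has run; billing@example.com (an address in your own domain that the SaaS sends as) and the sending infrastructure value are placeholders.

```powershell
# Added example: swap a broad allowed-sender entry for a scoped spoof allow entry.
# Assumes Connect-ExchangeOnline has run; addresses and infrastructure are placeholders.

$spoofedSender = "billing@example.com"   # your own address that the SaaS sends "as"

# Sending infrastructure, most to least future proof:
#   a. the d= domain of the DKIM signature the service applies
#   b. the PTR (reverse DNS) domain of the connecting server
#   c. the /24 containing the connecting IP, e.g. 203.0.113.0/24, only as a last resort
$sendingInfrastructure = "mail.saas-provider-example.net"

# The spoofed address is in one of your own domains, so the spoof type is Internal;
# use External when a third party's address is being spoofed instead.
New-TenantAllowBlockListSpoofItems -Identity Default `
    -Action Allow `
    -SpoofType Internal `
    -SpoofedUser $spoofedSender `
    -SendingInfrastructure $sendingInfrastructure

# Now that only this infrastructure may send as the address, remove the blanket
# allowance that let anyone on the Internet spoof it.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenders @{Remove = $spoofedSender}
```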
5) A firm understanding of email message authentication
It's really easy to glaze over when we talk SPF, DKIM, and DMARC; there is a lot to understand from both the sender's and the recipient's point of view. The more you understand these technologies, the better you will be able to secure your organization's users as well as its brand integrity, by aligning all the email traffic your organization sends, not just the traffic that routes through Microsoft 365. And the lessons you learn aligning your own SPF and DKIM will help immensely in understanding how the Microsoft stack evaluates inbound email traffic with regard to authentication.
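As an added example (not code from the original post), this parses the Authentication-Results header that Exchange Online stamps on inbound mail and shows why DMARC passes or fails in terms of SPF and DKIM alignment with the From domain. The header text is constructed sample input, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```powershell
# Added example: explain a DMARC result from EOP's Authentication-Results header.
# Organizational domain is approximated (last two labels); sample header is constructed.

function Get-OrgDomain([string]$Domain) {
    $labels = $Domain.ToLower().TrimEnd('.') -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DmarcAlignment([string]$AuthResults) {
    $m = @{}
    # Verdicts: spf=, dkim=, dmarc=, compauth=
    foreach ($key in 'spf', 'dkim', 'dmarc', 'compauth') {
        if ($AuthResults -match "(?i)\b$key=(\w+)") { $m[$key] = $Matches[1].ToLower() }
    }
    # Identifiers: envelope MAIL FROM domain, DKIM d= domain, header From domain
    foreach ($key in 'smtp.mailfrom', 'header.d', 'header.from') {
        if ($AuthResults -match "(?i)$([regex]::Escape($key))=([\w.-]+)") { $m[$key] = $Matches[1].ToLower() }
    }
    $from = $m['header.from']
    # Relaxed alignment: the authenticated domain shares the From organizational domain
    $spfAligned  = ($m['spf']  -eq 'pass') -and ((Get-OrgDomain $m['smtp.mailfrom']) -eq (Get-OrgDomain $from))
    $dkimAligned = ($m['dkim'] -eq 'pass') -and ((Get-OrgDomain $m['header.d']) -eq (Get-OrgDomain $from))
    [pscustomobject]@{
        FromDomain   = $from
        SpfResult    = $m['spf']
        SpfAligned   = $spfAligned
        DkimResult   = $m['dkim']
        DkimAligned  = $dkimAligned
        DmarcPasses  = ($spfAligned -or $dkimAligned)   # DMARC needs one aligned pass
        StampedDmarc = $m['dmarc']
        CompAuth     = $m['compauth']
    }
}

# Constructed sample: SPF passes only for the bulk mailer's bounce domain (not aligned),
# but the DKIM signature is from the From domain, so DMARC still passes.
$sample = 'spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce.mailer-example.net; ' +
          'dkim=pass (signature was verified) header.d=example.com; ' +
          'dmarc=pass action=none header.from=example.com; compauth=pass reason=100'
Test-DmarcAlignment $sample
```

Pasting the Authentication-Results line from a message you sent through a third-party service shows which of SPF or DKIM is carrying your alignment, which is exactly the gap to close before publishing a stricter DMARC policy.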
6) Not maximizing your usage of Microsoft Quarantine
If you are using Quarantine as an action on ANY of your emails in a user-facing manner (that is, with anything other than the AdminOnly quarantine policy), you really should review the control you can gain by using custom quarantine policies. If you have not looked here in some time, you might not know that a few options have changed in recent years, such as allowing users to "Request Administrator to Release" an email: for risks where we might not want end users making the final decision, we can involve an administrator to make the final call before a potentially harmful email is released. We can also now opt not to notify users about quarantined emails from senders they have blocked. I love this feature, as it has annoyed me personally in the past to get a quarantine notification that the person I blocked is STILL trying to contact me about my car warranty.
7) Not reviewing reporting tools frequently enough (or at all)
This ties in directly to the Impersonation and Spoofing items above: the reports on these, the Impersonation Insight report and the Spoof Intelligence Insight report, are both fantastic tools for seeing how your configuration is doing in those two areas. If you are trying to build and tune around these and are not regularly reviewing the reports, you are missing out on some key data points!
8) Not utilizing or not reviewing your user submissions
This one can be tricky. LOTS of customers still use third-party reporting tools, and one of the downsides used to be that you had to choose which add-in to use. Microsoft recently updated the third-party reporting tool section to offer more of a "better together" solution, which lets organizations using a third-party tool still see these reported emails in the Microsoft dashboard, so you keep the ability to help train the machine learning, to apply automation to phishing attempts that are not from a phish simulation, and to convert them easily to administrative submissions. So, if you use a third-party tool, you may want to re-review the capabilities here; this changed in 2024!
9) Build your Threat Explorer and KQL skills
There's not an email administrator I've met who can't crack a joke about the billions of junk emails we've seen in our careers. Don't let those numbers break you; learn how to sift and filter to surface those emails and turn them into actionable lists. Threat Explorer is one of my personal favorite tools and is absolutely the reason to buy into MDO Plan 2. I can use this tool to very quickly review and help tune a customer environment, find examples and anomalies in configurations, and take bulk action depending on the needs (and permissions!).
Similarly, KQL (Kusto Query Language) is just another way to access that same data, albeit programmatically rather than by sorting and filtering. I urge admins to try performing some of their Threat Explorer queries in KQL just to show it's the same data; once you get into the language and the schema more, you can do some pretty impressive things you cannot do in Threat Explorer, like inner and outer joins, summaries, and even graphing. KQL can also extend beyond the EmailEvents schema, so you can cross over into Endpoint and Identity with this skillset as well!
10) Staying up to Date
Unless you are constantly poking around in PowerShell and the web UI for EOP and MDO, it's easy to miss updates. Here are some places I check frequently to ensure I don't miss any updates in these workloads!
a. Microsoft SCI blog filtered for MDO
Need help? Email us at Hello At PatriotConsultingTech.com
