Effective Strategies for Safeguarding Against Phishing Attacks
Chapter 1 Understanding Phishing Threats
Has your organization faced phishing threats? It's crucial to safeguard both yourself and your team.
Phishing is defined as "A method used to obtain sensitive information, such as bank account numbers, through deceptive emails or websites, where the attacker pretends to be a legitimate entity." — Computer Security Resource Center
Defending against phishing is a comprehensive process. Let’s dive into the configurations and options available to establish robust protection.
Section 1.1 Identifying Anti-Phishing Configurations
To access the anti-phishing settings, follow these steps:
- Navigate to Microsoft 365 Defender > Policies & rules > Threat policies > Anti-phishing.
- Select the Office365 AntiPhish Default policy.
- Click on Edit protection settings.
Here, you'll find various anti-phishing options tailored for your organization.
Subsection 1.1.1 Phishing Email Sensitivity Levels
The phishing email sensitivity threshold controls how strictly the machine-learning models judge a message as a phishing attempt. The default level is the least restrictive, so it blocks the fewest phishing emails. Each more aggressive level blocks more phishing attempts but also raises the risk of filtering out legitimate emails, so raise it step by step and watch for false positives.
Section 1.2 Enhancing User Protections
This section allows you to activate anti-impersonation measures for specific people. For example, if your CEO, Ben Franklin, uses the email [email protected], you can enter both his display name and his address into the "Enable users to protect" field. Consequently, any email that impersonates Ben Franklin, for instance by using his name with a different sender address, will be automatically blocked from reaching your organization.
Subsection 1.2.1 Adding Trusted Senders and Domains
You've successfully configured certain users to thwart impersonation attacks, but what if the CEO (Ben Franklin) sends email from his personal Gmail account (Ben.F*******@gmail.com) and finds his messages blocked as impersonation? Fear not; you can whitelist this address through the Add trusted senders and domains feature.
Section 1.3 Utilizing Mailbox Intelligence
Mailbox intelligence plays a pivotal role in identifying acceptable impersonation attempts. It scans users' mailboxes to check if they've previously communicated with the sender. If they have, the email won’t trigger an impersonation alert.
Note: Mailbox intelligence requires the mailbox to be hosted on Microsoft 365. If you have on-premises mailboxes, they need to be migrated to Exchange Online for this feature to function.
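The portal steps in Chapter 1 can also be applied with Exchange Online PowerShell, which is useful for repeatable configuration and for auditing what is actually set. The following is an added example, not code from the original article or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a security administration role, and that the admin, CEO and personal addresses are constructed placeholders (the article redacts the real ones).

```powershell
# Added example (not from the original article): configure the default anti-phishing
# policy described in Chapter 1 with the Exchange Online PowerShell module.
# Assumptions: ExchangeOnlineManagement is installed, the account has a security
# administration role, and every address below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policyName = 'Office365 AntiPhish Default'

# Splatting keeps one setting per line so each choice can be commented.
$detection = @{
    Identity                            = $policyName
    # Subsection 1.1.1: 1 = Standard (the default). 2 = Aggressive. 3 and 4 block
    # more but raise the false-positive rate; step up one level at a time.
    PhishThresholdLevel                 = 2
    # Section 1.2: protect named people against display-name impersonation.
    # Each entry is "DisplayName;EmailAddress".
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Ben Franklin;ben.franklin@contoso.example')
    # Also treat look-alikes of the tenant's own domains as impersonation.
    EnableOrganizationDomainsProtection = $true
    # Subsection 1.2.1: the CEO's personal mailbox (placeholder) is a trusted
    # sender, so his own mail is not flagged as impersonation.
    ExcludedSenders                     = @('ben.franklin.personal@example.com')
    # Section 1.3: mailbox intelligence learns each user's regular contacts and
    # suppresses impersonation verdicts for senders they already correspond with.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
}
Set-AntiPhishPolicy @detection

# Verify what was applied before relying on it; a typo in the display name or
# address means the protection silently covers nobody.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List PhishThresholdLevel, EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableOrganizationDomainsProtection, ExcludedSenders,
                EnableMailboxIntelligence, EnableMailboxIntelligenceProtection

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script once with the trusted-sender line commented out, send a test message from the personal mailbox, and confirm it is quarantined as user impersonation; then re-run with the exclusion in place to confirm the exception works. That gives you evidence that both the protection and the allow-list behave as the portal settings describe.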
Chapter 2 Implementing Protection Techniques
The first video, Protecting Employees from Phishing Emails, discusses essential strategies for creating awareness among employees about phishing threats. It emphasizes the importance of training and the role of security settings in defending against phishing attacks.
Section 2.1 Addressing Spoofing
Spoofing involves sending email with a forged sender address. For instance, sending an email as yourself from your own Microsoft 365 tenant is legitimate. However, if someone sends mail as you from a different sending environment, those emails are classified as spoofed. Activate spoof intelligence to block such unauthorized emails.
Subsection 2.1.1 Allowing Necessary Spoofs
In some cases, spoofing is permissible. For instance, a newsletter may be sent on a partner's behalf by a third-party mailing service that is not one of that domain's authorized sending servers, so it looks spoofed even though it is expected. To permit such spoofing:
- Visit the Tenant Allow/Block List Spoofing page.
- Click Add, input the spoofed user and their sending infrastructure, set the spoof type, and then click Allow/Block.
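The same allow entry can be created from PowerShell, which also lets you review the spoof-intelligence detections first and list the exceptions you have granted. This is an added example, not code from the original article or from Microsoft; it assumes an existing Exchange Online PowerShell session, and the newsletter address and sending infrastructure are constructed placeholders.

```powershell
# Added example (not from the original article): allow one legitimate spoof, the
# newsletter case from Subsection 2.1.1, through the Tenant Allow/Block List.
# Assumptions: an Exchange Online PowerShell session is already connected; the
# sender address and sending infrastructure below are constructed placeholders.

# Step 0: look at what spoof intelligence has actually detected before adding an
# exception, so every allow corresponds to a real, expected sender.
Get-SpoofIntelligenceInsight |
    Format-Table SpoofedUser, SendingInfrastructure, SpoofType, Action

$spoofedUser  = 'news@partner.example'        # From: address that appears spoofed
$sendingInfra = 'mail.bulk-provider.example'  # infrastructure that really sends it

# Step 1: create the allow entry. SpoofType External means the spoofed sender's
# domain is outside this tenant; use Internal for one of your own domains.
New-TenantAllowBlockListSpoofItems -Identity Default `
    -Action Allow `
    -SpoofedUser $spoofedUser `
    -SendingInfrastructure $sendingInfra `
    -SpoofType External

# Step 2: list every external spoof allow so exceptions stay deliberate and
# auditable; a stale entry is a standing gap in spoof protection.
Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType External |
    Format-Table SpoofedUser, SendingInfrastructure, SpoofType, Action
```

Keep the allow as narrow as the pairing of spoofed user and sending infrastructure permits; allowing a whole domain rather than the one newsletter address widens what an attacker could send through the same exception.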
Section 2.2 Configuring Anti-Phishing Actions
To determine the response when a phishing attempt is detected, follow these steps:
- Open Microsoft 365 Defender > Policies & rules > Threat policies.
- Select the Office365 AntiPhish Default policy.
- Scroll down and click Edit actions.
You can set specific actions for various scenarios, including messages from impersonated users or domains.
The second video, Avoiding Phishing Scams: How to Spot and Prevent Email Phishing Attacks, provides invaluable insights into recognizing phishing attempts and employing preventative measures to protect your organization.
The Safety tips & indicators section will display alerts in Outlook for potentially unsafe emails. Here are some recommended settings:
- The Show first contact safety tip setting will notify you when you receive an email from a user for the first time.
- The Show user impersonation safety tip checkbox will alert you if the sender's name closely resembles someone you've previously communicated with.
- The Show domain impersonation safety tip will notify you if an external domain closely resembles one of your organization's domains.
- The Show user impersonation unusual characters safety tip will flag emails with unexpected characters in the sender's address.
- The Show (?) for unauthenticated senders for spoof checkbox will add a question mark to the sender's profile if their email fails SPF or DKIM checks.
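The actions from Section 2.2 and the safety tips listed above map to parameters of the same default policy, so they can be set and audited together. This is an added example, not code from the original article or from Microsoft; it assumes an existing Exchange Online PowerShell session and that quarantining is the response your organization wants for the confident impersonation and spoof verdicts.

```powershell
# Added example (not from the original article): set the response actions from
# Section 2.2 and the Outlook safety tips described above on the default policy.
# Assumption: an Exchange Online PowerShell session is already connected.
$policyName = 'Office365 AntiPhish Default'

$response = @{
    Identity                         = $policyName
    # Section 2.1: block unauthorized spoofs; spoofed mail that fails
    # authentication is quarantined rather than only moved to Junk.
    EnableSpoofIntelligence          = $true
    AuthenticationFailAction         = 'Quarantine'
    # Section 2.2: confident impersonation verdicts go to quarantine, where an
    # admin can review them; mailbox-intelligence verdicts are less certain, so
    # they go to the user's Junk Email folder instead.
    TargetedUserProtectionAction     = 'Quarantine'
    TargetedDomainProtectionAction   = 'Quarantine'
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Safety tips & indicators: each checkbox in the list above.
    EnableFirstContactSafetyTips     = $true   # first message from a sender
    EnableSimilarUsersSafetyTips     = $true   # sender name resembles a known contact
    EnableSimilarDomainsSafetyTips   = $true   # domain resembles one of ours
    EnableUnusualCharactersSafetyTips = $true  # unexpected characters in the address
    EnableUnauthenticatedSender      = $true   # "?" on senders failing authentication
}
Set-AntiPhishPolicy @response

# Confirm the effective actions; this is also the list worth exporting when you
# document the policy or compare tenants.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List EnableSpoofIntelligence, AuthenticationFailAction,
                TargetedUserProtectionAction, TargetedDomainProtectionAction,
                MailboxIntelligenceProtectionAction, EnableFirstContactSafetyTips,
                EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips,
                EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender
```

Pair the quarantine actions with a quarantine review routine: a quarantined impersonation attempt is only useful as a signal if someone looks at it, and the released-or-deleted decision tells you whether your protected-user list and trusted-sender exceptions are tuned correctly.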
By implementing these strategies, you can significantly enhance your organization’s defense against phishing attacks and safeguard sensitive information.