Category Archives: Email Security

4 tried-and-true prevention strategies for enterprise-level security

Why is it that dentists advise people over and over to floss, yet so few do it? It only takes a minute of your time, yet if you’re running late or feeling tired, you may be tempted to skip it. That is until you remember your upcoming teeth cleaning appointment. There is nothing like the memory of a long and painful visit to the dentist to motivate good dental hygiene. Smart habits today can save you time and money later.

Good habits are also important in cybersecurity. It is typically much cheaper to prevent an attack than to respond to one already in motion. A great example is the WannaCry ransomware attack. Attackers exploited a vulnerability, which resulted in as much as $4 billion worth of damage around the world. The vulnerability had been patched in a security update released by Microsoft one month prior to the attack, so organizations who had installed the latest updates were spared.

Sometimes cyber hygiene advice is ignored because it’s not the new, shiny whiz-bang solution du jour. It’s easier to get attention for a sparkly light-up electric toothbrush than for a plain old piece of dental floss, but that “plain old” floss is key to keeping your choppers cavity free.

With this in mind, we broke out the four best practices of cyber hygiene, outlined in 24th edition of the Microsoft Security Intelligence Report (SIR), to help reduce your risk of attack:

  1. Practice good security hygiene.
  2. Implement access tiers among employees.
  3. Always back up important data.
  4. Teach employees how to spot and report suspicious activity.

Practice good security hygiene

Good security hygiene includes routine policies and procedures to maintain and protect your IT systems and devices:

  • Use only trusted software—If you can’t validate the credibility of the vendor or supplier, don’t use it. Avoid free software from an unknown source.
  • Deploy software updates—Keep your software and operating systems up to date. Vendors regularly release security updates to their applications, and the only way you can take advantage of this is if you deploy the updates. You should also be sure to apply the security configuration baselines provided by your software vendors.
  • Protect email and browsers—Attackers frequently conduct social engineering attacks through email and browsers, so it’s important to deploy security updates as soon as they are available. And deploy advanced threat protection capabilities for your email, browser, and email gateway to help safeguard your organization from modern phishing variants.

Implement access tiers among employees

The principle of least privilege should guide your access control policies. Malicious actors want to take control of the most privileged accounts in your organization, so the fewer people that have them the better. You also should be mindful that even though your company may have a “trusted software only” mandate, employees may unwittingly download unsafe software that can spread “malcode” throughout your organization.

  • Give system access on a need-to-know basis—Set up role-based access to easily onboard users to the systems they need to do their jobs and nothing more. Keep administrative accounts separate from information worker accounts, so that users only sign in to administrative accounts when they need them. Set up just-in-time privileges that give users with administrative accounts access to systems only when they need them and for a limited time.
  • Don’t allow users to download applications from anywhere but an app store—Deploy strong code integrity policies, including restricting the applications that users can run with whitelisting. If possible, adopt a security solution to restrict the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code.

Always back up important data

Your organization’s data is often its most valuable asset. If you suffer a security breach or a ransomware attack, a good backup process can save you if your data is destroyed or removed.

  • Back up data online—Use cloud storage services for automatic backup of data online.
  • Use the 3-2-1 method for your most important data—For on-premises data, keep three backups of your data, on two different storage types, and at least one backup offsite.

Teach employees how to spot and report suspicious activity

Your employees are a constant target of attackers, and many are tricked into downloading malicious software or sharing their credentials. They can also be your first line of defense. A strong cybersecurity education program can turn employees from targets to first responders.

  • Recognize social engineering and spear-phishing attacks—Attackers continuously update the methods they use to gain employee trust and access. Provide context about how these attacks work, including the latest techniques and relevant examples.
  • Use your web browser safely—Educate employees about the dangers of unsafe websites, such as cryptocurrency mining. Ensure they keep their browsers up to date with the latest security features and solutions that provide warnings about unsafe sites.
  • Identify suspicious file types—Teach employees to look for suspicious files if a computer is running exceptionally slow and encourage them to submit a sample to the operating system vendor.
  • Engage IT if you’re not sure about something—Make sure that employees know how to report suspicious communications or get advice from IT on what to do about it.

Learn more

There’s probably nothing that surprised you on this list, but can you confirm with 100 percent certainty that your company is practicing and enforcing all of these cyber hygiene recommendations? Instituting security preventative practices may not be as easy as flossing your teeth, but there are resources that can help.

For more details about these and other security recommendations:

The post 4 tried-and-true prevention strategies for enterprise-level security appeared first on Microsoft Security.

Step 8. Protect your documents and email: top 10 actions to secure your environment

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 8. Protect your documents and email,” you’ll learn how to deploy Azure Information Protection and use Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection to help secure your documents and emails.

There are two types of risks to plan for when it comes to documents and emails. The first risk is that sensitive information will be distributed, often unintentionally, to others that should not have access to it inside or outside of your company. The second is that users in your organization will click links in phishing emails that trick them into giving up their credentials or open attachments that unleash malware. This blog will address ways to protect your company against both.

Azure Information Protection, which is part of Microsoft Information Protection, helps protect your sensitive information wherever it lives or travels. To set up Azure Information Protection, you need to discover where your sensitive information resides, classify and label the information based on its sensitivity, apply policy-based protection settings to control information access and sharing, and continuously monitor your sensitive data landscape. Then Office 365 Advanced Threat Protection (ATP) and Exchange Online Protection can help you protect your mailboxes, files, online storage, and applications against sophisticated attacks in real-time by setting up anti-phishing policies, enabling Safe Links, and setting up Safe Attachments.

Deploy Azure Information Protection to protect your sensitive documents and emails

You may have hundreds or thousands of users creating and sharing documents and sending emails every day. Many files may not contain sensitive information, but the ones that have personal identifiable information, financial data, health-related information, or confidential company information could cause you serious reputational, financial, or legal harm if it gets into the wrong hands.

You can protect your critical documents and emails by implementing the right policies and controls across the information protection lifecycle:

  • Discover: Identify sensitive data in apps and repositories.
  • Classify and label: Classify data and apply labels based on sensitivity level.
  • Protect: Apply policy-based protection actions including encryption and access restrictions.
  • Monitor and remediate: Receive alerts flagging potential issues or risky behavior and take action.

You can download the Azure Information Protection—Deployment Acceleration Guide for a deeper overview of these phases and learnings from our engineering team. Read on for a high-level overview of the core concepts and resources.


The first phase in the approach is the discovery phase. In the discovery process, you gain visibility into the data that currently exists across your environment. To discover data in your on-premises file servers, run the Azure Information Protection scanner in discover mode. It will generate a report that catalogs data that has already been labeled, and the sensitive information types that Azure Information Protection has detected (Figure 1).

Figure 1. Azure Information Protection scanner report allows you to view overall volume and distribution of labeled files, and the types of sensitive data detected.

As discussed in Step 7. Discover shadow IT and take control of your cloud apps, you can use Microsoft Cloud App Security to scan files in cloud repositories to discover sensitive information. Once you’ve inspected data across your cloud repositories and on-premises repositories, you will move on to the classify and label phase.

Classify and label

Classification is determining the sensitivity of a document or email based on its content, and labeling is the application (either automatically or manually) of a sensitivity label, such as “Highly Confidential.” Azure Information Protection provides a recommended default label taxonomy in new tenants that can be modified for use by your organization. We also provide an online example of our current taxonomy that was developed by Microsoft over years of testing. We recommend using this taxonomy if your organization does not already have one established. If your organization has its own taxonomy or you plan to create one, the default label names in Azure Information Protection are easy to change or modify. It’s important not to overcomplicate your taxonomy, so review the Azure Information Protection—Deployment Acceleration Guide for guidance on how to develop your taxonomy.

Labels persist with files even when the files are shared or moved, ensuring that protection travels with the document. There are four options for applying labels:

  • Apply manually by users.
  • Apply a default label automatically to all new documents.
  • Recommend labels based on the data detected.
  • Apply labels automatically based on pre-defined classification and policies.

If you want users to apply labels manually, you can make it easy for them by automatically applying a default label to all new documents. In our default taxonomy, this would be the “General” label. A default label of “General,” which doesn’t apply encryption, allows anyone to view and edit the document, which may be a reasonable baseline for many documents in your organization. Users will need to think about applying a higher sensitivity label, such as “Confidential,” when they’re dealing with more sensitive data. We recommend that you enable the Azure Information Protection policy setting, which requires users to justify and explain why they lowered a classification level or removed a label (Figure 2).

Figure 2. You can require that users supply a justification if they lower the classification label.

Enable recommended labels in Azure Information Protection to provide guidance for users on how to label a document based on its content (Figure 3). This recommendation is based on the conditions that you define. For example, if Azure Information Protection detects credit card numbers in a document, you could define policies that recommend that the user label it as “Confidential.”

Figure 3. Azure Information Protection can be configured to recommend labels based on the information detected in the document.

You can also define conditions that, if matched, will apply the corresponding label automatically with no user involvement, and you can configure the Azure Information Protection scanner and Microsoft Cloud App Security to scan, classify, and label documents already saved on-premises and in cloud repositories, respectively.


Several protection actions can be applied to documents and emails based on sensitivity label, including applying encryption, rights restrictions, or visual markings (such as headers or footers). To encrypt files based on classification label, you will need to set up usage rights based on role. Azure Information Protection includes the following predefined roles:

  • Viewer: Allows users to view the data and nothing else.
  • Reviewer: Allows users to edit the data but NOT copy information out or change the protection applied.
  • Co-Author: Allows users to edit the data AND copy information out but NOT change the protection applied.
  • Co-Owner: Allows users to have Full Control that also allows users to copy and change/remove protection and change the Azure Information Protection label.

You’ll need to determine the type of protection that will be applied and the users that can access specific types of content. We recommend using sub-labels to define the audience of the content and the usage rights available to that audience. The Azure Information Protection—Deployment Acceleration Guide describes this concept in more detail with tips on how to apply it to your organization.

Monitor and remediate

Azure Information Protection Analytics gives you tools to view the state of your sensitive information, including the volume of labeled and protected files and emails, the application used to apply the label, the location of sensitive files, and the type of data that was detected (Figure 4). We recommend using the Azure Information Protection Analytics dashboards to see detailed information on information protection activities. This provides rich usage and activity data but requires consumption on an Azure subscription that incurs an additional cost based on usage.

Reporting data can help you refine the policies that you’ve established for labeling and protecting documents and identify potential risky behavior or over-sharing. Plan to regularly revisit your Azure Information Protection policies to optimize for your users and data needs.

Deploying Office 365 ATP

Bad actors continue to use email as a primary method for gaining initial access to your organization. Phishing and malware campaigns have increased in sophistication, increasing the chances that one or more of your users will accidentally provide their credentials or open an attachment that gives hackers access. Set up Office 365 ATP to protect against advanced attacks such as phishing and zero-day malware.

Figure 4: The Data discovery dashboard provides information on the location of sensitive data within your organization.

To get started, you’ll need to set up policies for the following:

  • Anti-phishing
  • Safe Links
  • Safe Attachments

Anti-phishing policies

When you enable anti-phishing in Office 365 ATP, machine learning models trained to detect phishing messages are applied to every incoming message. Anti-phishing polices are designed to protect against email spoofing, impersonation, and compromised email accounts. Additionally, Office 365 ATP learns how each individual user communicates with other users inside and outside the organization and builds a map of these relationships. This map allows Office 365 ATP to understand more details about how to ensure the right messages are identified as impersonation. Anti-phishing policies can be added, edited, and deleted in the Office 365 Security & Compliance Center. Each organization in Office 365 has a default anti-phishing policy that applies to all users. You can create custom anti-phishing policies that you can scope to specific users, groups, or domains within your organization.

Safe Links policies

When a user clicks a link in an email or document, Office 365 ATP Safe Links scans the website or the reputation of the link and determines if it is safe or malicious. Based on the ATP Safe Links policies configured, users will either be able to open the link, receive a warning, or be blocked from accessing it.

Safe Attachments policies

The Office 365 ATP Safe Attachments scans email attachments and files in SharePoint Online, OneDrive for Business, and Microsoft Teams to determine if they are malicious. Once identified as malicious, the file is blocked, replaced, or delivered based on the ATP Safe Attachments policies configured.

ATP Safe Attachments policies can be configured to:

  • Block emails with malicious attachments from proceeding.
  • Deliver messages immediately while the attachment is scanned in the background.
  • Remove detected malware from emails and notify the user.

Take a look at our best practices for configuring Exchange Online Protection for more tips on blocking unwanted emails from reaching your users.

Learn more

Check back in a few weeks for our next blog post, “Step 9: Protect your OS,” which will give you tips for configuring Windows Defender Advanced Threat Protection to block new and emerging threats on Windows 10.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 8. Protect your documents and email: top 10 actions to secure your environment appeared first on Microsoft Security.

Steer clear of tax scams

In the month of February, we saw an average of 300,000 phishing attempts across Microsoft’s browsing platforms daily. Our security experts expect these attempted scams to become increasingly more prevalent through the April 15 Tax Day, especially in the two weeks leading up to it, when about 25 percent of people file their taxes. The phishing campaigns we’ve seen aren’t just in the U.S., though; we’ve also recently uncovered similar tactics in Canada, Brazil and India. It’s important for users across the globe to follow best practices and stay vigilant.

With less than a month until the filing deadline in the U.S., we are urging the public to take the following simple steps to avoid tax scams – especially during the last-minute rush to file taxes.

  • Watch for suspicious emails. Be suspicious of all links and attachments, especially when the email seems “off” or unexpected – like an unexpected email from your credit card company, or financial institution. Phish-y emails often include spelling and grammatical errors, or will ask you to send personal information. In these cases, you can apply additional scrutiny on the sender, the content, and any links and attachments. If you know the sender, for example, you can double-check with them before opening or downloading the file.
  • Carefully inspect URLs. Hover over links to verify that the URL goes to the website where it’s supposed to direct you. Is it pointing to the site you expected? URL shorteners provide a lot of convenience, but can make this inspection difficult. If you’re unsure, rather than clicking a link, use search engines like Bing to get to the tax-related website you’re looking for and log in from there.
We recently discovered a phishing campaign targeting Canadian Tax payers where scammers were pretending to help Canadian taxpayers get their refunds, but really aimed to steal banking credentials. We’ve also seen old phishing documents resurface – these claim to be from the Canada Revenue Agency (CRA), inform victims that they have a refund via e-transfer from the CRA, and ask them to divulge their bank details where the funds will be “deposited”. We’ve also seen similar campaigns in Brazil and India.
  • Be wary of any attachments. If you haven’t just made a purchase for tax software, don’t be tricked by getting an email with an invoice from a tax preparation company. Sending fake invoices for services is one of the top methods attackers use to trick people into opening a malicious attachment that could automatically execute malware on your computer. Malicious attachments could also contain links that download and execute malicious programs. We’ve seen PDFs that contain innocuous-looking links that lead to people accidentally downloading malicious software designed to steal credentials, like usernames and passwords.
  • Don’t rely on passwords alone. Scammers take advantage of weak or stolen passwords used across multiple websites, so don’t just rely on your password to keep you safe. When possible, always use multi-factor authentication like the Microsoft Authenticator app for managing your sign-ins for Microsoft accounts and others, and Windows Hello for easy and secure sign-in to your Windows 10 device. These solutions enable biometric authentications like your face or fingerprint to quickly and safely sign in across devices, apps and browsers without you having to remember passwords. Did you know that with a Microsoft Account, you can securely and automatically sign-in to other Microsoft cloud-based applications including Bing, MSN, Cortana,, Xbox Live (PC only), Microsoft Store and Office?
  • Keep software current. Run a modern operating system, like Windows 10 or Windows 10 in S mode, with the latest security and feature updates, in tandem with next-generation anti-malware protection, such as Windows Defender Antivirus.

Microsoft security solutions can proactively inspect links and attachments, as well as block phishing documents and other malicious downloads to help protect users, even if they accidentally click a phishing link or open a malicious attachment. We expect tax scams to be on the rise in the next several months as global tax deadlines approach so our experts will be on the lookout for new campaigns.

Here’s a couple of examples of what we’ve seen just in the last few weeks: two documents named irs_scanned_551712.doc and Tax(IP.PIN).doc. You’ll notice that the security tools built into Microsoft Office caught these and displayed a warning at the top. Before enabling content like these, ensure that the sender is a trusted source, and notice things like missing or misspelled words.

tax-related phishing document with malicious macro code

tax-related phishing document with malicious macro code

Be on the lookout for scams like we’ve described here. There will undoubtedly be more schemes that crop up. Stay vigilant! Learn how to report phishing scam websites through Microsoft Edge or Internet Explorer and suspicious email messages through, Outlook 2016, or Office 365.

Keep these tips and tricks handy, and share with your networks so we can increase awareness of and stop the spread of Tax Day scams! For more information about Microsoft Security, please visit

The post Steer clear of tax scams appeared first on Microsoft Security.