- Exchange Online Protection (EOP) provides baseline protection against spam and known malware, but against targeted phishing attacks and zero-day threats, EOP alone is not enough.
- Microsoft Defender for Office 365 extends EOP with anti-phishing with Impersonation Protection, Safe Links (URL scanning at click time), and Safe Attachments (sandbox analysis).
- Mail flow rules provide additional protection: External Sender Warning, blocking auto-forwards and dangerous file types, and enforcing TLS with specific partners.
- SPF, DKIM, and DMARC protect your own domain from abuse by third parties while simultaneously improving the deliverability of your own emails.
- The email security configuration can be documented as a TOM (technical and organizational measure) in the ISMS and covers Controls A.5.14, A.8.7, and A.8.23 from ISO 27001.
The Email Threat Landscape
Email continues to be the primary attack vector in cyberattacks. The numbers have been stable for years: over 90 percent of all successful attacks begin with a phishing email. The reason is simple: email reaches every employee directly, bypasses firewalls and network security, and exploits humans as the weak link.
The attacks are becoming increasingly sophisticated. Classic spam with obvious spelling errors and Nigerian princes accounts for only a small fraction of total volume today. The truly dangerous attacks are targeted, personalized, and technically polished:
Business Email Compromise (BEC): The attacker impersonates the CEO, CFO, or a business partner and instructs an employee to execute a wire transfer or hand over confidential data. The email contains no malware and no link—just a credible message from a seemingly trustworthy sender.
Credential phishing: An email with a link to a near-perfect replica of the Microsoft 365 sign-in page. The employee enters their credentials, and the attacker now has an active account on the corporate network.
Malware delivery: Emails with malicious attachments (Office documents with macros, encrypted ZIP files, HTML smuggling) or links to drive-by download sites.
Thread hijacking: The attacker compromises an email account and replies to existing email threads with a malicious message. Because the message appears in a familiar context, the click-through rate is significantly higher than for an unexpected email.
The Three Protection Layers
Exchange Online offers a three-layered protection model:
Layer 1: Exchange Online Protection (EOP)
EOP is the baseline protection included in every Exchange Online license:
- Anti-spam: Filters spam messages based on sender reputation, content analysis, and machine learning
- Anti-malware: Scans attachments with multiple anti-malware engines
- Connection filter: Blocks emails from known spam IP addresses (IP Block List, IP Allow List)
- Spoofing protection: Detects and blocks emails that claim to originate from your domain (Spoof Intelligence)
EOP is sufficient for baseline protection but has limits: it does not detect impersonation attempts (when someone poses as your CEO but uses a different domain), only scans URLs at the time of delivery (not at click time), and only analyzes attachments with signature-based scanners (no sandbox analysis).
Layer 2: Microsoft Defender for Office 365 Plan 1
Defender for Office 365 Plan 1 (included in Business Premium and E3/E5 with add-on) extends EOP with:
Anti-phishing with Impersonation Protection:
- Detection of emails that impersonate specific internal people (User Impersonation)
- Detection of emails that impersonate specific external domains (Domain Impersonation)
- Mailbox Intelligence: The system learns each user's normal communication patterns and detects deviations
Safe Links:
- URLs in emails are scanned at the time of the click, not just at delivery
- Protection against time-of-click attacks (URL is harmless at delivery, turns malicious hours later)
- URL detonation: Suspicious URLs are opened in a sandbox and checked for malicious behavior
Safe Attachments:
- Attachments are executed in a sandbox environment (Detonation Chamber) and analyzed for malicious behavior
- Protection against zero-day malware not yet detected by signature-based scanners
- Dynamic Delivery: The email is delivered immediately (with a placeholder for the attachment); the attachment is provided after analysis
Layer 3: Microsoft Defender for Office 365 Plan 2
Plan 2 (included in E5 or as add-on) adds to Plan 1:
- Threat Explorer: Interactive investigation of email threats (which phishing emails passed the filter?)
- Automated Investigation and Response (AIR): Automated investigation and remediation of detected threats
- Attack Simulation Training: Simulated phishing campaigns for employee training
- Threat Trackers: Dashboards for current threat campaigns
For most mid-market companies, Plan 1 is sufficient. Plan 2 is worthwhile if you want to use Attack Simulation Training or need advanced threat-hunting capabilities.
Configuring Anti-Phishing Policies
Adjusting the Default Policy
Exchange Online has a default anti-phishing policy that applies to all users. Adjust it as follows:
Phishing threshold: The phishing threshold determines detection aggressiveness. Level 1 (default) is the least aggressive; Level 4 is the most aggressive. Recommendation: Start with Level 2 (Aggressive) and increase to Level 3 (More aggressive) if the false positive rate is acceptable.
Impersonation Protection (Defender for Office 365):
User Impersonation: Add the email addresses of the people most commonly impersonated: executives, finance managers, IT leadership, HR leadership. On detected impersonation: move message to quarantine.
Domain Impersonation: Add the domains most commonly mimicked: your own domains, domains of banks, tax advisors, lawyers, and key business partners. On detected impersonation: move message to quarantine.
Mailbox Intelligence: Enable Mailbox Intelligence and its associated Impersonation Protection. The system learns who each user normally communicates with and flags emails from similar-looking but unknown addresses as suspicious.
First Contact Safety Tip: Enable the First Contact Safety Tip. When a user receives an email from a particular sender for the first time, a yellow notice is displayed: "You don't often get email from this sender. Be careful with links and attachments." This is particularly effective against impersonation and thread hijacking.
Spoof Intelligence: Regularly review the Spoof Intelligence Insight in the Security Center. Here you can see which external senders are sending emails on behalf of your domain (e.g., marketing platforms, CRM systems, newsletter services). Allow legitimate senders and block the rest.
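The settings described in this section, applied to the default policy with Exchange Online PowerShell, as an added example that is not part of the original article: it assumes the ExchangeOnlineManagement module is connected (Connect-ExchangeOnline) with a Security Administrator account and a Defender for Office 365 license, and the names, addresses and partner domains are placeholders.

```powershell
# Added example: apply the anti-phishing recommendations above to the default policy.
# Assumes Connect-ExchangeOnline has already run; all names and domains are placeholders.

# People most often impersonated, in the "DisplayName;EmailAddress" form the cmdlet expects
$protectedUsers = @(
    'Jane Doe;jane.doe@your-domain.de',   # CEO (placeholder)
    'John Roe;john.roe@your-domain.de'    # CFO (placeholder)
)
# External domains most often mimicked (own domains are covered by EnableOrganizationDomainsProtection)
$protectedDomains = @('bank-example.de', 'taxadvisor-example.de')

$antiPhish = @{
    Identity                            = 'Office365 AntiPhish Default'
    # Phishing threshold: 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive
    PhishThresholdLevel                 = 2
    # User Impersonation -> quarantine
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain Impersonation (own domains plus the listed partner domains) -> quarantine
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox Intelligence and its Impersonation Protection
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # First Contact Safety Tip and Spoof Intelligence
    EnableFirstContactSafetyTips        = $true
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'   # what happens to mail that fails spoof checks
}
Set-AntiPhishPolicy @antiPhish

# Verify the settings that matter for this section
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object PhishThresholdLevel, EnableTargetedUserProtection, TargetedUserProtectionAction,
                  EnableTargetedDomainsProtection, EnableMailboxIntelligenceProtection,
                  EnableFirstContactSafetyTips, EnableSpoofIntelligence, AuthenticationFailAction
```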
Safe Links in Detail
Configuration
Global settings:
- Enable URL tracking (which links are clicked by users?)
- "Do not rewrite URLs, do check via Safe Links API": Recommended if URL rewriting causes issues with certain applications
- Block list: URLs that should always be blocked (e.g., known phishing domains)
Safe Links Policy:
- Apply to all users
- Scan URLs in email messages: Yes
- Apply Safe Links to URLs in Microsoft Teams messages: Yes
- Apply Safe Links to URLs in Office documents: Yes (protects against phishing links in Word/Excel/PowerPoint)
- Do not let users click through to the original address: Yes (prevents users from bypassing Safe Links)
- Scan URLs against known malicious links in real time: Yes
- Fully scan suspicious URLs and links pointing to files before delivering: Yes
Minimizing Exceptions
A common trap: users complain that Safe Links delays or blocks access to certain URLs, and IT adds the domain to the exception list. Every exception is a gap in the protection. Critically evaluate every exception and look for alternative solutions before adding a domain to the exception list.
Legitimate reasons for exceptions:
- Internal applications that do not correctly handle Safe Links (e.g., certain ticketing systems)
- Domains of security tools that interfere with URL rewriting (e.g., phishing simulation platforms)
Not legitimate reasons:
- "The user finds it annoying" (security over convenience)
- "The domain is trustworthy" (even trustworthy domains can be compromised)
Safe Attachments in Detail
Configuration
Safe Attachments Policy:
- Apply to all users
- Action on detected malware: Block (block message and attachment) or Dynamic Delivery (deliver message immediately, provide attachment after scan)
- Recommendation: Dynamic Delivery for most communication, Block for high-risk groups (executives, finance department)
- Redirect: Forward detected malicious attachments to a monitoring mailbox (for analysis by IT security)
Safe Attachments for SharePoint, OneDrive, and Teams: Also enable Safe Attachments for files uploaded to SharePoint, OneDrive, and Teams. This protects against malware that enters the organization via file upload rather than email.
Performance Considerations
Safe Attachments causes a delay in email delivery because the attachment must be analyzed in the sandbox. Depending on file type and complexity, the delay ranges from about 30 seconds to a few minutes. Dynamic Delivery minimizes the perceived delay because the message is delivered immediately and only the attachment has to wait.
Proactively communicate the delay to employees so they do not become impatient and pressure IT to disable the protection.
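The Safe Links policy and the two Safe Attachments policies from the sections above (Dynamic Delivery for everyone, Block for the high-risk group, plus SharePoint/OneDrive/Teams) in Exchange Online PowerShell, as an added example that is not part of the original article: it assumes Connect-ExchangeOnline has run with a Security Administrator account and a Defender for Office 365 Plan 1 license; 'your-domain.de' and the group address are placeholders.

```powershell
# Added example: Safe Links and Safe Attachments policies matching the recommendations above.
# Assumes Connect-ExchangeOnline has already run; domain and group address are placeholders.

# --- Safe Links: one policy for all recipients in the tenant domain ---
$safeLinks = @{
    Name                     = 'SafeLinks-AllUsers'
    EnableSafeLinksForEmail  = $true    # URLs in email are checked at click time
    EnableSafeLinksForTeams  = $true    # also URLs in Teams messages
    EnableSafeLinksForOffice = $true    # also URLs inside Word/Excel/PowerPoint files
    TrackClicks              = $true    # URL tracking: which links were clicked
    AllowClickThrough        = $false   # users cannot bypass the Safe Links warning page
    ScanUrls                 = $true    # real-time check against known malicious URLs
    DeliverMessageAfterScan  = $true    # fully scan suspicious URLs and file links before delivery
    EnableForInternalSenders = $true    # scan mail from internal senders too (thread hijacking)
    DisableUrlRewrite        = $false   # set to $true only if rewriting breaks an application
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name 'SafeLinks-AllUsers' -SafeLinksPolicy 'SafeLinks-AllUsers' `
    -RecipientDomainIs 'your-domain.de' -Priority 0

# --- Safe Attachments: Block for the high-risk group (created first so it gets priority 0) ---
New-SafeAttachmentPolicy -Name 'SafeAttach-HighRisk' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'SafeAttach-HighRisk' -SafeAttachmentPolicy 'SafeAttach-HighRisk' `
    -SentToMemberOf 'highrisk-mailsecurity@your-domain.de' -Priority 0   # placeholder group

# --- Safe Attachments: Dynamic Delivery for everyone else ---
New-SafeAttachmentPolicy -Name 'SafeAttach-AllUsers' -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'SafeAttach-AllUsers' -SafeAttachmentPolicy 'SafeAttach-AllUsers' `
    -RecipientDomainIs 'your-domain.de' -Priority 1

# --- Safe Attachments for SharePoint, OneDrive and Teams (tenant-wide switch) ---
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify
Get-SafeLinksPolicy -Identity 'SafeLinks-AllUsers' |
    Select-Object AllowClickThrough, TrackClicks, EnableSafeLinksForOffice, DeliverMessageAfterScan
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeAttachmentRule  | Select-Object Priority, Name, SafeAttachmentPolicy
```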
Mail Flow Rules for Additional Protection
Mail flow rules (Transport Rules) in Exchange Online enable additional protection measures beyond the capabilities of EOP and Defender for Office 365.
External Sender Warning
One of the most effective and simplest measures: add a clearly visible warning notice to all incoming emails from external senders.
Configuration:
- Condition: Sender is outside the organization
- Action: Prepend message with HTML disclaimer
- HTML disclaimer: A yellow or orange banner with the text "EXTERNAL: This message originates from outside your organization. Be cautious with links and attachments."
This simple measure significantly reduces the success rate of phishing attacks because employees can immediately see that an email does not come from an internal colleague—even if the display name suggests otherwise.
Blocking Auto-Forwards to External Addresses
When an attacker compromises an email account—for example through stolen credentials without MFA—they often set up an automatic forward to an external address to continuously read all emails without needing to sign in again. This forward remains active even after the password is changed.
Configuration:
- Condition: Message type = Auto-forward
- Condition: Sender is inside the organization
- Condition: Recipient is outside the organization
- Action: Reject message with error notification
- Alternative: In the anti-spam policy under "Automatic forwarding," select "Off - Forwarding is disabled"
Blocking Dangerous File Types
Block the receipt of file types commonly used for malware delivery:
File types to block:
- Executable files: .exe, .com, .scr, .pif, .bat, .cmd, .ps1, .vbs, .vbe, .js, .jse, .wsf, .wsh
- HTML applications and Windows Installer files: .hta, .msi, .msp, .mst
- Macro-enabled Office files (optional): .docm, .xlsm, .pptm
- Compressed archives with password-protected content (cannot be scanned by Safe Attachments)
Configuration:
- Condition: Attachment has a file extension from the block list
- Action: Move message to quarantine with notification to recipient
Enforcing TLS for Specific Partners
For communication with specific partners (tax advisors, lawyers, banks), you can enforce TLS encryption:
Configuration:
- Condition: Recipient domain = partner-domain.de
- Action: Enforce TLS encryption (Require TLS; opportunistic TLS is the default)
- Fallback: Convert message to NDR (Non-Delivery Report) if TLS is not possible
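The four mail flow rules described above as Exchange Online PowerShell, as an added example that is not part of the original article: it assumes Connect-ExchangeOnline has run with an account holding the Exchange administrator role, and 'partner-domain.de', the banner wording and the rule names are placeholders taken from the text.

```powershell
# Added example: the mail flow rules from this section. Assumes Connect-ExchangeOnline has run;
# partner domain, banner text and rule names are placeholders.

# 1. External Sender Warning: banner prepended to every message from outside the organization
$banner = '<div style="background-color:#ffd966;border:1px solid #bf9000;padding:6px;font-weight:bold;">' +
          'EXTERNAL: This message originates from outside your organization. ' +
          'Be cautious with links and attachments.</div>'
New-TransportRule -Name 'External sender warning' -Mode Enforce `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap   # if the body cannot be modified, wrap the original message

# 2. Block auto-forwards from internal mailboxes to external recipients
New-TransportRule -Name 'Block external auto-forward' -Mode Enforce `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'
# Alternative named in the text: switch automatic forwarding off in the outbound spam policy
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Quarantine dangerous attachment types (extensions are given without the leading dot)
$blockedExtensions = @('exe','com','scr','pif','bat','cmd','ps1','vbs','vbe','js','jse','wsf','wsh',
                       'hta','msi','msp','mst')   # add 'docm','xlsm','pptm' to block macro-enabled files
New-TransportRule -Name 'Quarantine dangerous attachment types' -Mode Enforce `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -Quarantine $true   # deliver to the hosted quarantine instead of the mailbox
# Password-protected archives cannot be opened by Safe Attachments, so quarantine them as well
New-TransportRule -Name 'Quarantine password-protected attachments' -Mode Enforce `
    -AttachmentIsPasswordProtected $true -Quarantine $true

# 4. Require TLS for a partner domain; if TLS cannot be negotiated the message is returned as an NDR
New-TransportRule -Name 'Require TLS to partner-domain.de' -Mode Enforce `
    -RecipientDomainIs 'partner-domain.de' `
    -RouteMessageOutboundRequireTls $true

# Rules are evaluated in priority order; review the result
Get-TransportRule | Select-Object Priority, Name, State
```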
Email Authentication: SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are three interrelated technologies that protect your domain from abuse by third parties. They prevent attackers from sending emails that appear to originate from your domain. At the same time, they improve the deliverability of your own emails because receiving servers can verify that the email actually comes from you.
SPF (Sender Policy Framework)
SPF defines which mail servers are authorized to send emails on behalf of your domain. The SPF record is a DNS TXT entry that lists the IP addresses and hostnames of authorized mail servers.
Recommended SPF record for Exchange Online:
v=spf1 include:spf.protection.outlook.com -all
If you use additional services beyond Exchange Online that send emails on your behalf (newsletter tools, CRM systems, ticketing systems), their servers must also be listed in the SPF record:
v=spf1 include:spf.protection.outlook.com include:mailservice.example.com -all
The -all at the end is important: it states that emails from unauthorized servers should be rejected (Hard Fail). A ~all (Soft Fail) is less restrictive and is ignored by many recipients.
DKIM (DomainKeys Identified Mail)
DKIM signs outgoing emails with the domain's private key; the receiving server verifies the signature against the public key published in DNS and can thus confirm the integrity of the message. If the signature does not match, the message was altered in transit.
Setup in Exchange Online:
- In the Microsoft 365 Defender Portal under Email > Policies > DKIM
- Select your domain and enable DKIM
- Add the two CNAME records generated by Microsoft to your DNS
- After DNS propagation, activate DKIM signing
DKIM is not enabled by default for Exchange Online (Microsoft signs with the default onmicrosoft.com domain, but not with your own domain). Explicitly enable DKIM for every domain you use in Exchange Online.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM and defines what should happen to emails that fail SPF or DKIM. At the same time, DMARC provides reports showing who is sending emails on behalf of your domain (both legitimate and illegitimate).
Recommended DMARC rollout:
Phase 1: Monitoring (4–8 weeks)
v=DMARC1; p=none; rua=mailto:dmarc-reports@your-domain.de; ruf=mailto:dmarc-forensic@your-domain.de
The policy p=none means that failing emails are not blocked, but you receive reports. Use a DMARC analysis service (e.g., DMARC Analyzer, dmarcian, Postmark) to evaluate the reports.
Phase 2: Quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@your-domain.de
Failing emails are moved to the recipient's spam folder. Only implement this step once you are certain that all legitimate senders are captured in SPF and DKIM.
Phase 3: Reject
v=DMARC1; p=reject; rua=mailto:dmarc-reports@your-domain.de
Failing emails are completely rejected. This is the goal because it provides the strongest protection against domain spoofing.
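A DNS check for the SPF, DKIM and DMARC recommendations above, as an added example that is not part of the original article: it resolves the records of a domain, flags ~all or a missing Exchange Online include in SPF, missing selector1/selector2 CNAMEs for DKIM, and reports which DMARC rollout phase the p= tag corresponds to. It assumes PowerShell on Windows with the DnsClient module (Resolve-DnsName); 'your-domain.de' is the article's placeholder.

```powershell
# Added example: audit a domain's SPF/DKIM/DMARC records against the recommendations above.
# Assumes Resolve-DnsName (DnsClient module, Windows); the domain is a placeholder.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $findings = [System.Collections.Generic.List[string]]::new()

    # All TXT records at a name, each record's strings joined into one value
    function Get-TxtRecords([string]$Name) {
        @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'TXT' } |
          ForEach-Object { -join $_.Strings })
    }

    # SPF: exactly one v=spf1 record (RFC 7208: more than one is a permanent error),
    # containing the Exchange Online include and ending in -all
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)     { $findings.Add('SPF: no v=spf1 record found') }
    elseif ($spf.Count -gt 1) { $findings.Add("SPF: $($spf.Count) v=spf1 records found; receivers treat this as a permanent error") }
    else {
        if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') { $findings.Add('SPF: include:spf.protection.outlook.com is missing') }
        if ($spf[0] -match '\s~all\s*$')        { $findings.Add('SPF: ends in ~all (soft fail); change to -all') }
        elseif ($spf[0] -notmatch '\s-all\s*$') { $findings.Add('SPF: record does not end in -all') }
    }

    # DKIM: Exchange Online signs with selector1 and selector2; both CNAMEs must exist
    foreach ($selector in 'selector1', 'selector2') {
        $name  = "$selector._domainkey.$Domain"
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' }
        if (-not $cname) { $findings.Add("DKIM: CNAME $name is missing") }
    }

    # DMARC: map the p= tag to the rollout phase described above
    $dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add('DMARC: no _dmarc record; the DMARC rollout has not started') }
    else {
        $phase = @{ none = 'phase 1 (monitoring)'; quarantine = 'phase 2 (quarantine)'; reject = 'phase 3 (reject)' }
        $p = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)\b') { $Matches[1] } else { $null }
        if ($p) { $findings.Add("DMARC: p=$p, $($phase[$p])") } else { $findings.Add('DMARC: no valid p= tag') }
        if ($dmarc -notmatch 'rua=mailto:') { $findings.Add('DMARC: no rua= address; aggregate reports will not arrive') }
    }

    [pscustomobject]@{ Domain = $Domain; Findings = $findings.ToArray() }
}

Test-MailAuthRecords -Domain 'your-domain.de'   # placeholder domain from the article
```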
Journaling and Archiving
For certain regulatory requirements or internal policies, it may be necessary to archive all emails:
Exchange Online Archiving: Exchange Online offers a built-in archive mailbox (In-Place Archive) that automatically moves older emails:
- Automatic archiving after 2 years (configurable via Retention Tags)
- Archive mailbox with 50 GB to unlimited storage (depending on license)
- Searchable via eDiscovery
Journaling: For industries with strict archiving obligations (financial services), Exchange Online offers Journaling rules that send a copy of all emails (internal and external) to a dedicated journal mailbox or a third-party archive service.
Exchange Online in the ISMS
The email security configuration addresses multiple ISO 27001 controls:
A.5.14 (Information transfer):
- Anti-phishing and anti-spam as protection for the email channel
- TLS enforcement for specific partners
- DLP for emails (protection against data leakage)
A.8.7 (Protection against malware):
- Safe Attachments (sandbox analysis)
- Blocking dangerous file types
- Anti-malware in EOP
A.8.23 (Web filtering):
- Safe Links (URL scanning at click time)
- Anti-phishing with Impersonation Protection
A.8.24 (Use of cryptography):
- TLS encryption in email transport
- DKIM signing of outgoing emails
- S/MIME or OME (Office Message Encryption) for confidential emails
A.5.33 (Protection of records):
- Retention Policies for email retention
- Exchange Online Archiving
- Journaling (for regulatory requirements)
Documentation in the ISMS
Create an email security policy covering the following points. In ISMS Lite, you can document anti-phishing policies, mail flow rules, and SPF/DKIM/DMARC configuration as TOMs and map them to ISO 27001 controls:
- Configured protection measures (EOP, Defender, mail flow rules) with justification
- SPF, DKIM, and DMARC configuration
- Exception lists (which domains/senders are exempted from which rules and why)
- Monitoring process (who reviews the quarantine, who evaluates DMARC reports)
- Escalation process for detected phishing (how do employees report suspicious emails, what happens next?)
- Retention periods for emails
Monitoring and Operations
Daily monitoring:
- Review quarantine: identify and release false positives
- Review automatic alerts for detected phishing campaigns
Weekly review:
- Threat Explorer (Plan 2): Which phishing emails were delivered? Which were clicked?
- Spoof Intelligence: Review and evaluate new spoofing attempts
- Quarantine statistics: How many messages were blocked? Is the trend rising or falling?
Monthly reporting:
- Evaluate DMARC reports: Is someone sending unauthorized emails on your behalf?
- Prepare email security statistics for the ISMS dashboard
- DLP reports (match rate, false positives, user overrides)
Quarterly review:
- Review anti-phishing policies and Impersonation Protection (add new executives, remove departed ones)
- Review mail flow rules for currency
- Review SPF record (new sending services added? Old ones removed?)
- Review Safe Links/Attachments exceptions
Further Reading
- Securing Microsoft 365: The 15 Most Important Security Settings
- Recognizing and Reporting Phishing: Awareness Training for Employees
- Email Security: Properly Configuring SPF, DKIM, and DMARC
- Building a Security Awareness Program: From Obligation to Culture
- Detecting and Reporting Security Incidents: Processes and Reporting Channels
