1. Create Safe Links Policies for Email Messages

Impact: Safe Links helps protect users from malicious URLs in email messages and Office documents. It works by scanning links in real time to ensure they don’t lead to phishing or malware sites.

Example: A user receives a phishing email with a malicious link. Safe Links rewrites the URL and checks it upon clicking. If found malicious, the user is prevented from accessing the site, reducing the risk of data theft.

2. Turn on Safe Attachments in Block Mode

Impact: Safe Attachments scans email attachments in a sandboxed environment to detect malware before delivering them to recipients.

Example: If an attacker sends a malware-infected PDF, Safe Attachments detects it and blocks the email from reaching the inbox, protecting users from downloading harmful content.

3. Start Your Defender for Identity Deployment, Installing Sensors on Domain Controllers

Impact: Defender for Identity uses sensors on Domain Controllers to detect abnormal behavior and potential identity-related attacks, like lateral movement or privilege escalation.

Example: If an attacker attempts to elevate privileges or access sensitive accounts, the sensor detects and raises alerts about unusual patterns, preventing credential theft or privilege abuse.

4. Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams

Impact: This protects files shared through SharePoint, OneDrive, and Teams by scanning for malware and unsafe content.

Example: If an employee uploads a malicious document to a SharePoint library, Defender for Office 365 scans the file and blocks access to it, preventing malware spread in collaborative environments.

5. Ensure DLP Policies Are Enabled

Impact: Data Loss Prevention (DLP) helps prevent sensitive information from leaving the organization by monitoring and blocking content that violates policies.

Example: DLP policies can block employees from sending confidential data, like credit card numbers, through email or cloud services, ensuring compliance with data protection regulations.

6. Ensure ‘External Sharing’ of Calendars Is Not Available

Impact: Disabling external calendar sharing prevents external users from viewing employee availability, reducing the risk of unauthorized access to schedule details.

Example: This helps prevent sensitive meeting details, such as high-level strategy sessions, from being visible to outsiders, reducing the risk of espionage or data leaks.

7. Turn on Safe Documents for Office Clients

Impact: Safe Documents ensures documents are opened in a secure and isolated environment (sandbox) before being accessed, reducing risks from malicious files.

Example: A user downloading a document from an unknown source will have it opened in a sandbox, preventing any malware within the document from affecting the host machine.

8. Ensure Additional Storage Providers Are Restricted in Outlook on the Web

Impact: By restricting additional storage providers, you prevent users from integrating unauthorized or unsecured cloud storage services with Outlook.

Example: If users cannot integrate personal Dropbox or Google Drive accounts, sensitive company information is not exposed to unmanaged and insecure environments.

9. Ensure Safe Attachments Policy Is Enabled

Impact: Safe Attachments policies scan attachments in real-time to detect malware and block suspicious content before it reaches the recipient.

Example: A phishing email with a malicious attachment is intercepted and quarantined, preventing it from reaching the end-user and reducing infection risk.

10. Ensure All Forms of Mail Forwarding Are Blocked and/or Disabled

Impact: Blocking mail forwarding prevents sensitive company emails from being automatically forwarded to external accounts, reducing data leakage risks.

Example: An employee’s inbox is compromised, but because forwarding is disabled, the attacker cannot automatically send sensitive emails to an external address.

11. Ensure User Consent to Apps Accessing Company Data on Their Behalf Is Not Allowed

Impact: Blocking user consent for third-party apps to access company data prevents unauthorized access to corporate data by malicious apps.

Example: A malicious app requests access to employee data during installation. Without user consent enabled, the app is blocked, securing company data from unintended exposure.

12. Ensure MailTips Are Enabled for End Users

Impact: MailTips provide users with contextual information when sending emails, such as warnings about external recipients or large groups, reducing risks of accidental data exposure.

Example: A user accidentally tries to send sensitive information to an external email address but is alerted by a MailTip, preventing accidental data leaks.

13. Ensure Microsoft 365 Audit Log Search Is Enabled

Impact: Audit log search allows administrators to track user and admin activities across Microsoft 365, helping in investigations of suspicious activities.

Example: If a data breach occurs, administrators can review the audit logs to determine who accessed specific files, providing insights for remediation.

14. Ensure Mailbox Auditing for All Users Is Enabled

Impact: Mailbox auditing logs activities in mailboxes, helping detect unauthorized access or unusual activity, such as suspicious logins or changes.

Example: An attacker compromises a mailbox but is detected through audit logs showing abnormal access from a foreign IP, allowing for quick response.

15. Ensure Users Installing Outlook Add-ins Is Not Allowed

Impact: Disabling add-in installation prevents users from installing potentially malicious or unauthorized extensions that could compromise the environment.

Example: An employee installs a third-party Outlook add-in containing malware. By restricting add-ins, such risks are eliminated, keeping Outlook secure.

16. Ensure Exchange Online Spam Policies Are Set to Notify Administrators

Impact: Administrators receive alerts for spam or phishing attempts, allowing for timely responses and reducing the chances of end-users interacting with malicious content.

Example: When a phishing campaign targets multiple users, administrators are notified and can block or quarantine the emails, protecting employees.

17. Ensure Safe Links for Office Applications Is Enabled

Impact: Safe Links scans and rewrites potentially malicious URLs in Office apps, providing real-time protection when users click on links in Word, Excel, or PowerPoint files.

Example: A user receives an Excel file with a phishing link. Safe Links rewrites the URL and blocks access when clicked, protecting against credential theft.

18. Only Invited Users Should Be Automatically Admitted to Teams Meetings

Impact: Restricting automatic admission to invited users ensures that unauthorized individuals cannot join meetings, protecting sensitive conversations.

Example: A confidential meeting is scheduled, and only invitees are allowed to join, preventing uninvited individuals from gaining access.

19. Configure Which Users Are Allowed to Present in Teams Meetings

Impact: Limiting presentation permissions to specific users prevents unauthorized attendees from hijacking a meeting and presenting harmful or inappropriate content.

Example: During a company-wide meeting, only designated presenters can share content, reducing disruptions and maintaining control over meeting flow.

20. Publish M365 Sensitivity Label Data Classification Policies

Impact: Sensitivity labels classify and protect data based on its confidentiality level, ensuring sensitive information is handled appropriately.

Example: Emails containing financial data are automatically labeled “Confidential,” restricting access and preventing unauthorized sharing outside the organization.

21. Ensure the Customer Lockbox Feature Is Enabled

Impact: Customer Lockbox ensures that Microsoft support engineers require explicit permission from your organization before accessing any data during troubleshooting.

Example: When a support request requires access to customer data, Customer Lockbox ensures that Microsoft personnel can only access it after obtaining approval from the customer.

22. Restrict Anonymous Users from Joining Meetings

Impact: Blocking anonymous users from joining meetings helps prevent unwanted participants from accessing confidential meetings.

Example: In a board meeting discussing sensitive financial information, anonymous attendees are blocked from joining, ensuring that only identified participants can attend.

23. Use Least Privileged Administrative Roles

Impact: Assigning users only the minimum permissions necessary reduces the risk of misuse or exploitation of high-privileged accounts.

Example: A user who only needs access to manage email accounts is assigned the Exchange Administrator role, instead of Global Admin, reducing the risk if their account is compromised.

24. Extend M365 Sensitivity Labeling to Assets in Microsoft Purview Data Map

Impact: Extending sensitivity labels to assets in Microsoft Purview enhances governance by applying classification and protection to data across multiple environments.

Example: Sensitive documents stored in cloud environments like Azure are automatically labeled based on their contents, ensuring consistent data protection policies.

25. Ensure Auto-Labeling Data Classification Policies Are Set Up and Used

Impact: Auto-labeling applies classification and protection based on predefined rules, ensuring consistent handling of sensitive data.

Example: Any document containing social security numbers is automatically labeled and encrypted, preventing unauthorized sharing or access.

26. Block Users Who Reached the Message Limit

Impact: Limiting the number of messages a user can send within a specific period reduces the risk of compromised accounts being used for spam or phishing campaigns.

Example: A compromised account starts sending out phishing emails. Once the user reaches the message limit, their ability to send further emails is blocked, stopping the attack.