Security in Exchange Online

 Jan Čížek

Exchange Online, as part of the entire Microsoft 365 ecosystem, offers many security solutions even in basic licensing plans. Customers are offered scaled computing power and the strength of Microsoft's best security teams, which have an enormous amount of information about attacks worldwide. Various types of encryption are deployed in the basic version of the product, and Exchange Online Protection monitors the flow of mail in both input and output. These security measures are already implemented in the basic version of the product and customers have little opportunity to influence their settings, either because they are not applicable for organizations or because they are nowadays managed with advanced artificial intelligence and there is no reason to modify them.

But what we will focus on today are the possibilities that are in the hands of tenant administrators and which are sometimes difficult to comprehend. It is ideal to layer the security measures and not to rely on the effectiveness of a single solution. Firstly, a bit of theory, according to which we will subsequently assess individual solutions and options. According to statistics, the most common reasons for breaching the security of environment and data leakage are the following:

  • Weak passwords and stolen login details
  • Unpatched vulnerabilities in applications and operating systems
  • Malware
  • Internal violation
  • Human error

Second point - Exchange Online does not deal with the unpatched vulnerabilities - this is in the hands of Microsoft, and Microsoft takes great care of it. But it is concerned with client applications and the OS. Let's leave this in the hands of Desktop Administrators – otherwise we would have enough material to publish a separate series of articles.

So, let's see what we can influence and what usually concerns the whole Microsoft 365, and sometimes purely Exchange Online.

1. Weak passwords and stolen login details

There used to be times when it was recommended to change passwords every 30 to 90 days and people would be reminded to change passwords frequently. However, this system led to one thing - users began to choose simple passwords, where they altered some numerical value, for example, according to the month, etc. It is true that there were ways how to prevent the users from doing so - by verifying password similarity, password history, etc. It is still a suboptimal solution. In addition, the users then tend to enter the passwords everywhere, because once we have persuaded them to use a secure password, they will repeatedly use it wherever possible. Subsequently, the whole system collapses at the moment when more than one system in the same vertical is cracked.

Due to the fact that the username and password are the only means of authentication for most people, it is crucial to ensure the best security. It is, however, better to deploy the following precautions and let the users use a password with an unlimited or long enough validity than to rely on frequent changes – as concerning Microsoft 365 – cancellation of a password expiration and implementing other precautions is one of the recommendations you will receive when checking your "Secure score" "- Obviously, provided that you will read the rest and implement the measures suggested in the following paragraphs of this article.

  • Multi Factor Authentication

The solution, which certainly can be read everywhere, and I feel compelled to mention it too, is Multi Factor Authentication (MFA). This is probably the easiest and most effective way to protect your entire Microsoft 365 account and, of course, your data in Exchange Online. MFA is available in Microsoft 365 E3 and E5 plans, in Enterprise Mobility + Security 3 and 5 subscriptions within Azure AD Premium P1 and P2, and now also in Microsoft 365 Business Premium, which is bringing MFA into plans for small and medium-sized enterprises. In the absolutely basic version, you will find it in lower plans as well.

MFA combines a login name and password with another factor – which could be a code from a text message sent to an authorized number, a fingerprint, a confirmation in the application, or entering an OTP password. This prevents cracking, as an attacker can crack the password, but Azure AD will never verify it without the second factor. If I say MFA, it is also necessary to add "Basic Authentication, App Passwords and Conditional Access" in just one breath.

  • Basic Authentication

A possibility of a classic authentication only with the name and password, which is sent on each request. This should definitely be forbidden in a well-secured environment. Microsoft is not only calling for this, but also intends to implement it and completely remove the option to enable Basic Authentication. This should happen at the end of the year – on October 13, 2020 exactly. So, if your organization uses applications that cannot handle modern authentication methods, well, then it's time to start looking for a replacement. This type of authentication is mainly used by older protocols such as IMAP4 or SMTP, but also by older versions of Exchange ActiveSync intended for clients with mobile devices.

  • App Password

Application Password in conjunction with a basic authentication enables you to use applications that cannot comply with modern methods. For example, this could be the case of native email clients in mobile phones. The application password allows you to bypass the necessity of a modern authentication - this clearly creates room for attack, although passwords are managed relatively safely. If possible, there should be no application in the environment where the application password would be required. On mobile devices, it is more than recommended to use Outlook for iOS / Android, which is free of charge, for both the security and the features that no other client offers (opening shared mailboxes / calendars, "Focused Inbox", calendar integration, etc. .)

  • Conditional Access

Conditional Access (CA) gives administrators a wide range of options and settings to determine by whom, when, how, and from where the specific Microsoft 365 sources and services may be accessed. And now it is about time to mention licencing. CA requires an Azure AD Premium P1 license - which can be purchased either separately or as part of Microsoft 365 E3 or Enterprise Mobility + Security E3 subscriptions.

With CA, people can be guaranteed access to Exchange Online from corporate computers and corporate offices, or VPNs without a password. If an access is made from another computer or site, the use of MFA may be enforced, or the access may be completely denied. Here I will allow myself an experience-based remark – although this is one of the options offered, do not bother to block the login according to the country / state. When blocked, CA displays a specific message that is distinguishable from a bad login message, so it is usually one of the first steps of an attacker to dial a VPN according to the country where the company operates. Therefore, if you use CA only by the location and leave out other conditions, the attacker will be made to take only one or two extra steps.

  • Client Access Rules

The last option to control access similarly to CA are Client Access Rules – these can be used to control the settings of some protocols at the level of allowing or denying certain IP ranges, etc. There is more about the options in the attached article (, but the choices are limited and administration can only be performed via Exchange PowerShell. Additionally, some protocols do not support all authentication methods. Even so, it is still an interesting alternative.

  • Disabling unused protocols

The last option, which is free of charge and only requires a good knowledge of your own environment, is to turn off everything unnecessary. If you know that all of the users in your organization use mobile devices with Outlook for Android / iOS, and you handle sending mail from applications and servers using anonymous relay or applications that can perform advanced authentication, then it is appropriate to turn off POP, IMAP, and Exchange ActiveSync. This will reduce the vulnerability to attack.

2. Malware

Malware is a big topic and shows how simple cybercrime can be. It doesn't have to be a targeted attack, but a simple exploitation of a known vulnerability, where an attacker simply releases a of piece of malicious code into the world and lets it work for him. The volume of malware attacks is huge, and although most incidents are minor, there are still many serious ones in the total volume. Larger organizations should be wary of targeted attacks, where attackers will either try to harm the company, obtain information that may be worth selling on the "Dark Web", or simply come to the money in some fraudulent way – this could be a "hijacking" of the account and sending a message requesting payment that the user in the organization simply does not detect, or sending a "begging" message to clients or business partners. Damage is caused not only to the clients, but also to the reputation of the company that was the source of such an attack.

  • Exchange Online protection against Malware

So how does Exchange Online protect itself against malware then? The service that is the gateway to Exchange Online is the already mentioned Exchange Online Protection. It focuses on spam evaluation, malware, phishing attacks… EOP uses inputs from leading companies in the field of Internet protection. The whole EOP heuristic is beyond description, but there are a few interesting things that can provide a little peace of mind and, of course, things that can be set up by administrators. Details related to setting up Anti Malware policies are observed in some depth here (

Regarding the settings, it's definitely appropriate to check the Malware filter settings in Exchange Online and add known extensions. If the company doesn't handle really specific matters, then files such as: .js, .cmd, .com and so on simply have no place in the e-mails. Setting up the processing of detected emails is also a good idea – whether you require the sender to be notified (it is worth notifying the internal users), where and how the detected email should be delivered (quarantine / spam without attachment), etc.

I definitely recommend checking if Zero-Hour Auto Purge (ZAP), a relatively new feature in the policy, is switched on. This technology continuously monitors already received emails and it can move such emails to spam or quarantine should the definitions be updated on the malware / spam side. This happens, for example, if the links in the email are "armed" and turn out dangerous only after the message has been delivered and passed through EOP and Safe Links, or when a new virus is detected the definition of which was not available at the time of delivery.

  • Advanced Threat Protection

Azure ATP (more here ) is a technology that steps over the boundaries of Exchange Online again and intersects the most of the available services, including Office 365 applications (Word, Excel…), where it detects code execution in the files that have been opened in them, as well as the files on OneDrive and SharePoint. There are two parts of ATP that are absolutely relevant to Exchange Online - Safe Links and Safe Attachments.

These things do exactly what their names imply – they check the links and files on delivery. And it is extremely interesting how they do it. Files and links are thoroughly tested in the "detonation chamber" when received – each link contained in the email is opened in a virtual machine, clicked on, time is accelerated in order to prevent a malicious code from being injected after a while, etc. The files get treated the same way, they get opened, clicked on by an automated test, the robot also tries scrolling and random actions, again it waits for some time if there is no delayed attack, or alternatively the links in the file are also tested. The file or email with the links is delivered to the mailbox provided all the tests are successful.

There are two disadvantages – firstly – it slows down the file delivery. This can be solved to some extent, by enabling the "Dynamic delivery" function, i.e. the email is delivered directly, and the files and links are made available gradually with a delay.

Secondly, of course, it is the price, as these features are only available in the top plans of Office 365. Separate Office 365 ATP Plan 1 and ATP Plan 2 subscriptions are available if you only need this functionality to supplement lower subscriptions or as part of large packages. ATP Plan 2 is included in Office 365 E5, Office 365 A5, and Microsoft 365 E5, and ATP Plan 1 is available as part of Microsoft 365 Business Premium. Despite the relatively high price, in my opinion and experience, this is one of the best ways how to increase the security of your Exchange Online and the entire organization, including workstations, when deployed within Microsoft 365 Enterprise subscriptions.

3. Internal Violation and Human Error

In this section, I dared to unite these two issues – consequently, it does not matter whether the leak of information is intended, or if it was caused by the user‘s negligence or ignorance. The tools, that I am going to analyse further on, can be used to actively combat leaks, as well as to educate users. Then the difference is only in the intention, not in the technical solution. The following topics describe help both in the case of an intentional attack, as well as in the case of a simple user error.

  • Data Loss Prevention Policy

Data loss prevention (DLP) policies are a great tool for educating users and preventing them from doing something unwisely. Especially nowadays, when organizations have to meet the requirements of PCI DSS, GDPR (in the EU), or HIPAA (in the US), leakage of sensitive data needs to be paid attention to, even though it may be accidental. The DLP policies allow us to detect sensitive information across the services – in files on OneDrive, in emails, attachments, in SharePoint repositories, and at the moment they are detected, to decide on further actions. You can block such data sent outside the organization, or even within the organization, allow it if a good justification is provided, or just notify the sender that he is sending information of a certain type and only audit these actions.

The DLP policies also allow very fine settings that determine the conditions under which a policy will run. E.g. if a company deals with its customers on a regular basis and there are contracts in the attachments that contain, let‘s say, account numbers or birth identification numbers, it is inappropriate to block all such e-mails, or to require an explanation from everyone. The solution is to set limits accordingly, for example, two occurrences pass only with an entry in the audit log, four or more already trigger an alarm and ten are already automatically blocked and a notification is sent to the sender‘s superior.

The DLP policies are available for plans that include Exchange Online Plan 2, which means either a separate subscription for Exchange Online Plan 2, or Office 365 / Microsoft 365 E3 and higher.

The DLP policies are an extremely powerful tool especially in conjunction with other tools - Azure RMS / Azure AIP and Azure PIM. However, they deserve their own article as they affect data throughout the whole Microsoft 365. Additionally, their impact on Exchange is relatively small because the data processing and categorization precede its actual sending.

  • Alerting

If we deploy the DLP policies, it is recommended to supplement them by setting up additional alerts. The product has some policies already pre-set (high volume of outgoing messages and several others) and it is definitely a good idea, depending on the licenses used in the organization, to check what you have available and to go through the templates at your disposal. These are examples of rather interesting alerts: excessive flow of spam, high volume of open messages, or assignment of delegate rights and access to someone else‘s mailbox. A description of the basic alert policies can be found here (httpns://, including the subscriptions that trigger individual alerts. There are many options available and you will definitely find something extra that you would like to monitor.

4. In conclusion

I hope the article has shown that there are many ways to increase security in Exchange Online, and if you examine them, you will find out that they are relatively friendly to set up.

The usual problem is how to organize the whole environment so that some things are not done twice and something is not forgotten, and how to combine all the tools and technologies into one comprehensive ecosystem, which will bring the organization a significant increase in security.

Although Exchange Online can be viewed as a separate service which can actually be run on its own without additional components, it is definitely not worth doing so and it is better to invest. After all, security has been the No. 1 topic in IT for several years, also due to the crucial importance of IT systems to the companies.

Share on social media



Didn't find what you were looking for? Send us a message and we will stay in touch with you.

* Required field. We will only use personal data to prepare an answer to your inquiry. Privacy Terms.

* Data processing consent

map us
map eu