Stop Phishing Emails Before They Hit Your Inbox
Cybercriminals still rely on phishing more than any other tactic to trick employees and gain access to business systems. If you're running a business with Microsoft 365, your inbox is the front line. Here's how to harden your anti-phishing posture.
According to the FBI's IC3 report, phishing remains the most common cybercrime by volume - and business email compromise (BEC) accounts for billions in annual losses. For Microsoft 365 users, the good news is that Microsoft provides robust, layered defenses. The bad news? Most organizations never configure them beyond the defaults.
This guide walks through the layers of anti-phishing protection available in Microsoft 365 and what you should configure today - not eventually.
Layer 1: Email Authentication (SPF, DKIM, DMARC)
Before a phishing email even reaches a filter, proper email authentication tells receiving servers whether a message actually came from where it claims. These three records work together:
Publishes a list of IP addresses authorized to send email on behalf of your domain. If an attacker tries to spoof your domain from an unauthorized server, receiving mail servers can reject or flag it.
Create a TXT record at your domain: v=spf1 include:spf.protection.outlook.com -all
Adds a cryptographic signature to outgoing emails. Receiving servers verify the signature against a public key in your DNS. Tampered or forged emails fail verification.
Enable in Microsoft 365 Defender → Email & Collaboration → Policies → DKIM
Ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication - nothing, quarantine, or reject. Also sends you reports of who is sending on your behalf.
Start with p=none for monitoring, then move to p=quarantine and ultimately p=reject
Layer 2: Microsoft Defender Anti-Phishing Policies
Microsoft 365 Defender (formerly ATP) includes dedicated anti-phishing policies that go beyond basic spam filtering. These are found under Security.microsoft.com → Email & Collaboration → Policies & Rules → Threat Policies → Anti-phishing.
Critical Settings to Configure
Impersonation Protection
Specify key users (executives, finance, IT) and domains that should never be spoofed. Defender will flag or quarantine emails impersonating these identities.
Mailbox Intelligence
Enables AI-based analysis of user communication patterns. Emails from contacts you've never interacted with, or that deviate from established patterns, receive elevated scrutiny.
Spoof Intelligence
Identifies when external senders are spoofing your domain or partner domains. Review the spoof intelligence insight report weekly and configure your allow/block list.
First Contact Safety Tips
Adds a visible banner to emails from senders your users have never received email from before. Simple but effective at creating a moment of pause.
Phishing Email Threshold
Set to 2 (Aggressive) or 3 (More Aggressive) for sensitive environments. The default of 1 (Standard) misses more sophisticated campaigns.
Layer 3: Safe Links & Safe Attachments
Safe Links
Rewrites URLs in emails and Teams messages through Microsoft's threat intelligence service. Malicious links are blocked at click-time, even if the URL was benign when delivered.
- Enable real-time URL scanning
- Apply to email, Teams, and Office apps
- Do not allow users to click through warnings
- Enable "Do not track when users click safe links"
Safe Attachments
Opens email attachments in an isolated virtual environment (detonation chamber) before delivery. Malware that evades signature-based detection is caught by behavioral analysis.
- Set action to "Block" (not "Monitor")
- Enable "Dynamic Delivery" to reduce delays
- Apply to SharePoint, OneDrive, and Teams
- Block malicious files on detection
Layer 4: Mail Flow Rules That Actually Help
Exchange Online mail flow rules (transport rules) let you add tags, warnings, or blocks based on message properties. Several are critical for phishing defense:
External Email Warning Banner
Prepend a visible HTML banner to all emails originating from outside your organization. This is one of the highest-ROI phishing defenses available.
Block Executable Attachments
Create a rule to block or quarantine emails with .exe, .bat, .ps1, .vbs, .js, .msi, .iso, and .lnk attachments. Legitimate business email rarely needs these.
High-Risk Sender Quarantine
Route emails containing password reset links, invoice keywords, or wire transfer language to a moderated quarantine for review before delivery.
Layer 5: Attack Simulation & User Training
Technical controls alone are not enough. The most sophisticated phishing emails are crafted to pass every filter and still fool a human. Microsoft 365 Defender includes Attack Simulation Training - use it.
- Run simulated phishing campaigns quarterly - use credential harvest, link-in-attachment, and spear-phishing templates
- Assign training modules automatically to users who click simulated phishing links
- Track click rates and training completion in the Simulation Reports dashboard
- Pair simulations with a clear, no-blame reporting culture so employees report real suspicious email
- Use the "Report Message" add-in so employees can report phishing with one click
Your Anti-Phishing Hardening Checklist
- Publish SPF record and enforce with -all (hard fail)
- Enable DKIM signing for all sending domains in Microsoft 365
- Deploy DMARC with p=quarantine or p=reject policy
- Configure Defender anti-phishing policy with impersonation protection and aggressive threshold
- Enable Safe Links for email, Teams, and Office apps
- Enable Safe Attachments with Block action and Dynamic Delivery
- Create an external email warning banner rule in Exchange Admin Center
- Block executable and high-risk attachment types via transport rules
- Run quarterly phishing simulations with automatic training assignment
- Deploy the "Report Message" or "Report Phishing" add-in to all users
- Review the spoof intelligence report weekly
Related from SOClogix
About SOClogix
SOClogix provides Microsoft 365 security hardening, managed detection and response, and 24/7 SOC monitoring for SMBs. Our team can audit your M365 tenant, implement these controls, and monitor your environment for the threats that still slip through.