How to Protect Microsoft 365 Accounts From Phishing Attacks

A practical step-by-step guide for Canadian small businesses using Microsoft 365 Business Standard or Premium — written by the managed IT team at CtrlShift IT Services.

Estimated reading time
8 minutes
Who this guide is for
Owners, office managers, and IT decision-makers at Canadian small businesses (5–50 employees) on Microsoft 365 who want to reduce their exposure to phishing-based account takeover and email fraud.
Last reviewed: April 2026

Phishing Is the #1 Entry Point for Small Business Breaches

Most small business breaches do not start with a sophisticated zero-day exploit or a brute-force attack against your firewall. They start with one employee clicking one convincing email. Phishing is the leading cause of Microsoft 365 account takeovers — and a compromised M365 account is not just a lost inbox. It is access to SharePoint, OneDrive, Teams, and every integration your business has connected to that identity.

This guide stays focused on phishing prevention and response. For the wider Microsoft 365 posture (endpoint security, backup, and admin protection) see the Microsoft 365 Security Checklist.

How a phishing-led SMB incident usually unfolds

  1. Phishing email: lands in the inbox
  2. User clicks: link or attachment opened
  3. Credentials captured: password or session token stolen
  4. Tenant access: mailbox or SharePoint reached
  5. Fraud or disruption: BEC, data theft, ransomware

Each section below is aimed at breaking one or more links in that chain.

Four Protection Layers for Phishing Defence

Phishing defence is not one toggle in Microsoft 365. Small-business tenants hold up best when awareness, identity, email controls, and response discipline all reinforce each other.

User Awareness

Short monthly training, one-click reporting, and a no-blame culture reduce how often suspicious emails become incidents.

Identity Protection

MFA, Conditional Access, and blocking legacy auth stop most credential-only phishing from turning into mailbox access.

Email Security Controls

Anti-phishing, Safe Links, Safe Attachments, SPF, DKIM, and DMARC reduce spoofing, malicious links, and attachment risk.

Response & Recovery

Fast reporting, session revocation, mailbox review, and a practiced response process shorten dwell time and limit fraud.

The Threat Types Most SMB Teams Actually See

Credential Phishing

Fake login prompts steal passwords or session cookies and are still the most common entry point into Microsoft 365 tenants.

Business Email Compromise

Attackers quietly monitor real mailboxes, learn approval flows, and redirect payments or payroll without deploying malware.

Malicious Attachments

Weaponized invoices, resumes, and “shared documents” deliver malware or lure users into enabling risky macros.

Spot the Red Flags

Use this example to show staff what a typical Microsoft 365 phishing email looks like. The details that should stop a reader are called out after the message.

Example inbox preview: Microsoft 365 Account Verification

From: Microsoft Account Team <security-review@microsoft365-alerts.net>
Subject: Action required: your mailbox will be suspended today

Hello,

We detected unusual sign-in activity on your Microsoft 365 account. To avoid deactivation, verify your mailbox and sign in again using the secure link below.

Review Mailbox Activity

This secure review page expires in 15 minutes. Failure to act may result in email delivery disruption.

What gives it away:

  • The display name says "Microsoft Account Team" but the sending domain is microsoft365-alerts.net, which is not a Microsoft domain. A display name that does not match the sender address is the most reliable tell.
  • A suspension threat with a 15-minute deadline is manufactured urgency, designed to stop the reader from checking with anyone.
  • The "secure link" leads to a sign-in page. Staff should never sign in from an emailed link; open Microsoft 365 from a bookmark or the app and look for alerts there.
  • The greeting is generic ("Hello,") and nothing in the message names the user or the company.

1. Employee Awareness — Your First Line of Defence

Technical controls can be bypassed when users act under social pressure. A convincing invoice email, a spoofed CEO message, or a fake Microsoft login page is designed to move faster than caution. Awareness training does not eliminate that risk, but it measurably reduces it, and it makes your other controls more effective by ensuring staff actually use the Report button.

Modern phishing attempts are highly targeted. Attackers research your business, reference real supplier names, and send from spoofed or compromised accounts your staff already trust. Training your team to slow down and verify before clicking — especially for unexpected requests involving payments, credentials, or urgency — addresses the most exploited vulnerability in any small business: human reflex.

  • Deploy the Microsoft Report Message add-in (or the built-in Report button in newer Outlook clients) for all users; one click flags suspicious email and feeds the submission to Defender
  • Run quarterly simulated phishing; frequency beats length. Microsoft's Attack simulation training requires Defender for Office 365 Plan 2, which Business Premium (Plan 1) does not include, so budget for the Plan 2 add-on or a third-party simulation service
  • Teach staff the three red flags: unexpected urgency, requests involving credentials or payments, and sender addresses that do not match the display name
  • Make it socially safe to report a suspicious click — staff who report quickly limit damage significantly

2. Configure Microsoft Defender Anti-Phishing Policy

Microsoft Defender includes a dedicated anti-phishing policy that catches impersonation attacks, spoofed senders, and domain lookalikes. Out of the box, basic protection is on — but the controls that catch targeted attacks against your specific business are off by default and require manual configuration.

Navigate to the Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat Policies → Anti-phishing. On the default policy, configure:

  • Impersonation protection — add your CEO, finance lead, and any frequently impersonated domain partners as protected users and domains
  • Mailbox intelligence — enable it, and enable its impersonation protection action; it learns each user's normal correspondents so a lookalike of a real contact is flagged. Turn on the first contact safety tip as well, which warns users when a sender has never emailed them before
  • Spoof intelligence — review the spoof intelligence report weekly until you understand your legitimate mail sources
  • Actions — set impersonated sender detection to Quarantine rather than Junk; it gives you a review queue instead of hoping staff notice

Business Standard includes basic anti-phishing. Business Premium (or the Defender for Office 365 Plan 1 add-on) unlocks the full impersonation and intelligence features. For admin accounts, apply the Strict preset security policy — it is the most conservative configuration Microsoft offers and should be the baseline for anyone with elevated privileges.
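As an added example (not CtrlShift's own script), the same configuration applied from PowerShell, which is easier to review, document for an insurer, and re-apply after policy drift than clicking through the portal. It assumes the ExchangeOnlineManagement module, an account holding the Security Administrator role, Defender for Office 365 Plan 1, and placeholder names, addresses and partner domains under contoso.ca:

```powershell
# Added example, not CtrlShift's script. Assumes ExchangeOnlineManagement is installed and the
# signed-in account is a Security Administrator. People, addresses and domains are placeholders.
Connect-ExchangeOnline

$policy = "Office365 AntiPhish Default"   # the built-in default policy every tenant has

Set-AntiPhishPolicy -Identity $policy `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Smith;jane.smith@contoso.ca", "Raj Patel;raj.patel@contoso.ca") `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @("trusted-supplier.ca", "contoso-accounting.ca") `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2        # 1 = standard, 2 = aggressive; 3-4 generate more false positives

# Read the policy back rather than trusting a silent success: this output is your evidence.
Get-AntiPhishPolicy -Identity $policy |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction,
                  EnableFirstContactSafetyTips, AuthenticationFailAction, PhishThresholdLevel
```

Protected users are given as "Display Name;address" pairs. Quarantining impersonation and spoof failures means someone has to work the quarantine queue, which is the point: a missed quarantine is visible, a missed Junk folder is not.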

3. Enforce Multi-Factor Authentication

99%+
of automated account-takeover attempts are blocked when phishing only steals a password and MFA is enforced correctly.

MFA is the single most effective control against credential-based phishing. A stolen password alone is not enough to access an account when MFA is enforced — which is why Microsoft's own data puts MFA at blocking over 99% of automated account takeover attempts.

The fastest path for most small businesses: enable Security Defaults in the Microsoft Entra admin centre (formerly Azure AD). This enforces MFA registration for all users and blocks legacy authentication in one setting, with no licence upgrade required. Security Defaults and Conditional Access policies cannot be on at the same time, so it is the right answer for Business Standard tenants; Business Premium tenants replace it with the explicit policies in section 4.

Identity Layer

Why identity protection stops most phishing attacks

Most phishing incidents only become breaches when a stolen password turns into a successful sign-in. Identity controls break that handoff. They do not stop every message from landing, but they stop most mailbox-takeover attempts from becoming business email compromise, data theft, or ransomware staging.

Phishing-resistant MFA

FIDO2 keys or passkeys stop modern token-theft kits far better than SMS codes. Use them first for admins, finance roles, and anyone approving wire changes.

Conditional Access

Conditional Access checks context like device state, sign-in risk, and geography so a stolen password plus weak MFA is still not enough in the wrong conditions.

Legacy auth blocking

IMAP, POP, and older basic-auth flows bypass MFA completely. Blocking them removes the side door attackers test after they steal credentials.

  • Prefer Microsoft Authenticator with number matching, or passkeys, over SMS codes. SMS is vulnerable to SIM swapping, and plain push approval without number matching is vulnerable to prompt-bombing until the user taps Approve
  • Enforce MFA on every account that can sign in, and block sign-in entirely on shared mailbox accounts (each one carries a hidden user account with a password that attackers test). Service accounts that genuinely cannot do MFA should be locked to known IP addresses and named applications with Conditional Access
  • Register two break-glass admin accounts with physical FIDO2 security keys and store them in a documented, secure location
  • Document your MFA enforcement as evidence — Canadian cyber insurers verify this at renewal

4. Conditional Access Basics

Conditional Access moves beyond password-and-MFA by evaluating the context of each sign-in — location, device compliance, sign-in risk — and enforcing policies based on that context. It requires Microsoft 365 Business Premium or a Microsoft Entra ID P1 licence.

For a 5–50 employee business, four policies cover most of your exposure:

  • Require MFA for all users — Entra will not let you enable Conditional Access policies while Security Defaults is on, so build this policy first in report-only mode, then switch Security Defaults off and enforce it; an explicit policy gives you control over exceptions such as break-glass accounts
  • Block legacy authentication — create an explicit policy targeting legacy auth clients as a belt-and-suspenders measure
  • Require compliant device for admin access — admins should only manage the tenant from a known, managed device
  • Block sign-ins from countries you do not operate in — most Canadian small businesses have no legitimate sign-in traffic from outside North America. Treat this as noise reduction, not a hard barrier: attackers routinely route through local residential proxies, which is why the MFA and device policies above still do the real work

Start every policy in report-only mode for two weeks before enforcing. You will catch shared mailboxes, line-of-business apps, and device exceptions that would otherwise trigger a support call on day one.
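The four policies above, created in report-only mode from PowerShell as an added example (not CtrlShift's own tooling). It assumes the Microsoft Graph PowerShell SDK, an account that can write Conditional Access policy, and that the two GUIDs in $breakGlass are replaced with the object IDs of your break-glass accounts; country codes and the admin role list are placeholders to adjust:

```powershell
# Added example, not CtrlShift's script. Assumes the Microsoft.Graph SDK; $breakGlass holds the
# object IDs of your two break-glass accounts (placeholder GUIDs here) so they are never locked out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass = @("00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002")
$state      = "enabledForReportingButNotEnforced"   # change to "enabled" after the two-week review

# Named location used by CA04. Unknown-country sign-ins are NOT treated as allowed.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("CA", "US")
    includeUnknownCountriesAndRegions = $false
}

$everyone = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
$allApps  = @{ includeApplications = @("All") }

$policies = @(
    @{  displayName   = "CA01 - Require MFA for all users"
        state         = $state
        conditions    = @{ users = $everyone; applications = $allApps; clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") } },

    @{  displayName   = "CA02 - Block legacy authentication"
        state         = $state
        # "other" is IMAP/POP/SMTP basic auth and similar; exchangeActiveSync is EAS with basic auth
        conditions    = @{ users = $everyone; applications = $allApps; clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") } },

    @{  displayName   = "CA03 - Admins require compliant device"
        state         = $state
        conditions    = @{
            # Role template IDs: Global Administrator, Exchange Administrator, Security Administrator
            users = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10",
                                        "29232cdf-9323-42fd-ade2-1d097af3e4de",
                                        "194ae4cb-b126-40b2-bd5b-6091b380977d")
                       excludeUsers = $breakGlass }
            applications = $allApps; clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") } },

    @{  displayName   = "CA04 - Block sign-in outside allowed countries"
        state         = $state
        conditions    = @{ users = $everyone; applications = $allApps; clientAppTypes = @("all")
                           locations = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) } }
        grantControls = @{ operator = "OR"; builtInControls = @("block") } }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0,-48} state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Every policy excludes the break-glass accounts, which is deliberate: a CA03 that locks all admins to compliant devices must not also lock out the account you use when Intune is the thing that is broken. Review the report-only results in the Entra sign-in logs (the Report-only tab on each sign-in) before flipping $state.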

5. Block Legacy Authentication Protocols

Legacy protocols — IMAP, POP3, basic SMTP auth, Exchange ActiveSync with basic auth — cannot enforce MFA. No matter how strong your MFA rollout is, a single legacy-auth endpoint leaves a side door open that attackers specifically scan for. A stolen password is all they need.

Blocking legacy auth is one of the highest-impact, lowest-effort changes in this guide — and it is now flagged as a gap by most Canadian cyber insurance underwriters.

  • If using Security Defaults: legacy auth is blocked automatically — confirm it is enabled in the Entra admin centre under Identity → Overview → Properties → Manage security defaults
  • If using Conditional Access: create an explicit block policy targeting legacy auth clients for belt-and-suspenders coverage
  • Before enforcing: audit for any line-of-business apps using basic SMTP auth to send mail — printers, scanners, CRMs, and older helpdesk tools are the most common gotchas
  • Migrate any app still using basic auth to OAuth or modern auth before blocking
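The audit the last two bullets call for, as an added example (not CtrlShift's own script): it pulls the last 30 days of Entra sign-in logs, reports every account still authenticating with a legacy client, and shows whether SMTP AUTH (the basic-auth path printers and older apps actually use) is still open at the tenant and mailbox level. It assumes the Microsoft Graph SDK with AuditLog.Read.All, ExchangeOnlineManagement, and Entra ID P1 for 30-day log retention (the free tier keeps 7 days):

```powershell
# Added example, not CtrlShift's script. Assumes Microsoft.Graph (AuditLog.Read.All) and
# ExchangeOnlineManagement. Client names match the "Client app" column of the Entra sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All"
Connect-ExchangeOnline

$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
                   "Exchange Online PowerShell", "Exchange Web Services", "MAPI Over HTTP",
                   "Outlook Anywhere (RPC over HTTP)", "Offline Address Book")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull sign-ins for the window and filter client-side on the legacy client names
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

"Legacy-auth sign-ins in the last 30 days: $($legacy.Count)"
$legacy | Group-Object UserPrincipalName, ClientAppUsed | ForEach-Object {
    $last = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        User      = $last.UserPrincipalName
        ClientApp = $last.ClientAppUsed
        Attempts  = $_.Count
        LastSeen  = $last.CreatedDateTime
        LastIP    = $last.IPAddress
        Succeeded = ($last.Status.ErrorCode -eq 0)   # failed attempts are still worth knowing: someone is probing
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize

# SMTP AUTH: tenant-wide switch, plus per-mailbox overrides that survive the tenant switch.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |   # $false = explicitly enabled on this mailbox
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Once every account in the table above has been migrated to OAuth or a modern client, close the door:
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $true
#   Set-CASMailbox -Identity <mailbox> -SmtpClientAuthenticationDisabled $null   # remove per-mailbox exceptions
```

Accounts that show up here with Succeeded = True are the ones that will break when you enforce the block; the ones with Succeeded = False and an unfamiliar IP are someone testing stolen passwords against the side door, which is exactly the activity the block is meant to stop.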

6. Domain Authentication: SPF, DKIM, and DMARC

These three DNS records work together to tell receiving mail servers whether email claiming to come from your domain is actually from you. Without them, an attacker can send a phishing email that appears — to the recipient and their spam filter — to come from your own domain. This is how supplier fraud and CEO impersonation attacks are executed at scale.

Email Trust Layer

Preventing domain spoofing with SPF, DKIM, and DMARC

Domain spoofing protection works best when all three records are treated as one system: SPF says who can send, DKIM proves the message was signed correctly, and DMARC tells receiving servers how strictly to enforce the result.

SPF

Lists the services allowed to send mail for your domain, including Microsoft 365 and any marketing or billing platforms you use.

DKIM

Adds a cryptographic signature to outbound mail so receiving servers can verify the message really came from an approved sender.

DMARC

Tells receiving systems whether to monitor, quarantine, or reject messages that fail SPF or DKIM alignment checks.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the mail servers authorized to send on behalf of your domain. For Microsoft 365, the record is v=spf1 include:spf.protection.outlook.com -all. If you also send from a marketing platform or third-party system, add its include as well, but keep it to a single SPF record and stay under the ten DNS lookup limit: each include counts, and a record that exceeds the limit fails permanently for everyone.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outbound email that receiving servers verify against a public key in your DNS. Enable it in the Defender portal under Email & Collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. Microsoft generates and hosts the keys; you add two CNAME records (selector1._domainkey and selector2._domainkey) to your DNS that point at them, and rotation happens on Microsoft's side without further DNS changes.

DMARC (Domain-based Message Authentication)

DMARC tells receiving servers what to do when email fails SPF or DKIM alignment. Start with p=none and a rua= reporting address to monitor for two to four weeks, then move to p=quarantine, then p=reject. The monitoring phase shows you all legitimate mail streams sending on your behalf: marketing tools, CRMs, and invoicing platforms that need to be in SPF before you enforce. Alignment is the part that trips people up: the domain that passes SPF or DKIM must match the domain in the From: header, so a vendor sending from its own envelope domain can pass SPF and still fail DMARC unless you set up its DKIM signing for your domain.

Check your current status with a free MXToolbox DMARC lookup. Related guide (coming soon): How to Set Up DMARC for Your Business Domain.
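A local version of that lookup, as an added example (not CtrlShift's own tooling): it checks the three records for a domain, reports the common misconfigurations (no SPF, an SPF that does not authorise Microsoft 365 or ends in +all, too many lookups, DKIM CNAMEs that do not match what the tenant expects, DMARC with no reporting address), and creates the DKIM selectors if the tenant has none. It assumes Windows PowerShell with Resolve-DnsName and ExchangeOnlineManagement; contoso.ca and the report mailbox are placeholders:

```powershell
# Added example, not CtrlShift's script. Assumes the DnsClient module (Resolve-DnsName) and
# ExchangeOnlineManagement. "contoso.ca" and the DMARC report address are placeholders.
$domain = "contoso.ca"

function Get-TxtRecords([string]$name) {
    # One string per TXT record, multi-part records joined back together; empty on NXDOMAIN
    try {
        Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq "TXT" } | ForEach-Object { $_.Strings -join "" }
    } catch { @() }
}

# --- SPF: exactly one v=spf1 record at the apex ------------------------------------------
$spf = @(Get-TxtRecords $domain) | Where-Object { $_ -like "v=spf1*" }
if (@($spf).Count -ne 1) {
    "SPF: found $(@($spf).Count) records (need exactly 1). Publish:  v=spf1 include:spf.protection.outlook.com -all"
} else {
    # Mechanisms that cost a DNS lookup; more than 10 and receivers return permerror, i.e. SPF fails for all mail
    $lookups = ($spf -split "\s+" | Where-Object { $_ -match "^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)" }).Count
    $issues = @()
    if ($spf -notmatch "include:spf\.protection\.outlook\.com") { $issues += "does not authorise Microsoft 365" }
    if ($spf -match "[+?]all")                                    { $issues += "ends in +all/?all, which authorises anyone" }
    if ($lookups -gt 10)                                          { $issues += "$lookups DNS lookups (limit 10)" }
    "SPF: $(if ($issues) { 'FIX: ' + ($issues -join '; ') } else { 'OK' })  [$spf]"
}

# --- DKIM: Microsoft hosts the keys; your zone needs two CNAMEs pointing at them ----------
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }  # creates selectors, signs nothing yet
foreach ($n in 1, 2) {
    $expected = $dkim."Selector${n}CNAME"
    $actual   = (Resolve-DnsName -Name "selector$n._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    "DKIM selector$n : $(if ($actual -eq $expected) { 'OK' } else { 'FIX' })  expected=$expected  found=$actual"
}
"DKIM signing enabled: $($dkim.Enabled)  (run Set-DkimSigningConfig -Identity $domain -Enabled `$true once both CNAMEs resolve)"

# --- DMARC: TXT at _dmarc.<domain>; p=none first, always with an aggregate report address ---
$dmarc = @(Get-TxtRecords "_dmarc.$domain") | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) {
    "DMARC: MISSING. Publish TXT _dmarc.$domain  v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain"
} else {
    $p   = if ($dmarc -match "p=(none|quarantine|reject)") { $Matches[1] } else { "invalid" }
    $rua = [bool]($dmarc -match "rua=mailto:")
    "DMARC: policy=$p  aggregate-reports=$(if ($rua) { 'yes' } else { 'NO, you get no visibility' })  [$dmarc]"
}
```

Run it before and after each DNS change; the SPF lookup count is the check most online tools skip, and it is the one that silently breaks when a second marketing platform gets added a year later.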

8. Enable Safe Attachments

Safe Attachments routes incoming email attachments through a detonation sandbox before delivering them — opening the file in a controlled environment to detect malicious behaviour that signature-based antivirus would miss. This catches zero-day malware, macro-based payloads, and weaponized Office documents.

Enable Safe Attachments in Defender portal → Threat Policies → Safe Attachments. Recommended settings:

  • Set the action to Dynamic Delivery — this delivers the email body immediately and holds only the attachment during scanning, so staff are not waiting on a sandbox for every message. It only works for mailboxes hosted in Exchange Online; mail routed to on-premises mailboxes falls back to Block
  • Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams — this is a tenant-wide switch under Global settings on the Safe Attachments page, not part of the per-policy rules, and it is often overlooked
  • Review quarantined attachments weekly — some legitimate attachments with unusual macro structures will be held, and you need a process for releasing them

Safe Attachments requires Defender for Office 365 Plan 1 (Business Premium or add-on). A policy on its own does nothing until a rule scopes it to recipients, which is the most common reason a tenant believes it has sandboxing and does not.
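The same configuration from PowerShell, as an added example (not CtrlShift's own script). It creates the policy and the rule that scopes it, turns on the SharePoint/OneDrive/Teams switch, and reads everything back so you can see the rule is actually enabled. It assumes ExchangeOnlineManagement, Defender for Office 365 Plan 1, no existing policy of the same name, and contoso.ca as a placeholder domain:

```powershell
# Added example, not CtrlShift's script. Assumes ExchangeOnlineManagement and Defender for
# Office 365 Plan 1. Policy/rule names and "contoso.ca" are placeholders.
Connect-ExchangeOnline

# The policy says what to do; the rule says who it applies to. Without the rule nothing is scanned.
New-SafeAttachmentPolicy -Name "SA - All users" `
    -Enable $true `
    -Action DynamicDelivery `
    -QuarantineTag AdminOnlyAccessPolicy      # built-in quarantine policy: users cannot self-release detonated files

New-SafeAttachmentRule -Name "SA - All users" `
    -SafeAttachmentPolicy "SA - All users" `
    -RecipientDomainIs "contoso.ca"           # add every accepted domain you receive mail for

# SharePoint / OneDrive / Teams scanning is a tenant-wide switch, separate from the policy above
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify: Action = DynamicDelivery, rule State = Enabled, SPO/Teams flag = True
Get-SafeAttachmentPolicy -Identity "SA - All users" | Select-Object Name, Enable, Action, QuarantineTag
Get-SafeAttachmentRule   -Identity "SA - All users" | Select-Object Name, State, RecipientDomainIs
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
```

AdminOnlyAccessPolicy matters for the weekly review in the bullet above: with the default quarantine policy, users can release their own quarantined attachments, which turns the sandbox into a speed bump.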

Phishing Response Flow

The practical goal is not zero clicks. It is shortening the time between a suspicious email and the response steps that limit mailbox abuse.

  1. Suspicious email reported: the user flags the message through the Report Message add-in or directly to IT.
  2. Assess impact: confirm whether the user only received the message, clicked it, entered credentials, or approved an MFA prompt.
  3. Isolate the account if needed: if compromise is possible, disable sign-in or isolate the device while triage begins.
  4. Reset the password and revoke sessions: rotate credentials, revoke active sessions, and force fresh authentication.
  5. Review mailbox rules and sign-in logs: look for forwarding rules, OAuth grants, unfamiliar IPs, and suspicious app activity.
  6. Communicate next steps: tell leadership and affected staff what happened, what changed, and what to watch for next.

9. What to Do If an Employee Clicks a Phishing Link

Fast response limits damage. The worst outcome is not the initial click — it is the 48 hours of undetected access that follow. Have this process written down before you need it, not after.

  1. Isolate the device from the network — disconnect from Wi-Fi or Ethernet while you triage. Do not power it off; memory forensics may be needed.
  2. Reset the user's Microsoft 365 password immediately — in Microsoft Entra admin centre, reset the password and force re-registration of MFA.
  3. Revoke all active sessions — in Entra admin centre, navigate to the user → Revoke sessions. This invalidates the refresh tokens the attacker holds; access tokens already issued keep working until they expire (up to about an hour), so expect a short tail of activity in the logs and do not read it as a failed revocation.
  4. Audit forwarding and inbox rules — attackers frequently add a silent forwarding or delete rule as their first action after gaining access. Check both places: Exchange admin centre → Mailboxes → the affected user → Mail Flow Settings → Message Forwarding for mailbox-level forwarding, and the user's Outlook inbox rules (Get-InboxRule in Exchange Online PowerShell, since rules created through MAPI can be hidden from the Outlook UI).
  5. Review sign-in logs — in Entra admin centre → Sign-in logs, filter on the compromised account and look for anomalous locations, IP ranges, or application access you do not recognize.
  6. Check OAuth app consent grants — attackers sometimes trick users into granting a malicious third-party app access to the mailbox. Check Entra admin centre → Enterprise Applications for any unfamiliar apps with broad mail permissions.
  7. Notify your IT provider or internal security contact before making further changes — evidence preservation matters for insurance claims and breach notification requirements.
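Steps 2 through 6 as one runnable triage script, added here as an example and not CtrlShift's own runbook. It contains the account before anything else (the page's ordering has the password reset first; revoking tokens first matters more, because an attacker holding a session does not need the password), then collects inbox rules including hidden ones, mailbox forwarding, 14 days of sign-ins, and the OAuth grants the user consented to. It assumes the Microsoft Graph SDK with User.ReadWrite.All, AuditLog.Read.All and Directory.Read.All, ExchangeOnlineManagement, and a placeholder UPN:

```powershell
# Added example, not CtrlShift's runbook. Assumes Microsoft.Graph (User.ReadWrite.All,
# AuditLog.Read.All, Directory.Read.All) and ExchangeOnlineManagement. The UPN is a placeholder.
$user = "jane.smith@contoso.ca"
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# 1. Contain first. Disabling the account plus revoking refresh tokens stops sessions renewing;
#    already-issued access tokens live up to about an hour, so a short tail of activity is expected.
Update-MgUser -UserId $user -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user | Out-Null

# 2. Inbox rules, including hidden ones created through MAPI that the Outlook UI does not show.
Get-InboxRule -Mailbox $user -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder | Format-Table -AutoSize

# 3. Mailbox-level forwarding, set outside Outlook rules, so step 2 does not catch it.
Get-Mailbox -Identity $user | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Sign-ins for the last 14 days: flag any country, IP range or client app you do not recognise.
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$user' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IPAddress,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed,
        @{ n = "Result";  e = { if ($_.Status.ErrorCode -eq 0) { "success" } else { "error $($_.Status.ErrorCode)" } } } |
    Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# 5. OAuth grants this user consented to. An unfamiliar app holding Mail.* or offline_access keeps
#    working after the password reset, because it never needed the password in the first place.
$userId = (Get-MgUser -UserId $user).Id
Get-MgUserOauth2PermissionGrant -UserId $userId | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; Publisher = $sp.PublisherName; Scopes = $_.Scope; GrantId = $_.Id }
} | Format-Table -AutoSize
# Remove a malicious grant with:  Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>

# 6. Only after the evidence above is saved: reset the password and require MFA re-registration in the
#    Entra admin centre, then re-enable sign-in with  Update-MgUser -UserId $user -AccountEnabled:$true
```

Save the output of steps 2 through 5 before changing anything else; it is the record your insurer and, if personal information was exposed, your PIPEDA breach assessment will ask for.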

10. How Attackers Bypass Basic Protections

Understanding the attack methods helps you decide which controls are worth the investment. These are the bypass techniques we see most often in small business incidents:

  • AiTM (Adversary-in-the-Middle) phishing kits — rather than asking for your password directly, these kits proxy a real Microsoft login page. When you complete MFA, the kit steals your authenticated session cookie and replays it in real time. The attacker is logged in as you before you finish. Defence: phishing-resistant MFA (FIDO2 security keys or passkeys) for admin and finance roles, because the credential is bound to the real login.microsoftonline.com origin and never works through a proxy; for everyone else, require a compliant or Entra-joined device in Conditional Access. Sign-in risk conditions are the other option, but they need Entra ID P2, which Business Premium does not include.
  • OAuth consent phishing — a link prompts the user to grant a malicious third-party app access to their mailbox. No credentials are stolen — the app gets a legitimate OAuth token. The mailbox is now accessible to the attacker for as long as the grant is active. Defence: restrict third-party OAuth app consent in Entra admin centre; review existing grants quarterly.
  • QR code phishing — the malicious link is embedded in a QR code image rather than a clickable URL. Even where the filter extracts the URL from the image (newer Defender for Office 365 releases do), the scan happens on the user's personal phone, outside Safe Links, the managed browser, and every other corporate control at click time. Defence: user training to never scan QR codes from unsolicited email, and phishing-resistant MFA for the roles that matter, since the phone's browser still ends up on an AiTM page.
  • Trusted sender compromise — rather than spoofing your supplier, the attacker first compromises the supplier's actual mailbox and then sends from a legitimate address. SPF, DKIM, and DMARC pass. Defence: train staff to verify unexpected payment or credential requests via phone using a known number, regardless of sender reputation.
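The consent-phishing defence from the second bullet, as an added example (not CtrlShift's own script): it limits user consent to low-risk permissions from verified publishers using Microsoft's built-in permission grant policy, and lists every existing delegated grant in the tenant whose scopes can read mail or files, for the quarterly review. It assumes the Microsoft Graph SDK with Policy.ReadWrite.Authorization and Directory.Read.All; the scope pattern is an assumption about which permissions you consider sensitive:

```powershell
# Added example, not CtrlShift's script. Assumes Microsoft.Graph with Policy.ReadWrite.Authorization
# and Directory.Read.All. The list of "risky" scopes is this example's assumption; extend it as needed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# Users may only self-consent to low-impact permissions (e.g. User.Read, openid) from verified publishers;
# anything broader, such as Mail.Read, goes to an admin. Use an empty array to disable user consent entirely.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Quarterly review: every delegated grant whose scopes reach mail, files, contacts or long-lived tokens.
$riskyScopes = "Mail\.|MailboxSettings|Files\.|Sites\.|Contacts\.|Calendars\.|offline_access|EWS\.|IMAP\.|POP\.|SMTP\."
$spCache = @{}
Get-MgOauth2PermissionGrant -All | Where-Object { $_.Scope -match $riskyScopes } | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    }
    $sp = $spCache[$_.ClientId]
    [pscustomobject]@{
        App         = $sp.DisplayName
        Publisher   = $sp.PublisherName     # blank = no verified publisher; review these first
        ConsentType = $_.ConsentType        # AllPrincipals = an admin consented on behalf of everyone
        Principal   = $_.PrincipalId        # user object ID for per-user consent, empty for tenant-wide
        Scope       = $_.Scope
        GrantId     = $_.Id                 # feed to Remove-MgOauth2PermissionGrant to revoke
    }
} | Sort-Object Publisher, App | Format-Table -AutoSize
```

Restricting consent after the fact does not touch grants that already exist, which is why the review half of the script is not optional: a grant made last year keeps working until someone revokes it.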

11. When to Involve a Managed IT Provider

These controls are configurable without external help — but configuration is only part of the picture. The gaps we most often find when auditing self-managed tenants are not missing settings; they are missing oversight. No one is watching the sign-in logs. Alerts are firing with no one reading them. A Conditional Access policy was set to report-only and never enforced.

Consider engaging a managed IT provider when:

  • No one internally monitors sign-in logs, Defender alerts, or the quarantine queue on a documented schedule
  • You are unsure whether your current Defender policies are correctly configured and tested
  • You have had a suspicious incident — a password reset you did not initiate, an unexpected forwarding rule, an unfamiliar app in your Entra app list
  • You are approaching a cyber insurance renewal and need documented evidence of controls
  • You need Conditional Access but are not confident about testing it in report-only mode before enforcing

A managed provider should be actively monitoring your tenant for anomalous sign-ins, managing policy drift, running phishing simulations, and having a documented runbook for incident response — not just keeping the lights on.

Frequently Asked Questions

Does Microsoft 365 Business Standard include phishing protection?
Basic Defender anti-phishing and spoof intelligence are included. Safe Links and Safe Attachments require Business Premium or a Defender for Office 365 Plan 1 add-on. If your team handles client financial data or regulated information, the Premium upgrade is worth it.
Is turning on Security Defaults enough for a small business?
Security Defaults enforces MFA for all users and blocks legacy authentication — both high-impact controls. But it does not give you Safe Links, Safe Attachments, anti-impersonation policies, or granular Conditional Access. Think of it as a strong starting point, not a complete posture.
How do I know if my domain has SPF and DMARC configured?
Run a free lookup at MXToolbox.com — enter your domain and check SPF, DKIM, and DMARC records separately. A missing or broken DMARC record means attackers can send email that appears to come from your own domain, and receiving servers will not know to block it.
Can phishing attacks bypass MFA?
Yes — modern adversary-in-the-middle (AiTM) kits proxy a real Microsoft login page, steal your session token after a successful MFA challenge, and use it to log in without your credentials. Phishing-resistant MFA (FIDO2 security keys or passkeys) eliminates this entirely. Standard Authenticator app MFA still blocks most attacks but is not immune to AiTM.
What is the most common way small businesses in Canada get compromised?
Credential phishing followed by business email compromise (BEC). The attacker silently reads email for days or weeks to understand payment processes, then diverts a wire transfer or impersonates the owner to redirect payroll. The mailbox access itself is often never detected without proactive monitoring.
How long does it take to configure these protections?
MFA and Security Defaults: under 30 minutes with no disruption to users. Anti-phishing, Safe Links, Safe Attachments policies: 1–2 hours including testing. SPF/DKIM/DMARC: 1–3 hours depending on DNS access and whether you send from multiple platforms. Legacy authentication blocking needs a one-hour audit first to avoid breaking line-of-business apps.
Do I need Business Premium or will Business Standard work?
Business Standard covers MFA, basic anti-phishing, spoof intelligence, and SPF/DKIM/DMARC. Business Premium adds Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, impersonation protection), Microsoft Entra ID P1 (Conditional Access), and Intune for device compliance. Attack simulation training and risk-based Conditional Access need Defender for Office 365 Plan 2 and Entra ID P2 respectively, which are add-ons on top of Premium. If your team handles client financial, legal, or health data — or if you are going through cyber insurance underwriting — Premium is the right licence tier.
What should I do immediately after a suspected phishing compromise?
Reset the compromised account password, revoke all active sessions in Microsoft Entra admin centre, audit mail forwarding rules, and review sign-in logs for other affected accounts. Do not reimage the device or delete logs until an IT professional reviews them — that evidence matters for your cyber insurance claim.