If you find that a spoofed email is reaching users inboxes in Microsoft 365 (say something like firstname.lastname@example.org pretending to be email@example.com) then here are some initial suggestions and things to check.
Firstly, ensure you have SPF, DKIM DMARC configured for your domain. They all help reduce spoofed emails getting to the inbox.
Next, run the analyzer that is built into the Microsoft 365 Security Center to see where your policies may deviate from best practices.
and you’ll find those best practice settings here:
I’d be checking against the strict rather than the standard settings if it was me.
In the settings for your spam policy in Exchange Online there are a few additional settings you can enable as shown above. Even though the Microsoft best practices doesn’t recommend it, I still have most of these set and at a minimum recommend that the SPF hard fail option be enabled.
In your Anti-phishing policies ensure the option for Show first contact safety tip is enabled as shown above. Microsoft Best Practice policies don’t set this. In general make sure all the above settings are all enabled as shown.
Another good indicator to configure is
Set-ExternalInOutlook -Enabled $true
using PowerShell, that will let you know about
Another custom adjustment you can consider is changing the Spam Confidence Level (SCL)
A further option you may wish to tweak beyond Microsoft’s recommended best practices is the phishing thresholds in anti-phishing policies:
When you get emails that are confirmed as trying to trick users, make sure you report them to Microsoft
Probably the best way to do that is to use the free add-in that works with Outlook.
doing so helps build the intelligence for Exchange Online as well as helping others who may see similar insecure emails.
The final option available to you is always to reach out to Microsoft for assistance.
I would also suggest you check any white listing options you may have in Exchange Online as these are easily forgotten over time. Best practice is not to white list any domain or specific email address but always check when you see repeated emails get through filtering. I can’t tell you how many times I find this as the cause of any issue. Keep in mind, there are few places that you can white list emails:
You can of course also block the insecure sender:
Remember that if you tighten your email security the result will probably be an increase in false positives, at least initially, as Exchange Online learns to evaluate the changes and user behaviours based on the updated settings. Email security is not an exact science. The bad operators are working just as hard to bypass all these settings so it is always going to be a game of cat and mouse. However, hopefully, using the Microsoft recommended best practices and some additional tweaks as suggested above, you can prevent the vast majority of insecure emails out of your users email boxes.