
As soon as the first mailbox is set up in the Microsoft Cloud, it is accessible worldwide. But be careful: Microsoft’s default settings are primarily designed for maximum compatibility, not maximum security. Before you migrate the bulk of your users, work through this guide to harden your environment against data leakage and attacks.



Here are the most important configurations for a secure Exchange Online tenant.

1. Limit automatic redirects


By default, Exchange Online often allows users to automatically forward their work email to any external address (such as personal Gmail or GMX accounts). From the point of view of data protection and information security, this is a critical gateway for data exfiltration, as company data leaves the secured tenant uncontrolled and often unencrypted.

Recommendation: Microsoft now primarily recommends control via the anti-spam policies in the Defender Portal, as they are more effective and provide better reports. We rely on “Defense in Depth” here and configure both levels.

A. The modern standard: Outbound Spam Policy (Defender)

This is the preferred method, as it specifically regulates the sender and allows granular exceptions.

  1. Navigate to the Microsoft Defender portal (security.microsoft.com).
  2. Go to Email & Collaboration > Policies & Rules > Threat Policies > Anti-Spam.
  3. Select the Anti-spam outbound policy / Default.
  4. Click Edit protection settings.
  5. In the Forwarding Rules section, set Automatic Forwarding Rules to: Off – Forwarding is disabled.
    • Note: The “System controlled” setting is often too tolerant. “Off” is the safest choice.


B. The classic basic protection: Remote Domains (Exchange)

This setting acts as a global “emergency stop switch” at the transport level and should also be configured as a second line of defense.

  1. In the Exchange admin center, navigate to Mail flow > Remote domains.
  2. Select the Default entry.
  3. Click Edit Response Types.
  4. Uncheck Allow automatic forwarding.

Granular Control (Exceptions): If you need to allow automatic redirects for specific partner companies or departments, don’t create a global gap.

  • In Defender: Create a new outbound spam policy (e.g., “Allow Forwarding for HR”), set the redirect to “On,” and assign it only to the specific user group.
  • In Exchange: Create a new remote domain for the destination address (e.g. *partnerfirma.de) and explicitly allow forwarding only for that destination.


2. Minimize External Calendar Sharing Policies


The default sharing policy in Exchange Online is often configured to allow users to share their calendar details with external people. From a data protection perspective, this is problematic because movement data and meeting content (subject, location, participants) are sensitive personal data. In addition, attackers like to use such information for targeted social engineering (e.g. CEO fraud, if it is known that the management is on vacation).

  • Recommendation: Limit external sharing to the bare minimum in the default policy. By default, users should never be allowed to share details (subject/location) with external partners, but at most their availability.
  • Configuration:
    1. In the Exchange admin center, navigate to Organization > Sharing.
    2. In the Individual Sharing section, select Default Sharing Policy.
    3. Edit the rule for Sharing with all domains (often shown as *) or specific domains.
    4. Set the permission level to Calendar free/busy information with time only.


  • Differentiation: If certain departments (e.g. sales or board secretariat) need to share more detail with close partners, create an additional sharing policy for this and assign it only to the corresponding user mailboxes instead of lowering the protection for the entire organization.

3. Restrict user self-management (Default Role Assignment Policy)


The Default Role Assignment Policy controls which administrative tasks end users are allowed to perform independently in their own options (Outlook on the web).

In the standard configuration, the rights are often very broad. A classic problem is the role MyDistributionGroups: it allows each employee to create and manage their own distribution groups.

This inevitably leads to a proliferation of the Global Address List (GAL), violations of naming conventions, and potential data leaks if external recipients are included in such groups unnoticed.

  • Recommendation: Revoke the right for users to create distribution groups themselves. Distribution groups should be managed centrally by IT or via controlled self-service portals (e.g. in identity management).
  • Configuration:
    1. In the Exchange admin center, navigate to Roles > User roles.
    2. Select the Default Role Assignment Policy.
    3. Click Manage permissions.
    4. Uncheck the box at MyDistributionGroups.


  • Additional tip (data quality): In the same menu, also check the role MyContactInformation or MyProfileInformation. It is often desirable that users cannot change their master data (such as display name or phone number) themselves so that it remains consistent with the data from the HR system or Active Directory.

4. Disable SMTP AUTH and Legacy TLS Globally


Although Microsoft has now largely switched off “Basic Authentication” (login only with username and password without MFA), it is worth taking a look at the mail flow settings to close two remaining security gaps with just a few clicks.

  • SMTP-AUTH: The “SMTP Authentication” protocol is often misused by attackers for brute force attacks or to send spam via hijacked accounts. Unless you have old multifunction devices (scanners/printers) that absolutely need SMTP sending, this protocol should be globally disabled.
    • Scenario Scanner: If you need to allow SMTP AUTH for a scanner, you can enable global blocking here and then use PowerShell (Set-CASMailbox -SmtpClientAuthenticationDisabled $false) to unlock the protocol only for the specific scanner mailbox. That’s safer than leaving it open to everyone.
  • Legacy TLS: Outdated encryption standards (TLS 1.0/1.1) are insecure. Make sure that the option to use legacy TLS clients is not enabled to enforce modern encryption (TLS 1.2).

Configuration:

  1. In the Exchange admin center, navigate to Settings > Mail flow.
  2. In the Security section, check the box: Turn off SMTP AUTH protocol for your organization.
  3. Make sure that the checkbox Turn on use of legacy TLS clients remains unchecked.
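A read-only check of the settings from sections 1 and 4, as an added example that is not part of the original article. The function name Test-ForwardingAndSmtpBaseline and the sample objects are hypothetical and constructed; their property names mirror the output of Get-HostedOutboundSpamFilterPolicy, Get-RemoteDomain, Get-TransportConfig and Get-CASMailbox.

```powershell
# Added example: evaluates forwarding and SMTP AUTH settings against the
# recommendations in sections 1 and 4. It only reads objects and changes nothing.
function Test-ForwardingAndSmtpBaseline {
    param(
        [object[]]$OutboundSpamPolicy,  # from Get-HostedOutboundSpamFilterPolicy
        [object[]]$RemoteDomain,        # from Get-RemoteDomain
        [object]$TransportConfig,       # from Get-TransportConfig
        [object[]]$CasMailbox           # from Get-CASMailbox -ResultSize Unlimited
    )

    function New-Finding ($Area, $Name, $Setting, $Severity) {
        [pscustomobject]@{ Area = $Area; Name = $Name; Setting = $Setting; Severity = $Severity }
    }

    # Level A: outbound spam policies. 'Automatic' is the "System controlled" value.
    foreach ($p in $OutboundSpamPolicy) {
        if ($p.AutoForwardingMode -ne 'Off') {
            $sev = if ($p.Name -eq 'Default') { 'High' } else { 'Review exception' }
            New-Finding 'OutboundSpamPolicy' $p.Name "AutoForwardingMode=$($p.AutoForwardingMode)" $sev
        }
    }

    # Level B: remote domains. '*' is the Default entry, all others are explicit exceptions.
    foreach ($d in $RemoteDomain) {
        if ($d.AutoForwardEnabled) {
            $sev = if ($d.DomainName -eq '*') { 'High' } else { 'Review exception' }
            New-Finding 'RemoteDomain' $d.DomainName 'AutoForwardEnabled=True' $sev
        }
    }

    # Organization-wide SMTP AUTH and legacy TLS switches (section 4).
    if (-not $TransportConfig.SmtpClientAuthenticationDisabled) {
        New-Finding 'TransportConfig' 'Organization' 'SmtpClientAuthenticationDisabled=False' 'High'
    }
    if ($TransportConfig.AllowLegacyTLSClients) {
        New-Finding 'TransportConfig' 'Organization' 'AllowLegacyTLSClients=True' 'High'
    }

    # Per-mailbox override: $false re-enables SMTP AUTH, $null follows the organization.
    foreach ($m in $CasMailbox) {
        if ($m.SmtpClientAuthenticationDisabled -eq $false) {
            New-Finding 'CASMailbox' $m.PrimarySmtpAddress 'SmtpClientAuthenticationDisabled=False' 'Review exception'
        }
    }
}

# Constructed sample data standing in for the cmdlet output of a tenant.
$policies = @(
    [pscustomobject]@{ Name = 'Default'; AutoForwardingMode = 'Automatic' }
    [pscustomobject]@{ Name = 'Allow Forwarding for HR'; AutoForwardingMode = 'On' }
)
$domains = @(
    [pscustomobject]@{ DomainName = '*'; AutoForwardEnabled = $false }
    [pscustomobject]@{ DomainName = 'partnerfirma.de'; AutoForwardEnabled = $true }
)
$transport = [pscustomobject]@{ SmtpClientAuthenticationDisabled = $true; AllowLegacyTLSClients = $false }
$cas = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@firma.de'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'a.schmidt@firma.de'; SmtpClientAuthenticationDisabled = $null }
)

Test-ForwardingAndSmtpBaseline -OutboundSpamPolicy $policies -RemoteDomain $domains `
    -TransportConfig $transport -CasMailbox $cas | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), pass the real cmdlet output:
# Test-ForwardingAndSmtpBaseline -OutboundSpamPolicy (Get-HostedOutboundSpamFilterPolicy) `
#     -RemoteDomain (Get-RemoteDomain) -TransportConfig (Get-TransportConfig) `
#     -CasMailbox (Get-CASMailbox -ResultSize Unlimited)
```

Findings marked "Review exception" are the deliberate exceptions described above (a forwarding policy for one group, a scanner mailbox); they should each map to a documented approval.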


5. Encryption: TLS 1.2 is mandatory


The outdated encryption protocols TLS 1.0 and 1.1 are considered insecure and have now been deactivated by Microsoft in Microsoft 365. Communication is now mandatory via TLS 1.2 or higher.

To-Do for admins: This is not so much a setting in the admin center as an infrastructure task. Check your environment for legacy systems:

  • Printers & Scanners: Check firmware updates. Old devices can often no longer send e-mails (scan-to-mail) if they do not support TLS 1.2.
  • Scripts & Servers: Check .NET applications or PowerShell scripts on servers that send mail. They must explicitly use TLS 1.2.
  • Load balancer: Make sure hardware in front of Exchange Hybrid Servers uses up-to-date cipher suites.

6. Phishing Protection: Native “External” Flag


Help your users detect phishing and CEO fraud faster by enabling native tagging for external emails. This is the modern successor to the old method, in which the subject was manipulated by transport rule (e.g. [EXT] Subject).

Advantage: Outlook (web, mobile, desktop, and Mac) displays a prominent but not distracting “External” notice in the header of the email. The subject remains clean and legible.

Activation: This feature is often disabled by default and must be turned on via PowerShell:

Set-ExternalInOutlook -Enabled $true

Important (be patient): Once enabled, it can take 24 to 48 hours for the alert to actually appear in all of your users’ Outlook clients.

Optional (exceptions): You can exclude specific domains or email addresses from this flag if they are closely trusted (AllowList) so that users do not become desensitized to the warning:

Set-ExternalInOutlook -AllowList "partnerfirma.de", "tochterfirma.com"

7. Reject Invalid Recipients Immediately (DBEB)


Directory Based Edge Blocking (DBEB) is an often overlooked but important security mechanism. It ensures that emails to recipients that don’t exist in your Azure AD are already rejected at the Microsoft gateway (error code: 550 5.4.1 Recipient address rejected: Access denied).

Security advantage:

  • Protection against directory harvesting: Attackers cannot simply “guess” thousands of email addresses to check which of them exist (user enumeration).
  • Avoiding backscatter: Your tenant doesn’t send bounce messages (NDRs) to fake sender addresses, which protects your own spam reputation.

Prerequisite: Your domain must be configured as Authoritative in Exchange Online.



Caution (hybrid trap): Are you running a hybrid environment where mailboxes are still on an on-premises Exchange Server? Then your domain is usually set to “Internal Relay”.

  • In this mode, Exchange Online accepts any mail and tries to forward unknown recipients to your local server.
  • Consequence: DBEB is not technically possible in this scenario. Never set the domain to “Authoritative” as long as mailboxes still exist on-premises, otherwise no more mails will arrive there!

Testing: In the Exchange admin center, navigate to Mail flow > Accepted domains and check the domain type.



Strengthen your reputation: Standard domain postmaster


Each tenant starts with a tenantname.onmicrosoft.com address (MOERA). This technical address is subject to strict throttling at Microsoft (often a maximum of 100 mails/day to external recipients) to prevent abuse by test tenants. In addition, it appears unprofessional in error messages and is often evaluated more critically by external spam filters.

  • To-Do 1 (default domain): Make sure your own custom domain (e.g. firma.de) is set up as the default domain so that new users automatically receive the correct sender address.
  • To-Do 2 (Postmaster Address): If an email is undeliverable, Exchange sends an NDR. By default, this comes from postmaster@tenant.onmicrosoft.com. Change this to your reputable domain to increase trust with recipient systems.
Set-TransportConfig -ExternalPostmasterAddress postmaster@deine-domain.de

Note: Make sure that the email address postmaster@deine-domain.de also exists or points to an admin mailbox as an alias in case there are any queries.

Controlling Mobile Devices (ActiveSync & Outlook App)


Without further configuration, any smartphone or tablet that has credentials can sync with your Exchange Online. This means that company data ends up uncontrolled on private devices, which may not be encrypted or protected by a PIN.

  • Recommendation (quarantine): Toggle the default access for Exchange ActiveSync to Quarantine.
    • Effect: New devices can connect, but they won’t receive any data until an administrator explicitly releases the device. You retain full control over who accesses with which device.
  • Best Practice (Outlook Only): Explicitly only allow the Outlook app for iOS and Android.
    • Reason: Native mail apps (Apple Mail, Samsung Mail) often cache data insecurely locally, do not fully support modern protection features (such as Intune App Protection), or partially bypass MFA requirements. The Outlook app keeps data in a secure container.
  • Basic protection without Intune: If you’re not already using full-fledged MDM (like Microsoft Intune), use native mailbox policies for mobile devices. Here you can enforce minimum standards, such as a 6-digit PIN or device encryption, before syncing is allowed.


10. Hardening Browser Security (OWA Policies)


Access via “Outlook on the Web” (OWA) is convenient, but it carries risks – especially when users log on to public computers (kiosk PCs, hotel lobby). An attachment is quickly downloaded and accidentally left on the desktop.

  • Recommendation: Use Outlook Web App mailbox policies to restrict functionality at a granular level.
  • Important settings:
    1. File Access: Disable “Direct File Access” (Download) on private/public computers. Instead, only allow the “WebReady Document Viewer”. This allows users to read attachments, but not download them.
    2. Offline Mode: Turn off offline mode. This stores mails locally in the browser cache, which poses a data protection risk on third-party PCs.
  • Configuration:
    1. Navigate to Roles > Outlook web app policies.
    2. Edit the OwaMailboxPolicy-Default.
    3. Adjust the File Access and Offline Access settings.


Microsoft Defender: Malware, Spam & Zero-Day Protection


Moving from the Exchange admin center to the Microsoft Defender portal (security.microsoft.com) is critical for security. Here you configure not only static filters, but behavior-based analyses. Navigate to Email & collaboration > Policies & rules > Threat policies.

A. Anti-Malware

Standard protection scans for known virus signatures. We harden it against dangerous file types.

  • Common Attachment Filter: In the default policy, turn on the “Filter for common attachment types”. Microsoft recommends not only scanning potentially dangerous file extensions (such as .exe, .vbs, .ps1, .scr), but blocking them directly. This stops ransomware droppers before they can be executed.
  • Zero-hour Auto Purge (ZAP): Make sure ZAP is enabled for malware. If Microsoft recognizes a signature only after the mail has been delivered, ZAP subsequently removes the malicious message from the mailbox before the user opens it.


B. Anti-Spam

The default spam filters are often too tolerant.

  • Bulk Email Threshold (BCL): In the Anti-spam inbound policy section, you should check the threshold for bulk emails (Bulk Complaint Level). A value of 6 or 7 is a good starting point. The default value of 7 often still allows too much advertising garbage to pass through; a value below 5 often generates false positives.
  • Safety Tips: Turn on Safety Tips to visually alert users about suspicious emails (such as first contact) in the Outlook header.


C. Safe Attachments

Note: Requires Defender for Office 365 Plan 1 license (e.g. in Business Premium). Here, attachments are detonated in a virtual sandbox to detect unknown threats (zero-day exploits).

  • Configuration: Create a policy that applies to the entire domain.
  • Mode: Select Block (the email will not be delivered until the attachment is checked and secure) or Dynamic Delivery (the email will arrive immediately, the attachment will be delivered as soon as the scan is complete). The latter is more user-friendly, but often leads to questions (“Where is my attachment?”).


D. Safe Links

Note: Requires Defender for Office 365 Plan 1 license (e.g. in Business Premium). Protects against phishing links that looked harmless at the time of delivery, but were later “activated”.

  • How it works: Links are checked by Microsoft servers at the moment of the click (“time-of-click”).
  • Scope of protection: Enable protection not only for email, but also for Microsoft Teams and Office apps (Word, Excel, PowerPoint).
  • Data protection tip (works council): You can configure user clicks not to be tracked (“Do Not Track User Click”). This increases acceptance by data protection officers, as there is no behavioral monitoring, but the protection remains active.


12. Transport Rules


Mail flow rules (formerly transport rules) are the most powerful tool in Exchange. They intervene deeply in the e-mail traffic and process messages even before they land in the inbox. From a privacy perspective, they’re your first line for “DLP Light” and advanced security logic.

  • Areas of application for more safety:
    1. DLP Light / Compliance: Create rules that prevent sensitive data (such as credit card numbers or documents with the keyword “Strictly Confidential”) from leaving the tenant. You can block the sending and notify the sender with an explanatory text (“Policy Tip”).
    2. Block dangerous content: Block emails with password-protected (encrypted) ZIP attachments. Virus scanners often cannot inspect these, and they are a popular hiding place for malware such as Emotet.
    3. Extended Warnings: If the native “external tagging” (see point 6) is not enough for you, you can create rules here that insert warnings into the message body for mails from certain critical senders or with certain keywords (caution: changes the DKIM signature).
    4. Forensics (BCC): Silently forward copies of suspicious emails (e.g. from certain IP ranges) to a security mailbox for analysis.
    5. Legal Notices: Enforce central disclaimers or imprint information for outgoing mails to minimize the risk of formal legal warnings.


Secure Interfaces & Close “Side Entrances”


Connectors regulate the special mail flow beyond the standard. However, there is often a double risk lurking here: open relays and bypassed security filters.

  • Secure interfaces (relay & encryption):
    • Inbound: If internal scanners or ERP systems need to send emails via Exchange, the connector must never be open. Strictly restrict access to fixed IP addresses or certificates to prevent your tenant from becoming a spam slinger (Open Relay).
    • Outbound: Use connectors to enforce TLS encryption for sensitive partners (e.g. banks) or to route emails via special encryption gateways (smart hosts).
  • Lock the “side entrance” (Connector Lockdown):
    • The risk: If you use external spam filters (e.g. NoSpamProxy, Hornetsecurity), your MX record will point to these service providers, but Exchange Online will still accept emails from any sender by default via the tenant’s .onmicrosoft.com address.
    • The solution: Create a partner connector that only accepts emails if they come from your filtering provider’s IP addresses. Ideally, combine this with a mail flow rule that blocks all other direct submissions. Thus, Exchange becomes a fortress and no longer accepts mails past the filter.


SPF, DKIM & DMARC (The Basis of Email Hygiene)


Security starts in the DNS. Without these three records, your domain is defenseless against identity theft (spoofing) and your emails will inevitably end up in the spam folder of recipients like Gmail, Yahoo or T-Online. Since February 2024, these standards have even been mandatory for bulk senders.

A. SPF (Sender Policy Framework) – The Bouncer

SPF is a DNS record that works like a guest list. It determines which IP addresses or service providers are allowed to send emails on behalf of your domain.

  • The syntax: A typical entry for pure Microsoft 365 environments looks like this: v=spf1 include:spf.protection.outlook.com -all
  • The key difference (~all vs -all):
    • ~all (Soft Fail): Tells the recipient: “If the mail comes from somewhere else, accept it, but mark it as suspicious if necessary.” This is good for the test phase, but bad for security.
    • -all (Hard Fail): Says clearly: “If the mail doesn’t come from here, reject it.”
  • To-Do: Check your SPF record. Many standard guides recommend ~all. However, your goal for maximum security must be -all. Make sure beforehand that all sending sources (newsletter tools, web servers, accounting software) are included in the SPF (limit: max. 10 DNS lookups!).
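The two checks from the To-Do above (the qualifier on the all term and the limit of 10 DNS lookups, counted across nested includes), as an added example that is not part of the original article. The function names and the zone data are constructed; the hashtable stands in for live DNS, and the entry for spf.protection.outlook.com is a placeholder, not Microsoft's real record.

```powershell
# Added example: counts the DNS-querying SPF terms (include, a, mx, ptr, exists,
# redirect) recursively and checks the qualifier of the top-level "all" term.
function Add-SpfLookups {
    param([string]$Domain, [hashtable]$Zone, [hashtable]$State)
    if (-not $Zone.ContainsKey($Domain)) { throw "No SPF record for '$Domain' in the zone data" }
    if ($State.Lookups -gt 30) { throw "Aborting at '$Domain': possible include loop" }

    # Skip the leading "v=spf1" and walk the remaining terms.
    foreach ($term in ($Zone[$Domain] -split '\s+' | Select-Object -Skip 1)) {
        switch -Regex ($term) {
            '^[+\-~?]?include:(.+)$' {
                $State.Lookups++
                Add-SpfLookups -Domain $Matches[1] -Zone $Zone -State $State
                break
            }
            '^redirect=(.+)$' {
                $State.Lookups++
                Add-SpfLookups -Domain $Matches[1] -Zone $Zone -State $State
                break
            }
            '^[+\-~?]?(a|mx|ptr)([:/].*)?$' { $State.Lookups++; break }
            '^[+\-~?]?exists:'              { $State.Lookups++; break }
        }
    }
}

function Get-SpfAssessment {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][hashtable]$Zone   # domain -> SPF TXT value (stand-in for DNS)
    )
    $state = @{ Lookups = 0 }
    Add-SpfLookups -Domain $Domain -Zone $Zone -State $state

    $allTerm = if ($Zone[$Domain] -match '(?:^|\s)([+\-~?]?all)\s*$') { $Matches[1] } else { '(none)' }

    $issues = @()
    if ($state.Lookups -gt 10) {
        $issues += "$($state.Lookups) DNS lookups exceed the limit of 10; receivers return a permanent error"
    }
    if ($allTerm -eq '~all') {
        $issues += 'Soft fail (~all): acceptable for the test phase, target is -all'
    }
    elseif ($allTerm -ne '-all') {
        $issues += "Terminal term is '$allTerm' instead of -all"
    }

    [pscustomobject]@{
        Domain     = $Domain
        DnsLookups = $state.Lookups
        AllTerm    = $allTerm
        Issues     = $issues
    }
}

# Constructed zone data (documentation IP ranges, .example domains).
$zone = @{
    'firma.de'                   = 'v=spf1 include:spf.protection.outlook.com include:_spf.newsletter.example include:_spf.crm.example mx a ~all'
    'spf.protection.outlook.com' = 'v=spf1 ip4:192.0.2.0/24 -all'
    '_spf.newsletter.example'    = 'v=spf1 include:_a.newsletter.example include:_b.newsletter.example include:_c.newsletter.example -all'
    '_a.newsletter.example'      = 'v=spf1 ip4:198.51.100.0/26 -all'
    '_b.newsletter.example'      = 'v=spf1 ip4:198.51.100.64/26 -all'
    '_c.newsletter.example'      = 'v=spf1 ip4:198.51.100.128/26 -all'
    '_spf.crm.example'           = 'v=spf1 include:_a.crm.example include:_b.crm.example exists:%{i}.crm.example -all'
    '_a.crm.example'             = 'v=spf1 ip4:203.0.113.0/25 -all'
    '_b.crm.example'             = 'v=spf1 ip4:203.0.113.128/25 -all'
}

$result = Get-SpfAssessment -Domain 'firma.de' -Zone $zone
$result | Format-List Domain, DnsLookups, AllTerm
$result.Issues
```

The sample shows how nested includes of third-party senders push a record over the limit even though the top-level record lists only five lookup terms.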

B. DKIM (DomainKeys Identified Mail) – The Digital Seal

SPF has a weakness: the check often breaks with email forwarding. This is where DKIM can help. Exchange Online adds an invisible, cryptographic signature to outgoing emails. The recipient checks it against a public key in your DNS.

  • The advantage: DKIM guarantees that the email hasn’t been altered in transit and that it’s really from your domain.
  • To-Do: DKIM is not enabled by default for custom domains!
    1. Navigate to the Microsoft Defender portal (Email & collaboration > Policies & rules > Threat policies > DKIM).
    2. Select your domain and click on “Create DKIM Key”.
    3. Publish the two CNAME records that appear at your DNS provider.
    4. Wait a moment, then turn on the “Sign DKIM signatures for messages for this domain” toggle.


C. DMARC (Domain-based Message Authentication) – The Boss

DMARC connects SPF and DKIM. It’s an instruction to the recipient on what to do if an email fails SPF or DKIM checks.

  • The phases:
    1. Phase 1 (Monitoring): p=none. You only get reports, but no mail is blocked. Important to see who is sending on your behalf (legitimate or attacker).
    2. Phase 2 (quarantine): p=quarantine. Suspicious mails end up in the recipient’s spam folder.
    3. Phase 3 (Reject): p=reject. The gold standard. Fake mails are completely rejected.
  • To-Do: Create a TXT record _dmarc.deinedomain.de.
    • Example of the start: v=DMARC1; p=none; rua=mailto:dmarc-reports@deinedomain.de
    • Replace the email address with a mailbox that you evaluate (or use tools like Dmarcian or Valimail to analyze the XML reports). Then work your way toward p=reject quickly.

Encryption & Labeling: Control Beyond Transportation


Transport encryption (TLS) is standard today, but it has one weakness: it only encrypts the “line” from server to server. As soon as the e-mail arrives at the recipient, it is there in plain text. If you want to ensure that sensitive data (e.g. contracts, personnel data) remains protected at the recipient, you need encryption at the message level.

A. Office 365 Message Encryption (OME)

With OME, you can send encrypted emails to any recipient – whether they use Outlook, Gmail, GMX or Apple Mail.

  • How it works:
    • Microsoft 365 Receiver: The mail opens seamlessly in Outlook (desktop/web/mobile).
    • Other recipients (e.g., Gmail): They receive a link to a secure OME portal, where they authenticate themselves either via one-time code (OTP) or Google login to read the message.
  • The advantage: You’re in control. You can prevent the recipient from forwarding or printing the mail (“Do Not Forward” option).
  • To-Do: Make sure that the Information Rights Management (IRM) configuration is enabled in your tenant. This is a prerequisite for OME.

B. Sensitivity Labels

This is the modern way of data classification in the Microsoft Purview Portal. Instead of hoping that users will encrypt manually, you give them labels.

  • Automation: Create labels like Internal, Public, and Strictly Confidential.
  • Linked actions: Configure the Strictly Confidential label so that it automatically:
    1. Encrypts the email.
    2. Inserts a watermark into Word documents.
    3. Restricts access to internal employees (even if the file is accidentally leaked via USB stick, no one can open it there).
  • Integration: The labels appear natively in Outlook and Office apps, which increases user adoption.

Auditing & Forensics: Trust is Good, Logs Are Better


In an emergency (data breach, deleted data or sabotage), ignorance is not an excuse. You have to be able to answer: Who did what and when? Without properly configured logging, you’re in the dark.

A. Unified Audit Log (The Central Memory)

The Unified Audit Log (in Microsoft Purview) collects activities from almost all services (Exchange, SharePoint, Teams, Entra ID).

  • Check status: For new tenants, it is on by default (“On by default”), for older or migrated tenants it is often still deactivated.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

Activation: If this returns False, you have to activate it so that data flows:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  • Important License Notice (Audit Premium): The default log shows you when a mail has been deleted or moved. To prove that an attacker has only read an email (Event: MailItemsAccessed), you need Microsoft Purview Audit (Premium) licenses (usually included in E5 or as an add-on). Without this license, read-only access is often not forensically verifiable.

B. Mailbox Auditing (Who deleted the mail?)

This is especially critical for shared mailboxes that multiple people (e.g., buchhaltung@) have access to. When an important email disappears, you need to know who it was.

  • Standard vs. Reality: Microsoft uses “Default Auditing”. That’s good, but it has gaps. Often, actions of the owner – i.e. the user himself – are logged less strictly than those of delegates.
  • Hardening: If you want to make sure that the “hard delete” is also logged by the owner himself (protection against sabotage by employees), you should check the settings and adjust them if necessary.
  • Configuration: Force auditing for critical mailboxes and make sure it’s active:
Set-Mailbox -Identity "buchhaltung@firma.de" -AuditEnabled $true

Tip: Regularly check that AuditEnabled is active on shared mailboxes, as this can sometimes be delayed when they are created.

C. Retention Policies / Data Lifecycle

A backup protects against technical failure (disaster recovery); a retention policy protects against legal problems and compliance violations.

  • GoBD Compliance: In the Microsoft Purview Portal (Data Lifecycle Management), define how long data must be retained (e.g. 6 or 10 years for tax-relevant mails).
  • How it works: A policy ensures that even if a user deletes an email from the Trash, it remains unalterable for eDiscovery in the background in the Recoverable Items folder. The user doesn’t notice anything, but the data is safe.
  • Important distinction: Retention is not a substitute for a classic backup (for quick restore in the event of user errors), but it is essential for legal certainty in audits.


17. Alert Policies: Automatic Guards for Your Environment


You can’t read audit logs 24/7. And that’s exactly what attackers take advantage of: They operate at night or on weekends. Alert Policies are your digital alert system that notifies you immediately when suspicious activity occurs.

The configuration is done in the Microsoft Defender portal. Many basic policies are active by default, but you should review and sharpen them urgently.

The “Big Three”: These alarms are mandatory

There are hundreds of possible alerts, but these three scenarios almost always indicate a successful attack or insider incident:

  1. Creating Forwarding/Redirecting Rules (The Silent Hack)
    • The scenario: An attacker cracks a user account (business email compromise). To remain undetected, he immediately creates an inbox rule: “Forward all mails with the word ‘invoice’ to hacker@evil.com and then delete them from the inbox.”
    • The measure: Configure a policy that immediately notifies admins every time a forwarding rule is created. This allows you to block the account, often before data leaks.
    • Standard Policy: “Creation of forwarding/redirect rule”.
  2. Unusual mass deletion (sabotage cover-up)
    • The scenario: A frustrated employee deletes project data before leaving, or ransomware encrypts (and deletes) original files in OneDrive/SharePoint.
    • The measure: The “Unusual volume of file deletion” policy learns the normal behavior of your users. If someone deviates significantly from this (e.g. deletes 1,000 files in 5 minutes), the system sounds the alarm.
  3. Granting of Admin Rights (Privilege Escalation)
    • The scenario: A normal user account is suddenly given the role of “Global Administrator” or “Exchange Administrator”. Either this was a mistake by a colleague or an attacker is escalating his rights.
    • The measure: Monitor changes to role group membership. Every admin appointment should trigger an alert that needs to be verified.
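Detection logic for the first scenario (forwarding to an external address, optionally combined with deletion), as an added example that is not part of the original article. The function names and the sample records are constructed; the records follow the AuditData shape that Search-UnifiedAuditLog returns for the cmdlet-based operations New-InboxRule, Set-InboxRule and Set-Mailbox, and rules created through other client operations are not covered here.

```powershell
# Added example: flags audit records that set up forwarding to external addresses.
function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory)][object[]]$AuditRecord,    # objects with an AuditData JSON string
        [Parameter(Mandatory)][string[]]$InternalDomain  # accepted domains of the tenant
    )
    $watchedOps   = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
    $forwardNames = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress'

    foreach ($rec in $AuditRecord) {
        $data = $rec.AuditData | ConvertFrom-Json
        if ($data.Operation -notin $watchedOps) { continue }

        # Cmdlet parameters arrive as a list of Name/Value pairs.
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = [string]$p.Value }

        # Collect every forwarding target; values may carry an "smtp:" prefix
        # or hold several addresses separated by ; or ,
        $targets = foreach ($name in $forwardNames) {
            if ($params.ContainsKey($name)) {
                $params[$name] -split '[;,]' | ForEach-Object { ($_ -replace '^smtp:', '').Trim() }
            }
        }
        $external = @($targets | Where-Object {
            $_ -match '@' -and (($_ -split '@')[-1] -notin $InternalDomain)
        })
        if ($external.Count -eq 0) { continue }

        [pscustomobject]@{
            Time            = $data.CreationTime
            User            = $data.UserId
            ClientIP        = $data.ClientIP
            Operation       = $data.Operation
            ExternalTargets = $external -join ', '
            DeletesMessage  = ($params['DeleteMessage'] -eq 'True')
            Keywords        = $params['SubjectOrBodyContainsWords']
        }
    }
}

# Helper that builds constructed sample records in the expected shape.
function New-SampleRecord ($Operation, $User, $Ip, [hashtable]$Parameters) {
    $data = @{
        CreationTime = '2024-05-04T02:13:09'
        Operation    = $Operation
        UserId       = $User
        ClientIP     = $Ip
        Parameters   = @($Parameters.GetEnumerator() |
                         ForEach-Object { @{ Name = $_.Key; Value = $_.Value } })
    }
    [pscustomobject]@{ AuditData = ($data | ConvertTo-Json -Depth 4) }
}

$records = @(
    # The scenario from the article: forward "invoice" mails externally, then delete them.
    New-SampleRecord 'New-InboxRule' 'a.schmidt@firma.de' '203.0.113.45' @{
        SubjectOrBodyContainsWords = 'invoice'; ForwardTo = 'hacker@evil.com'; DeleteMessage = 'True'
    }
    # Internal forwarding to a colleague: must not be flagged.
    New-SampleRecord 'Set-InboxRule' 'b.meier@firma.de' '198.51.100.7' @{
        ForwardTo = 'vertretung@firma.de'
    }
    # Mailbox-level forwarding to a private address.
    New-SampleRecord 'Set-Mailbox' 'c.braun@firma.de' '198.51.100.9' @{
        ForwardingSmtpAddress = 'smtp:c.braun@privat.example'
    }
)

Find-ExternalForwarding -AuditRecord $records -InternalDomain 'firma.de' | Format-List
```

A rule that both forwards externally and sets DeleteMessage matches the “silent hack” pattern described above and deserves the highest triage priority.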

Configuration & Triage

  • Recipients: Make sure these alerts go to an email address that is reachable outside of your Exchange environment (or to a ticketing system) in case your tenant is compromised.
  • Severity: Set critical alerts to “High” so that they appear at the top of the dashboard.


