Friday Five: Email Security Improvements

In today’s Friday Five: Some thoughts for IT administrators on giving tools to their users to make security-conscious decisions

Earlier this week, I wrote about a new email phishing tactic I’ve been seeing in my environment – bad actors are trying to get users to scan a QR code on their phones in an attempt to defeat any filtering or security measures that might be on a corporate computer. That got me thinking about what are some things that we can do as IT practitioners to help our users make informed decisions?

This isn’t going to be a typical security-related essay. I’m not going to focus on five things IT administrators can do or five things for our users to do to bolster security. While implementing technical blocks and controls are certainly important, in this world where working remotely is almost expected, educating our users and giving them tools to make security-conscious decisions is going to be way more important.

One last thing: This is going to be heavily geared toward Microsoft 365. If you use other platforms for email, some of these tools may be available, but your mileage may vary.

1. Be skeptical of any communications you weren’t expecting. I can’t remember how many times I have said to people something like this: “Don’t click links, download attachments, [and now scan QR codes] or do anything with emails you weren’t expecting to receive.” It’s probably way overdue to have a zero-trust mentality with email (assume nothing is, by default, deserving of trust), but I guess here we are.

2. Email admins should enable some sort of external email flag. And while you’re at it: Enable the First Contact Safety Tip as well. In the Exchange Admin Center, you can modify emails such that a bit of custom HTML can be put at the top. When coupled with a rule to apply to messages sent from outside the organization, this can be a useful banner to alert senders that an email is from outside of their organization. While I used to be somewhat skeptical about that, just seeing it as a bit of safety theater, with the rise in these different phishing attempts, I see it as a useful tool. Coupled with Defender’s First Contact Safety Tip, these two tools can work in concert to give users information to assess for themselves if an email is truly valid. “Why would an email from our CEO be coming from an external user and an email I’ve not seen before? Hmm… that must be a fraudulent email.”

3. Have users report spam and phishing emails using Outlook’s spam and phishing reporting tools. My biggest gripe about Microsoft Outlook on Windows is that it’s not easy to report spam or phishing emails as it is on Outlook for mobile, on the web, or for macOS. But do make your users report bad emails as such, because that helps everyone.

4. Enable Microsoft 365’s safe links and safe attachments features of Microsoft Defender. While also not a perfect catch-all, enabling Microsoft 365 Safe Links and Safe Attachments can help mitigate some attacks. If a user clicks on a link they shouldn’t have, that attack may be stopped in its tracks. But that’s also why these QR code attacks are so devilishly clever: it removes that defense mechanism from the chain. Now do you know why IT security people can’t really sleep at night?

5. Educate all users to use their company email for anything company-related – leave the personal email for personal matters. This might be the biggest one. It’s just a good idea to do this, because you’re now able to put better mechanisms in place to deflect possible spoofing attacks or worry about your colleagues storing information on things you don’t have control over. Plus, it’s helpful for data retention policies.

The last thing, and this is an essay in its own right, is that as IT professionals, especially in the nonprofit context, we have to be serious about security. But in being serious about security, we have to understand that our users need to do things for the mission, and IT can’t be what stops that. I’m not saying that we need to abandon our core principles as IT practitioners, especially when it comes to security, but we need to find a way to get from no to yes.

Aren’t our jobs fun?