The single biggest threat to our business’s online security is malicious email. As responsible Messaging Administrators, Engineers and Architects, it is up to us to require email security best practices of our users and to build a security-minded culture within our organization.
Contrary to popular myth, the most effective attack techniques require almost no technical skill. An attacker needs only an Internet connection, an email account and a knack for deception. Phishing emails remain the most common and most damaging attack vector. These attacks use various social engineering strategies and target end users (i.e. our employees) rather than infrastructure.
According to Symantec’s research covering 2016, “One in 131 emails sent were malicious, the highest rate in five years.” These kinds of attacks have become so widespread, costing businesses worldwide about $1.8 billion a year, that in 2017 the FBI issued a public service announcement about them. It reported that the amount of money lost to email scams had increased 2,370% between January 2015 and December 2016.
In this article, I explain how implementing email security best practices can minimize our organization’s vulnerability.
Email security best practices
Given that hackers tend to exploit human mistakes rather than technical ones, our company’s security policy should emphasize each employee’s role in preventing cyberattacks. Here are the main points we may want to focus on:
Education — The most important thing we can do is to keep security a priority across the company. Start by understanding the common phishing attacks and share updates and reminders with our employees regularly.
Limit public information — Attackers have a much harder time targeting employees whose email addresses they do not know. We don’t publish non-essential contact details on our website or in any public directory, including phone numbers or physical addresses. Every such detail helps an attacker craft a convincing pretext. Keep in mind that a predictable address format (first.last@ourdomain) lets attackers guess addresses from names found on social networks, so this control reduces exposure rather than eliminating it.
Check emails carefully — phishing attacks are seldom perfectly executed. Often there is a tell, such as a bizarre From address, a link whose domain only resembles the real one (e.g. microsoft.net.cn), or an unusual number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.
Beware of links and attachments — Our employees should be skeptical whenever they receive an email from an unknown sender. Do not click links or open attachments without first verifying the source and establishing that the link or attachment is legitimate. Attachments are especially dangerous because they may carry malware, such as ransomware or spyware, that can compromise the device or the network.
Hover over hyperlinks — Never click hyperlinked text without first hovering the cursor over it to check the destination URL, which appears in the lower corner of the window. Attackers sometimes disguise a malicious link as a short URL; a URL expander service can reveal the original destination before anyone clicks.
Never enter your password — Unless we are certain the website is legitimate, we should never enter our password anywhere. If we are not logging in and have not requested a password reset, a password reset link is very likely part of a phishing attack. Password managers help us use strong, unique passwords, and they also will not autofill a saved credential on a domain that does not match the saved entry, which is a strong hint that the site is fake.
If in doubt, ask — Better safe than sorry. Our employees should be instructed to check with IT staff or a manager whenever they have doubts about an email.
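The three "tells" above (a suspicious sender domain, a link whose visible text points somewhere other than its real destination, and a URL shortener hiding the destination) can be checked mechanically. The following Python script is an added example written for this article; it is not code from the original page and not an EOP feature. The sample message, the trusted-domain list, the shortener list and the tiny public-suffix table are all constructed for illustration, and the domain logic is a deliberate simplification of what the Public Suffix List would give you.

```python
"""Flag the tells a human looks for when 'checking an email carefully':
untrusted or lookalike sender domains, link text that disagrees with the
real href, URL shorteners and lookalike link domains.

Hypothetical checker for illustration; not an Exchange Online Protection feature."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed organisation: contoso.com receives mail and trusts Microsoft's real domains.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "contoso.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Minimal stand-in for the Public Suffix List so that microsoft.net.cn is
# treated as a registrable domain rather than reduced to net.cn.
TWO_LABEL_SUFFIXES = {"net.cn", "com.cn", "co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample phishing message (the lookalike domain and the short URL
# are illustrative, not real observed indicators).
SAMPLE_EML = """\
From: "Microsoft Account Team" <security@microsoft.net.cn>
To: alice@contoso.com
Subject: Unusual sign-in activty detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear costumer, your account will be suspened. Please verrify now:</p>
<p><a href="http://microsoft.net.cn/login">https://login.microsoftonline.com</a></p>
<p>Or use this link: <a href="https://bit.ly/example">Reset password</a></p>
<p>Read more at <a href="https://www.microsoft.com/security">Microsoft</a>.</p>
</body></html>
"""


def registered_domain(host: str) -> str:
    """Registrable part of a hostname (simplified public-suffix logic)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    return registered_domain(host) in TRUSTED_DOMAINS


def is_lookalike(host: str) -> bool:
    """Untrusted host that reuses a trusted brand label (microsoft.net.cn, microsoft-support.com)."""
    if is_trusted(host):
        return False
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return any(brand in label for label in host.lower().split(".") for brand in brands)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def extract_links(html_body: str):
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    return parser.links


def analyze_message(raw: str):
    """Return a list of (finding, detail) tuples for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: sender domain that is untrusted, or worse, imitates a trusted brand.
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    if sender_host and not is_trusted(sender_host):
        kind = "lookalike-sender" if is_lookalike(sender_host) else "untrusted-sender"
        findings.append((kind, sender))

    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body is not None else ""
    for href, text in extract_links(html_body):
        host = urlparse(href).hostname or ""
        # Tell 2: where the link really goes (what hovering would reveal).
        if registered_domain(host) in URL_SHORTENERS:
            findings.append(("shortened-url", href))
        elif is_lookalike(host):
            findings.append(("lookalike-link", href))
        elif host and not is_trusted(host):
            findings.append(("untrusted-link", href))
        # Tell 3: visible text is itself a URL but points to a different domain.
        text_host = urlparse(text.strip()).hostname
        if text_host and registered_domain(text_host) != registered_domain(host):
            findings.append(("link-text-mismatch", f"{text.strip()} -> {href}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_message(SAMPLE_EML):
        print(f"{kind:20} {detail}")
```

Running it against the constructed message reports the lookalike sender, the lookalike login link together with its text mismatch, and the shortened link, while the genuine microsoft.com link passes. The same logic is what a mail-flow rule or transport hook would apply; the human version of the check is exactly what the list above asks employees to do by hand.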
Technical safeguards in Exchange Online Protection (EOP)
Security training is our best defense, but it isn’t the only one. It is important to choose an email service provider that takes security seriously. Microsoft’s filtering service for Office 365, Exchange Online Protection (EOP), bundles a number of security features designed to minimize the threat of email-based attacks, including several dedicated anti-phishing technologies.
EOP is a cloud-based email filtering service that helps protect our organization against spam and malware and includes features to safeguard our organization from messaging-policy violations. EOP can simplify the management of our messaging environment and relieve many of the burdens that come with maintaining on-premises hardware and software.
As another line of defense against account compromise, Office 365 lets us require multi-factor authentication (MFA) for our users. Even if an attacker obtains a user’s password, the sign-in still fails without the second factor. One caveat a practitioner should keep in mind: MFA only protects sign-ins that use modern authentication. Legacy protocols that rely on basic authentication (POP, IMAP, SMTP AUTH and older Exchange ActiveSync clients) accept a password alone, so basic authentication should be blocked with Conditional Access or disabled outright; otherwise a phished password still works against those endpoints.
Additional information
In the past, I have written several articles about MFA and EOP. If you are interested in more information on this topic, I recommend the following articles:
Exchange Online Protection – EOP
Brief how-to: Enable MFA for Office 365