Equipping Users to Combat Phishing Attacks in Office 365

Following a recent conversation with a customer, I started thinking about how user vigilance is the most effective tool to combat phishing attacks. Phishing is now – more than ever – a real threat in pretty much every organization. We even see phishing attempts in our personal lives with malicious SMS messages and email becoming a common occurrence. As admins, there are an array of tools available to us to help combat Phishing before it reaches our users but no technical prevention method is 100% successful.

I’ve discussed a lot of these methods in the past so I won’t be looking at them in this post, however here’s a shortlist of the top tools we can use to try to protect our environment from Phishing attacks:

Outside of these prevention and remediation tools, there are a tonne of small things we can do to help users identify phishing attempts. In this post, I’ll take a look at some of the options we have.

Corporate Branding

Branding isn’t just something that the marketing department want in place to make everything comply with corporate policies. It can be a very useful tool to help users identify phishing. Let’s say a user gets an email asking them to log into Office 365 via an embedded link. By default every tenant has an identical login page that is very easy to spoof from a design perspective.

With Corporate Branding in place, users will grow to expect a customized login experience for the organization. Things users can watch out for are:

  1. The organizational logo
  2. Custom background image
  3. Company specific working

This can be seen in Figure 1 and even a small thing like this can help users identify threats that otherwise may catch them out.

Figure 1: Corporate Branding in action

Running Regular Phishing Simulations / Training Campaigns

I’ve discussed this in detail in a previous post, but running regular simulations in your environment can help keep users vigilant. The Microsoft Defender for Office 365 Attack Simulations can allow you to easily run a campaign across all users or even a subset. The important thing about running these campaigns is that they are not used to “catch out” users, they are used to raise awareness. If a user “fails” a phishing campaign for example, we can automatically assign them training so that they can do better next time (Figure 2).

Figure 2: Users are assigned short training sessions

Encourage the use of the Report Message Add-In

The Microsoft Report Message Add-In (Figure 3) allows users to report malicious messages directly to Microsoft. The Add-In can be deployed centrally and it should be encouraged as the “go to” place for dealing with suspected spam/phishing etc. There are multiple benefits to users using the add-in, reporting directly to Microsoft improves the overall filtering capabilities but admins also get visibility of the reported messages. This replaces the legacy behavior where users are actively forwarding malicious mail to Service Desks etc.

Figure 3: Deploy the Report Message Add-In

Another benefit of deploying the add-in, is that it gives users an easy, quick way to report messages and improve the filtering for the organization.


In this post, I’ve looked at three, very easy, ways we can help users to combat malicious mails in Office 365. The technical solutions for prevention are great but at the end of the day, we will never be 100% successful in preventing threats coming into our organization. User vigilance and awareness is one of the most important components in any organizations threat prevention policy. A lot of the steps here will also translate directly into users personal lives such as looking at branding, interrogating mails for signs of phishing and actively reporting threats.

One thought on “Equipping Users to Combat Phishing Attacks in Office 365

  1. Pingback: Configuring Exchange Online Advanced Delivery to Allow Third-Party Phishing Simulations and SecOps Monitoring Mailboxes – Sean McAvinue

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s