Exchange Online Security

Email remains the number one attack vector. A fully secured Exchange Online tenant is the most important line of defense against ransomware, spearphishing, and Business Email Compromise (BEC).

Your Strategy

Implement a multi-layered email defense (defense-in-depth). Use strict email authentication (DMARC) to protect your own reputation, and advanced threat protection (safe links/attachments) to neutralize incoming threats.

Best Practices

  • Authentication: Enforce DMARC with 'p=reject' and disable legacy protocols.
  • Transparency: Use transport rules to clearly flag external emails.
  • Permissions: Continuously monitor mailbox delegations and full access for anomalies.

STRIDE-LM Design Risks

Spoofing (S-EXO-01): Business Email Compromise (BEC)
Takeover of mailboxes to conduct fraud (e.g., CEO fraud).

Spoofing (S-EXO-02): Legacy Auth Exploitation
Use of outdated protocols (POP3, IMAP) to bypass MFA.

Repudiation (R-01): Audit Log Manipulation
Deleting or altering traces of an action.

Information Disclosure (I-M365-01): Exfiltration via Inbox Rules
Automated forwarding of emails to external addresses.

Denial of Service (D-01): Resource Exhaustion
Overloading systems through massive requests or resource hogging.

Elevation of Privilege (E-01): Privilege Escalation
Gaining privileges beyond what is intended.

Lateral Movement (L-01): Lateral Movement
Accessing further internal systems after initial login.

Monitoring Gaps (M-01): Insufficient Logging
Missing or inadequate recording of security-relevant events.
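The "Permissions" best practice and the I-M365-01 risk above both come down to watching mailbox configuration changes for external forwarding. The following is an added example (not code from this page or from AYSOLI) that scans Unified Audit Log style Exchange records for inbox rules or mailbox settings that forward mail outside the tenant; the record shape (Operation, UserId, Parameters) and the sample entries are constructed, and the internal domain list is an assumption.

```python
import json
import re

# Rule/mailbox parameters that redirect or copy mail to another recipient.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Exchange operations that can introduce such a parameter.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed tenant domains; anything else counts as external.
INTERNAL_DOMAINS = {"contoso.example"}

def external_forwards(records, internal_domains):
    """Return one finding per forwarding parameter whose target lies outside internal_domains.

    records: iterable of dicts shaped like simplified UAL Exchange entries
    (Operation, UserId, Parameters=[{"Name": ..., "Value": ...}, ...])."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            targets = EMAIL_RE.findall(str(param.get("Value", "")))
            external = sorted({t.lower() for t in targets
                               if t.split("@")[1].lower() not in internal_domains})
            if external:
                findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                                 "parameter": param["Name"], "external_targets": external})
    return findings

# Constructed sample records, not real tenant data.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "smtp:archive@mailbox.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "RedirectTo", "Value": "smtp:helpdesk@contoso.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "carol@contoso.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@mail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@contoso.example", "Parameters": []},
]

if __name__ == "__main__":
    print(json.dumps(external_forwards(SAMPLE_LOG, INTERNAL_DOMAINS), indent=2))
```

Internal redirects (the second record) and unrelated operations are ignored, so only rules that move mail off the tenant surface as findings.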

MITRE ATT&CK® Techniques

Initial Access

T1566 Phishing (ATT&CK)
Delivering malicious content via electronic communication.
Mitigated by:
  • Anti-Phishing & Anti-Spam Policies | Baseline Protection | Low | CIS: 9.2, NIST: PR.PT-4
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low | CIS: 9.3, NIST: PR.DS-2
  • Email Authentication (SPF, DKIM, DMARC) | Baseline Protection | Medium | CIS: 9.1, NIST: PR.DS-2
  • ATP Safe Links & Attachments | Baseline Protection | Low | CIS: 9.2, NIST: PR.IP-1
  • FIDO2 Enforcement | Baseline Protection | Medium | CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Conditional Access Policies | Baseline Protection | Medium | CIS: 6.1, NIST: PR.AC-7, OWASP: API2
  • Output Content Filtering | Baseline Protection | Low | NIST: AI-1.2, OWASP: LLM02

T1566-001 Spearphishing Attachment (ATT&CK)
Delivering harmful file attachments to specific targets.
Mitigated by:
  • Anti-Phishing & Anti-Spam Policies | Baseline Protection | Low | CIS: 9.2, NIST: PR.PT-4
  • Email Authentication (SPF, DKIM, DMARC) | Baseline Protection | Medium | CIS: 9.1, NIST: PR.DS-2

T1566-002 Spearphishing Link (ATT&CK)
Delivering malicious links to obtain credentials.
Mitigated by:
  • Anti-Phishing & Anti-Spam Policies | Baseline Protection | Low | CIS: 9.2, NIST: PR.PT-4

T1566-003 Spearphishing via Service (ATT&CK)
Phishing via trusted cloud services (Teams, LinkedIn).
Mitigated by:
  • Anti-Phishing & Anti-Spam Policies | Baseline Protection | Low | CIS: 9.2, NIST: PR.PT-4

T1078 Valid Accounts (ATT&CK)
Exploiting existing credentials for access.
Mitigated by:
  • Email Authentication (SPF, DKIM, DMARC) | Baseline Protection | Medium | CIS: 9.1, NIST: PR.DS-2
  • Modern Auth Enforcement | Baseline Protection | Low | CIS: 6.1, NIST: PR.AC-1
  • FIDO2 Enforcement | Baseline Protection | Medium | CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Unified Audit Log (UAL) | Baseline Protection | Low | CIS: 8.2, NIST: PR.PT-1
  • Conditional Access Policies | Baseline Protection | Medium | CIS: 6.1, NIST: PR.AC-7, OWASP: API2

Execution

T1137 Office Application Startup (ATT&CK)
Exploitation of Office startup processes for code execution.
Mitigated by:
  • Mailbox Delegation Monitoring | Extended Protection | Low | CIS: 6.2, NIST: DE.AE-2
  • Restricted App Consent | Baseline Protection | Low | CIS: 16.1, NIST: PR.AC-1
  • Unified Audit Log (UAL) | Baseline Protection | Low | CIS: 8.2, NIST: PR.PT-1

Persistence

T1098 Account Manipulation (ATT&CK)
Changing permissions or creating new accounts.
Mitigated by:
  • Mailbox Delegation Monitoring | Extended Protection | Low | CIS: 6.2, NIST: DE.AE-2
  • Restricted App Consent | Baseline Protection | Low | CIS: 16.1, NIST: PR.AC-1
  • Unified Audit Log (UAL) | Baseline Protection | Low | CIS: 8.2, NIST: PR.PT-1

Credential Access

T1557 Adversary-in-the-Middle (ATT&CK)
Intercepting communication between two parties.
Mitigated by:
  • Privileged Access Workstation (PAW) | Extended Protection | High | CIS: 6.4, NIST: PR.AC-3

T1539 Steal Web Session Cookie (ATT&CK)
Capturing active session tokens to bypass authentication.
Mitigated by:
  • Modern Auth Enforcement | Baseline Protection | Low | CIS: 6.1, NIST: PR.AC-1
  • FIDO2 Enforcement | Baseline Protection | Medium | CIS: 6.5, NIST: PR.AC-7, OWASP: A07:2021
  • Conditional Access Policies | Baseline Protection | Medium | CIS: 6.1, NIST: PR.AC-7, OWASP: API2

T1552 Credentials from Password Stores (ATT&CK)
Extracting passwords from web browsers or password managers.
Mitigated by:
  • Output Content Filtering | Baseline Protection | Low | NIST: AI-1.2, OWASP: LLM02

Collection

T1114-003 Email Forwarding Rule (ATT&CK)
Automated exfiltration through inbox rules.
Mitigated by:
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low | CIS: 9.3, NIST: PR.DS-2
  • Mailbox Delegation Monitoring | Extended Protection | Low | CIS: 6.2, NIST: DE.AE-2
  • Unified Audit Log (UAL) | Baseline Protection | Low | CIS: 8.2, NIST: PR.PT-1

T1114-002 Remote Email Collection (ATT&CK)
Harvesting emails directly from the server.
Mitigated by:
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low | CIS: 9.3, NIST: PR.DS-2

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.