Just came back from a cybersecurity conference yesterday, and here's what crossed my mind: The longer I work in #cybersecurity, the more I realize: Most attacks don't start with the company's firewall. They start with a person. An email. A click.

91% of breaches begin with a phishing email. One click is all it takes.

Even with filters and awareness training in place, people still click. I've seen folks at highly technical companies fall for phishing emails with fake Amazon logos. Why? Because it was Friday, 6:03 PM. They were tired, distracted, and ready to go home.

We had a case just two weeks ago in which a company managing $2,000,000,000 didn't have adequate email security. The VP clicked on the malicious link, and the attackers were able to take over his email account. Our team was able to identify it and block this attack, but what if we were not?

That's the second gap. Even if nobody clicks, your credentials might already be out there for sale. There are 24 billion+ logins and passwords floating around the dark web. They get traded, sold, and reused. Most companies, especially #SMBs, have no idea they've been exposed until it's too late.

83% of breaches involve stolen or weak credentials. 204 days is the average time to detect a breach. That's nearly 7 months of silence while attackers have a foothold.

Here are the basics any cybersecurity team should do:
- Run phishing simulations that aren't just checkbox exercises
- Deploy advanced email protection (not "we're covered by Microsoft")
- Monitor for unusual logins and outbound email activity
- Enforce mandatory password resets after exposures
- Use #MFA across all systems
- Constantly monitor the #darkweb

If you're not doing this yet, start simple:
- 2-week free Email Security POC from Cyberwall: see what's actually slipping past your filters
- Free Dark Web Monitoring check: see if your data is already exposed and in use

Bonus: Add a full NIST Cyber Risk Assessment for $500, a clear, no-fluff snapshot of your cybersecurity posture based on the most common standard.

Message me, and I'll show you how to get it up and running fast without the headache.
Year-round email security best practices
Summary
Year-round email security best practices are steps and safeguards organizations take throughout the year to protect their email systems from cyber threats like phishing, data leaks, and unauthorized access. These approaches are designed to reduce risks by combining technical defenses with ongoing monitoring and employee awareness, ensuring sensitive information stays secure every day.
- Review authentication settings: Regularly check and update protocols like SPF, DKIM, and DMARC to help prevent impersonation and stop fraudulent emails before they reach your inbox.
- Monitor activity consistently: Keep an eye out for unusual logins, outbound emails at odd hours, and auto-forwarding rules that could signal suspicious behavior or a compromised account.
- Encrypt and educate: Use email encryption for all sensitive communication and train your team to recognize potential risks from unfamiliar links, attachments, or requests.
SIEM Use Cases for Email Exchange 📧

In the world of cybersecurity, email exchanges are a crucial battleground. Here are some SIEM use cases that play a vital role in fortifying your organization's email security:

- Top 10 External Communicators: Identify the top users sending emails to external domains. Understanding this communication flow helps monitor external interactions effectively.
- Email Activity Insights: Keep an eye on the top 10 email receivers and senders within your organization. This insight aids in understanding communication patterns and potential anomalies.
- Data Leakage Identification: Utilize SIEM to detect data leakage through email channels. Ensure that sensitive information doesn't fall into the wrong hands.
- Large File Monitoring: Track and manage large files sent via email. This helps in controlling data transfer sizes and ensuring compliance with security policies.
- Malicious/Suspicious Attachments: Enhance your security posture by identifying and addressing emails with malicious or suspicious attachments promptly.
- After-Hours Email Monitoring: Monitor emails going out from your company domain to other domains after office hours. This helps in identifying potential security risks during non-business hours.
- Individual Email Bandwidth: Keep track of high email bandwidth utilization by individual users. Unusual spikes may indicate security threats or abnormal activities.
- Undelivered Messages Detection: Detect undelivered messages promptly. This ensures that critical communications are not missed and addresses potential delivery issues.
- Mailbox Security Incidents: Identify unauthorized access, such as mailbox access by another user or a user sending a message as another user. Strengthen your email security by detecting and responding to such incidents.
- Login Anomalies: Detect users logging into mailboxes that are not their primary accounts. Unusual login patterns may signal compromised accounts.
- Auto Redirected Mails: Stay vigilant for auto-redirected emails. Detect and prevent unauthorized forwarding of emails.
- Internal Email Insights: Identify the top 10 users sending emails internally. This helps in understanding internal communication dynamics.
- SMTP Gateway Monitoring: Monitor SMTP gateways for sudden spikes in incoming emails. Rapid increases may indicate potential security threats or attacks.
- Rejected Mails Analysis: Keep an eye on a high number of rejected emails from a single "from" address. This helps in identifying and mitigating potential spam or phishing attempts.

Utilize these SIEM use cases to strengthen your email security strategy and create a robust defense against evolving cyber threats.
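The after-hours outbound, large file, auto-forward, non-owner mailbox access and rejected-mail use cases above, as an added example that is not part of the original post: a small Python detector run over constructed JSON log lines (the field names, office hours and thresholds are assumptions, not any product's schema).

```python
import json
from collections import Counter
from datetime import datetime, time

# Constructed sample export from a hypothetical mail gateway / mailbox audit log; not real data.
SAMPLE_LOGS = [
    '{"ts":"2024-03-04T18:41:00","event":"send","user":"alice@corp.example","to":"partner@ext.example","size":120000}',
    '{"ts":"2024-03-04T22:15:00","event":"send","user":"bob@corp.example","to":"drop@ext.example","size":31000000}',
    '{"ts":"2024-03-05T09:02:00","event":"send","user":"alice@corp.example","to":"carol@corp.example","size":2000}',
    '{"ts":"2024-03-05T09:10:00","event":"set_forward","user":"bob@corp.example","forward_to":"bob.backup@webmail.example"}',
    '{"ts":"2024-03-05T09:11:00","event":"mailbox_login","user":"bob@corp.example","mailbox":"ceo@corp.example"}',
    '{"ts":"2024-03-05T09:12:00","event":"reject","from":"promo@spam.example"}',
    '{"ts":"2024-03-05T09:13:00","event":"reject","from":"promo@spam.example"}',
    '{"ts":"2024-03-05T09:14:00","event":"reject","from":"promo@spam.example"}',
]

INTERNAL_DOMAIN = "corp.example"
OFFICE_HOURS = (time(8, 0), time(18, 0))   # assumed business hours
LARGE_FILE_BYTES = 25 * 1024 * 1024        # assumed "large file" threshold
REJECT_THRESHOLD = 3                       # assumed rejects-per-sender alert level

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyse(lines):
    """Run the SIEM-style rules over JSON log lines; return (rule, subject, detail) findings."""
    findings = []
    rejects = Counter()
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "send" and domain(ev["to"]) != INTERNAL_DOMAIN:
            # Outbound to another domain outside office hours
            if not OFFICE_HOURS[0] <= ts.time() <= OFFICE_HOURS[1]:
                findings.append(("after_hours_external", ev["user"], ev["to"]))
            # Large transfer leaving the organisation
            if ev["size"] > LARGE_FILE_BYTES:
                findings.append(("large_external_send", ev["user"], ev["size"]))
        elif ev["event"] == "set_forward" and domain(ev["forward_to"]) != INTERNAL_DOMAIN:
            findings.append(("external_autoforward", ev["user"], ev["forward_to"]))
        elif ev["event"] == "mailbox_login" and ev["mailbox"] != ev["user"]:
            findings.append(("non_owner_mailbox_access", ev["user"], ev["mailbox"]))
        elif ev["event"] == "reject":
            rejects[ev["from"]] += 1
    # Many rejects from one "from" address: likely a spam or phishing campaign
    for sender, count in rejects.items():
        if count >= REJECT_THRESHOLD:
            findings.append(("repeated_rejects", sender, count))
    return findings
```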
-
[Email Security - Falling at first hurdles?]

Email Security failures I am still seeing:
- DMARC still in p=none with no reporting (how will you progress to reject without reporting?)
- DMARC on .onmicrosoft[.]com domains -> these may be acting as SMTP proxy domains.
- Email Encryption
- Not empowering users to be proactive with malicious emails with user tips (are you really getting your ROI on security awareness training?)
- Improper scoping of Defender for Office policies to groups/users instead of domains, such as Safe Attachment policies when no further fine-grained policies are applied
- Not extending domain impersonation to all domains you own + any partners/suppliers/subsidiaries
- Not using user impersonation for VIP users
- Not blocking email auto-forwarding (common persistence technique - there are countless ways to limit/block this in #Exchange or MDO)
- Not using TABL to block abused TLDs (both domains and URLs)
- Using complicated rule exceptions instead of SecOps mailboxes for security teams
- Doubling up on email gateways needlessly and watching them both not work in their best capacity (journalling is honestly a valid use-case for dual gateways)
- Allowing domains to bypass anti-spam instead of using an Exchange Transport rule
- Not checking your homework with Config Analyzer

Email security can be intimidating in Defender, with many buttons and policies you can enable (I encourage you to check out these mindmaps https://lnkd.in/eJ3j8UQk by James Agombar). Chances are if malicious emails are getting in/out then there is still hardening that can be done. This is not a complete list of things you can do; there are plenty of things you can add on top, but please please don't forget the basics such as DMARC. Every time I see a major breach in the news I always check DMARC and 7/10 times it's not correctly configured (causation or correlation? Will never know) and 99% of the time they haven't configured DMARC for their MOREA domain which may be acting as the #SMTP proxy address.

There's also the more debatable MDO controls such as dynamic delivery... personally I think it's best left off as it can be a bad UX and a bad experience for a #SOC responder trying to purge emails. I also think allowing end users to control their own safe senders is a SOC responder nightmare as it overrides admin controls.

With collaboration now extending to other areas such as Teams, Slack, there is yet another set of policies and controls to enable.... maybe I'll talk about those in another post.

#Purview #MDO #Defender #Phish #Security #Cybersecurity #DefenceInDepth
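The first two failures in the list above (p=none with no reporting, and a tenant proxy domain with no record at all) and the "review authentication settings" item in the Summary, as an added example that is not part of the post: a Python audit of DMARC TXT records. Domain names and records are constructed; a real check would fetch the `_dmarc.<domain>` TXT record from DNS first.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=mailto:...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return human-readable findings for the weak-DMARC patterns listed in the post."""
    if record is None:
        return ["no DMARC record published (spoofed mail gets no policy at all)"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not begin with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failures are observed only, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no data to progress toward p=reject")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is enforced on only {pct}% of failing mail")
    if policy != "none" and tags.get("sp") == "none":
        findings.append("sp=none: subdomains are exempt from the enforcing policy")
    return findings

# Constructed zone data (hypothetical names): the primary domain, the Microsoft 365 tenant
# domain that may act as an SMTP proxy, and a domain that is mostly right.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=none",
    "tenant.onmicrosoft.com": None,
    "example.net": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.net; sp=none",
}

def audit_all(records):
    """Audit every domain; an empty list means nothing was flagged."""
    return {dom: audit_dmarc(rec) for dom, rec in records.items()}
```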
-
Email may seamlessly enable communication, but each message also poses risks. Networks, devices, and people all introduce vulnerabilities that cybercriminals exploit to intercept sensitive data. But... encryption can serve as a line of defense. Email encryption scrambles content into coded formats only intended recipients can decrypt. This safeguards information as messages transit between senders and readers.

Here are 4 best practices to implement robust email encryption:
1. Encrypt everything: Don't selectively secure messages. Consistent encryption protects company-wide communication.
2. Select proper platforms: Validate provider or software reliability and compatibility with partners.
3. Verify indicators: Check for signals like padlocks that confirm encryption is active before sending confidential data.
4. Reinforce training: Technology alone can't outweigh human judgment. Continually educate employees on handling links, attachments, and suspicious messages.

Don't let your email be an easy target for hackers. With these simple steps, you can encrypt your messages and keep your information safe and sound.
-
Was awesome to unplug over the Thanksgiving break and recharge! Back in the saddle this morning with a focus on the importance of email authentication.

Comprehensive Email Authentication

Understanding SPF, DKIM, and DMARC: SPF (Sender Policy Framework) helps validate the sender, DKIM (DomainKeys Identified Mail) ensures message integrity, and DMARC (Domain-based Message Authentication, Reporting & Conformance) aligns SPF and DKIM for a robust defense. Without these, emails are easy targets for cybercriminals, leading to compromised data and lost credibility.

Real-World Impact: Consider a scenario where a phishing email, undetected due to poor authentication, leads to a significant data breach. This could result in not only financial loss but also irreversible damage to the organization's reputation.

Evolving Security Protocols: Microsoft 365 updates its security protocols regularly to combat emerging threats. Organizations failing to adapt can find their emails misclassified, blocked, or worse, hacked.

Best Practices for Compliance: Regularly review and update your email security policies. Engage in continuous learning and training programs to keep your IT team informed about the latest Microsoft 365 updates.

Handling Email Fraud: DMARC's role in Microsoft 365 is crucial in preventing email fraud. Ignoring these policies can lead to an increase in phishing attacks and loss of sensitive information.

Actionable Steps: Implement and regularly review your DMARC policies. Monitor DMARC reports to understand how your emails are being handled and adjust your strategies accordingly.

Beyond Email Security: The implications of email security extend beyond preventing cyber-attacks. It's about building and maintaining trust with clients, partners, and employees. A secure email environment is a foundation for reliable digital communication.

Holistic Approach: Combine technical solutions with employee education. Regularly conduct phishing simulations and security awareness training. Foster a culture where email security is everyone's responsibility.

For anyone needing specialized assistance with Defender for Office 365, there's a helpful link in the comments that offers expert support. This resource is ideal for those who may be new to Defender or seeking advanced help!

#healthcareit #healthcarecybersecurity #fintech #bankingtech #higheredtech #higheredcybersecurity #k12it #k12cybersecurity #cybersecurity #infosec #technology #microsoft #datasecurity #itsecurity #cloudsecurity #networking #emailsecurity #dataprotection
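How DMARC "aligns" SPF and DKIM, as an added example that is not part of the post: a Python evaluation of the identifier-alignment rule over constructed authentication results. Domain names are hypothetical, and the organizational-domain reduction is a simplification of the Public Suffix List lookup real receivers perform.

```python
def org_domain(fqdn):
    # Crude reduction to the last two labels; real receivers use the Public Suffix List (assumption).
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    DMARC passes only when SPF or DKIM passes AND that identifier aligns with the From: domain."""
    spf_res, spf_dom = spf
    dkim_res, dkim_dom = dkim
    spf_pass = spf_res == "pass" and aligned(spf_dom, from_domain, aspf)
    dkim_pass = dkim_res == "pass" and aligned(dkim_dom, from_domain, adkim)
    if spf_pass or dkim_pass:
        return "pass", "spf" if spf_pass else "dkim"
    if spf_res == "pass" or dkim_res == "pass":
        return "fail", "authenticated but not aligned with From: domain"
    return "fail", "no passing authentication"

# Constructed cases (hypothetical domains), shaped like the Authentication-Results a receiver sees.
CASES = {
    # Legitimate mail: bounce domain is a subdomain, DKIM signed by the From: domain itself.
    "legit_relaxed": dict(from_domain="example.com",
                          spf=("pass", "bounce.example.com"), dkim=("pass", "example.com")),
    # Impersonation: SPF and DKIM both pass, but for the sender's own domain, not the displayed From:.
    # This is why "SPF pass" alone does not stop spoofing; alignment does.
    "unaligned_pass": dict(from_domain="example.com",
                           spf=("pass", "example.net"), dkim=("pass", "example.net")),
    # Strict DKIM alignment rejects a subdomain signer that relaxed mode would accept.
    "strict_dkim": dict(from_domain="example.com", spf=("fail", "example.net"),
                        dkim=("pass", "mail.example.com"), adkim="s"),
}

def run_cases():
    return {name: dmarc_evaluate(**kw) for name, kw in CASES.items()}
```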