How to tighten M365 against Phishing attacks: 5-minute checklist
Phishing is the favourite trick of criminals because it’s cheap and it works. If your business runs Microsoft 365, there are a handful of settings you can change in five minutes that dramatically reduce the chance of a successful attack. This isn’t about deep security plumbing — it’s the version that actually works in practice: small, quick wins that stop most common scams and limit damage when one slips through.
Before you begin
These steps assume you have an M365 administrator account. If you don’t, ask whoever manages IT to make the changes or give you temporary admin access. Do the checklist out of hours if you’re nervous — none of the items should break normal mail flow, but it’s sensible to test on one user first.
The 5-minute checklist (do these now)
Aim for the quick wins first. Each item below takes seconds to a couple of minutes.
- Enable multi-factor authentication (MFA) for everyone.
  Why: Passwords get phished; MFA stops attackers using stolen credentials.
  How: Turn on Security Defaults in Azure AD (quick) or enforce Conditional Access for MFA if you already use it.
  Business impact: near-immediate reduction in account takeovers.
- Block legacy authentication.
  Why: Older protocols (IMAP/POP/SMTP, basic auth) bypass MFA and are commonly abused.
  How: In the Azure AD sign-in policies, disable legacy auth or create a Conditional Access rule to block it.
  Business impact: prevents many automated credential-stuffing and phishing follow-ups.
- Turn on anti-phishing protections and impersonation checks.
  Why: Microsoft 365 has built-in anti-phishing and impersonation detection that catches obvious spoofing attempts.
  How: In Microsoft 365 Defender / Exchange admin centre, enable anti-phishing policies and set high-risk actions (quarantine or reject) for impersonation.
  Business impact: fewer spoofed emails reaching the inbox.
- Enable Safe Links and Safe Attachments.
  Why: Malicious URLs and attachments are core phishing vectors.
  How: Enable Microsoft Defender for Office 365 features (Safe Links rewrites suspicious URLs; Safe Attachments scans attachments). If you don’t have Defender licences, at least enable link scanning where available.
  Business impact: reduces malware infections and credential-harvesting pages.
- Switch off automatic external forwarding.
  Why: A compromised mailbox can silently forward copies of mail to attacker-controlled addresses.
  How: Create a mail flow rule to block automatic forwarding to external domains.
  Business impact: prevents data leakage from mailbox compromise.
- Add the Report Message / Report Phishing button for users.
  Why: Reporting builds visibility and improves filtering.
  How: Deploy the Microsoft Report Message add-in from the Exchange admin centre (or ask users to add it).
  Business impact: faster detection and removal of dangerous emails.
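The forwarding block and the anti-phishing quarantine actions from the checklist above, scripted in Exchange Online PowerShell. This is an added example rather than anything from the original article; it assumes the ExchangeOnlineManagement module is installed, the UPN is a placeholder, and "Office365 AntiPhish Default" is the tenant's built-in default policy.

```powershell
# Added example: tighten external forwarding and the default anti-phish policy.
# Assumes the ExchangeOnlineManagement module and an admin account (placeholder UPN).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Stop auto-forwarding to every external domain at the remote-domain level.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Belt and braces: a mail flow rule that rejects auto-forwarded mail leaving the
#    organisation, so inbox rules and ForwardingSmtpAddress cannot leak mail outside.
if (-not (Get-TransportRule -Identity "Block external auto-forwarding" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "Block external auto-forwarding" `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode "5.7.1" `
        -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted."
}

# 3. Default anti-phish policy: quarantine rather than deliver (reject can come later,
#    once you have checked the quarantine for false positives). Spoof intelligence is
#    part of EOP; the domain/mailbox-intelligence impersonation settings need a
#    Defender for Office 365 licence and are ignored without one.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine

# Verify before closing the session.
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object AuthenticationFailAction, TargetedDomainProtectionAction, MailboxIntelligenceProtectionAction
Disconnect-ExchangeOnline -Confirm:$false
```

Run it against one test user's mail flow first, as the article advises, and document the rule and policy names so they can be reverted quickly.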
What to check in the next 30 minutes
These take a little longer or may require coordination (DNS changes, licence checks). Do them soon.
- Review SPF, DKIM and DMARC status for your domains.
  Why: These DNS records reduce spoofing of your addresses.
  How: Check your domain settings in the Microsoft 365 admin centre and your DNS provider.
  Business impact: helps recipients and mail filters trust legitimate mail and reject fakes.
  Note: DNS changes can take time to propagate.
- Restrict admin roles and use dedicated admin accounts.
  Why: Admin accounts are high-value targets.
  How: Ensure admin users have MFA and, ideally, separate accounts for admin work vs. email.
  Business impact: reduces risk of catastrophic changes after a compromise.
- Check mailbox quarantine and user-reported messages regularly.
  Why: Detection is useful only if someone acts.
  How: Assign someone to review quarantine reports and user submissions daily.
  Business impact: quicker removal of threats and lessons for future tuning.
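A quick way to do the SPF/DKIM/DMARC review from a Windows PowerShell prompt, added here as an example (not part of the original article). It assumes Resolve-DnsName is available (it ships with Windows), that "contoso.example" stands in for your own domain, and that DKIM uses the selector1/selector2 CNAME names Microsoft 365 publishes.

```powershell
# Added example: report the state of SPF, DKIM and DMARC for one domain.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF is a TXT record on the domain itself; the "all" qualifier sets the policy.
    $spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings -join '' }) | Where-Object { $_ -like 'v=spf1*' }
    if (-not $spf)               { $findings.Add("SPF: no record, so anyone can spoof $Domain") }
    elseif ($spf -match '\+all') { $findings.Add("SPF: '+all' permits every sender; use -all or ~all") }
    elseif ($spf -match '~all')  { $findings.Add("SPF: soft fail (~all); fine to start, tighten to -all later") }
    else                         { $findings.Add("SPF: OK ($spf)") }

    # DKIM: Microsoft 365 expects CNAMEs at selector1/selector2._domainkey.<domain>.
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if ($cname) { $findings.Add("DKIM: $sel present -> $($cname.NameHost)") }
        else        { $findings.Add("DKIM: $sel missing; enable DKIM signing for $Domain in the Defender portal") }
    }

    # DMARC: TXT record at _dmarc.<domain>; p= is the enforcement level.
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Strings -join '' }) | Where-Object { $_ -like 'v=DMARC1*' }
    if (-not $dmarc) {
        $findings.Add("DMARC: no record; receivers cannot tell spoofed mail from yours")
    } elseif ($dmarc -match 'p=none') {
        $findings.Add("DMARC: p=none is monitoring only; move to p=quarantine once reports look clean")
    } elseif ($dmarc -notmatch 'rua=') {
        $findings.Add("DMARC: enforced but no rua= address, so you receive no aggregate reports")
    } else {
        $findings.Add("DMARC: OK ($dmarc)")
    }
    return $findings
}

Test-MailAuthRecords -Domain 'contoso.example'
```

The p=none finding is the usual starting point; the article's advice to begin with quarantine and escalate to reject applies to the DMARC policy as well.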
Short real-world notes
We see this most often when SMEs rely on a handful of long-running passwords and legacy mail apps. Turning on MFA and blocking legacy auth eliminates a large slice of exposure without changing how staff work day-to-day.
Also: don’t set everything to ‘reject’ straight away. You’ll catch false positives — quarantine or move to junk first, then tighten policies once you’re confident.
What to avoid doing in panic mode
- Don’t disable all external mail or block whole domains unless you’re ready for the business impact.
- Don’t make admin changes without documenting them. You’ll want to undo mistakes quickly.
- Don’t assume a single setting solves everything. Defence in depth wins.
Simple checks to spot an active compromise
- Unfamiliar mailbox forwarding rules. If present, investigate immediately.
- Recently-created inbox rules moving mail to folders or deleting messages.
- Multiple failed login attempts or logins from unexpected countries in sign-in logs.
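An audit for the first two indicators above (mailbox forwarding and suspicious inbox rules) in Exchange Online PowerShell, added as an example that is not from the original article. It assumes an admin session is already open with Connect-ExchangeOnline and that the internal domain list is a placeholder; sign-in anomalies live in the Entra sign-in logs and are not covered here.

```powershell
# Added example: find mailbox forwarding and inbox rules that forward, redirect,
# delete or hide mail. Get-InboxRule runs once per mailbox, so expect this to be
# slow on large tenants; run it out of hours.
$internalDomains = @('contoso.example')   # placeholder: your own accepted domains

function Test-ExternalTarget([string]$Address) {
    # Targets appear as "smtp:user@dom", "user@dom" or "Name [SMTP:user@dom]".
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1].ToLowerInvariant()
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$findings = foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding, whether set by an admin or via a compromised account.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            Detail   = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            External = Test-ExternalTarget "$($mbx.ForwardingSmtpAddress)"
        }
    }
    # 2. Inbox rules that move mail out of sight or send it elsewhere.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $hides   = $rule.DeleteMessage -or ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk')
        if (-not $targets -and -not $hides) { continue }
        $detail = if ($targets) { $targets -join ', ' }
                  elseif ($rule.DeleteMessage) { 'DeleteMessage' }
                  else { "MoveTo $($rule.MoveToFolder)" }
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = "InboxRule: $($rule.Name)"
            Detail   = $detail
            External = [bool]($targets | Where-Object { Test-ExternalTarget "$_" })
        }
    }
}

# External targets first: those are the ones to investigate immediately.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```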
Keeping it working beyond five minutes
These quick steps reduce risk fast. To keep it that way, schedule short regular checks: review quarantine and reported messages daily, check sign-in anomalies weekly, and run a licence and admin-role review monthly. That small amount of housekeeping prevents the slow creep back to risky configurations.
FAQ
Will enabling MFA disrupt staff who use Outlook on phones?
It can if legacy authentication is in use. Modern Outlook apps support MFA natively. If a user has an old app that only uses basic auth, expect a quick reconfiguration or app update — worth the small hassle for much stronger protection.
Can these changes break mail delivery to customers or suppliers?
Unlikely if you follow the checklist sensibly. The main risk is strict anti-phishing or DMARC enforcement catching legitimate mail. Start with quarantine/junk actions, monitor reports, and then escalate to rejection if needed.
Do I need expensive licences to get most of this benefit?
No. Basic MFA and blocking legacy auth are free and high-impact. Some advanced Defender features need licences, but the majority of quick wins are available with standard M365 business plans.
Final thoughts
If you do nothing else today: enable MFA, block legacy auth and add the Report Message button. That combo alone stops a lot of trouble. The next half hour you spend on anti-phishing policies and external forwarding rules tightens the net further.
Want to convert these five-minute fixes into ongoing calm and resilience? A short, focused review can save time, reputational damage and money down the line — and leave you with the credibility that customers expect.