
Block BEC: 9 Microsoft 365 Rules That Actually Work

Image caption: BEC attacks slip past traditional defenses by impersonating trust. Your best defense is an intelligent filter; these proven Microsoft 365 rules act as a digital gatekeeper to identify and neutralize threats before they can cause harm.

Microsoft 365 can stop BEC when you enable and tune the right controls. Start with anti-phishing and impersonation protection, then turn on Safe Links and Safe Attachments. Next, enforce SPF, DKIM, and DMARC. Finally, require phishing-resistant MFA with Conditional Access, add external sender tags, block risky forwarding, train users, and keep a fast response plan ready.

What BEC Looks Like in Microsoft 365 and Why It Works

BEC succeeds because criminals blend social engineering with small technical gaps: weak identity policies, loose email authentication, and lax mailbox hygiene. They imitate executives, vendors, or lawyers, tweak bank details on invoices, and pressure finance teams with urgency. Because many environments still allow look-alike domains, risky links, or silent forwarding rules, attackers exploit defaults. Therefore, you must remove implicit trust from mail flows, verify sender identity, and close common mailbox backdoors while you keep the user experience smooth.

The 9 Microsoft 365 Rules That Actually Work

  1. Turn On Anti-Phish Policies with Impersonation Protection
    Open the Microsoft Defender portal and enable anti-phishing policies beyond the defaults. Add executives, finance signers, and vendor domains to the impersonation list. Enable mailbox intelligence so the system understands typical communication patterns and raises confidence when messages deviate. Because attackers constantly rotate tactics, review detections weekly and refine thresholds. After tuning, impersonation attempts hit quarantine instead of finance.

  2. Enable Safe Links Across Email, Teams, and Office Apps
    Attackers often send URLs that change after delivery. Safe Links checks destination risk at click-time and blocks known-bad pages. Consequently, users avoid fake login portals and malicious document lures. Extend protection to Teams and Office desktop apps so link safety follows people wherever they click. For high-risk roles, prevent click-through on detected phishing and log block events for audits.

  3. Enforce Safe Attachments for Detonation and Sandboxing
    BEC often carries weaponized invoices, lures, or embedded droppers. Safe Attachments detonates unknown files in a sandbox before delivery and stops ransomware and remote access tools from reaching inboxes. Because productivity matters, use Dynamic Delivery so users receive the message body immediately while the attachment finishes analysis. After you prove stability, set the action to Block for attachments that detonate as malicious and monitor for the rare false positive.

  4. Fix Email Authentication: SPF, DKIM, and DMARC
    You cannot fight BEC at scale without solid sender authentication. Publish accurate SPF records that list all legitimate outbound sources, sign outgoing mail with DKIM for every sending domain, and enforce DMARC with p=quarantine and then p=reject after a short monitoring phase. Align subdomains and third-party senders before you flip to enforcement. As deliverability improves for real mail and spoofing gets blocked, your finance team sees fewer convincing fakes.

  5. Require Phishing-Resistant MFA with Conditional Access
    Identity sits at the center of BEC defense. Require multifactor authentication for all users, and strengthen it for finance, executives, and admins. Use Conditional Access to force MFA on risky sign-ins, block legacy authentication, and elevate to phishing-resistant methods where possible. Because BEC often rides on compromised credentials, strong MFA slashes account-takeover attempts that enable payment fraud.

  6. Add External Sender Tagging and Custom MailTips
    People make faster, safer decisions when the UI helps. Turn on the external sender tag so Outlook flags emails from outside your tenant. Add MailTips that warn about look-alike domains or first-time contacts that mention invoices, wire transfers, or bank changes. Because these visual cues appear at the moment of decision, staff pause and verify before approving payments.

  7. Harden Mailbox Rules and Forwarding
    Attackers love quiet persistence. They create hidden rules that forward mail to external inboxes, mark alerts as read, or delete messages from the security team. Therefore, block automatic forwarding to external domains, alert on new forwarding rules, and audit any rule that moves payment-related mail into rarely viewed folders. As you tighten controls, you cut the window for undetected fraud.

  8. Run Attack Simulation Training Regularly
    Users remain targets. Run phishing simulations that mirror current lures, including supplier-update themes and finance approvals. Assign short training to users who click. Track report rates and reduce time-to-report through the Outlook report button. Because simulations reinforce the technical controls above, your people and your policies work together instead of fighting each other.

  9. Prepare a One-Page BEC Incident Playbook
    When someone reports a suspicious payment change, every minute matters. Your playbook should fit on one page and live where finance and IT can access it instantly. Lock the account, revoke tokens, reset the password, and remove malicious rules. Then place a temporary hold on payments and start vendor verification through a second known-good channel. Because clarity beats panic, pre-write bank and vendor templates and practice the workflow with finance each quarter.
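Rules 7 and 9 in working form, as an added example that is not part of the original article: a tenant-wide forwarding block, a weekly audit for inbox rules typical of BEC persistence, and a containment function for a mailbox you suspect is compromised. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules with sessions already opened (Connect-ExchangeOnline; Connect-MgGraph -Scopes 'User.ReadWrite.All'); UPNs, the folder-name pattern and the case tag are placeholders.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline and
# Connect-MgGraph have already been run. Names and tags below are placeholders.

# Rule 7: stop silent external auto-forwarding at the tenant edge.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

function Get-SuspiciousInboxRule {
    # Flags rules that forward, redirect, delete, mark read, or bury mail
    # in folders nobody opens (folder-name pattern is a placeholder).
    param([Parameter(Mandatory)][string]$Upn)
    foreach ($rule in Get-InboxRule -Mailbox $Upn) {
        $why = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $why += 'forwards' }
        if ($rule.DeleteMessage) { $why += 'deletes' }
        if ($rule.MarkAsRead)    { $why += 'marks read' }
        if ($rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') { $why += 'buries' }
        if ($why) {
            [pscustomobject]@{ Mailbox = $Upn; Rule = $rule.Name; Enabled = $rule.Enabled; Why = ($why -join ', ') }
        }
    }
}

# Weekly audit across all mailboxes, plus who created or changed rules this week.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-SuspiciousInboxRule -Upn $_.UserPrincipalName } |
    Format-Table -AutoSize
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations

function Invoke-BecContainment {
    # Rule 9: lock, revoke, reset, remove rules and forwarding; keep evidence first.
    param([Parameter(Mandatory)][string]$Upn, [string]$CaseTag = 'IR-PLACEHOLDER')
    Update-MgUser -UserId $Upn -AccountEnabled:$false            # lock the account
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null            # kill refresh tokens
    # Temporary random password; hand it to the user over a verified channel only.
    $temp = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
    $rules   = @(Get-InboxRule -Mailbox $Upn)
    $flagged = @(Get-SuspiciousInboxRule -Upn $Upn)
    $rules | Export-Clixml -Path "$CaseTag-inboxrules.xml"       # evidence before removal
    $rules | Remove-InboxRule -Confirm:$false
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    [pscustomobject]@{ Upn = $Upn; RulesRemoved = $rules.Count; SuspiciousRules = $flagged.Count }
}
```

Run Invoke-BecContainment only after finance has paused payments, so the exported rule file and the returned counts feed the same case record.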

Step-By-Step Setup Notes

You will find anti-phish, Safe Links, and Safe Attachments under Threat policies in the Microsoft Defender portal. Start with Standard or Strict presets, then scope stricter policies to executives and finance while you validate impact. For email authentication, begin with DMARC at p=none, collect reports, fix alignment and third-party senders, and move to quarantine and finally reject within a few weeks. For Conditional Access, require MFA for all users and add stronger authentication for high-risk roles. Moreover, block legacy protocols and test from known locations before you enable enforcement. Because change causes friction, publish a short schedule and avoid month-end finance cycles.
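The "scope stricter policies to executives and finance" step from rule 1 and the notes above, as an added example that is not part of the original article: a dedicated anti-phish policy with impersonation protection and mailbox intelligence set to quarantine, applied through an anti-phish rule only to the groups that approve payments. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run; the policy name, people, groups and domains are placeholders.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has run.
# All names, addresses and domains below are placeholders for your tenant.
$policy = 'BEC-Finance-Strict'

New-AntiPhishPolicy -Name $policy -AdminDisplayName 'Impersonation protection for payment approvers' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Jane Doe;jane.doe@contoso.example', 'CFO;cfo@contoso.example' `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'vendor.example', 'bank-partner.example' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3          # 1 = Standard ... 4 = Most aggressive

# Scope the strict policy to the people who can move money; priority 0 wins
# over the tenant-wide default, so it is safe to validate impact here first.
New-AntiPhishRule -Name "$policy-rule" -AntiPhishPolicy $policy `
    -SentToMemberOf 'finance-approvers@contoso.example', 'executives@contoso.example' `
    -Priority 0

# Weekly review: confirm the protected lists still match who actually signs payments.
Get-AntiPhishPolicy -Identity $policy |
    Select-Object Name, TargetedUsersToProtect, TargetedDomainsToProtect, PhishThresholdLevel
```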

Governance, Exceptions, and Measuring Success

Write a simple policy that defines who must use MFA, which roles get stronger checks, and how to handle exceptions. Track metrics that matter: blocked impersonation attempts, Safe Links click-blocks, sandboxed attachments, DMARC reject counts for spoofed senders, creation of suspicious inbox rules, and time-to-report. Meanwhile, partner with finance. Ask teams to call vendors on a known number whenever bank details change. As your controls stabilize, share quarterly wins with leadership: fewer payment diversions, faster containment, and less manual triage.

BEC thrives when identity controls and mail policies lag. These nine Microsoft 365 rules change the game: tuned anti-phish and impersonation, Safe Links, Safe Attachments, SPF/DKIM/DMARC, strong MFA, clear external tagging, hardened mailbox rules, realistic simulations, and a one-page incident plan. Start with executives and finance, measure real outcomes, and raise enforcement as confidence grows.

FAQs

Do these rules break email?
Well-tuned policies should not. Start with Standard or Strict presets and test strict scopes on executives and finance first. Use Dynamic Delivery for attachments so messages arrive quickly while analysis completes.

Can we keep a fallback during rollout?
Yes. You can keep softer link-click policies and less strict DMARC while you gather data. Then raise enforcement in stages and communicate each step.

How do we protect against vendor email compromise?
Treat vendor domains as “VIP senders” in impersonation protection, verify DMARC for vendors you pay, and ask finance to confirm any bank change via a second channel.
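Checking DMARC for the vendors you pay (and your own domain) can be scripted; the following is an added example, not code from the article. It resolves the SPF and DMARC TXT records, reads the policy, subdomain policy and reporting tags, and reports whether the domain is actually at enforcement. It assumes Windows PowerShell with Resolve-DnsName (DnsClient module); the domain names are placeholders.

```powershell
# Added example (not from the article). Assumes Resolve-DnsName is available.
# Domain names passed at the bottom are placeholders.
function Get-TxtRecord {
    param([string]$Name)
    try {
        @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
    } catch { @() }                         # NXDOMAIN or no TXT record
}

function Test-MailAuth {
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = @(Get-TxtRecord $Domain          | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })

    $r = [ordered]@{ Domain = $Domain }

    # SPF: there should be exactly one record and it should end in -all or ~all.
    $r.SpfRecords = $spf.Count
    $m = if ($spf) { [regex]::Match($spf[0], '[~\-\?\+]all') } else { $null }
    $r.SpfAll = if ($m -and $m.Success) { $m.Value } else { 'missing' }

    # DMARC: split "tag=value; tag=value" into a table and read the parts we care about.
    $tags = @{}
    if ($dmarc) {
        foreach ($kv in ($dmarc[0] -split ';')) {
            $pair = $kv.Trim() -split '=', 2
            if ($pair.Count -eq 2) { $tags[$pair[0].Trim()] = $pair[1].Trim() }
        }
    }
    $r.DmarcPolicy    = if ($tags['p'])  { $tags['p'] }  else { 'missing' }
    $r.SubdomainPolicy = if ($tags['sp']) { $tags['sp'] } else { $r.DmarcPolicy }  # sp defaults to p
    $r.Reporting      = [bool]$tags['rua']           # aggregate reports enabled?
    $r.Enforced       = ($r.DmarcPolicy -in 'quarantine', 'reject') -and ($r.SpfAll -in '-all', '~all')
    [pscustomobject]$r
}

# Your own domain first, then every vendor domain finance pays.
'contoso.example', 'vendor.example', 'bank-partner.example' |
    ForEach-Object { Test-MailAuth -Domain $_ } |
    Format-Table -AutoSize
```

A vendor whose row shows p=none or a missing SPF record cannot be relied on to block spoofing of its own brand, so bank-change requests from that domain deserve the out-of-band call regardless of how legitimate the mail looks.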

What should finance teams do before paying invoices?
Require a second person to verify bank changes with a known contact number. If an email mentions urgency or secrecy, slow down and confirm out-of-band.

What is the fastest response when we suspect BEC?
Pause payments, lock the account, revoke tokens, reset the password, remove malicious rules, and verify transactions with banks and vendors. Then review audit logs and notify stakeholders.
