Your Microsoft 365 Email Security Is Wide Open: 3 Settings You Must Fix Now (For Free) + Video

Listen to this Post

Featured Image

Introduction:

In the modern cybersecurity landscape, your email is the primary battlefield. While organizations rush to purchase expensive, AI-driven email gateways, they often neglect the foundational security configurations already included in their Microsoft 365 or Google Workspace licenses. Attackers rarely need to break down a reinforced door when the window is left open. By exploiting basic misconfigurations like legacy protocols and MFA fatigue, cybercriminals can bypass advanced defenses entirely. Here is how to lock down the three most critical—and free—security settings you likely haven’t enabled.

Learning Objectives:

  • Implement Number Matching in Microsoft Entra ID to prevent MFA push bombing attacks.
  • Configure tenant-wide policies to block automatic email forwarding to external, malicious domains.
  • Identify and disable legacy authentication protocols (POP3, IMAP, SMTP) that bypass Multi-Factor Authentication.

You Should Know:

1. Stop MFA Fatigue with Number Matching

Multi-Factor Authentication (MFA) is a cornerstone of security, but it is not infallible. Attackers have adapted with “MFA Push Bombing” or “MFA Fatigue,” where they bombard a user with authentication requests until the user, frustrated or sleepy, accidentally approves one. The default “Approve/Deny” push notification is vulnerable to this social engineering tactic.

Step‑by‑step guide to enable Number Matching in Microsoft Entra ID:
This setting forces users to enter a number displayed on their login screen into their authenticator app, ensuring the request is intentional.

  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
  2. Browse to Protection > Authentication methods > Policies.

3. Select Microsoft Authenticator.

  1. Click the Configure tab for the target group (or your global policy).
  2. Under “Configure authentication method,” set Enable to “Yes” and target specific users/groups.
  3. Find the setting Number matching (under “Configure” for the Authenticator app) and set it to Enabled.
  4. Optional but Recommended: Also enable Display additional context in notifications to show the user the location/IP of the login request.

8. Click Save.

2. Block Auto-Forwarding to External Domains

Once an attacker gains access to an inbox, their primary goal is data exfiltration. They often achieve this by creating an Inbox rule that silently forwards specific emails (e.g., containing “invoice,” “NDA,” “password reset”) to an external email address they control. This allows them to siphon data long after they’ve been locked out.

Step‑by‑step guide to block external forwarding in Exchange Online:
You must disable this both via Mail Flow rules and Remote Domains for complete coverage.

Option A: Using Exchange Admin Center (Mail Flow Rule)
1. Open the Exchange admin center (https://admin.exchange.microsoft.com).

2. Navigate to Mail flow > Rules.

  1. Click Add a rule > Create a new rule.

4. Set Name: `Block Auto-Forwarding to External Domains`.

  1. Apply this rule if: The recipient > is external/external.
  2. Apply this rule if: The message properties > include the message type > Auto-forward.
  3. Do the following: Block the message > reject the message and include an explanation.
  4. Enter a rejection message: `Auto-forwarding to external domains is prohibited for security reasons.`

9. Set Severity: Medium.

10. Click Next and Finish.

Option B: Verify via PowerShell (Get-Enabled Feature)

To audit which users currently have forwarding enabled, use the Exchange Online Management Shell:

 Connect to Exchange Online
Connect-ExchangeOnline

Find users with forwarding enabled
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.ForwardingSmtpAddress -ne $null} | Format-Table Name, ForwardingSmtpAddress, DeliverToMailboxAndForward

Disable forwarding for a specific user
Set-Mailbox -Identity "[email protected]" -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

3. Kill Legacy Authentication Protocols

Legacy protocols such as POP3, IMAP, SMTP Auth, and Exchange ActiveSync (if misconfigured) were built before modern security standards existed. They do not support MFA. If these protocols are enabled, an attacker with a valid password (obtained via phishing or a breach) can bypass your MFA entirely and log straight into the mailbox.

Step‑by‑step guide to disable Legacy Authentication in Microsoft Entra ID:
The most effective way is to create a Conditional Access policy blocking all legacy clients.

  1. Navigate to the Microsoft Entra admin center > Protection > Conditional Access.

2. Click + Create new policy.

3. Name: `Block Legacy Authentication`.

  1. Assignments > Users: Select “All users” (or a pilot group).
  2. Assignments > Target resources: Select “All cloud apps.”

6. Conditions > Client apps: Configure:

  • Set Configure to Yes.
  • Check the boxes for:
    – `Exchange ActiveSync clients`
    – `Other clients` (This covers POP3, IMAP, SMTP, MAPI over HTTP, etc.)
  • Note: Do not check “Browser” or “Mobile apps and desktop clients” here, as those are modern clients.

7. Access controls > Grant: Select Block access.

  1. Set Enable policy to Report-only initially for monitoring, then switch to On.

9. Click Create.

Verification via PowerShell:

To check if a specific user still has legacy protocols enabled on their mailbox:

Get-CASMailbox -Identity "[email protected]" | Format-List PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

To disable IMAP and POP for a user:

Set-CASMailbox -Identity "[email protected]" -PopEnabled $false -ImapEnabled $false

4. Audit External Email Forwarding Rules (Proactive Hunt)

Blocking new rules is step one. You also need to hunt for malicious rules that may have been created before you locked it down.

Step‑by‑step guide to hunt for existing malicious rules:

Use the Microsoft 365 Defender portal to search for suspicious forwarding activities.
1. Go to Microsoft 365 Defender (https://security.microsoft.com).
2. Navigate to Incidents & alerts > Hunting > Advanced hunting.
3. Run the following KQL query to find users who created forwarding rules recently:

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Intra-org"
| where DeliveryAction == "Forwarded"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, ForwardingAddress
| where ForwardingAddress contains "gmail.com" or ForwardingAddress contains "outlook.com" or ForwardingAddress contains "yahoo.com"
| summarize ForwardedMessages = count() by SenderFromAddress, ForwardingAddress
| sort by ForwardedMessages desc

What Undercode Say:

  • Foundations Over Features: The most sophisticated AI security tool is useless if attackers can simply log in via IMAP without a password. Organizations must prioritize hardening the native identity and access layers before adding third-party bolt-ons.
  • Defense in Depth is Configuration: Security is not just about buying products; it is about correctly configuring the products you already own. These three settings represent the “lowest hanging fruit” for defenders and require zero additional budget, only technical diligence.
  • Automation is Mandatory: Manually checking for MFA fatigue or forwarding rules is impossible at scale. Utilizing PowerShell scripts for auditing and Conditional Access policies for automated enforcement is the only way to maintain a secure posture against relentless identity-based attacks.

Prediction:

As push-bombing attacks become increasingly automated and effective, we will see a regulatory shift mandating “number matching” or passkeys as the baseline standard for MFA in finance and healthcare sectors. Furthermore, as legacy authentication is disabled across most enterprises, attackers will pivot entirely to exploiting OAuth consent grants and application registrations—shifting the focus from compromising user passwords to compromising application permissions, which currently have less stringent monitoring.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: James Haynes – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky