How to Stop Your Team Getting Phished: 5 Microsoft 365 Settings to Enable Today

Phishing is the most commonly reported cyber attack against UK businesses, and 2026 is no different. Every day your team is tested, sometimes dozens of times, by emails designed to steal credentials, deliver ransomware, or trick staff into paying a fraudster.

The good news? If you're running Microsoft 365, you already have some of the most powerful anti-phishing tools available baked into your subscription. The bad news? Most of them aren't switched on by default.

Let's fix that. Here are five essential Microsoft 365 settings you should enable today to dramatically reduce your team's exposure to phishing attacks.


1. Multi-Factor Authentication (MFA): Your First Line of Defence

If you do nothing else after reading this post, enable MFA across your entire organisation.

Multi-factor authentication requires users to prove their identity with something they know (a password) and something they have (a phone running an authenticator app, or a hardware security key). If an attacker phishes the password, they still cannot sign in without that second factor.

Microsoft's own figures put the share of automated account-compromise attacks blocked by MFA at over 99.9%. It is not perfect: adversary-in-the-middle phishing kits proxy the real sign-in page and steal the session cookie after the user has completed MFA, and "push fatigue" attacks spam approval prompts until someone taps Accept. Keep number matching on in Microsoft Authenticator (it is now the default), and move admins and finance staff to phishing-resistant methods (passkeys, FIDO2 security keys or Windows Hello for Business) as soon as you can. Even so, MFA remains the single most effective control you can deploy.

How to enable it:

The per-user MFA toggle under Users > Active users in the Microsoft 365 admin centre still works, but it is the legacy method and Microsoft recommends against it. Enforce MFA in Microsoft Entra ID (formerly Azure AD) instead: either switch on Security Defaults, which are free and require MFA for everyone, or, if you have Entra ID P1 (included in Microsoft 365 Business Premium), create a Conditional Access policy that requires MFA for all users and all cloud apps, and layer location, device and sign-in risk conditions on top. Build new policies in report-only mode first and check the sign-in logs before enforcing them.

Don't allow exceptions for "just the CEO" or "just finance". Those are exactly the accounts attackers target first. The only accounts that should be excluded are one or two dedicated emergency-access (break-glass) accounts with long random passwords, stored offline and alerted on whenever they sign in, so that a mis-scoped policy or an MFA outage cannot lock every administrator out.
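Here is the Conditional Access version of that as a script. It is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to create a tenant-wide MFA policy in report-only mode with a single break-glass group excluded. The group name, the policy name and the Entra ID P1 licence are assumptions.

```powershell
# Added example: require MFA for everyone through a Conditional Access policy.
# Assumes the Microsoft Graph PowerShell SDK, Entra ID P1, and an existing
# break-glass group; the group and policy names are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Emergency-access accounts live in this (assumed) group and are the only exclusion.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying the policy." }

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only first: the sign-in logs show who would have been blocked, with nobody locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
        # For admins and finance, a second policy can replace builtInControls with the
        # built-in "Phishing-resistant MFA" authentication strength:
        #   authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id

# Verify: every policy that grants MFA, and whether it is enforced or still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" -or $_.GrantControls.AuthenticationStrength.Id } |
    Select-Object DisplayName, State

# Once the report-only sign-in data looks right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <Id> -State "enabled"
```

Leave the policy in report-only mode for a few days and review the "Report-only" tab of the sign-in logs; the users it would have blocked are the ones who still need an authenticator set up.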

2. Safe Links: Stop Malicious URLs Before They're Clicked

Phishing emails are getting cleverer. Attackers host malicious pages on legitimate platforms such as SharePoint, OneDrive or Google Drive to get past reputation-based URL filtering, and they often leave the link pointing at harmless content until after the message has been delivered and scanned, only then swapping in the credential-harvesting page.

Safe Links is part of Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection). It rewrites URLs in email, Teams messages and Office documents so that every click is routed through Microsoft's scanner first. If the destination is malicious at the moment of the click, the user gets a block page: even if the link looked perfectly safe when the email arrived.

Because the verdict is computed at click time rather than at delivery, Safe Links catches links weaponised after delivery and fresh domains that no blocklist has seen yet, which is exactly what zero-day phishing campaigns rely on.

How to enable it:

Go to the Microsoft Defender portal at https://security.microsoft.com. Under Email & collaboration > Policies & rules > Threat policies, open Safe Links (it has its own policy, separate from the anti-phishing policy), create a policy that covers all of your recipient domains, and enable Safe Links for email, Teams and Office apps. You need a Defender for Office 365 Plan 1 or Plan 2 licence (included in Microsoft 365 Business Premium); plain Exchange Online Protection does not have it.

Make sure "Track user clicks" is on so you can see which users are being targeted and give them extra training, and leave "Let users click through to the original URL" off: a user who has just been convinced the email is genuine will click through the warning too.
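The same Safe Links setup as a script, added here as an example rather than taken from the post. It uses the ExchangeOnlineManagement module, scopes the rule to every accepted domain in the tenant, and ends with the check you want to repeat after any change; the policy name is an assumption.

```powershell
# Added example: create a Safe Links policy scoped to every recipient in the tenant.
# Assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence.
Connect-ExchangeOnline

$policyName = "SafeLinks - All users"         # assumed name
$domains    = (Get-AcceptedDomain).DomainName  # scope the rule to every domain you own

$settings = @{
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    EnableForInternalSenders = $true   # a compromised colleague's mailbox sends links too
    ScanUrls                 = $true   # real-time scan at click, not just rewriting
    DeliverMessageAfterScan  = $true   # hold delivery until the initial scan completes
    TrackClicks              = $true   # populates the URL click reports in the Defender portal
    AllowClickThrough        = $false  # no "continue anyway" on the block page
    DisableUrlRewrite        = $false  # keep rewriting so older clients are protected as well
}

if (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeLinksPolicy -Identity $policyName @settings
} else {
    New-SafeLinksPolicy -Name $policyName @settings
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -RecipientDomainIs $domains -Priority 0
}

# Verify, and catch any policy where someone has re-enabled click-through or turned scanning off.
Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice,
                  ScanUrls, TrackClicks, AllowClickThrough, DisableUrlRewrite
```

If the verification table shows AllowClickThrough as True on any policy, fix it before anything else: it turns a block into a speed bump.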


3. Spoof Intelligence: Detect Forged Sender Addresses

Spoofing is one of the oldest tricks in the phishing playbook. An attacker sends an email whose From address shows your CEO, your finance director or a trusted supplier, hoping the recipient never looks past the display name.

SPF, DKIM and DMARC are the explicit checks for this, but they only work when the sending domain has published them, and a large share of domains still haven't. Spoof intelligence fills that gap with what Microsoft calls composite authentication: it combines the SPF, DKIM and DMARC results with what it has learned about which servers normally send mail for a domain, and flags messages that claim a domain but arrive from infrastructure that has never sent for it. It also gives you a list of detected spoofers so you can allow the legitimate ones (a marketing platform sending on your behalf, say) and block the rest.

It's enabled in the default anti-phishing policy, but the default action for a detected spoof is to move the message to Junk, so users can still fish it out and act on it.

How to configure it:

In the Microsoft Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-phishing and edit the policy. Under Actions, set "If the message is detected as spoof by spoof intelligence" to Quarantine rather than Move to Junk, and tick "Honor DMARC record policy when the message is detected as spoof" so that a sending domain's own p=reject or p=quarantine instruction is respected. Pair this with a quarantine policy that does not let users release their own messages, so an admin reviews them first.

Then look at your own domain. Publish SPF and DKIM for every service that sends as you, and move your DMARC record to p=reject once the aggregate (rua) reports show all legitimate senders passing. A domain left at p=none lets an attacker impersonate you to your own staff and to your customers, and no amount of inbound filtering fixes that for recipients outside your tenant.

4. Impersonation Protection: Guard Your VIPs

Not all phishing attacks involve a forged sender address. Some of the most dangerous use a lookalike: the display name of your finance director on a free webmail address, your domain with one character swapped or a letter doubled, or a supplier's domain registered under a different top-level domain. In a busy inbox these are easy to miss.

Impersonation protection lets you name the users and domains that attackers are most likely to imitate. When a message arrives whose sender display name or domain is a close match for one of those but the address itself is different, Microsoft 365 flags it with a safety tip, quarantines it or deletes it, depending on the action you choose.

This is particularly important for executives, finance teams, and anyone with authority to approve payments or share sensitive information. We've seen this setting save clients in property management, including those using specialist tools like propertyinventoryclerks.co.uk for compliance work, from costly invoice fraud schemes.

How to enable it:

In your anti-phishing policy, enable "Users to protect" and add your CEO, CFO, IT team and anyone who can approve a payment (up to 350 entries per policy), then enable "Domains to protect", which should include all the domains you own plus any trusted partner and supplier domains whose invoices you pay. Set the action for both to Quarantine, and turn on the safety tips for similar users, similar domains and unusual characters so that a message is visibly marked if it is ever released.

This isn't configured in the default policy, so you'll need to set it up manually: but it's worth the 10 minutes it takes.


5. Mailbox Intelligence: Let AI Spot the Patterns

Mailbox intelligence is the unsung hero of Microsoft 365's anti-phishing toolkit. It works alongside impersonation protection: for each mailbox it builds a map of who that user normally corresponds with, and uses it to judge whether a new message is impersonating one of those contacts.

Your impersonation policy can only list the people you thought to add. Mailbox intelligence covers everyone else: if your finance director regularly exchanges email with a supplier's accounts clerk and a message arrives carrying that clerk's display name from an address she has never used, mailbox intelligence flags it, even though nobody ever added the clerk to the protected-users list.

It's essentially a per-user contact graph for email, and it catches the targeted, low-volume spear-phishing that slips past reputation and content filters.

How to enable it:

Mailbox intelligence is on in the default anti-phishing policy, but by default it only builds the sender map; the separate "Enable intelligence for impersonation protection" toggle, which lets it actually act on a message, is off. Turn both on, set the action to Quarantine, and review the quarantine regularly: the policy's safety tips and your list of trusted senders and domains are how you bring false positives down.
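Settings 3, 4 and 5 all live in the same anti-phishing policy, so here they are together as one script. This is an added example, not from the original post: it uses the ExchangeOnlineManagement module to create or update a policy with spoof intelligence and DMARC handling, impersonation protection and mailbox intelligence, then checks your own DMARC record with Resolve-DnsName (a Windows cmdlet). The domain, policy name, protected users and partner domain are assumptions.

```powershell
# Added example: one anti-phishing policy covering spoof intelligence and DMARC handling
# (setting 3), impersonation protection (setting 4) and mailbox intelligence (setting 5),
# then a DNS check on your own DMARC record. Assumes the ExchangeOnlineManagement module,
# a Defender for Office 365 licence, Windows (Resolve-DnsName) and the names below.
Connect-ExchangeOnline

$domain     = "contoso.co.uk"                   # assumed primary domain
$policyName = "AntiPhish - Strict"              # assumed policy name
$vips       = @(                                # assumed; format is "Display Name;email"
    "Jane Doe;ceo@$domain",
    "John Smith;cfo@$domain"
)
$partnerDomains = @("trusted-supplier.example") # assumed: domains whose invoices you pay

$settings = @{
    # 3. Spoof intelligence: quarantine, and respect the sending domain's own DMARC policy
    EnableSpoofIntelligence     = $true
    AuthenticationFailAction    = "Quarantine"  # default is MoveToJmf
    HonorDmarcPolicy            = $true
    DmarcRejectAction           = "Reject"
    DmarcQuarantineAction       = "Quarantine"
    EnableUnauthenticatedSender = $true         # "?" on the sender photo for unverified senders
    EnableViaTag                = $true
    # 4. Impersonation protection for named users and domains
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $vips
    TargetedUserProtectionAction        = "Quarantine"
    EnableOrganizationDomainsProtection = $true  # every accepted domain you own
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $partnerDomains
    TargetedDomainProtectionAction      = "Quarantine"
    # 5. Mailbox intelligence: learn the contact graph AND act on it
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    # Safety tips mark anything that is only flagged or later released
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    PhishThresholdLevel                 = 3      # 1 = standard ... 4 = most aggressive
}

if (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-AntiPhishPolicy -Identity $policyName @settings
} else {
    New-AntiPhishPolicy -Name $policyName @settings
    New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName -RecipientDomainIs $domain -Priority 0
}

# Your own domain: inbound spoof detection does nothing for attackers impersonating you
# to other organisations. Only a published p=reject does, so check for it.
$txt = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
if ($txt -notmatch '(^|;)\s*p=reject') {
    Write-Warning "DMARC for $domain is '$txt'; move to p=reject once rua reports show all legitimate senders pass."
}

# Verify the settings that matter
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableSpoofIntelligence, AuthenticationFailAction, HonorDmarcPolicy,
                  EnableTargetedUserProtection, TargetedUserProtectionAction,
                  EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction, PhishThresholdLevel
```

Start with PhishThresholdLevel 2 or 3 and watch the quarantine for a fortnight before going to 4; the higher levels trade a sharper drop in phishing for more legitimate mail held back.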


Bonus Tip: Enable Mailbox Auditing

While not strictly an anti-phishing setting, mailbox auditing is critical for forensics and compliance. If a phishing attack succeeds, you need to know what the attacker accessed, which emails they read, whether they created inbox rules to hide their activity, and whether they forwarded anything externally.

Mailbox auditing has been on by default for all Microsoft 365 mailboxes since 2019, but it's worth double-checking that nobody has switched it off at tenant level or bypassed it for individual mailboxes. You can search the audit log in the Microsoft Purview portal (the former Microsoft 365 Compliance Center) or in the Defender portal to track mailbox access, message deletions, inbox rule changes and permission changes.

This is particularly useful if you're subject to regulatory requirements (UK GDPR, FCA rules, Cyber Essentials) or if you need to demonstrate due diligence after a security incident.
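As an added example (not code from the original post), here is the check an engineer would run first after a suspected account compromise: confirm auditing is still on, hunt for external forwarding and forwarding inbox rules across every mailbox, and pull the last week of rule and permission changes from the audit log. It uses the ExchangeOnlineManagement module; the domain is an assumption.

```powershell
# Added example: confirm mailbox auditing is on, then run the two checks most useful
# after a phished account: external forwarding (mailbox-level and inbox rules) and recent
# suspicious mailbox operations. Assumes the ExchangeOnlineManagement module and that
# contoso.co.uk (assumed) is your domain.
Connect-ExchangeOnline

$domain   = "contoso.co.uk"
$internal = "@" + [regex]::Escape($domain)   # addresses in your own domain

# 1. Auditing: the tenant-wide switch must be off, and no mailbox may be bypassed.
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning "Mailbox auditing is disabled tenant-wide." }
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    ForEach-Object { Write-Warning "Audit bypass is set on $($_.Name)" }

# 2. Forwarding: a phished account usually gets a forward or a hidden inbox rule.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            # Rule targets look like 'Name [SMTP:user@example.com]' for SMTP recipients and
            # '[EX:/o=...]' for internal ones; flag any SMTP target outside your domain.
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            @($targets | Where-Object { $_ -match 'SMTP:' -and $_ -notmatch $internal }).Count -gt 0
        } |
        Select-Object @{n = "Mailbox"; e = { $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
}

# 3. Audit log: inbox-rule changes, permission grants, forwarding changes and mail reads,
# last 7 days. Search-UnifiedAuditLog is the classic cmdlet; if it has been retired in
# your tenant, run the same operations filter in the Purview audit search instead.
$ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Add-MailboxPermission",
       "Set-Mailbox", "MailItemsAccessed"
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
                  @{n = "ClientIP"; e = {
                      $d = $_.AuditData | ConvertFrom-Json
                      if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
                  }},
                  @{n = "Client"; e = { ($_.AuditData | ConvertFrom-Json).ClientInfoString }} |
    Sort-Object CreationDate -Descending
```

The inbox-rule loop calls Get-InboxRule once per mailbox, so on a large tenant run it against the suspected accounts first and the whole tenant afterwards. Rules that both forward externally and delete or move the message (DeleteMessage or MoveToFolder set) are the classic sign of an attacker keeping a victim from noticing the replies to fraudulent invoices.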

Putting It All Together

Phishing isn't going away. If anything, attackers are getting better at bypassing traditional defences and exploiting human psychology. But with the right Microsoft 365 settings enabled, you can make your organisation a much harder target.

Here's your action plan:

  1. Enable MFA for all users: no exceptions.
  2. Turn on Safe Links to scan URLs in real-time.
  3. Configure spoof intelligence to quarantine forged emails.
  4. Protect high-value users with impersonation protection.
  5. Enable mailbox intelligence to catch behavioural anomalies.

These settings take less than an hour to configure, and the risk reduction is immediate.

If you're not sure where to start, or if you'd rather have an expert handle your Microsoft 365 security configuration, we can help. Book a free discovery call at https://itandconsutancy.co.uk, and we'll walk you through exactly what's enabled, what's missing, and what should be your top priority.

Your team deserves better than hoping phishing emails end up in the junk folder. Give them the protection they need.
