AD2.12 Module Summary

5-6 hours · Module 2 · Free

Module Summary

This module configured the second layer of your security improvement sequence: email protection. With identity controls from Module AD1 catching credential-based attacks at the authentication layer, email protection now reduces the volume of phishing that reaches your users in the first place.

You deployed three Defender for Office 365 controls that transform your email security from basic EOP filtering to a layered defense. Safe Links rewrites URLs and scans them at click time — catching phishing pages that become malicious after the email is delivered. Safe Attachments sandboxes every attachment in a virtual machine before delivery — catching weaponised documents that signature-based scanning misses. Anti-phishing impersonation protection flags emails where the display name matches your protected executives but the sender domain doesn't match your organization — catching the BEC attacks that cause the most financial damage.

You built the complete email authentication stack: SPF declares which servers can send as your domain, DKIM adds a cryptographic signature proving message authenticity, and DMARC tells receiving servers what to do when validation fails. Together, they prevent anyone from spoofing your domain — protecting your clients, vendors, and employees from fraudulent emails that appear to come from your organization. The DMARC deployment progresses from monitoring (p=none) through quarantine to reject over 6-8 weeks, with report data guiding each stage transition.
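As an added example (not part of the course materials), a small Python check of the SPF and DMARC TXT records described above: it parses both, confirms the M365 include and a terminal `all` mechanism in SPF, and reports how far the DMARC policy still is from `p=reject` and whether aggregate reporting (`rua=`) is configured to guide the stage transitions. The include value `spf.protection.outlook.com` is Microsoft 365's published SPF include; the `example.com` addresses are constructed.

```python
from __future__ import annotations

# Microsoft 365's published SPF include (a real value, not taken from the page).
M365_SPF_INCLUDE = "spf.protection.outlook.com"


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:x@y' into tags."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_stack(spf_txt: str, dmarc_txt: str) -> list[str]:
    """Return findings for an SPF/DMARC pair; an empty list means both are at target."""
    findings: list[str] = []
    # --- SPF: who may send as the domain, and how strictly receivers should treat others ---
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record must begin with v=spf1")
    if f"include:{M365_SPF_INCLUDE}" not in terms:
        findings.append(f"SPF: missing include:{M365_SPF_INCLUDE}; mail sent from M365 will fail SPF")
    tail = terms[-1] if terms else ""
    if tail in ("+all", "all"):
        findings.append("SPF: '+all' authorises every host; use -all (or ~all while testing)")
    elif tail == "~all":
        findings.append("SPF: '~all' is softfail; move to -all once every sending service is listed")
    elif tail != "-all":
        findings.append("SPF: no terminal 'all' mechanism")
    # --- DMARC: what receivers do on failure, and where the reports go ---
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    elif policy != "reject":
        findings.append(f"DMARC: p={policy}; advance towards p=reject once the reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive to guide the rollout")
    return findings


if __name__ == "__main__":  # constructed records for a demo run
    for finding in check_stack("v=spf1 include:spf.protection.outlook.com ~all",
                               "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(finding)
```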

You tuned anti-spam beyond defaults — lowering the bulk threshold, quarantining high-confidence spam and phishing, and enabling ZAP for retroactive removal. You deployed the user-reported phishing workflow with the Report Message button, dual routing to Microsoft and your admin queue, and the feedback loop that encourages continued reporting.

And you learned the 15-minute phishing investigation procedure: Classify (is it real?), Scope (who else got it?), Impact (did anyone click?), Contain (purge + block + reset compromised accounts), Close (document + notify + submit). This procedure works entirely with E3 tools and connects directly to the compromised account response from Module AD1.

What you built

  • Safe Links policy with URL rewriting, click-time scanning, and real-time detonation
  • Safe Attachments policy with Dynamic Delivery and redirect to admin mailbox
  • Anti-phishing policy with impersonation protection for executives and key domains
  • SPF record authorizing M365 (and any additional sending services)
  • DKIM enabled with two CNAME records for key rotation
  • DMARC record deployed at monitoring level with reporting configured
  • Anti-spam tuning: bulk threshold, quarantine actions, ZAP enabled
  • User-reported phishing workflow: Report Message button → admin review → feedback
  • 15-minute phishing investigation procedure card
  • Email protection metrics baseline for quarterly reporting

What changed at NE

NE's email posture moved from 1/10 to 7/10. Safe Links and Safe Attachments catch the sophisticated phishing that EOP misses — reducing phishing reaching inboxes by an estimated 60%+. Impersonation protection catches BEC attempts targeting the CEO and CFO. SPF and DKIM authenticate outbound email, and DMARC (progressing from none to reject over the next 6 weeks) will prevent domain spoofing entirely. Users have a one-click reporting mechanism for suspicious email, and the admin has a structured investigation procedure for every report.

What's next

Module AD3 covers devices and endpoints — the third phase of the security improvement sequence. You'll build Intune compliance policies that check encryption, OS version, firewall state, and antivirus status. You'll integrate compliance with conditional access so that only healthy, managed devices can access Exchange Online, SharePoint, and Teams. This is the control that stops AiTM token replay — even with a stolen session token, the attacker's unmanaged device is blocked by the compliance requirement. With identity, email, and device controls in place, your security posture covers the three attack surfaces that account for the vast majority of M365 compromises.

You're reading the free modules of M365 Security: From Admin to Defender