
Stopping Phishing Emails in Microsoft 365 and Google Workspace: Practical Configurations

Phishing is the leading attack vector against schools. While user awareness training is essential, the strongest defense is stopping phishing emails before they ever reach staff and students.

Microsoft 365 (Exchange Online Protection) and Google Workspace provide built-in security controls that can block or quarantine phishing attempts at no extra cost.

Here’s how to configure them.


Microsoft 365 (Exchange Online / Entra)

Microsoft Documentation: https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-mdo-configure


1. Enable Anti-Phishing Policies

  • Go to the Microsoft 365 Security & Compliance Center.
  • Navigate to Threat Management → Policy → Anti-Phishing.
  • Enable built-in impersonation protection to detect lookalike domains and spoofed accounts.


Impact: Helps prevent phishing that impersonates staff, leadership, or vendors.


2. Quarantine Suspicious Messages

  • Instead of sending suspicious emails to Junk, configure Quarantine policies.
  • Go to Threat Policies → Quarantine Policies.
  • Set suspicious or high-confidence phishing to quarantine for IT review.


Impact: Keeps dangerous emails out of inboxes but allows IT to release false positives.


3. Block Automatic Forwarding

  • Attackers often set forwarding rules after compromise.
  • Go to Exchange Admin Center → Mail Flow → Remote Domains.
  • Disable auto-forwarding to external domains.


Impact: Prevents silent exfiltration of sensitive student/staff emails.


4. Create Transport Rules (Mail Flow Rules)

  • Go to Exchange Admin Center → Mail Flow → Rules.
  • Block messages containing specific phishing keywords or from known bad domains.
  • Example rule: Block subject lines containing “Password Expired” from outside domains.


Impact: Adds an extra layer of defense tailored to your environment.
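Steps 3 and 4 can also be applied from Exchange Online PowerShell. The script below is an added example, not part of the original post or Microsoft's documentation: the admin account and rule name are placeholders, and it quarantines matches instead of blocking them outright so IT can release false positives, in line with step 2.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
# admin@school.example is a placeholder account; the rule name is an assumption.
Connect-ExchangeOnline -UserPrincipalName admin@school.example

# Step 3: list remote domains that still permit automatic external forwarding.
Get-RemoteDomain |
    Where-Object { $_.AutoForwardEnabled } |
    Select-Object Name, DomainName, AutoForwardEnabled

# Turn auto-forwarding off for the catch-all "Default" remote domain (DomainName "*").
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Step 4: the "Password Expired" rule from the text, scoped to senders outside the organization.
$ruleName = 'Quarantine external Password Expired lures'

# Only create the rule if it does not already exist, so the script can be re-run safely.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SubjectContainsWords 'Password Expired' `
        -Quarantine $true `
        -Mode Audit `
        -Comments 'Created in audit mode; review matches before enforcing.'
}

# Audit mode logs what the rule would have matched without acting on the mail.
# Once the matches look right (no legitimate vendor notices), switch to enforcement:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Starting in audit mode lets you check the rule against real mail flow before it begins quarantining messages.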


Google Workspace

Google Workspace Documentation: https://support.google.com/a/answer/9157861?hl=en&src=supportwidget0&authuser=0


1. Turn On Phishing & Spam Protection

  • Admin Console → Apps → Google Workspace → Gmail → Safety.
  • Enable Protect against spoofing, phishing, and malware.
  • Turn on enhanced pre-delivery message scanning.


Impact: Stops many phishing attempts before delivery.


2. Disable Automatic Forwarding

  • Admin Console → Apps → Gmail → User Settings.
  • Under “Forwarding,” disable automatic forwarding for all users except IT staff who require it.


Impact: Prevents data exfiltration via hidden forwarding rules.


3. Create Content Compliance Rules

  • Admin Console → Apps → Gmail → Compliance → Content Compliance.
  • Add a rule to detect messages with specific keywords, suspicious file types, or domains.
  • Action: Quarantine message for IT review.


Example:

  • If subject line contains “Password Expired” AND sender domain is not school-owned → Quarantine.


Impact: Blocks targeted phishing that bypasses default filters.


4. Enable Attachment & Link Scanning

  • Admin Console → Gmail → Safety.
  • Enable “Scan incoming messages for suspicious attachments and links.”
  • Reject or quarantine detected threats.


Impact: Protects against malicious attachments and drive-by phishing links.


Phishing prevention doesn’t always require expensive tools. Schools can dramatically reduce the number of phishing emails that ever reach staff and students by using built-in configurations in Microsoft 365 and Google Workspace, like quarantines, forwarding restrictions, anti-phishing policies, and content compliance rules.


Combined with regular user training, these no-cost controls go a long way toward protecting sensitive student and staff data.

Disclaimer: The instructions and configuration steps provided above are accurate as of the time of publication. However, Microsoft 365 and Google Workspace regularly update their security features and admin settings. Always refer to the most recent official Microsoft and Google Workspace documentation before making changes in your environment. 
