Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, and build system accounts.
Microsoft Defender for Office 365 supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, see User tags in Microsoft Defender for Office 365.
For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown users are inefficient. On the other hand, spear phishing or whaling attacks that target priority accounts are very rewarding for attackers. So, priority accounts require stronger than ordinary protection to help prevent account compromise.
Microsoft 365 and Microsoft Defender for Office 365 contain several key features that provide additional layers of security for your priority accounts. This article describes these capabilities and how to use them.
For information about securing privileged accounts (admin accounts), see this topic.
Increase sign-in security for priority accounts
Priority accounts require increased sign-in security. You can increase their sign-in security by requiring multi-factor authentication (MFA) and disabling legacy authentication protocols.
Note: We strongly recommend that you globally disable legacy authentication protocols for all priority users as described in the previous article. If your business requirements prevent you from doing so, Exchange Online offers the following controls to help limit the scope of legacy authentication protocols:
You can (until October 2023) use Client Access Rules in Exchange Online to block or allow Basic authentication and legacy authentication protocols like POP3, IMAP4, and authenticated SMTP for specific users.
You can disable POP3 and IMAP4 access on individual mailboxes. You can disable authenticated SMTP at the organizational level and enable it on specific mailboxes that still require it. For instructions, see the following articles:
It's also worth noting that Basic authentication is in the process of being deprecated in Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4, and remote PowerShell. For details, see this blog post.
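The following Exchange Online PowerShell sequence is an added example (not code from the article or from Microsoft) that applies the scoped controls described in the note above: SMTP AUTH is turned off tenant-wide, POP3 and IMAP4 are disabled on every account that already carries the priority account tag, SMTP AUTH is re-enabled on one mailbox that still needs it, and finally the priority mailboxes are audited for any legacy protocol that is still reachable. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, and that priority accounts have already been tagged; the address scan-to-mail@contoso.com is a placeholder.

```powershell
# Added example, not part of the original article. Assumes the
# ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# 1. Tenant-wide default: SMTP AUTH off for every mailbox.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Priority accounts (already tagged; Get-User -IsVIP returns them):
#    disable POP3 and IMAP4 on each mailbox. Accounts without a mailbox are skipped.
$priority = Get-User -IsVIP:$true -ResultSize Unlimited
foreach ($u in $priority) {
    $cas = Get-CASMailbox -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
    if ($null -eq $cas) { continue }
    Set-CASMailbox -Identity $u.UserPrincipalName -PopEnabled $false -ImapEnabled $false
}

# 3. Exception: one service mailbox that still needs SMTP AUTH (placeholder address).
#    $false on the mailbox overrides the tenant-wide setting for this mailbox only.
Set-CASMailbox -Identity 'scan-to-mail@contoso.com' -SmtpClientAuthenticationDisabled $false

# 4. Audit: which priority mailboxes still have any legacy protocol reachable?
#    A $null SmtpClientAuthenticationDisabled on the mailbox means "inherit the tenant setting".
$orgSmtpDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
$report = foreach ($u in $priority) {
    $cas = Get-CASMailbox -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
    if ($null -eq $cas) { continue }
    $smtpDisabled = if ($null -eq $cas.SmtpClientAuthenticationDisabled) { $orgSmtpDisabled }
                    else { $cas.SmtpClientAuthenticationDisabled }
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        PopEnabled    = $cas.PopEnabled
        ImapEnabled   = $cas.ImapEnabled
        SmtpAuthOn    = -not $smtpDisabled
        LegacyExposed = ($cas.PopEnabled -or $cas.ImapEnabled -or -not $smtpDisabled)
    }
}
$report | Where-Object { $_.LegacyExposed } | Format-Table -AutoSize
```

The audit in step 4 is the part worth keeping in a scheduled job: a mailbox-level SmtpClientAuthenticationDisabled of $null silently follows whatever the tenant setting is, so an exception granted in step 3 and a later tenant-wide change can combine in ways the portal does not make obvious. Note that these mailbox settings limit which protocols a priority account can use; they do not replace Conditional Access policies that block legacy authentication at sign-in.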
Use Strict preset security policies for priority accounts
Priority users require more stringent actions for the various protections that are available in Exchange Online Protection (EOP) and Defender for Office 365.
For example, instead of delivering messages that were classified as spam to the Junk Email folder, you should quarantine those same messages if they're intended for priority accounts.
You can implement this stringent approach for priority accounts by using the Strict profile in preset security policies.
User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365 E5 or an add-on subscription) are a way to quickly identify and classify specific users or groups of users in reports and incident investigations.
Priority accounts is a type of built-in user tag (known as a system tag) that you can use to identify incidents and alerts that involve priority accounts. For more information about priority accounts, see Manage and monitor priority accounts.
You can also create custom tags to further identify and classify your priority accounts. For more information, see User tags. You can manage priority accounts (system tags) in the same interface as custom user tags.
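The following Exchange Online PowerShell sequence is an added example (not code from the article or from Microsoft) that ties the two previous subsections together: it applies the built-in priority account tag to a set of accounts, places them in a mail-enabled security group, scopes both halves of the Strict preset security policy to that group, and then verifies that spam addressed to those recipients is quarantined rather than delivered to Junk Email. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and a tenant where the preset security policy rules exist; the contoso.com addresses and the group name are placeholders.

```powershell
# Added example, not part of the original article. Assumes the
# ExchangeOnlineManagement module, an Exchange admin role, and that the
# addresses and group name below (contoso.com) are placeholders for your own.
Connect-ExchangeOnline

$execs = 'ceo@contoso.com', 'cfo@contoso.com', 'ciso@contoso.com'   # placeholder UPNs

# 1. Apply the built-in "Priority account" tag (system tag) to each account.
foreach ($upn in $execs) { Set-User -Identity $upn -VIP $true }
Get-User -IsVIP:$true | Select-Object UserPrincipalName, DisplayName

# 2. Keep the Strict scope maintainable: a mail-enabled security group whose
#    membership you manage, rather than a hard-coded address list on the rule.
$groupAddress = 'priority-accounts@contoso.com'   # placeholder
New-DistributionGroup -Name 'Priority Accounts' -Type Security -PrimarySmtpAddress $groupAddress
foreach ($upn in $execs) { Add-DistributionGroupMember -Identity $groupAddress -Member $upn }

# 3. Scope both halves of the Strict preset security policy to the group:
#    the EOP rule (anti-spam, anti-malware, anti-phishing) and, in tenants with
#    Defender for Office 365, the ATP rule (Safe Links, Safe Attachments).
Set-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy' -SentToMemberOf $groupAddress
Set-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy' -SentToMemberOf $groupAddress
Enable-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy'

# 4. Verify scope and state, and confirm that spam for these recipients is
#    quarantined rather than delivered to Junk Email (the Strict behaviour).
Get-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy' |
    Format-List Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy' |
    Format-List Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-HostedContentFilterPolicy -Identity 'Strict Preset Security Policy' |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction, BulkSpamAction
```

The group in step 2 is the bridge between tagging and protection: the tag drives visibility in alerts, reports, and investigations, while the recipient conditions on preset security policies are users, groups, and domains, so membership of a group is what actually routes a priority account's mail through the Strict settings. Re-run step 4 after any portal change; the Strict rules can be disabled or re-scoped there as easily as from PowerShell.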
Monitor priority accounts in alerts, reports, and detections
After you secure and tag your priority users, you can use the available reports, alerts, and investigations in EOP and Defender for Office 365 to quickly identify incidents or detections that involve priority accounts. The features that support user tags are described in the following table.
Alerts: The user tags of affected users are visible and available as filters on the Alerts page in the Microsoft Defender portal. For more information, see Alert policies in the Microsoft Defender portal.
Incidents: The user tags for all correlated alerts are visible on the Incidents page in the Microsoft Defender portal. For more information, see Manage incidents and alerts.
Explorer and Real-time detections: In Explorer (Defender for Office 365 Plan 2) or Real-time detections (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see Tags in Threat Explorer.
Email entity page: You can filter email based on applied user tags in Microsoft 365 E5 and in Defender for Office 365 Plan 1 and Plan 2. For more information, see Email entity page.
Campaign Views: User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see Campaign Views.
Threat protection status report: In virtually all of the views and detail tables in the Threat protection status report, you can filter the results by priority accounts. For more information, see Threat protection status report.
Top senders and recipients report: You can apply this user tag as a filter to the top 20 message senders in your organization. For more information, see Top senders and recipients report.
Compromised user report: User accounts that are marked as Suspicious or Restricted in Microsoft 365 organizations with Exchange Online mailboxes show up in this report. For more information, see Compromised user report.
Admin submissions and user reported messages: Use the Submissions page in the Microsoft Defender portal to submit email messages, URLs, and attachments to Microsoft for analysis. For more information, see Admin submissions and user reported messages.
Quarantine: Quarantine holds potentially dangerous or unwanted messages, including messages sent to priority accounts, in Microsoft 365 organizations with mailboxes in Exchange Online or in standalone Exchange Online Protection (EOP) organizations. For more information, see Quarantine email messages.
Attack simulation: To test your security policies and practices, run a benign cyberattack simulation against your target users. For more information, see Attack simulation.
Email issues for priority accounts report: The Email issues for priority accounts report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for priority accounts. For more information, see Email issues for priority accounts report.
Train users
Training users with priority accounts can help save those users and your security operations team much time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they're more likely to avoid suspicious websites.
The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance for establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.
Microsoft 365 provides the following resources to help inform users in your organization:
Attack simulation training in Microsoft Defender for Office 365 Plan 2 allows admins to configure, launch, and track simulated phishing attacks against specific groups of users.
Multifactor authentication helps secure your environment and resources by requiring that your users confirm their identity by using multiple authentication methods, like a phone call, text message, mobile app notification, or one-time password. You can use multifactor authentication both on-premises and in the cloud to add security for accessing Microsoft online services, remote access applications, and more. This learning path provides an overview of how to use multifactor authentication as part of a cyber
Admins can learn how to identify specific groups of users with user tags in Microsoft Defender for Office 365 Plan 2. Tag filtering is available across alerts, reports, and investigations in Microsoft Defender for Office 365 to quickly identify the tagged users.
The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account enables the extra protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.
Admins can learn how to use the configuration analyzer to find and fix security policies that are less secure than Standard protection and Strict protection in preset security policies.
Admins can learn how to apply Standard and Strict policy settings across the protection features of Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
What are best practices for Exchange Online Protection (EOP) and Defender for Office 365 security settings? What are the current recommendations for standard protection? What should be used if you want to be more strict? And what extras do you get if you also use Defender for Office 365?