Microsoft 365: You’ve Migrated, So What Can You Optimize?

Over the years, Microsoft has made its cloud offerings more attractive, motivating more and more businesses to make the migration from on-premise Microsoft Exchange email servers to cloud-hosted Microsoft 365. This includes improvements to email security functionality: features not available with Microsoft Exchange when it was on premise are improved in some significant areas with the migration to Microsoft 365. It’s important to be aware of what those features are.

The lack of some critical security features in on-premise Microsoft Exchange has led many institutions to augment their email security with secure email gateways (SEGs). However, with functionality now available in Microsoft 365, it’s important to know where you are duplicating efforts, so you don’t end up adding cost and complexity for functionality you already have.

You can get solid coverage by doing just a few basic things. As more time allows, you can tweak and tune as you see fit – hopefully with the help of your local Microsoft team giving you guidance.

Signature Management

Microsoft 365 offers the ability to set up a consistent signature, organization-wide. This can include anything from a marketing message and logo, to a legal disclaimer. Moreover, organization-wide signatures and disclaimers can be attached not just to messages sent by accounts in your organization, but to all messages that enter or leave your organization’s email. That can be an effective way to communicate with senders and recipients with messages that may be critical to maintaining good operational security. Microsoft has the full details here.


SEGs often lump in spam filters with security functionality. Blocking spam is not a security-related feature, but spam is a nuisance that many organizations want their email security admins to manage. Some use SEGs or other API cloud email security vendors to keep out unwanted email, but in fact Microsoft 365’s platform-level controls do a great job. Here are a few of them:

  • Connection filtering: An anti-spam feature of Microsoft 365 that allows or blocks email based on the message source.
  • Spam filtering: This feature looks for spam flags in the content of messages, and can be configured down to the level of specific policies for specific users or groups.
  • Outbound spam filtering: Here is one area where spam filters and security do overlap; outbound spam coming from a user in your organization often indicates.

Delivery Settings to Prevent Spam to User Inboxes

Microsoft has improved its Microsoft 365 Security Center with new features for managing spam. The default settings are designed to filter out most spam messages, but here are some steps you can take to improve your organization’s spam filters, using that improved functionality.

  • Configure Organizational Settings based on Recommendations.
  • Enable Junk Mail Rule.
  • Use Blocked Sender Lists.

This Microsoft document has an overview of the features and functionality available, and this video is also a helpful walk-through of some easy steps you can take to optimize these spam filters.


When it comes to real security threats, Microsoft actually provides a good baseline for protection against malware. For many of the signature-based malware found in attachments, Microsoft 365 does a good job at identifying and removing malicious files. As one of the largest software vendors in the world, Microsoft has access to the most real-time data about “known bad,” so leveraging the native platform you can manage most of the malware that is attempting to be delivered via email.

malicious payloads share image

To find out how to address malicious payloads, including ransomware and zero-day attacks, read GreatHorn’s eBook, Ransomware and Malicious Payloads:
What You Need to Know.

Download it here

Microsoft’s anti-malware baseline

Here’s what Microsoft 365 has to offer at the baseline level.

  • Anti-malware scans: Microsoft 365 applies multiple sets of heuristics for detecting malware.
  • Real-time threat response: If an attack is widespread and threatening enough, Microsoft can respond with real-time updates to policy rules that can detect the threat.
  • Fast anti-malware definition deployment: Another advantage of Microsoft’s size is its partnerships with anti-malware developers. At times, Microsoft receives updates from these developers before they are publicly released.


Like its anti-spam filters, Microsoft’s anti-malware filters can be customized beyond the defaults. Customizations include:

  • Policies: Create policies that match your organization’s specific needs.
  • Notifications: Set who is notified when a message is quarantined, and the content of those notifications.
  • Filter on/off settings: Default filters, such as a common attachment filter, can be turned on or off.
  • Zero-hour auto purge: Control what Microsoft does with messages that have been identified as threats, after they have already hit user inboxes.

You can find full details on these settings from Microsoft, here.

Data Loss Prevention (DLP)

Unlike the on-premise alternative, the cloud-based DLP in Microsoft 365 has been improved to allow organizations the option to protect sensitive information and prevent accidental disclosure of information (i.e. credit card numbers, social security numbers, or ePHI). And, unlike SEG alternatives, Microsoft can apply policies across Exchange email, SharePoint sites, OneDrive accounts, Teams chat, Windows 10 devices and Microsoft Cloud App Security.

  • Identify any email containing sensitive information with people outside your organization and apply a rule to automatically block the email from being sent.
  • Educate users about compliance-related policies when attempting to share documents that contain sensitive information, including an email notification to educate on the policy.
  • DLP Alerts Management Dashboard provides a single view into all alerts and metadata data related to DLP policies.

You can learn more about all of the Rules available in MIcrosoft 365 to protect sensitive information and how to configure the policies here.

Legacy SEGs: Don’t Pay for What You Don’t Need

Legacy secure email gateways (SEGs) often charge for these additional functionalities, and when an organization was hosting Microsoft Exchange on-premise, that approach may have made sense. As organizations are switching to cloud-based email in Microsoft 365, many are still beholden to SEGs for functionality that is currently available with easily applied features in their cloud email platform.

To find out about how you can save money and maintain confidence in email threat protection, read more about how GreatHorn and Microsoft 365 work together to keep your organization’s email secure.

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.