Microsoft 365: Exchange Online security

M365 Email is UVic’s first application of the Microsoft Exchange Online cloud email solution. Exchange Online provides a modern email service for students and uses a suite of email security tools to filter out malware and phishing messages.

Here are the highlights:

  • If you think you’ve received a phishing message, use the Report Phishing feature!
  • You can secure your M365 Email account with UVic MFA!
  • Logins are protected by Microsoft's modern authentication method.
  • Auto-forwarding is not available for M365 Email accounts. 
  • Attachments will be scanned for viruses and malware.
  • Use a supported Microsoft Outlook product to access your email.
  • Set a lock screen passcode on your mobile device.
  • Automatic junk mail and deleted items clean-up.
  • Emails from a non-UVic account will show an external sender header.

More details about these new security features can be found below.

 

Exchange Online Protection (EOP)

Exchange Online Protection is the suite of security tools built into Exchange Online. UVic’s Information Security team uses these tools to take proactive action in protecting UVic email accounts.

Features include:

  • better filtering for spam messages
  • protection from malware hidden in attachments
  • increased defense against phishing emails
  • more effective block list and safe sender options
  • secure connection protocols

Report Phishing feature

The Report Phishing feature allows you to report emails that may be phishing messages. The tool was set up by the Information Security team for the faculty & staff email system and is now integrated into M365 Email as well.

You can learn how to use this feature by checking out the Microsoft Support article: Use the Report Message add-in

Please note: We have customized this feature for UVic accounts. Any messages reported from a UVic M365 Email account are reviewed by our Information Security team and not Microsoft.


You can learn more about protecting yourself from phishing in our phishing awareness section.

Multi-factor authentication (MFA)

Whether you add your UVic M365 Email account to your phone, computer, or access it through a web browser, it's always protected if you added UVic MFA to your NetLink ID. 

You can learn more about setting up email on mobile in our M365 Email support section.

Modern authentication

Email services with basic or older security settings are more vulnerable to being accessed by someone other than you. Your M365 Email account is protected from unauthorized access by Microsoft's modern authentication protocol so your inbox is safer!

You can find in-depth information about this security feature in the Microsoft article: modern authentication.

Auto-forwarding restrictions

UVic's Exchange Online service is configured so M365 Email accounts can't be forwarded to an external address. We made the decision to prioritize your account security over the optional convenience of email forwarding. 

Why does it matter? Auto-forwarding inbox rules are a common tactic used by attackers looking for email accounts to control. In many cases you might not notice your inbox has been modified until it's too late. Disabling auto-forwarding makes it impossible for someone else to re-route your email and compromise your data.

If you wish to forward your email, you can use the legacy student email service.
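For administrators, the inbox-rule tactic described above can also be audited. The following is an added example, not UVic's or Microsoft's tooling: it assumes inbox rules have been exported (for instance from `Get-InboxRule`) as dictionaries whose recipients use the `[SMTP:address]` or plain-address form, and `example.edu` is a placeholder for the organisation's own domains.

```python
import re

# Assumption: placeholder for the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.edu"}
# Inbox-rule actions that send mail on to another recipient.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def is_internal(domain):
    # Exact match or true subdomain only, so "example.edu.evil.test" stays external.
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_forwards(rule):
    """Return (action, address) pairs in one rule that leave the organisation."""
    hits = []
    for action in FORWARD_ACTIONS:
        values = rule.get(action) or []
        if isinstance(values, str):  # a single recipient may export as a bare string
            values = [values]
        for value in values:
            for m in ADDR_RE.finditer(value):
                if not is_internal(m.group(1)):
                    hits.append((action, m.group(0).lower()))
    return hits

def audit(rules):
    """Summarise every rule that forwards or redirects mail externally."""
    findings = []
    for rule in rules:
        hits = external_forwards(rule)
        if hits:
            findings.append({
                "mailbox": rule.get("MailboxOwnerId", "?"),
                "rule": rule.get("Name", ""),
                # Rules that also delete or mark-as-read hide the activity from the owner.
                "hides_mail": bool(rule.get("DeleteMessage") or rule.get("MarkAsRead")),
                "forwards": hits,
            })
    return findings

# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"MailboxOwnerId": "student1", "Name": "To TA",
     "ForwardTo": ['"TA" [SMTP:ta@mail.example.edu]']},
    {"MailboxOwnerId": "student2", "Name": ".", "DeleteMessage": True,
     "RedirectTo": ['"x" [SMTP:drop@example.edu.evil.test]']},
    {"MailboxOwnerId": "student3", "Name": "Newsletters", "MoveToFolder": "News"},
]
```

Only the second sample rule is reported: its recipient domain merely begins with the internal domain, and the rule also deletes the original message.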

Email attachment scanning

Attachments will be scanned for viruses and malware, so you can feel safer opening files in your inbox.

Have to send a file that's too large? Working on a group project and hate losing track of file versions? You can upload it to your UVic OneDrive and share it instead.

You can learn more about setting up your UVic OneDrive in our OneDrive support section.

Junk mail and deleted items clean-up

Any email you delete or put in your junk folder will be automatically cleaned up after 30 days. If you accidentally delete something, you can recover it for up to 14 days after it's been removed from your inbox.

You can learn how to recover deleted items from the Microsoft Support article: Restore deleted email messages in Outlook.com

External sender message headers

We want your inbox to feel safer, so we turned on the external sender feature. Any email you receive from a non-UVic account will have an alert at the top that lets you know the address is from outside the UVic organization.

Why does this feature help protect your M365 Email account? Sometimes phishing attacks will impersonate other UVic addresses to get you to click on malicious links. The external sender header gives you a heads-up if you get emails from a source you aren't expecting.

Mobile device security settings and permissions

You'll need to set a lock screen passcode if you add your M365 Email account to a mobile device. This security setting is required for your device to connect to UVic's Exchange Online email service. 

If you're using a mobile device running a supported version of Android or iOS, you probably already have a passcode set!

 

Important note about device permissions warnings:

Some versions of Android or iOS may ask for permission to "wipe the device if there are too many invalid password attempts". This is a Microsoft ActiveSync security feature that is not enabled for UVic student accounts, but the permission notification message on your phone doesn't specify those details.

If you are a student, your M365 Email account will be removed from your mobile device if there are more than 10 incorrect lock screen passcode attempts in a row. This won't delete any of your email, it just removes it from the device in case your phone has been lost or stolen. This will not wipe your entire device.

Mobile device restrictions for student employees

If you're a student and a UVic employee, your M365 Email account will have some extra security requirements. All UVic employee email accounts must adhere to the university's information security standards.

You can only add your M365 Email account to a mobile device that is capable of handling all the following security requirements:

  • your lock screen passcode can't be too simple, like 111111 or 123456
  • the passcode must be at least six characters long
  • your mobile device is encrypted
  • your M365 Email account will be removed from your mobile device if there are more than 10 incorrect lock screen passcode attempts in a row. This won't delete any of your email, it just removes it from the device in case your phone has been lost or stolen.
  • your lock screen timeout can only be set to a maximum of 15 minutes

 

You can learn more about the employee email security standards in our ActiveSync section.