Microsoft 365 admin center: Organizational Messages now supports Email messages
🚨 The Signal: Organizational Messages can now be delivered via email, in addition to existing Windows and Teams channels. This expands the attack surface for targeted internal phishing and social engineering campaigns.
The Impact
All users are affected by a new internal email channel, increasing risk of social engineering and phishing.
- End users face increased risk from internal phishing via the new email channel.
- Security teams must update monitoring for internal email-based social engineering.
- Admins need to review and secure new message delivery configurations.
- Compliance teams must update policies for internal communication channels.
The Action
- Review existing Organizational Messages policies for email channel implications.
- Educate users on identifying legitimate organizational messages vs. phishing.
- Monitor internal email for suspicious activity mimicking organizational messages.
- Configure message sender authentication to prevent spoofing of internal communications.
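
The monitoring and sender-authentication actions above can be combined into a header triage check. The following is an added example, not code from Microsoft or from the original notice: it flags messages that claim an internal From domain but fail DMARC or send replies to an external domain. The domain `contoso.example`, the finding labels and the sample headers are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumption: placeholder for the tenant's accepted domain(s).
INTERNAL_DOMAINS = {"contoso.example"}

# Constructed sample headers, not taken from a real tenant.
LEGIT = (
    "Authentication-Results: spf=pass smtp.mailfrom=contoso.example;\n"
    " dkim=pass header.d=contoso.example; dmarc=pass header.from=contoso.example\n"
    "From: IT Announcements <it-news@contoso.example>\n"
    "Subject: Scheduled maintenance\n\n"
)
SPOOFED = (
    "Authentication-Results: spf=fail smtp.mailfrom=mailer.invalid;\n"
    " dkim=none; dmarc=fail header.from=contoso.example\n"
    "From: IT Announcements <it-news@contoso.example>\n"
    "Reply-To: helpdesk@mailer.invalid\n"
    "Subject: Action required\n\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to their verdicts from the topmost header."""
    # Headers are prepended in transit, so the first Authentication-Results
    # is the receiving system's; lower copies may be sender-supplied.
    header = (msg.get_all("Authentication-Results") or [""])[0]
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {key.lower(): verdict.lower() for key, verdict in pairs}

def assess(raw, internal=INTERNAL_DOMAINS):
    """Return findings for a message whose From claims an internal domain."""
    msg = email.message_from_string(raw)
    if domain_of(msg.get("From")) not in internal:
        return []  # does not claim to be internal; out of scope here
    findings, verdicts = [], auth_verdicts(msg)
    if not verdicts:  # reported separately: not every path stamps the header
        findings.append("no-authentication-results")
    elif verdicts.get("dmarc") != "pass":
        findings.append("internal-from-dmarc-" + verdicts.get("dmarc", "missing"))
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to not in internal:
        findings.append("reply-to-external:" + reply_to)
    return findings
```
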
Domain: Exchange · Impact: medium · Workload: Exchange Online