Learn more about Microsoft 365 email security
Microsoft 365 Email is UVic’s first application of the Microsoft Exchange Online cloud email solution. Exchange Online provides a modern email service for students and uses a suite of email security tools to filter out malware and phishing messages.
Here are the highlights:
- Emails caught by security filters now go to quarantine instead of your spam folder.
- If you think you’ve received a phishing message, use the Report Phishing feature!
- You can secure your M365 Email account with UVic MFA!
- Logins are protected by Microsoft's modern authentication method.
- Attachments will be scanned for viruses and malware.
- Use a supported Microsoft Outlook product to access your email.
- Set a lock screen passcode on your mobile device.
- Automatic junk mail and deleted items clean-up.
- Emails from a non-UVic account will show an external sender header.
More details about these new security features can be found below.
Exchange Online Protection (EOP)
Exchange Online Protection is the suite of security tools built-in to Exchange Online. UVic’s Information Security team uses these tools to take proactive action in protecting UVic email accounts.
Features include:
- better filtering for spam messages
- protection from malware hidden in attachments
- increased defense against phishing emails
- more effective block list and safe sender options
- secure connection protocols
Email quarantine
Emails caught by blocked file type, phishing, malware filters can end up in quarantine. This means unsafe emails aren't delivered to you at all instead of ending up in your inbox or spam folder. If someone sends you an email that ends up in quarantine, you'll receive a notification email within 24 hours. This notification will tell you:
- the reason the email was quarantined
- actions you can take to preview the email
- how to request release of the email to your inbox
- how to delete the email or block the sender
You can check your quarantined emails anytime by logging into with your UVic M365 account.
If you believe a quarantined email is actually legitimate, follow the prompts to request release of the message. This will alert UVic’s Information Security team to review and release the message if it’s safe to do so.
If you are using a role-based email, you won't be able to review the message in the Quarantine Portal. Please contact the Computer Help Desk to request of an email if you think it is legitimate.
Please note that emails quarantined because of blocked file type will not be released from quarantine. Blocked file types include common executable files, scripting files, and OneNote documents; compressing these files in a Zip will not bypass filters. If you have questions about emails sent to you that have ended up in quarantine, contact the Computer Help Desk.
If a time-sensitive email has ended up in quarantine, we recommend contacting the sender as soon as possible to let them know what has happened. If the email has attachments that may have triggered the quarantine, ask the sender for to a link to the files rather than attaching them to an email.
Safety tips
At the beginning of some emails is a message that reads “You don't often get email from … Learn why this is important”. This is called a safety tip, and it is added to certain emails in order to raise your suspicions of a new sender’s email address.
The safety tip is shown to recipients in the following scenarios:
- The first time you get a message from a sender
- You don't often get messages from the sender
This adds an extra layer of security protection against potential impersonation attacks.
If you receive an email from a new email address trying to impersonate someone you know, you may glance over the name and not notice that this is email address is pretending to be a person familiar to you. This could then lead to you communicating with the malicious actor before you realize this may be a scam email, such as a gift card scam.
There is no way to disable this message. However, as you correspond with the senders the system should recognize the sender and the banner should go away.
Safe Links URL re-writing
Safe links scans incoming email for malicious hyperlinks and wraps the hyperlink with a standard Microsoft URL prefix: https://can01.safelinks.protection.outlook.com/url=.
All hyperlinks in received emails are re-written with this prefix so that safe links can check the webpage when it’s clicked to ensure the webpage is not malicious.
Learn more about from Microsoft Support.
Report Phishing feature
The Report Phishing feature allows you to report emails that may be phishing messages. The tool was set-up by the Information Security team for the faculty & staff email system and is now integrated into M365 Email as well.
You can learn how to use this feature by checking out the
Please note: We have customized this feature for UVic accounts. Any messages reported from a UVic M365 Email account are reviewed by our Information Security team and not Microsoft.
You can learn more about protecting yourself from phishing in our phishing awareness section.
Multi-factor authentication (MFA)
Whether you add your UVic M365 Email account to your phone, computer, or access it through a web browser, it's always protected if you added UVic MFA to your NetLink ID.
You can learn more about setting up email on mobile in our M365 Email support section.
Modern authentication
Email services with basic or older security settings are more vulnerable to being accessed by someone other than you. Your M365 Email account is protected from unauthorized access by Microsoft's modern authentication protocol so your inbox is safer!
You can find in-depth information about this security feature in the .
Email attachment scanning
Attachments will be scanned for viruses and malware, so you can feel safer opening files in your inbox.
Have to send a file that's too large? Working on a group project and hate losing track of file versions? You can upload it to your UVic OneDrive and share it instead.
You can learn more about setting up your UVic OneDrive in our .
Junk mail and deleted items clean-up
Any email you delete or put in your junk folder will be automatically cleaned up after 30 days. If you accidentally delete something, you can recover it for up to 14 days after it's been removed from your inbox.
You can learn how to recover deleted items from
External sender message headers
We want your inbox to feel safer so we turned on the external sender feature. Any email you receive from a non-UVic account will have an alert at the top that let's you know the address is from outside the UVic organization.
Why does this feature help protect your M365 Email account? Sometimes phishing attacks will impersonate other UVic addresses to get you to click on malicious links. The external sender header gives you a head's up if you get emails from a source you aren't expecting.
Mobile device security settings and permissions
You'll need to set a lock screen passcode if you add your M365 Email account to a mobile device. This security setting is required for your device to connect to UVic's Exchange Online email service.
If you're using a mobile device running a supported version of Android or iOS, you probably already have a passcode set!
Important note about device permissions warnings:
Some versions of Android or iOS may ask for permission to "wipe the device if there are too many invalid password attempts". This is a Microsoft ActiveSync security feature that is not enabled for UVic student accounts, but the permission notification message on your phone doesn't specify those details.
If you are a student, your M365 Email account will be removed from your mobile device if there are more than 10 incorrect lock screen passcode attempts in a row. This won't delete any of your email, it just removes it from the device in case your phone has been lost or stolen. This will not wipe your entire device.
Mobile device restrictions for student employees
If you're a student and a UVic employee, your M365 Email account will have some extra security requirements. All UVic employee email accounts must adhere to the university's information security standards.
You can only add your M365 Email account to a mobile device that is capable of handling all the following security requirements:
- your lock screen passcode can't be too simple, like 111111 or 123456
- the passcode must be at least six characters long
- your mobile device is encrypted
- your M365 Email account will be removed from your mobile device if there are more than 10 incorrect lock screen passcode attempts in a row. This won't delete any of your email, it just removes it from the device in case your phone has been lost or stolen.
- your lock screen timeout can only be set to a maximum of 15 minutes
You can learn more about the employee email security standards in our ActiveSync section.