Email was not designed with security as a requirement; all of the "security" around email was bolted on after the fact. Here are four of those bolted-on areas that should be part of your secure email basics.
Utilize MFA, for real
We have been beating this drum for over five years now, and people are still not using it. This is a FREE setting available in any commercial email service. Turn it on today.
If you are working with a technology partner that has not yet brought this up or enabled it for your organization, find a new partner! This is simply too important to ignore.
Check out your inbox rules for forwarding
The most common step for a hacker to take once they have access to your email is to set up a forwarding rule. This is quite simple to do and typically goes unnoticed by the user for some time. Once forwarding is set up, they monitor your email and wait for the right moment to craft a message you would otherwise be expecting, in order to gather more information. Ever wonder how all those emails about mortgage documents started showing up right when you were closing on that new house? Now you know!
Check your Microsoft 365 mailbox settings to see whether forwarding is set up. You should also review your inbox rules occasionally to ensure email is flowing as expected once you receive it.
An appropriately configured Microsoft 365 tenant will have alerts in place to notify both users and administrators if a forwarding rule is enabled on a mailbox. Be sure this is the case for your organization, or contact a partner that can assist with a review of your setup. The best answer is to disable forwarding altogether at the tenant level.
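As an added example (not code from the original post), the following PowerShell audit uses the ExchangeOnlineManagement module to list mailbox-level forwarding and any inbox rules that forward or redirect outside the tenant, then applies the tenant-level block the post recommends. The installed module, an Exchange administrator role, and cmdlet availability under your license are assumptions.

```powershell
# Added example: audit Exchange Online for forwarding at the mailbox level and
# the inbox-rule level, then disable automatic external forwarding tenant-wide.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# Accepted domains of this tenant; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

function Test-ExternalTarget {
    param([string]$Entry)
    # Rule targets look like: "Name" [SMTP:user@domain]. EX: entries (legacy
    # Exchange DNs) carry no @ and are internal recipients, so they pass.
    if ($Entry -match '[\w.+-]+@([\w.-]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    return $false
}

# 1. Mailbox-level forwarding (set by an admin or in Outlook on the web options).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to an external address. These are the
#    rules the post describes an intruder creating, so check every mailbox.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            if ($targets | Where-Object { Test-ExternalTarget $_ }) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $_.Name
                    Enabled = $_.Enabled
                    Targets = ($targets -join '; ')
                }
            }
        }
}

# 3. Tenant-level mitigation: block automatic forwarding to external recipients
#    in both the outbound spam policy and the default remote domain.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```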
Set up Microsoft Advanced Threat Protection
Basic email security should now include the configuration (and licensing) of Microsoft Advanced Threat Protection. This is a fully integrated solution that provides a number of services to keep your incoming and outgoing email protected. It is included in the M365 Business Premium plan and is available as an add-on to most other email licenses.
This "product" takes the place of external third-party email services like Mimecast or Proofpoint, which reduces your application footprint, simplifies overall tech management, and provides a more secure and intuitive end-user experience.
Set up Email Encryption
If you *must* send sensitive information via email, at least do so in a secure manner. This option is included with many of the Microsoft 365 plans today, and can also be added on via Azure Information Protection Plan 1. This is best handled by a technology partner that has experience with the configuration and licensing of these services. Gmail also has this feature via its Confidential Mode option.