One issue that I have found time and again is that Office 365 inherently has some vulnerabilities. I chose to move to a spam filtration system that does anti-impersonation as a backbone. If you choose to keep O365 I would suggest just a short list of the following.
* Highly suggest investing in a spam filtration system that sits behind the O365 console *
- disable OWA or enable MFA with app authentication (no matter what else you do)
- Set to strip all hyperlinks in messages
- One nice feature of Office 365 is that in the Admin portal, under Security, it has a rating system from 0-365 (cute) which gives you different check-offs you can do that will allow you to increase your security score.
*The key is to remember that training your staff is one of, if not the, most important parts of email and infrastructure security. If you do not have their buy-in for the changes made, as each change will make it more time-consuming for them to log in, then you will have a rather hard time.*
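As an added example (not part of the post above, and not anything Microsoft ships), here is how the "disable OWA" recommendation can be audited and applied from PowerShell with the ExchangeOnlineManagement module. It assumes you have the module installed and an account with Exchange admin rights; the `-WhatIf` run is a dry run, and the exemption list (`$keepOwa`) is a constructed placeholder for mailboxes you deliberately leave on OWA (for example, those already covered by MFA with app-based authentication).

```powershell
# Added example: audit and disable Outlook on the web (OWA) per mailbox.
# Requires: Install-Module ExchangeOnlineManagement (real module; cmdlets below are real).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; MFA-capable

# Constructed placeholder: mailboxes that keep OWA because they are already
# protected by MFA with app-based authentication. Replace with your own list.
$keepOwa = @('helpdesk@example.invalid')

# 1. Audit: list every mailbox that still has OWA turned on.
$owaEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Select-Object Identity, PrimarySmtpAddress, OWAEnabled

Write-Host ("Mailboxes with OWA enabled: {0}" -f $owaEnabled.Count)
$owaEnabled | Format-Table -AutoSize

# 2. Dry run: show what would change, without changing anything.
$owaEnabled |
    Where-Object { $keepOwa -notcontains $_.PrimarySmtpAddress } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -OWAEnabled $false -WhatIf }

# 3. Apply: remove the -WhatIf once the dry-run output looks right.
# $owaEnabled |
#     Where-Object { $keepOwa -notcontains $_.PrimarySmtpAddress } |
#     ForEach-Object { Set-CASMailbox -Identity $_.Identity -OWAEnabled $false }

# 4. Verify: anything left enabled should be only the exemption list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Select-Object PrimarySmtpAddress |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit and dry-run steps first and keep their output; new mailboxes created later default to OWA enabled, so the audit block is worth re-running on a schedule rather than treating this as a one-time change.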