This is Part 1 of a two-part blog series on how organizations can efficiently augment their native Office 365 security controls to stop targeted email attacks. In Part 1, we’ll evaluate the strengths and gaps of native Office 365 email security measures.
Email continues to be the lifeblood of business communications, but it’s also undergoing a paradigm shift. This shift has two clear drivers: a shift to the cloud, and a commoditization of certain email security features - and Microsoft sits at the intersection of these email trends.
Of the 81% of businesses that have made the shift to cloud services, over half are Office 365 users. The groundswell of momentum heralded by cloud-based Office 365 offerings has improved organizational agility and simplified the management of corporate applications. Microsoft has attempted to ease this transition by including a wide spread of email security features within their Office 365 suite, enabling customers to move away from on-premise Secure Email Gateways (SEGs).
In this blog, we’ll study Office 365’s native email security capabilities, what it does well, and which areas of protection are still lacking.
Exchange Online Protection (EOP)
Microsoft describes Exchange Online Protection (EOP) as a cloud-based email filtering service that helps protect organizations against spam, malware, and messaging-policy violations. Organizations pay for EOP as part of both the E3 and E5 O365 licenses.
EOP security capabilities include:
- Anti-spam protection: Blocks spam by using URL and domain lists, content filtering, and connection filtering.
- Anti-malware protection: Multiple anti-malware engines along with customizable malware filtering rules.
- Mail routing and flow rules: Route and filter emails by domain, region, keywords, subject line, and other parameters.
- Reporting and logging: Audit logs, web-based reports, and message tracing provide visibility into email activity.
- SLAs and support: A spam effectiveness SLA of >99% and a virus detection/blocking SLA of 100%.
A full list of EOP capabilities is available here.
Advanced Threat Protection (ATP)
Microsoft describes Advanced Threat Protection (ATP) as an add-on security offering that safeguards organizations against malicious threats posed by email messages, links (URLs), and collaboration tools. Organizations pay for ATP as part of the E5 O365 license, with two ATP plans available to choose from.
ATP security capabilities include:
- Safe attachments and links: Protects against zero-day malware with dynamic analysis. Provides time-of-click verification for all URLs.
- SharePoint, OneDrive, and Teams support: Identifies and blocks malicious files on team sites and document libraries for cross-platform protection.
- ATP anti-phishing protection: Applies machine learning models for advanced phishing protection.
- Threat investigation and response: Uses threat intelligence and real-time reports for threat identification and analysis.
- Attack simulation: Runs realistic attack scenarios to identify organizational vulnerabilities.
A full list of ATP capabilities is available here.
Strengths and Gaps
Native Office 365 email security (EOP) does a good job protecting against spam, known malware, and mass phishing campaigns. ATP leverages threat intelligence and machine learning models to detect advanced phishing attempts, stop zero-day malware, and provide attack simulations to improve end user education. Thus, many traditional elements of email security have essentially been commoditized by Office 365’s native offerings.
However, cybercriminals have not stood still while email security has matured. There are entire new categories of email threats that are socially engineered to get past traditional security controls and induce human targets into taking actions that lead to compromise. These attacks - broadly classified under the Business Email Compromise (BEC) umbrella - have dripped and dripped over the years to create a billion dollar ocean. The 2019 IC3 Report from the Federal Bureau of Investigation found that over $26 billion has been lost in BEC attacks over the past three years.
Fig 1: The strengths and gaps in native Office 365 email security.
Let’s see why BEC attacks usually get past native Office 365 email security controls:
- Laser targeted: BEC attacks eschew the scattergun approach of mass phishing attempts and are the result of extensive groundwork and research conducted by the attacker. The perpetrator is aware of the victim’s name, job title, reporting manager, and sometimes even what days they’ll be out of office.
- No malicious payloads: BEC attacks rarely include URLs or attachments that contain malicious payloads, especially in the first email. Payloads may sometimes be introduced at the end of email chains, after the attacker has gained the victim’s trust. It’s more likely for the ‘payload’ to be within the email content itself i.e. requests that are framed like they’re coming from a legitimate person that the victim knows.
- Rules and metadata are not enough: Since BEC attacks are more sniper than sledgehammer in their technique, metadata and binary rules are not enough to flag these emails. These protection techniques either lead to a flood of false positives or let finely crafted BEC attacks escape their grasp.
- Socially engineered: BEC attacks prey on human nature as much as (if not more than) security controls. Leaning on age-old psychological tricks like urgency, authority, persuasion, and fear, the language in these emails make the victims ‘want’ to take action without thinking too much about it.
There’s only so far that eye tests and phishing awareness can take us. Organizations should complement native O365 email security with third-party controls that take a different approach to threat detection. Such an email security suite results in a more holistic approach, a better spread of techniques, and a more efficient allocation of the security budget.
Since BEC attacks can’t be detected by heavy-handed ‘all or nothing’ signals, third-party email security controls should provide a breadth and depth of signal analysis that cuts across user identity, user behavior, and email language.
In Part 2 of this blog, we’ll look at characteristics of third-party email security controls that provide the most effective complement to native Office 365 email security.