
In this blog, we’ll review native Office 365 email security, what it does well, and what security gaps your business should be aware of.

This blog is Part 1 of a two-part blog series on how your business can use Office 365 security controls to stop targeted email attacks. Today we’ll talk about the strengths and gaps of native Office 365 email protection. In Part 2, we’ll discuss what’s needed to augment native Office 365 email security.
Email continues to be the lifeblood of business communications, but it’s also undergoing a paradigm shift. This transition has two clear drivers: a shift to the cloud and commoditization of certain email security features. Microsoft sits at the intersection of these email trends.
Of the 90% of businesses that have shifted to cloud services, over half are Office 365 users. The momentum heralded by cloud-based Office 365 offerings has improved organizational agility and simplified corporate application management.
Microsoft has attempted to ease this transition by including an array of email security features within their Office 365 suite, enabling customers to move away from on-premises Secure Email Gateways (SEGs).
In this blog, we’ll review Office 365’s native email security capabilities, what it does well, and which areas of protection are still lacking.
Fig 1: The strengths and gaps in native Office 365 email security.
Native Office 365 Email Security: Strengths
Office 365’s native offerings have essentially commoditized many traditional elements of email security.
Exchange Online Protection (EOP)
Microsoft describes EOP as a cloud-based email filtering service that helps protect organizations against spam, malware, and messaging-policy violations. Organizations pay for EOP as part of both the E3 and E5 O365 licenses.
EOP protects against:
- Spam
- Malware
- Mass phishing campaigns
EOP security capabilities include:
- Anti-spam protection: Blocks spam by using URL and domain lists, content filtering, and connection filtering.
- Anti-malware protection: Contains multiple anti-malware engines along with customizable malware filtering rules.
- Mail routing and flow rules: Routes and filters emails by domain, region, keywords, subject line, and other parameters.
- Reporting and logging: Audit logs, web-based reports, and message tracing, providing email activity visibility.
- Service Level Agreements (SLAs) and support: Offers a spam effectiveness SLA of >99% and a virus detection/blocking SLA of 100%.
A complete list of EOP capabilities is available here.
Microsoft Defender for Office 365 (MSDO)
Microsoft Defender is an add-on security offering that safeguards against malicious threats posed by email messages, links (URLs), and collaboration tools. Organizations pay for Defender as part of the E5 O365 license; two Defender plans are available.
Microsoft Defender leverages threat intelligence and machine learning models to:
- Detect advanced phishing attempts
- Stop zero-day malware
- Provide attack simulations to improve end-user education
Microsoft Defender security capabilities include:
- Safe attachments and links: Protects against zero-day malware with dynamic analysis and provides time-of-click verification for all URLs.
- SharePoint, OneDrive, and Teams support: Identifies and blocks malicious files on team sites and document libraries for cross-platform protection.
- Anti-phishing protection: Applies machine learning models for advanced phishing protection.
- Threat investigation and response: Uses threat intelligence and real-time reports for threat identification and analysis.
- Attack simulation: Runs realistic attack scenarios to identify organizational vulnerabilities.
A complete list of Microsoft Defender capabilities is available here.
Native Office 365 Email Security: Gaps
So, is Office 365 email secure? Reasonably secure, yes.
However, while email security has matured, cybercrime has not remained static. New email threats use social engineering to get past traditional security controls and compromise human targets. These include advanced impersonation attacks and payroll fraud.
These attacks, broadly classified under the Business Email Compromise (BEC) umbrella, have led to billion-dollar losses over time. According to their 2020 IC3 Report, the FBI received 19,369 BEC complaints in 2020, with adjusted losses of over $1.826 billion.
Let’s see why BEC attacks usually get past native Office 365 email security controls.
- Laser targeted: Rather than use the scattergun approach of mass phishing attacks, BEC attacks result from extensive groundwork and research conducted by the attacker. The perpetrator often knows the victim’s name, job title, reporting manager, and sometimes even what days they’ll be out of office.
- No malicious payloads: BEC attacks rarely include URLs or attachments that contain malicious payloads, especially in the first email. Payloads may sometimes be introduced at the end of email chains after the attacker has gained the victim’s trust. It’s more likely for the payload to be within the email content itself, i.e. requests that look like they’re coming from a legitimate person the victim knows.
- Rules and metadata are not enough: Since BEC attacks are “more sniper than sledgehammer” in their technique, metadata and binary rules are not enough to catch them. These protection techniques lead to a flood of false positives or let finely crafted BEC attacks escape their grasp.
- Socially engineered: BEC attacks prey on human nature as much as (if not more than) security controls. Leaning on age-old psychological tricks like urgency, authority, persuasion, and fear, the language in these emails encourages victims to divulge sensitive information without overthinking it.
Since BEC attacks can’t be detected by heavy-handed “all or nothing” signals, third-party email security controls can provide a breadth and depth of signal analysis that cuts across user identity, behavior, and email language.
This results in a more holistic approach, a wider variety of techniques, and a more efficient security budget allocation.
In Part 2 of this blog, we’ll look at the characteristics of third-party email security controls that provide the most effective complement to native Office 365 email security.
Read Part 2: Augmenting Native Office 365 Email Security: What’s Needed