Office 365 Email Protection

Office 365 email protection is best described as basic rather than truly effective. Organizations that use Microsoft as a primary email provider should therefore enhance Office 365 email protection with a secondary security solution that can prevent the delivery of emails harboring threats such as malware, ransomware, and phishing.

It is understandable that organizations that use Microsoft as a primary email provider can be lulled into a false sense of security with regard to Office 365 email protection, as Microsoft frequently updates the Office 365 suite and rolls out improvements to the existing software. However, because the Office 365 suite is so vast, many updates and improvements do not impact email services.

Furthermore, when email services are updated and improved, cybercriminals quickly find ways around new security measures to (for example) bypass email sender authentication protocols and cloak embedded phishing links so emails cannot be identified as threats by the SafeLinks or Native Link Rendering features of the Advanced Threat Protection (ATP) service.

The best way to mitigate threats such as malware, ransomware, and phishing is to prevent emails harboring these threats from being delivered to end users, and the best way to achieve that is through a process known as greylisting. Office 365 does not support greylisting because Microsoft believes existing authentication protocols are sufficient to verify the authenticity of emails. They're not.

How Greylisting Reduces Email-Borne Threats

When an email is received by a mail server, it typically goes through multiple tests and checks. Front-end tests verify the recipient, authenticate the sender, and check the source of the email against one or more real-time blocklists (RBLs) to identify emails originating from known sources of spam. If the email is not rejected by one of these tests, its content and any attachments are virus scanned and checked against filtering policies before the email is delivered to the recipient's inbox.

With greylisting, when an email is received by a mail server, unless the source of the email has been previously approved (whitelisted), the email is returned to the mail server that sent it with a request for the email to be resent. Genuine emails are usually resent within minutes – at which point they follow the process described above. Spam emails and those harboring threats are often not resent – avoiding the risk that they bypass authentication protocols or contain cloaked phishing links.

The reason spam emails are often not resent is that many spammers' mail servers lack mail retry capabilities because so many of their emails are returned – not necessarily due to greylisting, but also because recipients don't exist or the email has been rejected by an RBL. If every returned email was added to a mail retry queue, it would limit the ability of the mail server to send fresh spam – thus limiting the likelihood of a malware, ransomware, or phishing attack being successful.
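The greylisting decision described above can be sketched as follows. This is an added example, not code from Microsoft or from any secondary solution named on this page; it assumes the "return with a request to resend" is done with a temporary SMTP 451 reply, and the timing constants and the keying of IPv4 sources on their /24 are illustrative assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Illustrative timings (assumptions, not values from any product).
MIN_DELAY = 300          # seconds a new sender must wait before a retry counts
RETRY_WINDOW = 4 * 3600  # a retry later than this starts the clock again
PASS_TTL = 36 * 86400    # how long a sender that passed stays approved

@dataclass
class Greylist:
    whitelist: list = field(default_factory=list)   # pre-approved source networks
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time
    passed: dict = field(default_factory=dict)      # triplet -> last accepted time

    def _key(self, client_ip, mail_from, rcpt_to):
        # Legitimate senders often retry from a neighbouring host, so the
        # source is keyed on its network rather than on the exact address.
        prefix = 24 if ipaddress.ip_address(client_ip).version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now`."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.whitelist):
            return 250, "whitelisted source"
        key = self._key(client_ip, mail_from, rcpt_to)
        if key in self.passed and now - self.passed[key] <= PASS_TTL:
            self.passed[key] = now
            return 250, "known triplet"
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now
            return 451, "greylisted, try again later"
        if now - first < MIN_DELAY:
            return 451, "retry too soon"
        del self.first_seen[key]
        self.passed[key] = now
        return 250, "retry accepted"

def demo():
    # Constructed traffic using documentation-only address ranges.
    g = Greylist(whitelist=["192.0.2.0/24"])
    legit = ("198.51.100.5", "news@example.net", "user@example.org")
    return [g.check("192.0.2.10", "partner@example.com", "user@example.org", 0)[0],
            g.check(*legit, now=0)[0],    # first attempt is deferred
            g.check(*legit, now=60)[0],   # retry before MIN_DELAY is deferred
            g.check(*legit, now=600)[0]]  # retry after MIN_DELAY is accepted
```

A sender that never retries stays in `first_seen` and is never accepted; only mail that receives a 250 here would go on to the authentication, RBL, and content checks described earlier.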

Despite Microsoft's reluctance to support greylisting, this pre-filtering process is proven to be successful in enhancing Office 365 email protection. In independent tests, greylisting increases the spam detection rate from 99% to 99.97% with only 0.003% false positives. Although this means some spam emails and emails harboring threats did manage to avoid detection, there is a reduced risk to organizations that implement a secondary solution with greylisting capabilities.

How to Enhance Office 365 Email Protection with a Secondary Solution

The process for enhancing Office 365 email protection with a secondary solution may vary depending on each organization's setup and the secondary solution being used. However, in most cases, it involves editing the default connection filter and creating a new mail flow rule in the Exchange Admin Center so the Office 365 mail filter blocks all inbound mail except traffic from the secondary solution's IP address. (Other rules may be necessary depending on the domain(s) used.)

Then, on the Admin portal of the secondary solution, enter the domain(s) and destination server in order to redirect the MX record. The process takes just a few minutes and, once it is completed, all the organization's inbound mail for the selected domains will be greylisted by the secondary solution before being delivered to the Office 365 mail filter to continue the usual tests and checks explained above. It really is that simple to enhance Office 365 email protection – and it needn't cost a lot.

Secondary solutions such as SpamTitan Cloud can cost less than $1.00 per user per month depending on the number of users and the length of the subscription. Compared to the cost of remediation, restoration, and recovery after a successful cyberattack, it is a very small price to pay to enhance Office 365 email protection. To find out more, and to arrange a free demo of SpamTitan Cloud in action, visit today.