Office 365 Email Protection

The default Office 365 email protection used to be good. But, as hackers and cybercriminals have found ways to circumnavigate Microsoft´s protective mechanisms, more email-borne threats are evading detection. To address this issue, and better protect Office 365 mailboxes, you should implement a secondary mail filter such as SpamTitan.

Office 365 is one of the most widely used software suites in the world and, consequently, one of the most targeted software suites in the world. Aware of this, Microsoft frequently rolls out updates for Office 365 email protection and other services; but it doesn´t take long for cybercriminals to discover ways of circumnavigating Microsoft´s updates – and ways for their threats to avoid detection.

An example of how quickly Office 365 email protection can go out of date relates to email sender authentication mechanisms. In September 2019, Microsoft announced DMARC support across all its email platforms; yet, within a year, a Black Hat Briefing identified eighteen types of attacks to bypass email sender authentication mechanisms – including SPF, DKIM, and DMARC.

The same happened in 2015 when Microsoft launched the SafeLinks feature to detect malicious links embedded in emails, and – when the SafeLinks feature was circumnavigated – in 2019 when Microsoft added Native Link Rendering so end users could inspect the original embedded link and make an informed decision about whether or not to click it. In both cases, it took less than a year for cybercriminals to devise ways to circumnavigate the latest Office 365 email protection.

How to Enhance Office 365 Email Protection

The Black Hat Briefing referenced above concluded that “even a conscientious security professional using a state-of-the-art email provider service […] cannot with confidence readily determine when receiving an email, whether it is forged.” It is also the case that, due to SiteCloak obfuscation, neither Microsoft nor end users can determine whether a URL is malicious. So, how can you enhance Office 365 email protection to mitigate threats of this nature? The answer is greylisting.

Greylisting is a process.that takes place as soon as an email enters a mail server. Before passing the email through to front end checks such as recipient verification and sender authentication, the email is returned to its originating server with a request for the email to be resent. In most cases, the email is returned within minutes, recognized by the greylisting process, and passed through to the remaining checks before being delivered to the recipient´s inbox.

However, the majority of emails harboring threats are not returned because spammers´ mail servers are rarely designed with mail retry queues. This is attributable to spam email often being rejected by mail servers; and, if mail retry queues were quickly filled up with rejected emails, there would be no capacity remaining to send fresh spam. Consequently, forged emails and those containing cloaked malicious links are less likely to be delivered to unsuspecting users.

Microsoft doesn´t acknowledge the fact that greylisting can enhance Office 365 email protection – despite independent tests increasing the spam detection rate from 99% to 99.97%. The company says the existing SPF, DKIM, and DMARC mechanisms do the same job as greylisting (which they clearly don´t) and that greylisting can significantly delay the delivery of genuine emails – which is true, but can easily be overcome by whitelisting trusted contacts so their emails are not greylisted.

How to Add Greylisting to Office 365 Mailboxes

As Microsoft doesn´t support greylisting, the best way to enhance Office 365 email protection with greylisting is to use a secondary email filter such as SpamTitan. The Office 365 mail server has to be configured to only accept email traffic from SpamTitan, and the Office 365 domain and destination server added to SpamTitan. Thereafter all non-whitelisted emails will be returned to the originating mail server, and only when they are resent will they be forwarded to the Office 365 mail server.

Alternatively, it is possible to use SpamTitan as a standalone email filter. This gives organizations the option of whether to deploy their email filter in the cloud (SpamTitan Cloud) or as an on-premises virtual appliance (SpamTitan Gateway). Both options offer a better level of email protection than Office 365 inasmuch as they are more intuitive to configure, support granular filtering policies, and protect against Zero-Day malware attacks.

Additionally, SpamTitan Cloud and SpamTitan Gateway enable the application of data leak prevention rules, offer advanced phishing protection, and are equipped with dual antivirus engines that scan both the content of emails and any attachments for malware. It is also possible to take advantage of a powerful next-generation sandbox security capability that protects against advanced email attacks. To find out more, visit www.spamtitan.com.