Email Security Considerations for Microsoft 365 Users

Microsoft’s Email Security Strengths

With an incredible volume of email passing through its security measures, Microsoft continues to up its game and improve its built-in email security all the time. But threat actors are increasing the sophistication of their attacks too.

Using public-domain literature from Microsoft, including its Defender documentation (previously EOP), and insights from the experience of GreatHorn’s operations teams, we looked at how Microsoft protects your enterprise from email related risks and attacks.

First off, let’s look at its strengths. As noted in our 2023 State of Email Security Report, Microsoft has improved its attachment scanning, resulting in a dramatic decline in attachment-based attacks reaching users. Microsoft’s native capabilities are known to be effective for a number of other basic hygiene capabilities too, like:

• Blocking emails from known bad senders
• Blocking emails with known bad URLS
• Performing content analysis to identify SPAM

Eliminating known bad emails (senders, links or attachments) through quarantining prevents users from engaging with these risky emails. By default, all emails will be scanned for spam (anonymous, unsolicited messages sent in bulk) which is important hygiene to increase business productivity and reduce the number of daily nuisance emails that contribute to inbox fatigue, lowering users’ capacity to spot true risks.

Mind These Gaps

Microsoft was one of the top 7 brands for attackers to spoof in 2022. Threat actors also continue to target Microsoft’s email users with increasingly sophisticated attacks to bypass Microsoft’s own native controls.

Here are some potential gaps worth considering to ensure you have the best protection against business email compromise (BEC) and zero-day attacks.

• Sophisticated anomaly detection
• Credential harvesting attacks
• Account takeover detection

While Microsoft has strong baseline capabilities for handling known bad emails, it hasn’t fared as well against more sophisticated attacks.  In our blog, we shared an example of GMX.net phishing attacks that bypassed Microsoft’s own native controls. With impersonation and account takeover attacks on the rise via business email compromise (BEC), many organizations will want to consider additional email security to protect your enterprise from email related risks and attacks.

Augmenting Cloud Email Security

With Microsoft handling static threats well, organizations should be considering solutions that allow for dynamic policies, specific to phishing and other threats and requirements, to close that gap.

Integrated cloud email security (ICES) solutions, that connect to cloud-native email platforms using APIs to examine emails, are fast becoming the industry standard. Providing defense- in- depth through a variety of advanced detection techniques, user education, and streamlined search and remediation capabilities to contain the impact of compromised internal accounts, ICES augment Microsoft’s native email security for more robust risk mitigation.

Key Capabilities to Consider Adding

• Artificial Intelligence (AI) and Machine Learning (ML)

  Enhance your ability to identify and address attack types that operate in the grey area, outside of what typical threat intelligence can detect, with solutions harnessing AI, ML, and even natural language understanding (NLU) and natural language processing (NLP). These technologies can be used to perform relationship analysis, paired with machine vision to inspect destination sites in real-time, and evaluate communication patterns and styles to identify other anomalous characteristics that simple matching against known bads fails to reveal.

• User Education

  User education can greatly reduce email risk, but for end users to make informed decisions, they need to be armed with contextual information. ICES commonly utilize custom banners to offer guidance directly oriented towards the potential risk the user is interacting with. Less commonly, they may provide additional mailbox intelligence that alerts and helps users understand who it is they are communicating with, if they or their colleagues have ever spoken to the sender in question before, and if there are any notable risk areas included with the message they are reading. Account takeover protection is a key protection against BEC, used to actually validate the identity of a sender using biometric authentication, reducing exposure from any compromised account.

• Streamlined Search and Remediation

  Since sophisticated attacks can take many forms and often lack the sender and/or subject line consistency of more simplistic volumetric phishing campaigns, having a robust search engine that enables you to search against any combination of factors, from relatively simple content-based keyword searches to more technical metadata, is beneficial in acting quickly to remediate. For larger organizations especially, incident response that makes it easy to perform bulk removal of threats from user inboxes is an  important capability.

Overall, Microsoft 365’s built-in email security features provide strong baseline protection against static, known bad emails. But ‘Unknown Bad’ attacks are delivered daily by social engineering, malware, malicious links, vendor and executive impersonation, Business Email Compromise (BEC), phishing, supply chain, advanced malware, and combinations of these.

To optimize the performance of your email-related risk function, complementary capabilities gained from integrated cloud email security solutions (ICES) provide defense in depth, dynamically engaging additional layers of content analysis, user education, and remediation capabilities. ICES offer a wide range of functionality, so invest wisely in comprehensive protection, while minimizing overlaps, overhead, and redundant spend.