Office 365 defaults for connection-time checks such as SPF, DKIM and DMARC are non-secure.
Office 365 has other insecure default behaviours, both for legacy compatibility reasons and because Microsoft has to take a one-size-fits-all approach to connection-time security. For example, Office 365 will accept emails from non-existent domain names and from domains which do not represent an FQDN.
With the world’s most talented engineers and a seemingly infinite budget, why does Microsoft fall victim to phishing attacks that get past ATP and Exchange Online Protection (EOP) for Office 365? (25% of all Phishing Attacks get through MS 365).
The reasons have nothing to do with any specific failure by Microsoft, but much to do with the widespread adoption of Office 365 as an enterprise collaboration suite. Because Office 365 is the most used platform, it is also the most attacked. This creates strengths and weaknesses in ATP.
Organizations should use a third-party email security layer sitting in front of Office 365 that has more tailored AI, security that is invisible to hackers, and flexible and responsive reporting, control and support.
A layered security module is imperative when moving your email to a multi-tenant cloud environment like Office 365.
Many organizations believe that their current email security systems are up to the task of protecting them from malware, spam, and other email-borne threats. However, this is not true as most email security systems fall short and do not keep their organization safe. The entire industry needs to be working towards a higher standard in quality, protection, and email security.
Based on the principle “what gets measured, gets managed,” Topsec has used the numbers to establish a framework to measure the effectiveness of Microsoft Office 365 as an email security system. This report provides the details of the test results and explains what these results mean.
Total Caught as Spam: 1,500,777 detected as Spam. 500,259 rejected and 1,000,518 quarantined.
The TESRA test covered 13,553 email users over a 90-day period of email received from various organizations. Within that timeframe, more than 10 million emails were inspected by Topsec. These emails had already been passed as safe by the organization’s implementation of Microsoft Office 365 services with Exchange Online Protection or Advanced Threat Protection. The Topsec security test ran passively after the incumbent email security systems had executed all their security filters, and determined that nearly 1,504,010 or 15% of the 10,014,185 emails were actually “bad” or “likely bad”. The overall false negative rate in the TESRA test of Microsoft Office 365 was 15% of all emails inspected by Topsec.
Most of the emails that got through were spam: 99.79% of the false negatives that were passed by the incumbent email security systems and caught by Topsec were spam emails. Most spam email is not lethal; however, these messages can lead to more sophisticated attacks. As we move down the funnel, the number of false negatives decreases, but these attacks are more lethal.
In the next level, 1,206 emails caught by Topsec were dangerous file types. Dangerous file types cover many file types which are not sent over email including .exe (executables) and .src (source) files. Topsec recommends that customers block or quarantine these dangerous file types by default.
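The block-or-quarantine-by-default recommendation above, sketched as an added example (not Topsec's or Microsoft's code): a Python filter that walks a message's MIME parts and quarantines on a blocked extension, including double extensions and trailing-dot padding. The extension set holds only the two types named on this page; the function names and sample addresses are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named on this page; the set is an assumption to extend per local policy.
BLOCKED_EXTENSIONS = {".exe", ".src"}


def normalized_extension(filename: str) -> str:
    """Return the lowercased final extension, ignoring padding tricks.

    Trailing dots and spaces are stripped because Windows drops them on save,
    so "invoice.exe. " still lands on disk as "invoice.exe".
    """
    # Keep only the last path component in case the name carries a path.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    # Only the final extension counts, so "report.pdf.exe" yields ".exe".
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def dangerous_attachments(raw_message: bytes) -> list[str]:
    """List the filenames of every MIME part whose extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def verdict(raw_message: bytes) -> str:
    """Quarantine by default when any blocked file type is attached."""
    return "quarantine" if dangerous_attachments(raw_message) else "deliver"


def build_sample(filenames: list[str]) -> bytes:
    """Constructed sample message with harmless placeholder attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Matching on the filename alone does not inspect file content, so a renamed executable passes this check; it implements only the extension-based default described above.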