Microsoft 365 is the most adopted cloud email and office application solution available on the market today. Most IT admins say the reason they made the move to Office 365 is that “they no longer have the time to spend administering their on-premises Exchange.” However, most overestimate the security capabilities of Office 365.
It’s a well-known fact within the cyber security industry that a lot of threats originate from email accounts within Office 365’s own environment.
Office 365 defaults for connection-time checks such as SPF, DKIM and DMARC are not secure.
Office 365 has other insecure default behaviours, both for legacy compatibility reasons and because it has to take a one-size-fits-all approach to connection-time security. For example, Office 365 will accept emails from non-existent domain names and from domains which do not represent an FQDN.
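A gateway placed in front of Office 365 can apply the sender-domain checks described above at connection time. The following is an added example, not Topsec's or Microsoft's code; the function names and the `SAMPLE_DNS` table (a constructed stand-in for live DNS lookups) are assumptions.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed stand-in for DNS so the example runs offline:
# domain -> record types that exist for it.
SAMPLE_DNS = {
    "example.com": {"MX", "A"},
    "mail-only.example.net": {"A"},
}

def is_fqdn(domain):
    """True if the name is syntactically fully qualified (two or more valid labels)."""
    domain = domain.rstrip(".")
    if not domain or len(domain) > 253:
        return False
    labels = domain.split(".")
    if len(labels) < 2:                       # single label, e.g. "mailserver"
        return False
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    return not labels[-1].isdigit()           # rejects bare IPv4 literals

def check_sender(mail_from, dns=SAMPLE_DNS):
    """Return (accept, reason) for the address given in SMTP MAIL FROM."""
    if mail_from == "":
        return True, "null sender (bounce)"   # RFC 5321 null reverse-path
    local, sep, domain = mail_from.rpartition("@")
    if not sep or not local:
        return False, "malformed address"
    domain = domain.lower().rstrip(".")
    if not is_fqdn(domain):
        return False, "sender domain is not an FQDN"
    # A domain can receive mail via MX, or via A/AAAA when no MX is published.
    if not dns.get(domain, set()) & {"MX", "A", "AAAA"}:
        return False, "sender domain does not exist in DNS"
    return True, "ok"

if __name__ == "__main__":
    for sender in ["alice@example.com", "bob@mailserver",
                   "carol@no-such-domain.invalid", ""]:
        print(repr(sender), check_sender(sender))
```

In production the `dns` lookup would be a real resolver query, and a temporary DNS failure should defer the message rather than reject it.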
Configuration can be a big issue when the person responsible for setting up Office 365 fails to configure it correctly. Incorrect provisioning can leave you vulnerable to many major security threats.
Office 365 is commonly described as a one-size-fits-all solution with regard to security. What does this mean for you? Because Office 365 is a multi-tenant environment, its security features do not allow for flexibility when it comes to unique, targeted email-borne threats against end users.
Office 365’s E3 and E5 licenses are Office suite licenses that include security elements but are not fully focused on email security and threat prevention.
Given these factors, Office 365 has a number of shortcomings with regard to email security.
Office 365 is commonly used by hackers as a means to simulate their attacks, so it’s easy for attackers to test their methods until they can bypass Office 365’s security filters.
Our mission statement is to fully focus on protecting the communication of our end users. Microsoft Office 365 is a multifunctional product with no particular focus on email security.
If an employee account gets hacked, outgoing emails become a threat. Using an additional security layer provides you with the benefits of monitoring abnormal trends in outgoing email.
With the world’s most talented engineers and a seemingly infinite budget, why does Microsoft fall victim to phishing attacks that get past ATP and Exchange Online Protection (EOP) for Office 365? (25% of all phishing attacks get through MS 365).
The reasons have nothing to do with any specific failure by Microsoft, but much to do with the widespread adoption of Office 365 as an enterprise collaboration suite. Because Office 365 is the most used platform, it is also the most attacked. This creates strengths and weaknesses in ATP.
Organizations should use a third-party email security layer sitting in front of Office 365 that has more tailored AI, security that is invisible to hackers, and flexible and responsive reporting, control and support.
A layered security module is imperative when moving your email to a multi-tenant cloud environment like Office 365.
Many organizations believe that their current email security systems are up to the task of protecting them from malware, spam, and other email-borne threats. However, this is not true as most email security systems fall short and do not keep their organization safe. The entire industry needs to be working towards a higher standard in quality, protection, and email security.
Based on the principle “what gets measured, gets managed,” Topsec has used the numbers to establish a framework to measure the effectiveness of Microsoft Office 365 as an email security system. This report provides the details of the test results and explains what these results mean.
The Topsec Email Security Risk Assessment is a test that passively inspects emails that have been let through by third-party incumbent email systems as safe and ended up on an organization’s email management system. Topsec put these emails through their own email security systems to reinspect the emails for false negatives i.e., emails that are spam or contain malware or malicious attachments.
Total Caught as Spam: 1,500,777 detected as Spam. 500,259 rejected and 1,000,518 quarantined.
The TESRA test covered 13,553 email users over a 90-day period of email received from various organizations. Within that timeframe, more than 10 million emails were inspected by Topsec. These emails had already been passed as safe by the organization’s implementation of Microsoft Office 365 services with Exchange Online Protection or Advanced Threat Protection. The Topsec security test occurred passively after the incumbent email security systems had executed all their security filters, and determined that nearly 1,504,010 or 15% of the 10,014,185 emails were actually “bad” or “likely bad”. The overall false negative rate in the TESRA test of Microsoft Office 365 was 15% of all emails inspected by Topsec.
Most of the emails that got through were spam: 99.79% of the false negatives passed by the incumbent email security systems and caught by Topsec were spam emails. Most spam email is not lethal; however, these messages can lead to more sophisticated attacks. As we move down the funnel, the number of false negatives decreases, but these attacks are more lethal.
At the next level, 1,809 of the emails caught by Topsec were impersonation attacks that were missed by Microsoft Office 365. These malicious emails are socially engineered to impersonate a trusted party, a CEO for example, with the intention of prompting the recipient to do something they should not do in a timely manner, e.g., transferring funds to a bank account as soon as possible. As these emails do not contain malware or malicious attachments, they are harder to detect. The number of these targeted email attacks has significantly increased in recent years.
In the next level, 1,206 emails caught by Topsec were dangerous file types. Dangerous file types cover many file types which are not sent over email including .exe (executables) and .src (source) files. Topsec recommends that customers block or quarantine these dangerous file types by default.
Moving down a level, 218 emails were identified to contain ‘known malware’, which is a term used for malware which has previously been seen in the environment and reported as malware. Missing any known malware is a massive sign of weakness in an IT security system and is very worrying.
Many organizations think that their current email security systems are keeping them safe from new and emerging email-borne threats, however, the TESRA test proves that this is not the case. These days, hackers are more sophisticated, resourced and targeted which leads to more effective email attacks. They continue to search to find holes and flaws in services such as Microsoft Office 365, so it is vital that you put as many layers of security in place as your budget will allow.