Is Your Office 365 Email Really Secure?

The migration of email infrastructure from on-premises to the cloud has accelerated to such an extent that by 2021, Gartner estimates 70% of organizations will use cloud email services. So, naturally, the number one threat vector for organizations today is email. Microsoft Office 365 is the predominant SaaS service in the market, and while Microsoft provides a base level of email security it’s much like a lot of their products: just enough.

Built into every O365 Email subscription is EOP (Exchange Online Protection), along with the option to purchase Advanced Threat Protection (ATP) for an added layer of security. While much better than nothing, Office 365 EOP and spam filters don’t prevent many of the modern techniques attackers use to pass through filters. Hundreds if not thousands of threats pass through O365 ATP suite and into the inboxes of small business users every month.

Because of these numbers, and how vulnerable email is, Gartner recommends adding cloud email supplemental security to protect cloud mailboxes with layered security and diversified threat intelligence. So, since the cloud security umbrella is wide (and for the sake of not writing a 200-page thesis), we’ll focus on cloud email security.

Microsoft Email Security Options

Let’s get into the details of some key areas that at a base level should be securing your office 365 email beyond SPAM filtering. Microsoft’s ATP does provide basic threat protection and reporting, along with some key features, such as URL rewriting, attachment sandboxing, and (probably the most advertised) easy integration requiring no additional mail hops, mailflow rules, or connectors.

However, for about $35 a month, any hacker in the world can create an Office 365 account to figure out how to circumvent these security protections. We know from security analysts that there is code put in by hackers to specifically evade Microsoft’s default security. Down the road this might be a viable solo option. But having been introduced in 2015, the product is still relatively immature—especially compared to security vendors who’ve been doing this for decades.

Another large drawback is reporting and forensics. While, yes, there is reporting, visibility and control in the Microsoft security interface is limited, making it difficult to deep-dive into a specific incident, find the root cause, determine which users are impacted, if a user account was compromised, if data was lost, etc. At the same time, ATP limits reporting based on time constraints. For example, it takes a few hours to return a mail protection detail report for messages older than 7 days. For data older than 90 days, reports are inaccessible.

Additional Security Layers

To summarize, while not a complete enterprise solution, you should definitely use Microsoft as a primary security provider and layer additional security solutions from third parties that have more tailored AI, security that’s invisible to hackers, and expansive reporting.

Here are key areas to look for:

Unknown and Dynamic Threats – these threats can be missed and continue to linger in cloud mailboxes. Faster, automated detection and remediation tools are needed to mitigate the spread of email-borne threats inside your organization.

Targeted Platform-Wide Attacks – The broad-based adoption of cloud email opens organizations to new threat vectors. Attackers have increasingly targeted cloud mailboxes for takeover to launch attacks against the organization. Cloud email platforms are among the most impersonated domains. A successful credential phish can expand the attack surface to include the full office suite, with options to launch insider or spearphishing attacks.

Advanced Threats – Advanced threats like ransomware, Business Email Compromise (BEC) and targeted phishing attacks such as spearfishing can breach the native security defenses of cloud email platforms.

Perimeter Security – Cloud email platforms are susceptible to threats from within the office suite. A credential phish can lead to an account takeover, giving access to internal communications, and creating a launchpad for internal phishing and business email compromise attacks. Since perimeter security is unaware of insider threats, it’s important to scan every mail entering or leaving each cloud mailbox. Continuous mailbox analysis is the key to protecting against insider threats.

Where to start

If you want to do some quick research, Google a relatively new category of email security called Cloud Email Security Supplement (CESS). According to Gartner, “CESSs focus on specific threats, often in the realm of hard-to-detect phishing and can leverage full access to cloud-hosted inboxes via APIs for detection and remediation.” Some requirements in this category make it unique:

• Requires on-demand scanning of mailboxes, generally as a secondary scan at low-use times.
• Quickly manages outbreaks that spread through email.
• Demands detection methods that use historical communication patterns (e.g. to build social graphs in defense against phishing).
• Has substantial intra-domain email traffic without routing through a Secure Email Gateway (SEG).
• Uses applications that have programmatic access to the mail server.
• Users regularly post messages in public folders.
• Does not use an SEG.

If you’d like to expand your knowledge-base even further, a lot of smart people here at Anexinet would love to talk with you about this all day. Please feel free to reach out to us with any questions. We’d love to help you ensure your Office 365 email is secure.