Exchange Spam Filters

Microsoft Exchange spam filters provide a basic level of protection against spam, phishing emails, and malware. In the default configuration, many users feel the level of protection provided by Exchange spam filters falls short of what is required. By default, the filters are set to be very permissive, which means many threats slip through the net.

With some tweaking it is possible to enhance the protection provided and more aggressive spam filtering controls can be applied, but even with some customization the level of protection provided by Exchange Online Protection (EOP) may not be sufficient for healthcare organizations.

The healthcare industry is heavily targeted by cybercriminals and email is the primary attack vector. Email is used to spread malware – via malspam – and phishing and social engineering are used to convince healthcare employees to disclose their login credentials, giving cybercriminals access to email accounts to use for BEC attacks, phishing campaigns, and other attacks on the organization. The volume and variety of email threats received by an average healthcare organization each day means spam filters need to be very effective.

Spam and Phishing Protection

Microsoft Exchange spam filters, especially EOP, lack the sophistication to block sufficient numbers of these threats. Exchange spam filters block around 99% of spam email, but many third-party solutions block more than 99.9% of spam email.

Greylisting is an important anti-spam control that can help to improve detection rates past the 99% mark. This is not included in EOP. Greylisting involves rejecting messages from questionable domains and IPs and sending a request for the message to be resent. Legitimate mail servers tend to respond to these requests promptly and resend the message, whereas mail servers being used for spamming either never resend the message or resend it only after a severe delay. The time delay is a good indicator of whether the sender is genuine.

Exchange spam filters provide some protection against phishing, but this is an area where the difference between third-party solutions and EOP is really noticed. A recent study by Avanan revealed 25% of phishing emails were not blocked by Exchange spam filters and were delivered to inboxes. It is therefore understandable why EOP is often criticized by IT departments.

Exchange spam filters use real-time block lists (RBLs) to identify spam and phishing emails. RBLs are constantly updated lists of IP addresses that have been identified as having been used for sending spam, phishing, and other malicious emails. This is an important mechanism for blocking spam, but it is less effective at blocking phishing emails. Many third-party anti-spam solutions combine RBLs with SURBL filtering. SURBL filtering is an additional check that is similar to RBLs, but instead of checking the sending IP address it checks the links in a message against a constantly updated list of URLs that have been used for phishing and malware distribution. This is lacking in EOP.
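The two lookups described above, as an added example that is not code from any product named on this page. It shows why a message sent from an unlisted IP address can still be caught by its link. The zone names, listings, and function names are constructed for illustration, and a dictionary stands in for DNS so the code runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed zones and listings. A real filter sends these names to a block
# list's DNS zone; the dict stands in for the resolver so this runs offline.
RBL_ZONE = "rbl.example"
SURBL_ZONE = "surbl.example"
CONSTRUCTED_DNS = {
    "10.113.0.203.rbl.example": "127.0.0.2",            # listed sending IP
    "login-portal.example.surbl.example": "127.0.0.2",  # listed link domain
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def rbl_query_name(ip, zone=RBL_ZONE):
    """IPv4 lists are queried with the octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def url_hosts(body):
    """Return the distinct hostnames of the http(s) links in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def surbl_query_names(host, zone=SURBL_ZONE):
    """Query the host and each parent domain, stopping at two labels."""
    labels = host.split(".")
    return [".".join(labels[i:]) + "." + zone for i in range(len(labels) - 1)]


def check_message(client_ip, body, resolve=CONSTRUCTED_DNS.get):
    """Return (verdict, reason): IP check first, then every link in the body."""
    if resolve(rbl_query_name(client_ip)):
        return ("reject", "rbl:" + client_ip)
    for host in url_hosts(body):
        if any(resolve(name) for name in surbl_query_names(host)):
            return ("reject", "surbl:" + host)
    return ("accept", "")
```
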

The healthcare industry is particularly susceptible to phishing attacks. Healthcare organizations have a large workforce and staff turnover is high. Providing security awareness training is a requirement of HIPAA but keeping the workforce up to date on the latest threats and making sure all employees with access to email receive training can be a major challenge.

A study published in The Journal of the American Medical Association (JAMA) in March 2019 confirmed how susceptible healthcare organizations are to phishing attacks. During the period of study, 2.9 million simulated phishing emails were sent to employees at 6 hospitals. The click rate was 16.7%. Almost one in 7 emails were clicked by employees.

With such a high click rate it is vital that advanced spam filtering controls are in place to block the majority of threats. Healthcare organizations can pay extra for Advanced Threat Protection (ATP) from Microsoft to improve their email security defenses or they can choose a third-party spam filter that provides a much greater level of protection. It is unwise to rely on EOP alone.

Anti-Malware Protections in Exchange Spam Filters

In addition to having problems detecting phishing emails, Exchange spam filters struggle to detect malware threats.

The signature-based malware detection mechanisms used by Microsoft are good at blocking known malware threats, but they do not provide protection against zero-day threats – new malware variants that have yet to be detected as malicious and have their signatures uploaded into anti-virus software engines.

Microsoft does not include sandboxing in its Exchange spam filters. A sandbox is an isolated environment where suspicious email attachments can be executed safely and analyzed for malicious actions.

Known malware threats can be easily rejected by anti-virus controls, but zero-day threats are likely to pass through unhindered. With a sandbox, any suspicious email attachments can be subjected to deep analysis to identify malicious actions and command and control center callbacks. Third-party solutions also usually allow you to easily block certain types of attachments that are commonly associated with malware, such as .zip, .exe, .scr, and .js files.

Third-party anti-spam solutions often include data loss protection features, which allow you to implement comprehensive content filtering rules and delete, redirect, quarantine, or bounce emails that violate your rules. These controls are important in healthcare where there is a high risk of data loss.

If you want to improve your security posture and protect against email attacks, you will need to implement layered defenses. If you want to make an instant improvement to your security posture and resiliency to phishing and email-based malware attacks, an advanced anti-spam solution is the best place to start.


What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that helps prevent email impersonation attacks, where scammers forge the from address. Checks are performed to ensure the sender is authorized to send messages from that domain. You should look for an Exchange spam filter that incorporates DMARC and other email authentication checks.

How can a third-party Exchange spam filter help with HIPAA compliance?

A third-party Exchange spam filter can improve protection against phishing emails and malware, which will help to prevent data breaches. Spam filters with outbound scanning can identify compromised mailboxes and attempts by employees to send HIPAA-protected data to external email accounts.

Is security awareness training for employees required for HIPAA compliance?

The HIPAA Security Rule requires covered entities to implement a security awareness and training program that includes periodic security updates. The best practice is to provide security awareness training to the workforce at least annually, and the training should teach employees how to recognize and respond to suspicious emails.

Does greylisting slow down email delivery?

Greylisting is an important feature of a spam filter, as it allows previously unknown sources of spam to be detected. When greylisting is activated, there will be a small delay in receiving emails, but no more than a few minutes. To ensure business-critical emails are not delayed, you could whitelist trusted senders, who would then be excluded from the greylisting process.
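The greylisting decision described in the spam protection section and in the answer above, as an added example that is not code from any product on this page. In SMTP terms the request to resend is a temporary failure reply, and the filter remembers each combination of connecting IP, sender, and recipient. The delay values, addresses, and class name are constructed for illustration.

```python
# Constructed policy values; real filters make these configurable.
MIN_RETRY_DELAY = 300      # seconds a first-time sender must wait before a retry counts
RETRY_WINDOW = 4 * 3600    # a retry later than this is treated as a new first attempt


class Greylist:
    def __init__(self, trusted_ips=()):
        # Whitelist keyed on connecting IP: the envelope sender is easy to forge.
        self.trusted_ips = set(trusted_ips)
        self.first_seen = {}   # (ip, sender, recipient) -> time of first attempt
        self.passed = set()    # triplets that have already retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if client_ip in self.trusted_ips:
            return "250 accepted (whitelisted)"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 accepted (known sender)"
        first = self.first_seen.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[triplet] = now
            return "451 greylisted, try again later"
        if now - first < MIN_RETRY_DELAY:
            return "451 greylisted, try again later"
        self.passed.add(triplet)
        return "250 accepted (retried after %d s)" % (now - first)


def replay(attempts, trusted_ips=()):
    """Run (time, ip, sender, recipient) attempts in order; return the replies."""
    gl = Greylist(trusted_ips)
    return [gl.check(ip, s, r, t) for (t, ip, s, r) in attempts]


# Constructed attempts: a mail server that retries, a bulk sender that tries
# once more straight away and gives up, and a whitelisted partner.
ATTEMPTS = [
    (0,    "192.0.2.25",   "billing@partner.example", "nurse@hospital.example"),
    (0,    "203.0.113.10", "offers@bulk.example",     "nurse@hospital.example"),
    (5,    "203.0.113.10", "offers@bulk.example",     "nurse@hospital.example"),
    (600,  "192.0.2.25",   "billing@partner.example", "nurse@hospital.example"),
    (9000, "192.0.2.25",   "billing@partner.example", "nurse@hospital.example"),
    (9000, "198.51.100.5", "lab@results.example",     "nurse@hospital.example"),
]
```
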

Should I set highly aggressive spam filtering rules?

Having highly aggressive spam filtering rules will ensure virtually all email threats are blocked; however, the more aggressive the filtering rules, the more likely it is for genuine emails to be caught by the spam filter. They will then need to be released from quarantine by the administrator, which will slow down email delivery. You should take a risk-based approach to spam filtering, with the more aggressive controls set for individuals most at risk of being targeted.