Office 365 Email Security

Office 365 is one of the most popular cloud-based software solutions, but how does Office 365 email security stack up? Does Microsoft’s Office 365 email security offerings provide sufficient protection against malware and ransomware, and should Microsoft’s anti-phishing defenses be augmented with one of the many third-party email security solutions on the market?

Microsoft’s Office 365 Email Security Options

Microsoft offers two email security options for Office 365, the most basic of which – Exchange Online Protection (EOP) – is included with the cost of the standard Office 365 license. The second tier of security, which has more advanced security features, is Advanced Threat protection (APT).

The protection provided by EOP can be considered to provide the bare minimum level of security against malware and phishing. A study conducted by Osterman Research showed EOP is effective at blocking known malware threats, 100% of which were stopped by EOP’s signature-based antivirus controls in its tests. EOP also provides a reasonable level of anti-spam filtering, blocking 99% of unsolicited bulk mail and EOP provides a reasonable level of protection against standard phishing emails.

APT provides a higher level of protection against more advanced malware through sandboxing through “Safe Attachments”, malicious URLs or web links protection in emails and attached documents by comparing the links against Real-time blackhole lists (RBLs) through “Safe Links”, and advanced anti-phishing protection. APT is split into two tiers. The above measures are included with APT Plan 1, which is available with Microsoft 365 Business Premium. Plan 2 takes protection further by adding threat trackers, threat explorer, and automated investigation and response capabilities. Plan 2 is provided with Office 365 E5, Office 365 A5, and Microsoft 365 E licenses.

Enhancing Office 365 Email Security

Microsoft has taken steps to improve its security controls in recent years, and threat detection capabilities have been significantly enhanced to provide greater protection against more targeted attacks such as spear phishing and zero-day threats, but there is still room for improvement. Microsoft Office 365 email security does not use the multi-layered approach found in more advanced third-party Office 365 email security solutions, such as predictive technologies to identify advanced threats, machine learning, and algorithmic analyses and pattern matching.

SE Labs analyzed Microsoft’s security controls for Office 365 and found that even with APT, the level of protection provided is still only at the low to mid-market level. A study conducted by Avanan found that the anti-phishing mechanisms used by Microsoft failed to block 25% of phishing threats, which were delivered to Office 365 inboxes.

In healthcare, which has long been extensively targeted by cyber actors, advanced phishing defenses are needed. Healthcare data breaches are being reported at record levels and phishing is the number one cause of data breaches. Given the high risk of phishing attacks, doubling up on phishing protection is strongly recommended.

Layered Security Improves Protection Against Sophisticated Email Attacks

The key to good email security for Office 365 is layered defenses. Adding different layers to your defenses ensures that if one detection mechanism fails to detect a threat, others are in place to provide protection. It is unwise to rely on just one cybersecurity vendor to provide all of your security. Combining solutions from multiple vendors will increase the probability that threats will be detected. When businesses have their email on-premises, multiple cybersecurity protections are used and security solutions are rarely all supplied by the same provider. A similar approach should be adopted for protecting cloud-based email, using cloud-based security solutions from different vendors. Most cybersecurity firms have developed email security solutions for Office 365 that can be layered on top of Office 365 protections to provide even greater protection against more sophisticated threats. These enterprise-class solutions take threat detection and response a step further than APT and improve protection against attacks such as business email compromise (BEC), Spear phishing, email impersonation attacks, and zero-day malware and phishing threats. By layering an advanced, enterprise-class Office 365 email security solution on top of Microsoft’s defenses, these advanced threats are much more likely to be blocked.

Office 365 Email Security Checklist

In addition to enhancing anti-spam, anti-phishing, and anti-malware protection with advanced security solutions, there are several other steps to take to improve email security for Office 365. We have compiled a list below of the additional protections that should be enabled on your Office 365 accounts.

  • Ensure multifactor authentication is enabled to prevent compromised credentials from being used to access Office 365 accounts
  • Enable mailbox audit logging
  • Ensure SPF, DKIM, and DMARC are enabled to identify and block email impersonation attacks
  • Disable mailbox auto-forwarding to remote domains
  • Disable POP3 or IMAP4 access to mailboxes in Exchange Server
  • Block sign-in for shared mailbox accounts
  • Disable macros on all devices
  • Use a web filtering solution to provide time-of-click protection against malicious hyperlinks in emails
  • Enable Office 365 message encryption or use a third-party email encryption solution
  • Create an email retention policy and use an email archiving solution to reduce the number of emails stored in mailboxes.
  • Create a data loss prevention policy to prevent accidental sharing of sensitive data on email
  • Ensure the workforce is provided with regular security awareness training


If I have an advanced email security solution, do I still need to provide security awareness training?

No email security solution will provide total protection from email threats, so some malicious emails will arrive in inboxes. It is important to provide security awareness training to ensure employees can recognize any email threats that are not blocked by the spam filer. Security awareness training is also a requirement for HIPAA compliance.

How often should security awareness training be provided?

HIPAA is rather vague on the required frequency of security awareness training for the workforce. The best practice is to provide security awareness training to everyone as part of the onboarding process, and then to provide at least annual refresher training. Given the rapidly changing threat landscape, bi-annual training sessions are recommended, and the frequency should be guided by a risk assessment.

Why is outbound scanning of emails important?

Outbound scanning of emails is important for identifying compromised mailboxes that are being used to send phishing emails. Some email security solutions also have data loss protection features and scan outbound messages for sensitive data types such as PHI. These features allow you to identify potential breaches and HIPAA violations and take rapid action to mitigate the threat.

How can I find out more about the best Office 365 email security solutions?

Email security solution providers are unlikely to tell you the negatives about their solutions. It is advisable to check independent review sites to find out how genuine users of the products feel they perform. Sites such as G2, Expert Insights, Spiceworks, Reddit, and Software Advice are a good place to start. Also, take advantage of any free trials on offer.

What providers offer alternative Office 365 email security solutions?

Many cybersecurity firms offer email security solutions for Office 365, including CISCO, Mimecast, ESET, Proofpoint, and TitanHQ. TitanHQ has recently launched SpamTitan Plus, which provides superior protection against malicious links in emails with 100% coverage of ALL current market-leading anti-phishing feeds and faster detections than the current market leaders.

Immediate Access

Privacy Policy