Office 365 Spam Filter and Phishing Protection

If you work in healthcare and regularly receive spam and malicious emails in your Office 365 inbox there is a strong probability that you only have the basic Microsoft spam filter – Exchange Online Protection (EOP) in place. Given the extent to which healthcare organizations are being targeted by cybercriminals and the high cost of an email data breach, the basic Microsoft spam filter provided with Office 365 licenses as standard is unlikely to provide sufficient protection and could be exposing your organization to an excessive level of risk.

Office 365 is an Excellent Software Suite, but Office 365 Anti Spam Protections are not a Strong Point

Microsoft has an extensive range of products within its Office 365 suite and actively markets those products to healthcare organizations, including email services. There are now in excess of 1 million companies globally using Office 365 and well over 600,000 companies in the United States use Office 365. In October 2019, Microsoft broke the 200 million active monthly user mark and the number is increasing at a rate of around 3 million per month. It is clear that its products are much loved and extremely popular.

The products fulfil many needs in healthcare and Microsoft has achieved the highest possible HITRUST CSF rating for Office 365. Microsoft supports HIPAA compliance and its Office 365 products are covered by its business associate agreement. However, one area where Office 365 attracts criticism is the volume of spam and phishing emails that bypass the Office 365 spam filter and make it to inboxes where they can be opened by employees. Office 365 spam filter reviews often cite the relatively poor catch rates as the reason for seeking an alternative spam filter for Office 365.

Office 365 Spam Filter Performance

Microsoft’s signature-based detection mechanisms will block 100% of known malware threats (according to an Osterman Research study), but phishing and spam emails often sneak past its defenses. The standard EOP Office 365 spam filter is heavily reliant on real-time blackhole lists (RBLs) to determine whether a message is genuine and should be delivered or whether it is spam and should be blocked.

RBLs are constantly updated lists of domains and IP addresses that have been reported as being used for spamming or other malicious purposes. Any message from a listed domain or IP address is automatically flagged and quarantined.

To get around the problem of RBLs, spammers change domains frequently. By the time an IP address has been added to an RBL, it has likely already been abandoned and replaced. Alternatively, hundreds of different domains may be used for spamming and phishing campaigns, with each sending mail at low levels well below the threshold where they will be flagged for spamming and added to an RBL. These campaigns are often tested on dummy Office 365 accounts to ensure the messages are delivered before the campaign is launched.

The Office 365 spam filter problem is not due to a lack of technical expertise. More advanced anti-spam and anti-phishing mechanisms are available from Microsoft, but they are only included in the Advanced Threat Protection (ATP) package – the second-tier Microsoft spam filter. Microsoft claims ATP offers comprehensive protection against phishing attacks and other email threats, and it is a significant improvement on EOP. ATP will certainly provide a better level of protection against more advanced and sophisticated email threats and should certainly be considered, but even the ATP package has shortcomings.

Independent tests conducted by SE Labs showed that even the higher-tier Office 365 anti-spam protections from Microsoft failed to block many threats. SE Labs reported that the level of protection provided by ATP was only equivalent to email security solutions in the “low to middle end of the market.”

In healthcare, more advanced anti-spam and anti-phishing features are required and better detection rates are needed. The industry is heavily targeted by hackers and phishing is the number one method of attack. A look at the HHS’ Office for Civil Rights breach portal clearly shows the extent to which healthcare organizations are falling victim to phishing attacks. Email is the most common location of breached protected health information and there are often well over a dozen phishing attacks reported by healthcare organizations each month. Phishing attacks are the leading cause of healthcare data breaches.

Third-Party Office 365 Email Security Solutions Provide Superior Protection

Malware and ransomware also pose a major threat to healthcare organizations, and these threats commonly arrive via email. An analysis by Proofpoint in June 2020 showed an increase in ransomware attacks via email, which could indicate email may once again become a main entry point for ransomware gangs.

Signature-based detection mechanisms will protect against all known malware and ransomware threats, but they are not effective at blocking zero-day threats – malware and ransomware variants that have not been detected before. New variants of existing malware and ransomware are constantly being released and it takes time for the threats to be identified and added to the virus definition lists used by AV engines in spam filters.

To block these new malware threats, additional non-signature-based detection mechanisms are required. Predictive machine-learning solutions are useful in this regard, as is sandboxing. Sandboxing is used to execute suspicious files that have passed AV inspection. The files are sent to the sandbox where they are subjected to in-depth analysis for command and control center callbacks and other malicious actions. These advanced protections are not available with the basic Microsoft spam filter.

To ensure phishing risk is effectively managed and reduced to an acceptable level, advanced anti-spam and anti-phishing protections are required. That means Microsoft ATP should be used as a minimum or, for even greater protection, a third-party spam filtering solution should be layered on top of Office 365.

The third-party route is a wise choice. With a third-party solution, EOP will still be active and blocking threats but will be augmented. The third-party solution provides an additional layer of protection and when it comes to cybersecurity, it pays not to put all of your eggs in one basket and have all security provided by the same vendor.


Will an Office 365 spam filter block all spam email?

Most advanced spam filters will block more than 99.9% of spam and malicious emails and will only misidentify a tiny percentage of genuine emails as spam. It is usually possible to increase the aggressiveness of the spam filter, but this typically results in a higher false positive rate.

How does a spam filter detect spam emails?

Spam filters use a variety of techniques for detecting spam and malicious emails. These include blacklists of known spam sources, the Sender Policy Framework (SPF) to detect email impersonation attacks, greylisting to identify new sources of spam, and scoring of the headers and message body based on their content. Malware is identified using antivirus software and sandboxing, and many modern spam filters also incorporate AI and machine learning engines to improve detection rates.
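The RBL mechanics described in the "Office 365 Spam Filter Performance" section and the layered techniques listed in the answer above can be seen working together in the following example. It is an added illustration written for this page, not code from Microsoft or from any spam filter vendor. The DNSBL zone name, the listed IP addresses, the rule weights, the quarantine threshold and the sample messages are all constructed for the demonstration; a production filter would resolve the DNSBL query name over DNS and take the SPF result from its MTA rather than from a field on the message.

```python
"""Layered spam scoring: DNSBL lookup, SPF result, greylisting and content rules.

Added example for this page. Zone name, listed IPs, weights and sample
messages are constructed; nothing here talks to the network.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-ins for a DNSBL. A real MTA resolves the query name over DNS
# and treats an A record in 127.0.0.0/8 as "listed"; here a set of IPs plays that role.
CONSTRUCTED_DNSBL_ZONE = "dnsbl.example.invalid"
CONSTRUCTED_LISTED_IPS = {"203.0.113.45"}   # TEST-NET-3 address, constructed

SPF_WEIGHTS = {"fail": 3.0, "softfail": 1.5, "none": 0.5, "pass": 0.0}
RBL_WEIGHT = 4.0
LINK_MISMATCH_WEIGHT = 2.0
QUARANTINE_THRESHOLD = 5.0   # constructed threshold for the demo

# Constructed content rules: (pattern, weight, reason label)
CONTENT_RULES = [
    (re.compile(r"\b(urgent|immediately|suspended)\b", re.I), 1.5, "urgency wording"),
    (re.compile(r"verify your (account|password|identity)", re.I), 2.0, "credential lure"),
]
URL_HOST_RE = re.compile(r"https?://([^\s/:]+)", re.I)


@dataclass
class Message:
    sender_ip: str
    from_domain: str
    spf_result: str      # as an MTA would record it: pass / fail / softfail / none
    subject: str
    body: str


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name an MTA resolves to check an IPv4 address: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rbl_listed(ip: str, zone: str, listed_ips) -> bool:
    """Offline stand-in for the DNS lookup: is the query name among the listed ones?"""
    listed_names = {dnsbl_query_name(x, zone) for x in listed_ips}
    return dnsbl_query_name(ip, zone) in listed_names


@dataclass
class Greylist:
    """Temporarily reject a never-seen (ip, sender, recipient) triple; accept on a retry
    after min_delay seconds. Real MTAs retry; most single-shot spam senders do not."""
    min_delay: int = 300
    first_seen: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def check(self, sender_ip: str, from_addr: str, rcpt: str, now: int) -> str:
        key = (sender_ip, from_addr.lower(), rcpt.lower())
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return "defer"
        return "defer" if now - seen < self.min_delay else "accept"


def content_score(msg: Message) -> Tuple[float, List[str]]:
    """Score subject and body against the constructed rules plus a link/sender mismatch check."""
    score, reasons = 0.0, []
    text = msg.subject + "\n" + msg.body
    for pattern, weight, label in CONTENT_RULES:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    for host in URL_HOST_RE.findall(msg.body):
        if not host.lower().endswith(msg.from_domain.lower()):
            score += LINK_MISMATCH_WEIGHT
            reasons.append(f"link host {host} does not match sender domain")
            break
    return score, reasons


def score_message(msg: Message, listed_ips=CONSTRUCTED_LISTED_IPS,
                  zone=CONSTRUCTED_DNSBL_ZONE) -> Tuple[float, str, List[str]]:
    """Combine RBL, SPF and content evidence into one score and a verdict."""
    score, reasons = content_score(msg)
    if rbl_listed(msg.sender_ip, zone, listed_ips):
        score += RBL_WEIGHT
        reasons.append("sender IP on DNSBL")
    spf_weight = SPF_WEIGHTS.get(msg.spf_result, SPF_WEIGHTS["none"])
    if spf_weight:
        score += spf_weight
        reasons.append(f"SPF {msg.spf_result}")
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return score, verdict, reasons


# Constructed sample messages (example.invalid / TEST-NET addresses throughout).
PHISH = Message("203.0.113.45", "hospital.example", "fail",
                "URGENT: verify your account",
                "Your mailbox will be suspended. Verify your account at "
                "https://login.hospital-example.invalid/verify")
# Same lure from an IP not yet on any list: the RBL misses it, the other layers do not.
PHISH_FRESH_IP = Message("198.51.100.99", PHISH.from_domain, PHISH.spf_result,
                         PHISH.subject, PHISH.body)
LEGIT = Message("198.51.100.20", "hospital.example", "pass",
                "Schedule for next week",
                "The updated rota is on https://intranet.hospital.example/rota")

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("phish from fresh IP", PHISH_FRESH_IP), ("legit", LEGIT)):
        score, verdict, reasons = score_message(msg)
        print(f"{name}: {verdict} (score {score}) {reasons}")
```

The second sample message is the point of the layering: it reproduces the evasion described earlier on the page (a sending IP that has not yet reached any RBL), so the RBL rule contributes nothing, yet the SPF failure, the credential lure and the link host that does not belong to the claimed sender domain still push it over the threshold. A filter that stopped at the RBL check would deliver it.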

Will a spam filter block malware?

The antivirus engines of spam filters use signature-based detection methods and will identify and block all known malware threats. New malware variants are constantly being released, so many spam filters also incorporate a sandbox where suspicious email attachments are analyzed in safety for malicious actions if they pass the antivirus checks.

How can I improve the Office 365 spam filter?

Office 365 includes a spam filter – Exchange Online Protection (EOP) – although this spam filter only provides a basic level of protection. Many businesses find this level of protection insufficient and augment EOP with a third-party spam filter or Microsoft’s add-on advanced spam filter, Advanced Threat Protection (ATP). ATP and third-party spam filters provide superior protection against sophisticated phishing attacks and new malware threats.

What is Sandboxing?

A sandbox is a secure environment where suspicious files are analyzed for malicious actions. Spam filters often include a sandbox where suspicious email attachments are subjected to in-depth analysis if they pass the initial checks performed by the spam filter and are not detected as malicious by the in-built antivirus engines. Sandboxing is important for detecting never-before-seen malware variants.