+61 2 9270 0666

The Facts on Office 365 Email Security

Office 365 Email Security

Out of the box, Microsoft’s Office 365 email security provides some good levels of protection around basic spam and malware filtering. If you want something more substantial that will suit your business, it’s most likely that you need to look at 3rd party products to fill the gap.

The Office 365 suite isn’t a one-site fits all platform. Microsoft have built the platform with all it’s tools as a great starting point. In many cases, adding 3rd party products can enhance the functionality and security than the uplift that Microsoft would charge for similar services.

You will need to plan your strategy to help thwart the security attacks on your Office 365 email. Industry pundits are already suggesting that phishing scams will be more of a problem than hacking or ransomware.

When you’re moving your business to the cloud, managing all the security requirements adds another layer of complexity and consideration. It’s important to make sure you know what you need and what you are getting.

What’s in the box with Office 365 Exchange Online Protection?

Exchange Online Protection (EOP) includes a lot of features that you would expect in many on-premise email filtering platforms. With Office 365, the included security features make it an easy option.

EOP is Microsoft’s cloud-based email filtering services. It was built to protect your business against spam and malware.

With the Office 365 Enterprise plans, Microsoft have only included the anti-spam and malware defence with their subscription. If you want more, you will need to upgrade to Advanced Threat Protection.

Office 365 Spam Protection

Anti-spam measures are a big commodity item these days in the email filtering landscape. Spam has been around for that long that most products provide spam filtering – and everyone should be doing it well. Sadly, not all do.

Microsoft’s EOP spam filtering works okay and is centrally managed within the Office 365 administration portal.

Like most anti-spam engines, EOP utilises a range of techniques and content analysis to detect spam. Office 365 EOP checks for spam inbound and outbound of your tenancy.

By default, all detected spam is sent to the Junk Email folder within the Exchange profile. This can be accessed on any device to review and retrieve any emails that have been falsely marked as spam.

One downside with Exchange Online Protection is that if any email is falsely marked as spam, you need to the send the email as an attachment to Microsoft to have the email examined and re-classified.

This is a bit of a burden on many users. It’s unlikely many people would go through the process.

Microsoft’s Exchange Online Protection includes:

  • Inbound spam detection
  • Outbound spam detection
  • Bulk email filtering
  • Malicious URL block lists for known-bad URLs
  • Anti-Phishing protection for known-bad spam domains

Office 365 Malware Protection

By default, malware filtering is enabled across the board in Office 365. Basically, it includes:

  • Anti-malware protection in all inbound email
  • Anti-malware incorporates anti-virus and anti-spyware controls

Microsoft claims to have zero-day protection against malware. Interestingly, Microsoft also provides a service for users to upload malware to report malware that made it through the filter.

Domains hosted in Office 365 are the most targeted for phishing attacks. Interestingly, phishing attacks in Office 365 can originate from other domains hosted within Office 365.

Anti-malware policies can be customised, however the default policy will always remain.

In short, the anti-malware component is very simple. When malware is detected, it deletes the whole message or just the attachments.

Office 365 Email Security Features You May Need

Simply, look at third party vendors. In this space, Microsoft has realised there’s and issue and now offers Advanced Threat Protection (ATP) as a separate product to add-on to EOP.

By the time you add the costs of ATP, you might be better off looking at 3rd party solutions. To learn more about Office 365 ATP, go here:

Robust Anti-Phishing

Phishing attacks are transforming. They are just getting smarter. Office 365 EOP only provides the basic checks. You will likely need to go further.

Phishing scams can be used to steal credentials and solicit money from your business. To stay in front of the evolving techniques used by scammers, you should look at:

  • Deploy URL filtering and web filtering. These strategies can provide defence against malicious URLs and provide ‘time-of-click’ analysis.
  • Look at adopting cyber security training to keep your staff up to date with the latest phishing strategies so they know how to identify a potential scam.
  • Implement a Secure Email Gateway (SEG) in front of Office 365 to better identify spoofing of internal email addresses, similar domain names and other traits of phishing scams.

Building in Email Resilience

Every business relies on email. Internal and external communication stops without it. If you are solely relying on Office 365, any outage can essentially take your business offline.

When you are looking to enhance you email security, you need to look at not only protecting your email against threats, you need to protect your email against outages.

There are 3rd party solutions out there that provide resiliency for Office 365. If your Office 365 tenancy goes down for any reason, you can use your resiliency options to send and receive emails. This applies to both desktop and mobile applications.

Once your 365 email comes back online, all your email, including those that you’ve sent, will flow back to your Office 365 mailboxes for all your staff.

Upgrading Your Anti-Malware Position

Once you’ve deployed a SEG in front of Office 365, you will have access to a range of strategies and mechanisms that aren’t included with Exchange Online Protection.

SEG solutions have the ability to encode URLs. When someone clicks on an encoded URL, the destination address is checked by the SEG when the link is clicked on. Further checks are performed at the ‘time-of-click’ to validate the domain and any potential payload for malware.

Most email gateways only check URLs against a known block list when they are delivered to your mailbox. This kind of defence is a false sense of security.

Look Internally for More Security

Your staff are always the last line of defence and technology can only do so much. Security awareness training can help.

Training your staff to be aware of phishing attacks and other questionable practices around the use of email is a powerful weapon against nefarious email traffic.

Only 11% of organisations focus any effort on training for cyber attacks. This would suggest that over 90% of businesses are relying purely on technology solutions to fill the gaps.

There are many solutions available in the market that provide self-paced online training that will ensure your staff are aware of the tricks and tactics that scammers use to try and con your staff.

Where to next?

It’s important to understand that once you’re in Office 365, you might have gaps around email security. How are you going to fill those gaps?

With the growing number of threats around phishing attacks and at the speed these attacks are evolving, you need to make sure that your Office 365 email security solution is protecting your business data, your staff and your customers.

Use available technology to limit the exposure to phishing attacks. At the same time, train your staff to identify the scams to further mitigate the risk against falling prey to phishing scams.


    ITConsult designs, implements and supports IT environments for Australia‘s medium-large organisations through a portfolio of business IT solutions. Navigating technology today can be a minefield and everyone seems to have an agenda.

    If you'd like to have a good old fashioned talk about what might work for you, please get in touch for an obligation-free, over the phone chat.