IT Security News & Blog

Why Relying on Office 365's Built-In Email Security is a Bad Idea

Posted: 5 July 2019

We get it: you migrated to Office 365 and, lo and behold, it has its own built-in email security capability. That's handy; no more need for a separate solution, Microsoft can handle it for you, right?

Well, not in our experience. We are users of Office 365 too and have been amazed at the sheer quantity of phishing and fraudulent emails landing in our inboxes. That's right, not in spam but in the most trusted folder of all: the inbox.

We are not an anomaly here. Look at the breach disclosures filed by HIPAA-covered organisations in the US and the number of breaches involving email at organisations using Office 365 is worrying.


What is Wrong with Office 365 Email Security?

Firstly, this is not a blog post bashing Office 365 or Microsoft. Considering that email security is a minor bolt-on to their email service, you are getting a good basic level of security. In the face of a wave of fraudulent emails, however, it is simply not enough.

In fact, some researchers now estimate that up to 90% of all breaches begin with some form of fraudulent email. That is a significant level of risk for any organisation, and it needs focus.


Office 365 will provide you with AV scanning for malware, checks of the sender's SPF and DKIM records, and some content checks for indicators of spam. But that is where it ends.

What happens when someone sends an email from a domain that is on no blacklist, carrying no malware and no indicators of spam, that looks like it comes from a person of authority asking you to transfer funds?

It gets through, of course.

Let's take a look at an example.


Using Domain Aging to Beat Office 365

As mentioned previously, a large part of how Office 365 detects malicious email is to check blacklists and the sending domain's SPF and/or DKIM records.

By registering a new domain, such as office-secure-mail-server.management, for a minimal cost with DNS management, we can publish legitimate SPF and DKIM records for it, and the domain will not be on any blacklist because it is untainted. SPF and DKIM only prove that the mail really came from the domain named in the envelope and signature; they say nothing about whether that domain belongs to someone trustworthy.

We can then send an email whose display name looks like a familiar sender. In fact, we do this all the time as part of our phishing simulation service.

Spoofed Email Using Domain Age

Note: this screenshot was taken from a G Suite email app to highlight that both platforms are vulnerable.

By relying on the newness and clean reputation of the domain, we pass most of Office 365's controls, and because most email clients hide the actual address by default and show only the display name, we can pass as someone else.


How to Protect Office 365?

Our recommendation is not to rely on Office 365's built-in security alone, but to beef it up with something complementary.

Taking the example of domain age: there are actually only a handful of solutions out there which check how recently a sending domain was registered and warn users that a newly created domain is a risk.
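The script below is an added illustration, not code from this post or from CORVID. It runs the two checks argued for above, a familiar display name on an address that is not the real one, and a freshly registered sending domain, over a constructed message of the kind built in the domain-aging section, and adds a Reply-To mismatch check that goes slightly beyond the text. The organisation directory, domains, registration dates and the 30-day threshold are all assumptions; a real deployment would replace the DOMAIN_CREATED table with an RDAP/WHOIS lookup.

```python
"""Flag display-name spoofing from a newly registered domain (added example)."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}          # assumed: domains we send from
TODAY = date(2019, 7, 5)               # assumed evaluation date

# Hypothetical directory: lower-cased display names of people whose
# instructions our users act on, mapped to their real addresses.
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}

# Constructed registration dates standing in for a live WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "example.com": date(1995, 8, 14),
    "office-secure-mail-server.management": date(2019, 6, 28),
}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"


def domain_age_days(domain, today):
    """Days since registration, or None if we hold no record for the domain."""
    created = DOMAIN_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def assess(raw_message, today):
    """Return (banner, reasons) for a raw RFC 5322 message.

    banner is 'red' (likely impersonation), 'amber' (treat with care) or
    'green' (nothing unusual found); reasons explains each finding.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    reasons, banner = [], "green"

    # 1. Familiar display name, but the address is not that person's.
    expected = KNOWN_PEOPLE.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        reasons.append(f"display name '{display_name}' belongs to {expected}, "
                       f"but this mail is from {address}")
        banner = "red"

    # 2. Sending domain registered recently (or not known at all).
    age = domain_age_days(domain, today)
    if age is None:
        reasons.append(f"no registration record for {domain}")
        banner = banner if banner == "red" else "amber"
    elif age < NEW_DOMAIN_DAYS:
        reasons.append(f"{domain} was registered {age} days ago")
        banner = banner if banner == "red" else "amber"

    # 3. Replies routed to a different domain than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append(f"replies go to {reply_to}, not to the From domain")
        banner = banner if banner == "red" else "amber"

    # 4. Passing SPF/DKIM only shows the mail came from the domain it claims;
    #    for an attacker-owned domain that is expected, so it is no reassurance.
    auth = msg.get("Authentication-Results", "")
    if banner != "green" and "spf=pass" in auth and "dkim=pass" in auth:
        reasons.append("SPF and DKIM pass, but only for the external domain itself")

    return banner, reasons


# Constructed messages: a spoof from a week-old domain, and a real internal mail.
SPOOFED = """\
From: Jane Doe <jane.doe@office-secure-mail-server.management>
To: finance@example.com
Subject: Urgent payment
Authentication-Results: mx.example.com; spf=pass; dkim=pass
 header.d=office-secure-mail-server.management

Please transfer the funds today, I am in meetings all morning.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com

Attached is the Q3 budget for review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        banner, reasons = assess(raw, TODAY)
        print(f"{label}: {banner} banner")
        for r in reasons:
            print("  -", r)
```

The constructed spoof gets a red banner on the display-name check alone; the seven-day-old domain and the passing SPF/DKIM are reported as supporting context, which is the point: authentication results are not a trust signal when the attacker controls the domain.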

CORVID email protection uses this and 22 other methods to determine the authenticity and safety of an email. It then places a colour-coded banner at the top of the email so that the recipient can decide whether or not to trust the sender and its content.

Corvid Email Protection Warning Banner

Best of all, a number of CORVID customers are users of Office 365 and have opted to complement it with CORVID email protection, arming their users with the information needed to protect their networks where technology alone can't.

If you would like to learn more about email security or CORVID email protection, you can book a call with one of our solution specialists.


Topics: Email Security, Email Fraud


Written by Chris Payne

Managing Director - Advanced Cyber Solutions