Microsoft 365 Email Spam Filtering

How effective is Microsoft 365 email spam filtering and is it possible to improve the Microsoft 365 email spam filters to block more email threats? In this post we explore the benefits of Microsoft 365 email spam filtering and identify areas where improvements can be made to better protect against spam, phishing, malware, ransomware, and email impersonation attacks.  

According to Statistica, Microsoft 365/Office 365 is used by more than 1 million companies worldwide, including well over 700,000 in the United States alone. With so many businesses using Microsoft 365 it should come as no surprise to discover cyber threat actors actively target Microsoft 365 email accounts. Estimates suggest 43% of all phishing attempts are sent to Microsoft accounts and around 120 billion spam messages are being sent every day worldwide.

With such high numbers of spam email – which includes malicious messages – and the extent to which Microsoft accounts are targeted, it is vital for adequate spam protections to be implemented. Microsoft 365 email spam filtering is included with all Microsoft 365 and Office 365 licenses to all users are protected against email threats such as phishing and malware. However, the level of protection provided depends on the license purchased and how the solutions are configured.

There are two levels of Microsoft 365 email spam filters: The first, which protects all accounts, is Exchange Online Protection (EOP). EOP includes a package of protections that will block spam and phishing emails, email impersonation attacks, and malware and ransomware. According to Microsoft, around 5 billion threats are blocked each month and the Microsoft 365 email spam filters block over 99% of spam email.

Consider that there are 120 billion spam messages sent per day and 43% target Microsoft accounts. That means around 50 million messages each day are not blocked by the Microsoft 365 email spam filters. Fortunately, it is possible to improve the effectiveness of Microsoft 365 email spam filtering while also reducing the cost of spam filtering.

Microsoft 365 Email Spam Protection

Microsoft 365 email spam protection is achieved using a variety of different mechanisms. Like other anti-spam solutions, one of the most important front-end protections comes from blocklists. Blocklists are lists of IP addresses that are known to be used for sending spam or malicious messages. If an email comes from an IP address included in the list it will not be delivered. Other front-end checks include the use of proprietary machine learning technologies, which can identify spam emails from previously unknown sources of spam. Checks are also performed on email attachments to identify malicious scripts and malware. Checks are also performed on inbound emails in accordance with the anti-phishing policies in place.

The basic level of protection provided by EOP is reasonable, but it is unlikely to be sufficient on its own for most businesses and certainly enterprises. Fortunately for enterprise users an additional level of protection is provided by Defender for Office 365, which is included in the upper tier Microsoft 365 plans. This additional suite of Microsoft anti-spam measures can be purchased separately by businesses on the lower-level plans.

Defender for Office 365 will ensure more threats are blocked due to the comprehensive range of anti-threat technologies included. For instance, Defender for Office 365 includes sandboxing to identify more advanced malware in email attachments and to verify the legitimacy of embedded URLs, with URLs rewritten to provide time-of-click URL verification.

Defender for Office 365 does provide a good level of protection for SMBs and enterprises, but there are some issues with Microsoft 365 email spam filters and one notable feature missing.

Advantages and Disadvantages of Microsoft 365 Email Spam Filtering

Tools are provided with both EOP and Defender for Office 365 that can be used to tweak the settings to improve the effectiveness of Microsoft 365 email spam filtering, and these can be used to good effect to improve spam and malicious email detection. The downside is configuring the Microsoft 365 email spam filters is not particularly straightforward and there is potential for misconfigurations to occur which can negatively impact the effectiveness of spam filtering.

There is also a considerable management overhead which means IT teams may have to spend many hours managing the solution to get it working as effectively as it should. It is necessary, for instance, to set spam thresholds for different departments to ensure spam filtering is effective across the entire organization, and this is a time-consuming process that can involve a considerable amount of trial and error to get right.

For organizations with hybrid environments, where EOP is used to protect on-premises Exchange mailboxes, spam filtering is more complex. Two sets of transport rules must be configured for on-premises Exchange mailboxes to allow EOP spam headers to be recognized. Any mistakes made during this set up process will significantly reduce the effectiveness of spam filtering. Many users complain about the number of threats that are delivered to inboxes or the volume of legitimate messages that are sent to junk folders, which is mostly due to configuration issues.

One notable omission from Microsoft is an anti-spam feature called greylisting, which can ensure a greater number of threats are blocked. Some spam filters incorporate greylisting in their front-end checks alongside the use of blocklists and machine learning filtering mechanisms. Greylisting is performed on non-whitelisted senders and involves initially rejecting an email and requesting it be resent by the originating mail server. Generally, email servers being used for spamming do not respond to these requests, or only deal with them at the end of a spam run. The resultant delay before the request times out indicates the likelihood of a message being spam.

Greylisting is effective at blocking spam and malicious emails and could reduce the pressure on Microsoft 365 spam filters, which would help to accelerate the delivery of legitimate emails. With a lower volume of spam and malicious messages, there would be less need to configure different spam thresholds for different departments. However, that would require a third-party solution to be layered on top of the Microsoft 365 spam filtering mechanisms.

The lack of greylisting and the complexities of the tweaks to Microsoft 365 email spam filters means that for many SMBs and enterprises, a better solution for improving the effectiveness of Microsoft 365 email spam filtering is to opt for a third-party spam filter to use in combination with the protections provided by Microsoft.

With a third-party spam filter that has greylisting, front end spam checks can be performed by that solution. Those checks include greylisting, checks against IP blocklists, invalid recipient checks, and Sender Policy Framework and DMARC checks. If an advanced solution is used, the secondary checks for compliance with spam filtering policies can also be performed by the solution rather than the Microsoft email spam filters. That would allow organizations to avoid the complex configuration issues of the Microsoft 365 email spam filters. Many third-party anti-spam solutions have been developed to work seamlessly with Microsoft 365 and compliment the Microsoft anti-spam measures and provide greater protection from email threats.

What is the Best Email Spam Filter for Microsoft 365?

The best email spam filter for Microsoft 365 is one that can be layered on top of Microsoft protections to plug the gaps in protection and make configuration much easier and less error prone. Greylisting is a must, as is integration with Active Directory.

The basic protections provided by the Microsoft EOP spam filters can be left as they are, with the third-party solution configured in accordance with the organization’s anti-phishing and anti-spam policies if the solution incorporates the advanced features of Defender for Office 365. That will also mean SMBs will not have to pay for the ad-on cost of Defender for Office 365.

Important features to look for are verification of embedded URLs and sandboxing to detect malware threats, in addition to antivirus controls – or dual antivirus engines for greater protection.

There is a lot to be said about having anti-spam protections from more than one company. Cyber threat actors develop campaigns to bypass EOP protections and test their campaigns against their own EOP accounts. Having an additional service provider protecting against spam will help to block more threats. A third-party solution will also ensure emails continue to be delivered when there is a Microsoft 365 outage.

For organizations that prefer to have their anti-spam solution deployed on premises, a third-party solution makes sense due to the lack of an on-premises option for Microsoft 365 spam filtering.

Alternative to Microsoft 365 Spam Filtering

One anti-spam solution that ticks many boxes is SpamTitan from TitanHQ. SpamTitan has been adopted by more than 12,000 companies for protecting their email environments and provides some key benefits over Microsoft 365 email spam filtering and can improve the effectiveness of Microsoft 365 email spam filters.

SpamTitan is available as a cloud-based solution or as a gateway solution for deployment on-premises. The solution is consistently rated highly by end users on independent software review sites, especially for ease of deployment, ease of use, threat detection, and the low management overhead compared to Microsoft 365.

The solution incorporates greylisting to plug the gap in Microsoft 365 spam filtering, and performs extensive front end checks including Bayesian analysis, heuristics, and machine learning to detect new sources of spam, phishing, and malware-laced emails. Protection from the latter comes from BitDefender and ClamAV anti-virus engines, and a Bitdefender-powered sandbox provides protection against zero-day threats. Six real-time blacklists are also used to block known sources of spam and malicious emails and help to achieve spam detection rates of 99.97%.

Granular filtering rules can easily be implemented and there is inbound and outbound scanning, with the latter including data loss protection mechanisms to protect against insider threats and compromised mailboxes.

Ease-of use is a major selling point, as not only does it reduce the maintenance burden and the associated cost, it also reduces the potential for misconfigurations, which can have serious consequences.

The full product is available on a free trial with full support for the duration of the trial to allow you to assess its effectiveness at complimenting the Microsoft 365 spam filters and improving protection at your organization.