Office 365 Email Protection

Microsoft offers a range of Office 365 email protection via a selection of subscription plans and premium services. However, even at the highest level of email protection, the shortcomings of the Exchange Online Protection, Defender for Office 365, and Advanced Threat Protection services could leave your business vulnerable to malware, ransomware, and phishing attacks.

In September 2019, Microsoft announced support for Domain Message Authentication, Reporting, and Conformance (DMARC) across all email platforms. The objective of DMARC support was to shore up existing email sender authentication protocols (SPF and DKIM), to enhance Office 365 email protection, and to make the Office 365 suite more resilient against email spoofing and impersonation.

Less than a year later, a Black Hat Briefing demonstrated eighteen types of attacks to bypass email sender authentication mechanisms – including SPF, DKIM, and DMARC – and concluded “even a conscientious security professional using a state-of-the-art email provider service […] cannot with confidence readily determine when receiving an email, whether it is forged.”

This isn't the first time a measure to enhance Office 365 email protection has been found to be fallible. In 2015, Microsoft launched the SafeLinks feature in Defender for Office 365. This feature was supposed to provide URL scanning, rewriting, and time-of-click URL verification. However, Site Cloaking can easily fool Microsoft's scanners – rendering this protection measure virtually useless.

How to Better Protect Office 365 Mailboxes

A better way to protect Office 365 mailboxes is to prevent threats that can evade detection from ever reaching the Office 365 mail server. The best way to do this is by implementing a secondary filtering device that supports greylisting and placing it in front of the Office 365 mail server so that the majority of malware, ransomware, and phishing attacks never reach their intended victims.

Greylisting is a process that returns all emails to their originating mail servers unless the source of the email has been whitelisted. Returned greylisted emails are accompanied by a request for the email to be resent, and most genuine emails are returned within a couple of minutes. The secondary filtering device knows they have passed greylisting and forwards them to the Office 365 mail server.

Non-genuine emails are usually not returned because many spammers' mail servers are not equipped with retry capabilities. This is because a lot of emails are returned to spam mail servers and, if a server tried to resend every one – along with all the new spam it was trying to send – it would likely exceed the server's capacity and limit the opportunity for a successful attack.
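The greylisting decision described above, sketched as an added example (it is not SpamTitan's or Microsoft's code). It assumes the common design of keying on client network, sender, and recipient, a temporary 4xx SMTP reply as the "request to resend", and a 60-second minimum retry delay; all addresses, reply texts, and timings are constructed.

```python
import ipaddress

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"  # constructed reply text
ACCEPT = "250 2.0.0 OK"

class Greylist:
    """Illustrative greylisting keyed on (client /24, sender, recipient)."""

    def __init__(self, whitelist=(), min_delay=60, max_wait=4 * 3600):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.min_delay = min_delay  # assumed: faster retries stay deferred
        self.max_wait = max_wait    # assumed: pending entries expire after this
        self.pending = {}           # triplet -> time of first attempt (seconds)
        self.passed = set()         # triplets that have already retried properly

    def _key(self, client_ip, sender, recipient):
        # Key on the /24 so a retry from another host in a sending pool matches.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.whitelist):
            return ACCEPT           # whitelisted sources skip greylisting
        key = self._key(client_ip, sender, recipient)
        if key in self.passed:
            return ACCEPT           # this triplet has passed before
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.max_wait:
            self.pending[key] = now  # first attempt or stale entry: start clock
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL         # retried too quickly to count
        del self.pending[key]
        self.passed.add(key)
        return ACCEPT               # genuine retry: forward to Office 365

def demo():
    gl = Greylist(whitelist=["198.51.100.0/24"])
    msg = ("news@sender.example", "bob@corp.example")
    return [
        gl.check("198.51.100.7", "ap@partner.example", "bob@corp.example", 0),
        gl.check("203.0.113.10", *msg, 0),    # first attempt: deferred
        gl.check("203.0.113.10", *msg, 20),   # retry too soon: deferred
        gl.check("203.0.113.11", *msg, 180),  # retry from same pool: accepted
        gl.check("203.0.113.10", *msg, 900),  # known triplet: accepted
        gl.check("192.0.2.50", "x@bulk.example", "bob@corp.example", 0),
    ]

if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

A sender that never retries stays in `pending` and is never forwarded, which is the filtering effect the passage describes.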

In terms of preventing threats that can evade detection from ever reaching the Office 365 mail server, greylisting increases Microsoft's spam detection rate from 99% to 99.97% – justifying the cost of implementing a secondary filtering device to enhance Office 365 mail protection. Furthermore, enhancing Office 365 mail protection with a secondary filtering device is easy.

How to Enhance Office 365 Email Protection with SpamTitan

Not all secondary filtering devices connect with Office 365 in the same way. Therefore, for this explanation of how to enhance Office 365 email protection with a secondary filtering device we have chosen SpamTitan by TitanHQ – a leading email filtering solution that supports greylisting and is highly recommended on many independent review sites.

As mentioned above, SpamTitan has to be placed in front of the Office 365 mail server so inbound email first goes to the SpamTitan email filter. Emails from sources that have been whitelisted are passed from SpamTitan to Office 365, and all other emails are returned to their originating mail server. Those that are then resent by the originating server are passed from SpamTitan to the Office 365 mail filter – where the usual front-end tests and checks against blocklists and filtering policies proceed.

In most cases, connecting the Office 365 mail server with SpamTitan involves editing the default connection filter in the Exchange Admin Center and creating a new mail flow rule so that all inbound emails are blocked other than those sent by the SpamTitan email filter. In the SpamTitan admin portal, all organizations need to do is enter the domain(s) and destination server(s) in the MX record. The process takes a few minutes and barely disrupts the flow of inbound emails.

A primary consideration for many businesses will be the cost of implementing a secondary filtering solution to overcome the shortcomings of Office 365 email protection. However, SpamTitan can cost less than $1.00 per month per user depending on the number of seats and length of subscription. For many businesses, this is a small price to pay to prevent threats such as malware, ransomware, and phishing. To find out more and to request a demo of SpamTitan in action, visit