Office 365 Spam Filter

If your company subscribes to an Office 365 enterprise plan or Microsoft 365 business plan it is likely incoming emails pass through the Office 365 spam filter. This is because the Office 365 spam filter is a key element of Exchange Online Protection and Microsoft Defender for Office 365. 

The basic Office 365 spam filter is a fairly effective tool for blocking junk email. It works by verifying the authenticity of the sending mail server, comparing inbound emails against “real-time blocklists” (RBLs) of known sources of spam, and calculating a Spam Confidence Level (SCL) for each email so that those with a low SCL can be blocked, quarantined, or flagged as potential spam depending on the company's anti-phishing and anti-spoofing policies.

With Exchange Online Protection, the built-in spam filter scans emails and their attachments for malware; while with Microsoft Defender for Office 365, the spam filter also rewrites URLs embedded into the content of emails to provide time-of-click URL verification. Under all plans, the Office 365 spam filter alerts users to emails from a source they have not previously received an email from, and scans outbound emails for spam to prevent reputational damage.

Yet 500 Million Spam Emails Avoid Detection Each Day

Microsoft claims that, due to its rich range of features, the Office 365 spam filter detects 99% of junk email. While this sounds impressive, it has been calculated that approximately 50 billion spam emails are sent to Office 365 accounts each day. This implies that the spam filter fails to detect more than 500 million spam emails on a daily basis. So, how could the detection rate be improved to prevent users falling victim to threats such as phishing and ransomware?

While it is not possible to know what type of spam email the Office 365 spam filter is not detecting (because Microsoft does not release that type of information), it is possible to determine what feature the spam filter is missing by comparing it to other spam filters such as SpamTitan. The SpamTitan email filter includes a front-end feature called greylisting that returns all non-whitelisted emails to their originating servers. The email is added to the originating server's mail retry queue and resubmitted within minutes.

Due to the volume of undeliverable mail returned to spammers' mail servers, the mail retry function is often disabled and the spam email is never returned. Because the spam email never gets beyond the front end of the recipient's mail server, the pressure is reduced on back-end processes – accelerating the delivery of legitimate emails. In tests, greylisting has improved the Office 365 spam filter detection rate to 99.97%, yet it is a feature Microsoft does not want to add to its email filter.
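Greylisting as the two paragraphs above describe it, written here as an added Python illustration (not SpamTitan's code): every unknown (client IP, envelope sender, recipient) triplet gets a temporary SMTP rejection, a sender that retries after the minimum delay is accepted, whitelisted sources skip the check, and a sender that never retries never gets past the front end. The 300-second delay, the whitelist entry and the sample addresses are assumptions for the example.

```python
from dataclasses import dataclass, field

# Tunables are assumptions for this example, not SpamTitan defaults.
GREYLIST_DELAY = 300        # seconds a new sender must wait before a retry is accepted
GREYLIST_LIFETIME = 86400   # forget triplets whose sender never came back within a day
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    whitelist_ips: set = field(default_factory=set)  # approved sources bypass greylisting
    seen: dict = field(default_factory=dict)         # triplet -> first-seen timestamp

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """SMTP response to give at RCPT TO time for one delivery attempt."""
        if client_ip in self.whitelist_ips:
            return ACCEPT
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.seen.get(key)
        if first is None or now - first > GREYLIST_LIFETIME:
            self.seen[key] = now  # unknown triplet: temp-reject and remember it
            return TEMPFAIL
        if now - first < GREYLIST_DELAY:
            return TEMPFAIL       # retried too soon; a well-behaved MTA backs off
        return ACCEPT             # retried after the delay, as a real mail server does


def simulate():
    """Constructed scenario: real MTA retries, spam bot never does, partner is whitelisted."""
    gl = Greylist(whitelist_ips={"203.0.113.10"})
    legit = ("198.51.100.5", "alice@example.com", "bob@example.net")
    bot = ("192.0.2.77", "promo@spam.example", "bob@example.net")
    partner = ("203.0.113.10", "billing@partner.example", "bob@example.net")
    log = {
        "legit_first": gl.decide(*legit, now=0),      # 451: held at the front end
        "legit_early": gl.decide(*legit, now=60),     # 451: retried before the delay
        "legit_retry": gl.decide(*legit, now=330),    # 250: accepted on proper retry
        "bot_first": gl.decide(*bot, now=0),          # 451: the bot never retries
        "partner": gl.decide(*partner, now=0),        # 250: whitelisted, no delay
    }
    log["accepted"] = sum(1 for r in log.values() if r == ACCEPT)
    return log


if __name__ == "__main__":
    for step, response in simulate().items():
        print(f"{step:12} {response}")
```

The whitelist entry shows the trade-off discussed later on the page: a trusted source is accepted on first contact with no delay, while everything else pays the retry cost once per new triplet.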

Why Microsoft Doesn't Like Greylisting – And Why It Should

Microsoft fails to acknowledge the effectiveness of greylisting because – as non-returned emails cannot be blocked, quarantined, or flagged as spam – there is no way of recording and quantifying its effectiveness in real-life scenarios. Additionally, Microsoft claims the existing SPF, DKIM, and DMARC authentication processes are sufficient to identify spam from unauthenticated sources. Clearly they are not if more than 500 million spam emails are avoiding detection each day.

The problem lies in the fact that SPF, DKIM, and DMARC authentication processes have been around for a long time – during which hackers have found ways to circumvent them. In 2020, a Black Hat Briefing identified eighteen types of attacks to bypass authentication processes and concluded “even a conscientious security professional using a state-of-the-art email provider service […] cannot with confidence readily determine, when receiving an email, whether it is forged.” With greylisting, it is likely the forged email will never have been delivered.

There is also a perceived issue that greylisting delays the delivery of email by up to fifteen minutes. While this may be the case in some circumstances, it is possible to whitelist approved sources so that emails from these sources bypass the greylisting process; and, although whitelisting in itself may be a time-consuming process, the payback is that email threats will be reduced by up to 97% (detection rises from 99% without greylisting to 99.97% with greylisting), so it's probably worth it!

Using SpamTitan with the Office 365 Spam Filter

For many companies, replacing the Office 365 spam filter with another email filtering solution is not an option because the spam filter is packaged with other security and productivity tools in Office 365 enterprise and Microsoft 365 business plans, and already paid for regardless of whether it is used or not. Furthermore, many companies will have already set Spam Confidence Levels for users and departments, and applied anti-phishing and anti-spoofing policies which may not be exportable.

Therefore, for companies already committed to enterprise and business plans that include Exchange Online Protection or Microsoft Defender for Office 365, the best way to overcome the shortcomings of the default spam filter is to deploy a secondary solution such as SpamTitan in front of the Office 365 spam filter to take advantage of SpamTitan's greylisting features and reduce the volume of spam email entering the Office 365 mail server.

Alternatively, for companies who do not have Exchange Online Protection or Microsoft Defender for Office 365 included in their plans, deploying SpamTitan in front of the Office 365 spam filter will provide access to features such as checking attachments for malware and verifying embedded URLs. This will not only enhance online security without having to pay for a premium Microsoft service but will also ensure email continuity in the event of an Office 365 outage.