How to Improve the Effectiveness of a Microsoft 365 Spam Filter

If your organization subscribes to a Microsoft 365 or Office 365 business plan, you are likely familiar with the capabilities of the Microsoft 365 spam filter and how the filter fits into a multilevel defense against internal and external threats. However, there are ways in which the effectiveness of a Microsoft 365 spam filter can be improved.

The Microsoft 365 spam filter is a key element of Exchange Online Protection (EOP) – a suite of tools that protects organizations against spam, malware, phishing, and spoofing. Microsoft claims its spam filter captures more than 99% of junk mail and detects more than five billion threats each month. These are very impressive statistics when they are taken out of context.

When you put the statistics into context, they don't look so good. It has been estimated that around 120 billion spam emails are sent each day (as of January 2021); and although Microsoft won't reveal how many mailboxes are protected by Microsoft 365 spam filters, it is known by industry experts that 43% of phishing attempts are sent to Microsoft accounts.

If we assume that 43% of 120 billion spam emails are also sent to Microsoft accounts, and the spam filter in Microsoft 365 captures 99% of them, this implies more than 50 million spam emails avoid detection – every day. Not all of these 50 million spam emails will harbor malware or seek to obtain login credentials, but it only takes an interaction with one of them for there to be potentially disastrous consequences.

How Microsoft 365 Email Spam Filtering Works

Microsoft 365 email spam filtering works by comparing inbound mail against IP block lists of known sources of spam and by using proprietary machine learning technologies to identify junk mail that does not yet appear on an IP block list. Emails and their attachments are subsequently scanned for malware, and emails from senders that are not authenticated or whitelisted are reviewed for compliance with an organization's anti-phishing and anti-spoofing policies.

Organizations can enhance the way in which Microsoft 365 email spam filtering works by subscribing to a plan that includes Defender for Office 365. This service – which is also available as a premium add-on for less comprehensive plans – can be configured to check attachments for malware and verify embedded URLs in sandboxed environments. Defender for Office 365 also rewrites URLs embedded into the content of emails to provide time-of-click URL verification.

Although the tools in both Exchange Online Protection and Defender for Office 365 can improve the effectiveness of a Microsoft 365 email spam filter, the degree of effectiveness is subject to how the filter is configured. For example, Microsoft 365 spam filters have to be configured with spam confidence levels (per user, department, etc.) and policies that stipulate what actions should be taken when a spam email or threat is identified, and how the intended recipient should be notified.

The management overhead of the Microsoft 365 spam filter can be significant – especially in hybrid environments where EOP protects on-premises Exchange mailboxes. In this scenario, organizations have to configure two sets of transport rules for on-premises Exchange mailboxes to recognize EOP spam headers. If errors are made in any configuration process, it can substantially impact the Microsoft 365 spam filter detection rate or result in legitimate emails being sent to junk folders.
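As an added illustration (not code from Microsoft or SpamTitan), the Python sketch below shows the kind of decision an on-premises rule makes when it "recognizes" EOP spam headers: it reads the X-Forefront-Antispam-Report header that EOP stamps on messages and routes on its SCL and SFV fields. The sample messages are constructed, and the junk threshold of SCL 5 and the `route` outcomes are assumptions for the example.

```python
from email import message_from_string, policy

# SFV values with which EOP marks a message as spam (documented header values).
SPAM_VERDICTS = {"SPM", "SKS", "SKB"}
JUNK_SCL = 5  # assumed threshold: SCL 5 and above is treated as spam


def parse_antispam_report(raw_message):
    """Return the key:value fields of X-Forefront-Antispam-Report as a dict."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for part in report.split(";"):
        # Split on the first colon only, so IPv6 values in CIP stay intact.
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields


def route(raw_message):
    """Decide 'junk', 'inbox' or 'unscanned' from the EOP header alone."""
    fields = parse_antispam_report(raw_message)
    if not fields:
        # No EOP stamp: the message bypassed EOP or the header was stripped.
        return "unscanned"
    try:
        scl = int(fields.get("SCL", "0"))
    except ValueError:
        scl = 0
    if fields.get("SFV") in SPAM_VERDICTS or scl >= JUNK_SCL:
        return "junk"
    return "inbox"


# Constructed sample messages (documentation addresses, not real traffic).
HEAD = "From: sender@example.net\nTo: sales@example.com\nSubject: test\n"
SPAM = HEAD + ("X-Forefront-Antispam-Report: CIP:203.0.113.99;CTRY:;LANG:en;"
               "SCL:5;\n SFV:SPM;H:mail.bulk.example\n\nbody\n")
CLEAN = HEAD + "X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:1;SFV:NSPM\n\nbody\n"
NO_HEADER = HEAD + "\nbody\n"

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("clean", CLEAN), ("no header", NO_HEADER)):
        print(name, "->", route(raw))
```

The "unscanned" outcome is worth alerting on in a hybrid deployment, because mail that reaches an on-premises mailbox without the EOP header was never scored.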

What Microsoft 365 Spam Filtering is Lacking

One noticeable absentee from the range of Microsoft 365 spam filtering tools is greylisting. Greylisting is a front-end operation in which emails from all non-whitelisted senders are automatically returned to their originating mail servers with a request for the email to be sent again. Spammers' mail servers are typically too busy to respond to the request before it times out, and therefore the spam email is never returned – and never enters the organization's mail server.
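The greylisting decision described above can be modeled in a few lines. This is an added example, not SpamTitan's or Microsoft's implementation: it models the "send again" request as an SMTP 451 temporary rejection keyed on the (client IP, envelope sender, recipient) triplet, and the delay, retry window, addresses and timings are all constructed assumptions.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: seconds a new triplet must wait before retrying
RETRY_WINDOW = 4 * 3600  # assumed: a retry later than this starts over


@dataclass
class Greylist:
    allowlist: set = field(default_factory=set)    # sender IPs that skip greylisting
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if client_ip in self.allowlist:
            return "250 OK (allowlisted)"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 OK (known triplet)"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[triplet] = now
            return "451 4.7.1 Greylisted, try again later"
        if now - seen < MIN_DELAY:
            return "451 4.7.1 Greylisted, retry too soon"
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return "250 OK (retry accepted)"


def simulate():
    """Replay constructed attempts; return (reply codes, triplets never retried)."""
    gl = Greylist(allowlist={"192.0.2.10"})
    legit = ("198.51.100.7", "news@example.net", "sales@example.com")
    attempts = [
        (0, "192.0.2.10", "partner@example.org", "sales@example.com"),  # allowlisted
        (0, *legit),                                                    # first attempt
        (0, "203.0.113.99", "promo@bulk.example", "sales@example.com"), # never retries
        (30, *legit),                                                   # retry too early
        (900, *legit),                                                  # proper retry
        (5000, *legit),                                                 # later mail
    ]
    codes = [gl.check(ip, frm, rcpt, t)[:3] for t, ip, frm, rcpt in attempts]
    return codes, sorted(gl.first_seen)


if __name__ == "__main__":
    print(simulate())
```

The triplet left in `first_seen` is the sender that never retried, which is why the message never reaches the content filters behind the greylist.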

Greylisting fills the gap in the Microsoft 365 spam filtering process between IP block lists of known sources of spam and machine learning technologies to identify junk mail that does not yet appear on an IP block list. While greylisting wouldn't increase the spam detection rate (because unreturned emails cannot be identified as junk mail), it would reduce the pressure on busy Microsoft 365 email spam filters and accelerate the delivery of legitimate emails.

In theory, greylisting should also reduce the management overhead of configuring the spam filter for Microsoft 365 because fewer spam emails and emails harboring threats will be entering the mail server. Consequently, an organization should not need to apply a lower spam confidence score to (for example) sales department emails to prevent sales leads being identified as junk. The same spam confidence scores can be applied universally throughout the organization.

Therefore, the best way to improve the effectiveness of a Microsoft 365 spam filter is to place it behind a second spam filter with greylisting capabilities. The secondary spam filter can run all the front-end operations such as greylisting, IP block checks, invalid recipient checks, and Sender Policy Framework checks; and – depending on its capabilities – continue with the back-end checks such as scanning emails for malware and compliance with anti-phishing and anti-spoofing policies.

What Makes the Best Spam Filter for Microsoft 365?

The best spam filter for Microsoft 365 will be one with greylisting capabilities that is easy to use – although if it is capable of the same back-end checks as the Microsoft 365 email spam filter and supports integration with Microsoft Active Directory, so much the better. In this case, system administrators will only have to configure one set of policies for the secondary, easier-to-use spam filter and keep the default settings of the Microsoft 365 email spam filter as they are.

An even better scenario would be if the secondary spam filter had some of the capabilities included in Defender for Office 365 such as the ability to check attachments for malware and verify embedded URLs in sandboxed environments. This would mean the cost of the secondary spam filter service would be covered by not having to pay for a premium add-on. A secondary spam filter with AD integration would also ensure email continuity in the event of a Microsoft 365 outage.

For some organizations, the best spam filter for Microsoft 365 will be one that can be deployed on-premises. The lack of an on-premises option for Microsoft 365 spam email filtering is an issue for some organizations; and although it is easier to redirect EOP's mail exchanger server to a cloud-hosted spam filter than it is to install an on-premises Gateway solution, system administrators with experience of on-premises solutions should not find managing a Gateway solution too complicated.

Ultimately, the best spam filter for Microsoft 365 is the one which ticks all the boxes for your organization without the need to reinvent the wheel, implement complex software, or retrain staff. For this reason, SpamTitan could be your best option. SpamTitan has been a leading choice for improving the effectiveness of Microsoft spam filters for almost twenty years and is trusted by more than 12,000 customers for their email security.

How SpamTitan Improves the Effectiveness of Microsoft 365 Spam Filters

SpamTitan improves the effectiveness of Microsoft 365 spam filters by providing organizations with a choice of easy-to-deploy and easy-to-use spam filtering options – SpamTitan Cloud and SpamTitan Gateway for organizations that would prefer their email filtering service to be on-premises. Both options have greylisting capabilities and similar features to Microsoft 365 spam filters:

  • Once returned from the greylisting operation, emails are checked against six real time blacklists to identify any from known sources of spam, malware, phishing, and spoofing.
  • Content filters developed using Bayesian analysis, heuristics, and machine learning detect new sources of malware, phishing, and spoofing.
  • Further checks for malware are conducted by BitDefender and ClamAV anti-virus engines with sandboxing available at no extra charge.
  • Granular filtering rules and policies for both inbound and outbound mail enable organizations to protect users against internal and external threats.
  • Multiple web authentication settings including directory synchronization with Active Directory.
  • Extensive reporting suite, compatible with all operating systems, and unlimited scalability.

SpamTitan's ease of use significantly reduces the potential for misconfigurations and potentially disastrous consequences; and, if you would like to know more about how SpamTitan improves the effectiveness of Microsoft 365 spam filters, do not hesitate to contact us. Our team will be happy to answer your questions and will invite you to take advantage of a free trial of the SpamTitan solution most suitable for your requirements (i.e., SpamTitan Cloud or SpamTitan Gateway).

Our free trial gives you the opportunity to evaluate our Microsoft 365 email spam filter in your own environment so you can experience the effectiveness of greylisting. At the end of the free trial, there is no obligation on you to continue using our service; but should you choose to do so, we offer a competitive range of subscription options based on the number of mailboxes SpamTitan will protect, your preferred deployment option, and the frequency of payment.