Improving the Spam Filter on Office 365

Although the Office 365 spam filter offers a reasonable level of security, many businesses find it lacking when it comes to preventing highly sophisticated cyber threats – especially advanced and persistent spear phishing attacks. Although Microsoft frequently introduces new features to improve spam detection rates, many of these are paid-for features or only available as part of an Advanced Threat Protection (ATP) subscription. Others (for example “IP throttling”) can cause users more distress than the spam emails this feature is meant to prevent.

One of the reasons why the spam filter on Office 365 fails to detect all spam emails is that Microsoft’s “real-time blocklists” (RBLs) are updated retrospectively. Only after a customer has reported a spam email will Microsoft add the IP address to the RBLs and include the blacklisted IP address in the next software update. With spammers frequently changing IP addresses, retrospective updating is generally ineffective.

IP throttling was supposed to resolve this issue by blocking emails or giving a low Spam Confidence score to emails originating from sources with no “IP reputation”. This resulted in emails from legitimate businesses with new IP addresses being flagged as spam; and, when Microsoft launched a self-service IP Delist Portal to help businesses with new IP addresses get around their lack of IP reputation, it gave spammers the opportunity to delist their blocked IP addresses as well – exacerbating the problem.

Spam Email Attacks are Increasing and Office 365 Users are Being Targeted

Research shows the extent to which ransomware has been adopted by cybercriminals and is increasingly being used in email attacks. It is reported that in 2021 the number of ransomware attacks almost doubled due to users falling for phishing scams and/or clicking on malicious links related to the COVID-19 pandemic. There has also been an increase in cybercriminals “cryptojacking” business networks via malware-laden emails in order to mine cryptocurrencies – something that Office 365 was unable to prevent happening to a Georgia school system in 2018.

Many users of Office 365 find the level of spam filtering is nowhere near good enough: many phishing emails are delivered to inboxes, and zero-day malware threats are similarly not blocked. A report from SE Labs suggests Office 365 only offers protection in the low-middle end of the market, even though Office 365 includes two layers of protection: Exchange Online Protection and Advanced Threat Protection. Research conducted by Osterman Research suggests that while Office 365 is good at blocking known malware threats – 100% of known malware is blocked – unknown (zero-day) malware often makes it past Office 365 defenses.

Basic threats and 99% of spam email are usually blocked by Office 365, but spear phishing threats often make it past Office 365 defenses and are delivered to end users’ inboxes. For this reason, many businesses choose to improve the spam filter on Office 365 with third-party antispam software.

Greylisting Improves the Spam Filter on Office 365

Greylisting would be an ideal feature to improve the spam filter on Office 365. It is a process that returns non-whitelisted emails to their originating server with a request to resend, and most are resubmitted within minutes. However, spammers’ mail servers often have the mail retry capability disabled due to the volume of emails returned to them, so the spam email is never resubmitted to the intended recipient’s server.

Whereas real-time blocklists block inbound emails from previously reported sources of spam, the Greylisting process eliminates inbound emails from as-yet-unreported sources of spam. Spam filters with a Greylisting feature are therefore more effective at preventing spam from evading detection and reduce the risk of a business falling victim to a phishing attack, or malware or ransomware download.

Microsoft feels the Greylisting feature is unnecessary for the spam filter on Office 365, and claims that the filter’s sender authentication processes can identify inbound emails from as-yet-unreported sources of spam. Clearly this is not the case, as verifiable tests have recorded spam filters with a Greylisting feature as having spam detection rates as high as 99.97%. The difference between this detection rate and a spam filter with a 99% detection rate can be substantial for a business with a significant volume of inbound email.

Advanced Features of SpamTitan Complement the Office 365 Spam Filter

Greylisting has some issues of its own. Because of the way in which the process works, the receipt of business-critical emails can be delayed if they originate from genuine sources with a large mail output. We acknowledge this can happen, and consequently – as well as including Greylisting as an optional feature in our SpamTitan email filters – we also include a whitelisting feature to allow business-critical emails from trusted sources to bypass the front-end spam detection mechanisms. This ensures that mission-critical emails are not delayed, while the benefits of greylisting are not lost.
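The greylisting and whitelisting behaviour described above can be sketched as follows. This is an added example, not SpamTitan's or Microsoft's code: the class name, the delay and window values, the reply texts and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
import ipaddress

MIN_DELAY = 300          # assumed: seconds a new sender must wait before a retry counts
RETRY_WINDOW = 4 * 3600  # assumed: a retry later than this starts the process over

@dataclass
class Greylist:
    whitelist: list = field(default_factory=list)   # trusted networks that bypass greylisting
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that have retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (epoch seconds)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return "250 OK (whitelisted)"            # business-critical sender, no delay
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 OK (known triplet)"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[triplet] = now           # first contact: temporary rejection
            return "451 4.7.1 Greylisted, try again later"
        if now - seen < MIN_DELAY:
            return "451 4.7.1 Greylisted, retry too soon"
        self.passed.add(triplet)                     # sender queued and retried like a real MTA
        return "250 OK (retry accepted)"

def demo():
    """Replay constructed delivery attempts and return the replies in order."""
    gl = Greylist(whitelist=[ipaddress.ip_network("198.51.100.0/24")])
    t0 = 1_700_000_000
    normal = ("203.0.113.7", "a@sender.example", "u@corp.example")
    return [
        gl.check(*normal, t0),            # unknown sender, first attempt
        gl.check(*normal, t0 + 30),       # immediate hammering is still deferred
        gl.check(*normal, t0 + 600),      # proper retry after the delay
        gl.check(*normal, t0 + 900),      # later mail from the same triplet is not delayed
        gl.check("198.51.100.25", "billing@partner.example", "u@corp.example", t0),
        gl.check("192.0.2.99", "x@bulk.example", "u@corp.example", t0),  # never retries
    ]

if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The last sender in the sample only ever receives the temporary rejection, which is the case the text describes for mail servers with retry disabled.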

SpamTitan’s email filter has SURBL filtering and malicious URL detection mechanisms to minimize the likelihood that a phishing email evades detection, and dual anti-virus software engines to inspect the content of email attachments for malware and ransomware. SpamTitan also includes sandboxing for detecting zero-day malware threats. If the front-end checks are passed, and the dual antivirus engines do not detect malicious attachments, the attachments are sent to the sandbox for in-depth analysis. This feature is vital for detecting zero-day malware that has not had a signature uploaded to the virus definition lists used by the AV engines.

These mechanisms complement the default mechanisms found on an Office 365 spam filter (Recipient Verification Protocols, Sender Policy Frameworks, Content Filter Agents) to maximize spam detection while minimizing false positives.

SpamTitan also incorporates pattern learning to identify zero-day threats – attacks that have previously not been seen. Predictive techniques such as Bayesian analysis, heuristics, and machine learning are capable of anticipating new attack methods and blocking threats to prevent them from reaching inboxes.

SpamTitan also includes data leak protection technology, allowing sensitive information such as Social Security numbers to be tagged. Tags can also be added for specific keywords. This is an important additional control to protect against internal data loss – a problem prevalent in the healthcare industry in the United States. Such controls are only present in advanced spam filtering solutions such as SpamTitan.

Other features of our email filters to improve the spam filter on Office 365 include:

  • Quick deployment as a gateway or cloud-based solution.
  • Easy synchronization with Active Directory and LDAP.
  • Administered via a web-based portal. No agents required.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Greylist, whitelist or blacklist senders/IP addresses.
  • SpamTitan Cloud is highly scalable and universally compatible.

How SpamTitan Filters Out Spam and Malicious Emails

To significantly improve spam filtering on Office 365 it is necessary to adopt a defense in depth approach. The security settings of Office 365 can be tweaked, but this can be a complicated process and even if the optimal settings are found, the level of protection is often found to be inferior to a third-party Office 365 spam filtering solution.

SpamTitan is an advanced email filtering solution that works seamlessly with Office 365 to improve spam detection rates and block more threats. SpamTitan uses predictive techniques to block new malware variants, spear phishing, and zero-day attacks to prevent these threats from being delivered to end users’ inboxes.

Complement the Office 365 Spam Filter with SpamTitan

If, despite Microsoft’s best efforts, you are unhappy with the volume of spam emails being delivered to your inboxes, you are invited to take advantage of a free demo of SpamTitan. Our free demo gives you the opportunity to see the difference in spam detection rates when the Greylisting process is both activated and deactivated.

Our team of Sales Technicians will also be happy to answer any questions you have about improving the spam filter on Office 365 with our software, discuss which deployment option is best suited to your specific circumstances, and explain how you can place a SpamTitan email filter in front of Office 365 to better protect users’ inboxes.

FAQs about Improving the Spam Filter on Office 365

Do I need to replace the Office 365 spam filter?

The default Office 365 spam filter provides basic protection against spam, phishing, and malware, but more sophisticated spam and phishing emails are unlikely to be blocked. To improve protection, you do not need to replace the Office 365 spam filter; you just need to layer an extra level of protection on top with a third-party solution. SpamTitan for Office 365 allows you to supplement Office 365’s native email security with award-winning phishing protection from a dedicated security provider. As ransomware and phishing attacks increase, Office 365 has become a primary target, making it vital for IT professionals to take proactive steps with Office 365 email security and “hack-proof” their environments.

Will a spam filter detect compromised email accounts?

Spam filters are primarily concerned with blocking incoming spam and malicious emails. A third-party Office 365 spam filter with outbound scanning will detect compromised email accounts by scanning outbound emails for spam and phishing signatures, malware, and attempts to send certain types of data outside the organization. Any rule violations will trigger alerts for the security team.

How does a spam filter block malware and ransomware?

At the heart of a spam filter is an antivirus engine that scans all inbound attachments for signatures of known malware. Multiple antivirus engines will provide greater protection from known malware threats. Sandboxing is used to subject suspicious email attachments to in-depth analysis to identify new malware threats. SpamTitan’s sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files. SpamTitan checks every URL in an email against known blacklists – with 100% active web coverage.

What does defense in depth mean?

No single cybersecurity solution will provide total protection against all threats. Defense in depth means implementing overlapping security layers to ensure that if one mechanism fails to provide protection, others exist to stop an attack succeeding. A defense in depth approach provides the key elements needed to secure assets: prevention, detection, and response. SpamTitan email security uses a defense in depth approach and incorporates many different detection mechanisms to block email threats.

How much does SpamTitan cost?

SpamTitan pricing is highly competitive, but it is not possible to give a general cost as the price depends on the number of users and the length of the license period. The best way to determine how much SpamTitan will cost your organization is to use our cost calculator or contact our sales team for a no-obligation quote.