Improving the Spam Filter on Office 365

The spam filter on Office 365 comes in for quite a bit of criticism. Although Microsoft regularly introduces new features to improve its spam detection rates, many of these are paid-for add-ons (Advanced Threat Protection, for example) rather than part of the Exchange Online Protection baseline every tenant receives. Others (for example "IP throttling") cause administrators more trouble than the spam emails the feature is meant to prevent.

One reason the spam filter on Office 365 fails to detect spam is that block-list filtering is reactive. Microsoft adds a sending IP address to its "real-time block lists" only after mail from that address has been reported as spam, so everything the address sent before the listing has already been delivered. Because spammers rotate sending IP addresses frequently, a list that is updated after the fact catches only the tail of each campaign.

IP throttling was supposed to resolve this by rejecting mail from sources with no "IP reputation", or marking it as likely spam with a high Spam Confidence Level (SCL). The result was that mail from legitimate businesses sending from new IP addresses was flagged as spam; and when Microsoft launched a self-service IP Delist Portal so that businesses with new IP addresses could get past their lack of reputation, it also gave spammers a way to delist their blocked IP addresses, exacerbating the problem.

Email Attacks Increasing and Flaws in Office 365 are Being Targeted

Research conducted by IBM Security shows how widely ransomware has been adopted by cybercriminals for email attacks. Between 2016 and 2017 there was a 6,000% increase in emails containing ransomware. The rate of increase has since slowed as some threat actors have moved on to cryptojacking, although the threat from ransomware remains severe: a 2018 report from Europol warned that ransomware is still the main malware threat.

Further, 2018 has seen new ransomware threats appear that specifically target the Office 365 environment, such as ShurL0ckr, which was reported to evade Office 365's built-in malware scanning.

Many users of Office 365 find the level of spam filtering is nowhere near good enough. An August 2017 report from SE Labs – “Email-hosted Protection” – suggests Office 365 only offers protection in the low-middle end of the market, even though Office 365 includes two layers of protection: Exchange Online Protection and Advanced Threat Protection. Research conducted by Osterman shows that Office 365 is good at blocking known malware threats. 100% of known malware is blocked but unknown (new) malware often makes it past Office 365 defenses.

Basic threats and standard spam email are usually blocked, but advanced and persistent spear phishing threats often make it past Office 365 defenses and are delivered to end users’ inboxes. For this reason, many businesses choose to improve the spam filter on Office 365 with third-party antispam software.

Greylisting Could Improve the Spam Filter on Office 365

Greylisting would be an ideal feature to improve the spam filter on Office 365. When an unknown combination of sending server, sender address and recipient connects for the first time, the receiving server answers the delivery attempt with a temporary SMTP failure (a 4xx response such as 451) instead of accepting the message, regardless of the sender's IP reputation. A properly configured mail server queues the message and retries, usually within minutes, and the retry is accepted. Spammers' sending tools, built to push out as much mail as possible, typically never retry, so the message is never delivered.

Whereas real-time block lists stop inbound emails from previously reported sources of spam, Greylisting stops inbound emails from as-yet-unreported sources, because it keys on the sending server's behaviour rather than its history. Spam filters with a Greylisting feature are therefore more effective at preventing spam from evading detection and reduce the risk of a business falling victim to a phishing attack, or a malware or ransomware download.

It is not known why Microsoft has declined to include Greylisting as a feature of the spam filter on Office 365. Verifiable tests have recorded spam filters with a Greylisting feature as having spam detection rates of 99.97%. The difference between that rate and a spam filter with a 99% detection rate is substantial for a business with a significant volume of inbound email: at 100,000 inbound messages a day, a 1% miss rate delivers about 1,000 spam emails to inboxes, a 0.03% miss rate about 30.

SpamTitan Email Filters with Optional Greylisting Feature

Greylisting has some issues of its own. Because it works by deferring the first delivery attempt, business-critical emails from a genuine sender can be delayed until that sender's server retries, and large senders that retry from a different server than the one that made the first attempt can be deferred more than once. We acknowledge this can happen, and consequently, as well as including Greylisting as an optional feature in our SpamTitan email filters, we also include a whitelisting feature to allow business-critical emails from trusted sources to bypass the front-end mechanisms.
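The following is an added example, not SpamTitan's or Microsoft's code, showing the greylisting decision described above together with the whitelist bypass: a first contact from an unknown (client network, sender, recipient) triplet gets an SMTP 451, a retry after the minimum delay is accepted and remembered, and trusted networks or sender domains skip the check entirely. The CIDRs, domains, retry timings and the sequence of delivery attempts are constructed for the demonstration, and the clock is injected so the retry window can be exercised without sleeping.

```python
"""Greylisting decision logic with a trusted-sender bypass (added example; not
SpamTitan's or Microsoft's code). All addresses, domains and timings below are
constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

MIN_RETRY_DELAY = 300                # seconds a sender must wait before its retry is accepted
MAX_RETRY_WINDOW = 4 * 3600          # a retry later than this counts as a new first attempt
AUTO_WHITELIST_TTL = 36 * 24 * 3600  # a triplet that passed once stays accepted this long

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]       # (client /24 network, envelope sender, recipient)


def triplet(client_ip: str, sender: str, recipient: str) -> Triplet:
    # Large legitimate senders often retry from a different host in the same
    # netblock, so key on the /24 rather than the exact address.
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return (str(net), sender.lower(), recipient.lower())


@dataclass
class Greylister:
    now: Callable[[], float]
    whitelist_networks: List[str] = field(default_factory=list)  # trusted CIDRs
    whitelist_domains: Set[str] = field(default_factory=set)     # trusted sender domains
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    passed: Dict[Triplet, float] = field(default_factory=dict)

    def is_whitelisted(self, client_ip: str, sender: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(c) for c in self.whitelist_networks):
            return True
        return sender.rpartition("@")[2].lower() in self.whitelist_domains

    def check(self, client_ip: str, sender: str, recipient: str) -> str:
        """Return the SMTP response for one delivery attempt."""
        if self.is_whitelisted(client_ip, sender):
            return ACCEPT + " (whitelisted)"
        key, t = triplet(client_ip, sender, recipient), self.now()
        if key in self.passed and t - self.passed[key] < AUTO_WHITELIST_TTL:
            self.passed[key] = t                      # refresh the auto-whitelist entry
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or t - first > MAX_RETRY_WINDOW:
            self.first_seen[key] = t                  # first contact: defer and remember it
            return DEFER
        if t - first < MIN_RETRY_DELAY:
            return DEFER                              # retried too quickly: still deferred
        del self.first_seen[key]                      # real MTA behaviour: accept and remember
        self.passed[key] = t
        return ACCEPT


def simulate() -> Dict[str, str]:
    """Walk a constructed sequence of delivery attempts through the greylister."""
    clock = [1_000_000.0]
    g = Greylister(now=lambda: clock[0],
                   whitelist_networks=["203.0.113.0/24"],        # e.g. the CRM's relays
                   whitelist_domains={"partner.example"})
    out: Dict[str, str] = {}
    # A spam cannon tries once and never retries: nothing is ever delivered.
    out["spam_first"] = g.check("198.51.100.7", "bulk@spammer.invalid", "ceo@corp.example")
    # A real MTA is deferred, retries from a sibling host in the same /24, and gets through.
    out["legit_first"] = g.check("192.0.2.10", "alice@vendor.example", "ceo@corp.example")
    clock[0] += 60
    out["legit_too_early"] = g.check("192.0.2.11", "alice@vendor.example", "ceo@corp.example")
    clock[0] += 600
    out["legit_retry"] = g.check("192.0.2.11", "alice@vendor.example", "ceo@corp.example")
    clock[0] += 86_400
    out["legit_next_day"] = g.check("192.0.2.10", "alice@vendor.example", "ceo@corp.example")
    # Trusted sources bypass the delay entirely.
    out["whitelisted_ip"] = g.check("203.0.113.5", "noreply@crm.example", "ceo@corp.example")
    out["whitelisted_domain"] = g.check("198.51.100.9", "billing@partner.example", "ceo@corp.example")
    return out


if __name__ == "__main__":
    for step, response in simulate().items():
        print(f"{step:18} {response}")
```

Keying on the /24 rather than the exact address is what keeps the second-server retry problem mentioned above from turning into a second deferral, and the auto-whitelist entry means a sender pays the delay once, not on every message.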

SpamTitan's email filter has SURBL filtering (which looks up the domains of URLs in a message against a DNS blocklist of sites advertised in spam) and malicious URL detection mechanisms to minimize the likelihood that a phishing email avoids detection, and dual anti-virus engines to inspect the content of inbound emails and their attachments for malware and ransomware. These mechanisms complement the default mechanisms of the Office 365 spam filter (recipient verification, Sender Policy Framework (SPF) checks, and content filtering) to maximize spam detection while minimizing false positives.
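As an added example of the SURBL check, and not SpamTitan's own code, the block below extracts URLs from a message, reduces each host to the name SURBL expects (the registered domain, or the reversed octets for an IPv4 literal), and resolves that name under the multi.surbl.org zone; an answer in 127.0.0.0/8 means listed, and the last octet is a bitmask naming the sub-lists that matched. The resolver is injected so the example runs offline against a constructed table (in production you would pass a function that does a real DNS lookup); the sample message and the two-level suffix set are constructed too, the latter standing in for the full public suffix list.

```python
"""Check the URLs in an inbound message against a SURBL-style DNS blocklist
(added example; not SpamTitan's code). The sample message, listing table and
suffix set are constructed for the demonstration."""
import re
from email import message_from_string
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}  # bit values published for multi.surbl.org
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}   # constructed subset of the public suffix list


def surbl_name(host: str) -> str:
    """Reduce a URL host to the label SURBL expects: registered domain, or reversed IPv4."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(raw: str) -> List[str]:
    """Pull URLs out of every text/plain and text/html part of an RFC 822 message."""
    msg = message_from_string(raw)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return urls


def scan_message(raw: str, resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Map each listed SURBL name found in the message to the sub-lists that flagged it."""
    hits: Dict[str, List[str]] = {}
    for url in extract_urls(raw):
        host = urlsplit(url).hostname
        if not host:
            continue
        name = surbl_name(host)
        answer = resolve(f"{name}.{SURBL_ZONE}")
        if answer and answer.startswith("127.0.0."):
            code = int(answer.rsplit(".", 1)[1])
            hits[name] = [tag for bit, tag in SURBL_BITS.items() if code & bit]
    return hits


# Constructed sample: a credential-phishing lure with one clean vendor link.
SAMPLE_EMAIL = """From: "Accounts" <alerts@bank-secure-login.test>
To: ceo@corp.example
Subject: Action required
Content-Type: text/plain; charset=utf-8

Your mailbox is almost full. Verify at http://login.bank-secure-login.test/verify?id=42
Invoice attached: https://www.vendor.example/invoices/2018-09.pdf
Mirror: http://198.51.100.23/dl.exe
"""

# Constructed answers standing in for live DNS; 127.0.0.80 = 64 (ABUSE) + 16 (MW).
CONSTRUCTED_LISTINGS = {
    "bank-secure-login.test.multi.surbl.org": "127.0.0.8",
    "23.100.51.198.multi.surbl.org": "127.0.0.80",
}


def offline_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL, offline_resolver))
```

Querying the registered domain rather than the full host is what defeats the common evasion of hanging a fresh random subdomain off a listed domain; the phishing host above is caught through its parent even though the exact subdomain has never been seen.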

Other features of our email filters to complement the spam filter on Office 365 include:

  • Quick deployment as a gateway or cloud-based solution.
  • Easy synchronization with Active Directory and LDAP.
  • Administered via a web-based portal. No agents required.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Greylist, whitelist or blacklist senders/IP addresses.
  • Infinitely scalable and universally compatible.

SpamTitan Protects Against Zero-Day Attacks

Another area where the Office 365 spam filter often fails is blocking zero-day attacks. Zero-day attacks exploit previously unknown vulnerabilities, or vulnerabilities for which Microsoft has yet to release a patch. Recently, a security researcher discovered a flaw in the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler.

Out of frustration with the vulnerability reporting process, the researcher published the exploit on GitHub. Within a few days it had been incorporated into email attacks by at least one threat group (PowerPool). The flaw allowed a program running as an ordinary user to gain SYSTEM privileges. It took two weeks before a patch was released.

Zero-day threats such as these often get past Office 365 spam filtering mechanisms because signature and reputation checks can only recognise what has already been seen, and the filter lacks machine learning capabilities to anticipate new attack methods.

Third party spam filters, such as SpamTitan, include pattern learning and intelligence and are much more effective at blocking new malware threats. Predictive techniques such as Bayesian analysis, heuristics, and machine learning are capable of anticipating new attack methods and blocking threats to prevent them from reaching inboxes.
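To make the "Bayesian analysis" stage concrete, here is an added example, not SpamTitan's code, of a naive Bayes spam classifier: it learns per-class word frequencies from labelled messages, scores a new message by the log-likelihood of its words under each class with Laplace smoothing so that a word never seen in one class cannot zero it out, and maps the resulting probability onto an Office 365 style Spam Confidence Level. The training messages, the test messages and the SCL thresholds are constructed for the demonstration; a real deployment trains on the organisation's own ham and quarantined spam and keeps learning from user reports.

```python
"""Naive Bayes spam scoring with SCL mapping (added example; not SpamTitan's
code). Training corpus, test messages and SCL thresholds are constructed."""
import math
import re
from collections import Counter
from typing import Dict, List

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text: str) -> List[str]:
    return TOKEN_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                    # Laplace smoothing: unseen words never zero a class
        self.counts: Dict[str, Counter] = {"spam": Counter(), "ham": Counter()}
        self.docs: Dict[str, int] = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        self.counts[label].update(set(tokenize(text)))   # count each word once per message
        self.docs[label] += 1

    def _log_score(self, tokens: List[str], label: str) -> float:
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total = sum(self.counts[label].values())
        score = math.log(self.docs[label] / sum(self.docs.values()))   # class prior
        for tok in tokens:
            score += math.log((self.counts[label][tok] + self.alpha) / (total + self.alpha * vocab))
        return score

    def spam_probability(self, text: str) -> float:
        tokens = tokenize(text)
        ls, lh = self._log_score(tokens, "spam"), self._log_score(tokens, "ham")
        m = max(ls, lh)                       # subtract the max so exp() cannot underflow
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))


def spam_confidence_level(p: float) -> int:
    """Map a probability onto an Office 365 style SCL (thresholds are assumed, not Microsoft's)."""
    if p < 0.5:
        return 1   # not spam
    if p < 0.9:
        return 5   # spam
    return 9       # high confidence spam


# Constructed training corpus.
SPAM = [
    "urgent verify your account password now click link",
    "you won a prize claim your money now click here",
    "cheap pills discount offer buy now",
    "your mailbox is full verify account immediately",
]
HAM = [
    "meeting moved to thursday please bring the quarterly report",
    "attached is the invoice for september as discussed",
    "can you review the draft report before the meeting",
    "thanks for the update see you at lunch",
]


def build_filter() -> NaiveBayesSpamFilter:
    f = NaiveBayesSpamFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("verify your account now click", "please review the report before thursday meeting"):
        p = f.spam_probability(msg)
        print(f"SCL {spam_confidence_level(p)}  p(spam)={p:.4f}  {msg!r}")
```

The point of the smoothing term is visible in the ham test message: none of its words appear in the spam corpus, yet the spam score stays finite and the decision is made on the weight of evidence rather than on a single unseen word.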

SpamTitan also includes data leak protection technology, allowing sensitive information such as Social Security numbers to be tagged. Tags can also be added for specific keywords. This is an important additional control to protect against internal data loss – a problem prevalent in the healthcare industry in the United States. Such controls are only present in advanced spam filtering solutions such as SpamTitan.
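The block below is an added example of the tagging control just described, not SpamTitan's code: it scans an outbound message for Social Security numbers and configured keywords and stamps the result into a header that a downstream rule can quarantine or route on. A bare ddd-dd-dddd pattern also matches phone fragments and invoice numbers, so candidates are validated against the SSA's structural rules before they count (area 000, 666 and 900-999, group 00 and serial 0000 are never issued). The header name, the keyword list and the sample messages are constructed for the demonstration.

```python
"""Outbound DLP tagging of SSNs and sensitive keywords (added example; not
SpamTitan's code). Header name, keyword list and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Set

SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Constructed keyword list for a healthcare tenant, matched case-insensitively on word boundaries.
SENSITIVE_KEYWORDS = {"diagnosis", "patient record", "medical record number"}
DLP_HEADER = "X-DLP-Tags"


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA: these ranges are never assigned."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> List[str]:
    """Return the SSN-shaped strings in text that pass structural validation."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_valid_ssn(a, g, s)]


def find_keywords(text: str, keywords: Set[str] = SENSITIVE_KEYWORDS) -> List[str]:
    lowered = text.lower()
    return sorted(k for k in keywords if re.search(rf"\b{re.escape(k)}\b", lowered))


def dlp_tags(text: str) -> List[str]:
    tags: List[str] = []
    if find_ssns(text):
        tags.append("ssn")
    tags.extend(f"keyword:{k}" for k in find_keywords(text))
    return tags


def tag_message(raw: str) -> Message:
    """Parse a message, scan its subject and text parts, and stamp the DLP header if anything hit."""
    msg = message_from_string(raw)
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    tags = dlp_tags("\n".join(text))
    if tags:
        msg[DLP_HEADER] = ", ".join(tags)
    return msg


# Constructed outbound messages: one that leaks, one with look-alike numbers that do not.
LEAKY_EMAIL = """From: nurse@clinic.example
To: someone@webmail.example
Subject: patient record for review

Diagnosis attached for MRN 44921. SSN 123-45-6789; call 555-123-4567.
Reference 987-65-4320 is a sample number from the SSA, not a real SSN.
"""

CLEAN_EMAIL = """From: ap@clinic.example
To: vendor@supplier.example
Subject: invoice references

Invoice 000-12-3456 and PO 123-00-6789 are internal references, nothing sensitive.
"""


if __name__ == "__main__":
    for raw in (LEAKY_EMAIL, CLEAN_EMAIL):
        print(repr(tag_message(raw)[DLP_HEADER]))
```

Tagging rather than blocking outright is deliberate: the header lets the policy engine decide per destination, for instance encrypting to a known partner but quarantining the same message when it is addressed to a personal webmail account.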

How SpamTitan Filters Out Spam and Malicious Emails

To significantly enhance Office 365 security it is necessary to adopt a defense in depth approach. The security settings of Office 365 can be tweaked, but this can be a complicated process and even if the optimal settings are found, the level of protection will be inferior to using an additional spam filtering solution on top of Office 365.

SpamTitan is an advanced email filtering solution that works seamlessly with Office 365 to improve spam detection rates and block more threats. SpamTitan uses predictive techniques to block new malware variants, spear phishing, and zero-day attacks to prevent these threats from being delivered to end users' inboxes.

How SpamTitan Spam Filtering Works

Office 365 and SpamTitan Comparison

Office 365 incorporates security features to block spam and phishing emails, and those features have improved in recent years. However, Office 365 still lacks many important features that are necessary for detecting increasingly sophisticated malware and ransomware variants and phishing attempts. SpamTitan runs SURBL filtering, Bayesian analysis, heuristics, machine learning, and malicious URL detection on each incoming email. The result is superior protection from email threats.

Comparison of Office 365 and SpamTitan

Complement the Spam Filter on Office 365 with SpamTitan

If, despite Microsoft's best efforts, you are unhappy with the volume of spam emails that are avoiding detection by the spam filter on Office 365, you are invited to take advantage of a free trial of SpamTitan. Our free trial gives you the opportunity to try our email filters with the Greylisting process both activated and deactivated, so you can monitor the impact this feature has on the detection of spam emails and on message delays.

To find out more about this opportunity, do not hesitate to get in touch. Our team of Sales Technicians will be happy to answer any questions you have about improving the spam filter on Office 365 with our software, will discuss which deployment option is best suited to your specific circumstances and guide you through the registration and implementation process to start your free trial of SpamTitan.

Should you find SpamTitan substantially reduces the amount of spam email your business receives and you wish to continue using our service after your free trial has ended, we offer a range of competitive subscription options depending on the number of mailboxes you wish to protect from phishing, malware and ransomware. Contact us today to find out more.