Improving the Spam Filter on Office 365

Although the Office 365 spam filter offers a reasonable level of security, many businesses find it lacking when it comes to preventing highly sophisticated cyber threats, especially advanced and persistent spear phishing attacks. Although Microsoft frequently introduces new features to improve spam detection rates, many of these are paid-for features or only available as part of an Advanced Threat Protection (ATP) subscription. Others (for example "IP throttling") can cause users more distress than the spam emails the feature is meant to prevent.

One of the reasons why the spam filter on Office 365 fails to detect all spam emails is that the "real-time blocklists" (RBLs) Microsoft uses are populated retrospectively. Although the blocklist is queried in real time for every connecting IP address, an address is only added to it after spam from that address has been observed or reported by a customer. With spammers frequently changing IP address, a list that can only record sources already seen is generally ineffective against a new campaign.
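To make the distinction concrete, the following is an added example of how a filter consults a DNS-based blocklist; it is not SpamTitan or Microsoft code. The lookup is a live DNS query made per connection, built by reversing the address labels and appending the list's zone, but the answer only reflects addresses the list already knows about. The zone name `dnsbl.example`, the `FAKE_DNS` table and the listing-code meanings are constructed stand-ins (real lists define their own return codes).

```python
"""DNSBL (RBL) lookup: how a filter asks a blocklist about a connecting IP address.

Constructed example. The query is a live DNS lookup for every connection;
what is reactive is the list's contents, which only gain an address after
spam from it has been seen.
"""
import ipaddress

# Constructed stand-in for DNS (assumption): maps query names to A records.
# Listed addresses answer with 127.0.0.x; unlisted names return nothing (NXDOMAIN).
FAKE_DNS = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],  # 192.0.2.99 is a known spam source
}

# Return-code meanings modelled on common DNSBL conventions
# (assumption: every list publishes its own code table).
LISTING_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.4": "exploited host or open proxy",
    "127.0.0.10": "dynamic/residential range",
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels plus the list zone.

    192.0.2.99 in zone dnsbl.example becomes 99.2.0.192.dnsbl.example;
    IPv6 addresses use the same nibble-reversed form as ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    labels = addr.reverse_pointer.rsplit(".", 2)[0]  # drop in-addr.arpa / ip6.arpa
    return f"{labels}.{zone}"


def dnsbl_check(ip, zone="dnsbl.example", resolve=lambda name: FAKE_DNS.get(name, [])):
    """Return (listed, reason). resolve() stands in for a real A-record lookup."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return False, "not listed"
    # Only answers inside 127.0.0.0/8 are valid listings. Anything else commonly
    # means a withdrawn list that now answers positively for every query, which
    # would otherwise block all inbound mail.
    reasons = [LISTING_CODES.get(a, f"listed ({a})") for a in answers
               if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")]
    if not reasons:
        return False, "unexpected answer, list may be defunct"
    return True, "; ".join(reasons)
```

In production the `resolve` argument would be a real resolver; the sanity check on the answer range is the part operators most often forget, and it is what protects a gateway when a blocklist is shut down.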

IP throttling was supposed to resolve this issue by blocking, or assigning a low Spam Confidence Level to, emails originating from sources with no "IP reputation". This resulted in emails from legitimate businesses with new IP addresses being flagged as spam; and, when Microsoft launched a self-service IP Delist Portal to help businesses with new IP addresses get around their lack of IP reputation, it gave spammers the opportunity to delist their blocked IP addresses as well, exacerbating the problem.

Spam Email Attacks are Increasing and Office 365 Users are Being Targeted

Research shows the extent to which ransomware has been adopted by cybercriminals and is increasingly being used in email attacks. It is reported that in 2021 the number of ransomware attacks almost doubled due to users falling for phishing scams and/or clicking on malicious links related to the COVID-19 pandemic. There has also been an increase in cybercriminals “cryptojacking” business networks via malware-laden emails in order to mine cryptocurrencies – something that Office 365 was unable to prevent happening to a Georgia school system in 2018.

Many users of Office 365 find the level of spam filtering is nowhere near good enough: many phishing emails are delivered to inboxes, and zero-day malware threats are similarly not blocked. A report from SE Labs suggests Office 365 only offers protection in the low-to-middle end of the market, even though Office 365 includes two layers of protection: Exchange Online Protection and Advanced Threat Protection. Research conducted by Osterman Research suggests that while Office 365 is good at blocking known malware threats (100% of known malware was blocked in its tests), unknown (zero-day) malware often makes it past Office 365 defenses.

Basic threats and 99% of spam email are usually blocked by Office 365, but spear phishing threats often make it past Office 365 defenses and are delivered to end users’ inboxes. For this reason, many businesses choose to improve the spam filter on Office 365 with third-party antispam software.

Greylisting Improves the Spam Filter on Office 365

Greylisting would be an ideal feature to improve the spam filter on Office 365. When a message arrives from a combination of sending IP address, sender and recipient that the filter has not seen before, and the source is not whitelisted, the filter does not accept the message; it answers with a temporary SMTP failure ("try again later"). A properly configured mail server queues the message and retries it, usually within minutes, at which point it is accepted. Spam-sending software, by contrast, is built to fire each message once at high volume and typically has no retry queue (or has it disabled because of the volume of rejections), so the spam email is never re-sent and never reaches the intended recipient's server.

Whereas real-time blocklists block inbound emails from previously reported sources of spam, the Greylisting process eliminates inbound emails from as-yet-unreported sources of spam. Spam filters with a Greylisting feature are therefore more effective at preventing spam from evading detection and reduce the risk of a business falling victim to a phishing attack, or a malware or ransomware download.

Microsoft feels the Greylisting feature is unnecessary for the spam filter on Office 365, and claims that the filter's sender authentication processes can identify inbound emails from as-yet-unreported sources of spam. Clearly this is not the case, as verifiable tests have recorded spam filters with a Greylisting feature as having spam detection rates as high as 99.97%. The difference between this detection rate and a spam filter with a 99% detection rate can be substantial for a business with a significant volume of inbound email.

Advanced Features of SpamTitan Complement the Office 365 Spam Filter

Greylisting has some issues of its own. Because of the way in which the process works, the receipt of business-critical emails can be delayed on first contact, and the delay can repeat if a genuine sender with a large mail output retries from a pool of different IP addresses that the filter treats as separate sources. We acknowledge this can happen, and consequently, as well as including Greylisting as an optional feature in our SpamTitan email filters, we also include a whitelisting feature to allow business-critical emails from trusted sources to bypass the front-end spam detection mechanisms. This ensures that mission-critical emails are not delayed, while the benefits of greylisting are not lost.
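The greylisting behaviour described above, together with the whitelist bypass, as an added example that is not SpamTitan's code. It keys the triplet on the sender's /24 (or /64 for IPv6) so a retry from a sibling MTA in the same pool still passes, enforces a minimum wait so bots that hammer retries within seconds are still held, and forgets triplets that never come back. The delay values, the allowlisted network `203.0.113.0/24` and the addresses in `simulate()` are constructed for the example; a real gateway would persist the state rather than hold it in memory.

```python
"""Greylisting with an allowlist bypass, simulated offline with an explicit clock.

Constructed example; not SpamTitan's implementation.
"""
from dataclasses import dataclass, field
import ipaddress

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # temporary SMTP failure
ACCEPT = "250 OK"


@dataclass
class Greylister:
    min_delay: int = 300            # seconds a sender must wait before a retry counts
    max_wait: int = 4 * 3600        # forget a triplet that has not retried in this window
    allowlist_nets: list = field(default_factory=list)   # trusted source networks (CIDR)
    seen: dict = field(default_factory=dict)    # triplet -> timestamp of first attempt
    passed: set = field(default_factory=set)    # triplets that completed a valid retry

    def triplet(self, client_ip, sender, rcpt):
        """Key on the sender's network rather than the exact IP so a retry that
        comes from another MTA in the same pool is recognised."""
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def decide(self, client_ip, sender, rcpt, now):
        """Return the SMTP response for one delivery attempt at time `now` (seconds)."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in ipaddress.ip_network(n) for n in self.allowlist_nets):
            return ACCEPT                       # whitelisted: skip greylisting entirely
        key = self.triplet(client_ip, sender, rcpt)
        if key in self.passed:
            return ACCEPT                       # already proved it retries properly
        first = self.seen.get(key)
        if first is None or now - first > self.max_wait:
            self.seen[key] = now                # first contact (or stale record)
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                     # retried too soon: still held
        self.passed.add(key)                    # genuine queue-and-retry behaviour
        del self.seen[key]
        return ACCEPT


def simulate():
    """Constructed traffic: a real MTA, a spam cannon, a hammering bot, a trusted partner."""
    g = Greylister(allowlist_nets=["203.0.113.0/24"])
    log = []
    # Compliant MTA: tempfailed at t=0, retries after 10 minutes from a sibling host, accepted
    log.append(g.decide("198.51.100.7", "alice@example.net", "bob@example.com", 0))
    log.append(g.decide("198.51.100.9", "alice@example.net", "bob@example.com", 600))
    # Same pair again later: already passed, accepted immediately
    log.append(g.decide("198.51.100.7", "alice@example.net", "bob@example.com", 601))
    # Spam cannon: one attempt, never retries, so the message never lands
    log.append(g.decide("192.0.2.99", "promo@spam.invalid", "bob@example.com", 0))
    # Bot that retries within seconds is still held
    log.append(g.decide("192.0.2.99", "promo@spam.invalid", "bob@example.com", 5))
    # Whitelisted business-critical sender bypasses greylisting
    log.append(g.decide("203.0.113.10", "billing@partner.example", "bob@example.com", 0))
    return log


if __name__ == "__main__":
    for response in simulate():
        print(response)
```

Note how the second attempt from `198.51.100.9` is accepted although the first came from `198.51.100.7`: without network-keyed triplets, large senders would be greylisted once per outbound host, which is the delay problem the whitelist is there to cover for sources that cannot be keyed this way.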

SpamTitan's email filter has SURBL filtering and malicious URL detection mechanisms to minimize the likelihood that a phishing email evades detection, and dual antivirus engines to inspect the content of email attachments for malware and ransomware. SpamTitan also includes sandboxing for detecting zero-day malware threats. If the front-end checks are passed, and the dual antivirus engines do not detect malicious attachments, the attachments are sent to the sandbox for in-depth analysis. This feature is vital for detecting zero-day malware for which no signature has yet been added to the virus definition lists used by the AV engines.

These mechanisms complement the default mechanisms found in an Office 365 spam filter (recipient verification, Sender Policy Framework (SPF) checks and content filter agents) to maximize spam detection while minimizing false positives.

SpamTitan also incorporates pattern learning to identify zero-day threats – attacks that have previously not been seen. Predictive techniques such as Bayesian analysis, heuristics, and machine learning are capable of anticipating new attack methods and blocking threats to prevent them from reaching inboxes.

SpamTitan also includes data leak protection technology, allowing sensitive information such as Social Security numbers to be tagged. Tags can also be added for specific keywords. This is an important additional control to protect against internal data loss – a problem prevalent in the healthcare industry in the United States. Such controls are only present in advanced spam filtering solutions such as SpamTitan.

Other features of our email filters to improve the spam filter on Office 365 include:

  • Quick deployment as a gateway or cloud-based solution.
  • Easy synchronization with Active Directory and LDAP.
  • Administered via a web-based portal. No agents required.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Greylist, whitelist or blacklist senders/IP addresses.
  • SpamTitan Cloud is highly scalable and universally compatible.

How SpamTitan Filters Out Spam and Malicious Emails

To significantly improve spam filtering on Office 365 it is necessary to adopt a defense in depth approach. The security settings of Office 365 can be tweaked, but this can be a complicated process, and even if the optimal settings are found, the level of protection is often inferior to that of a third-party Office 365 spam filtering solution.

SpamTitan is an advanced email filtering solution that works seamlessly with Office 365 to improve spam detection rates and block more threats. SpamTitan uses predictive techniques to block new malware variants, spear phishing, and zero-day attacks to prevent these threats from being delivered to end users’ inboxes.


Complement the Office 365 Spam Filter with SpamTitan

If, despite Microsoft's best efforts, you are unhappy with the volume of spam emails being delivered to your inboxes, you are invited to take advantage of a free demo of SpamTitan. Our free demo gives you the opportunity to see the difference in spam detection rates when the Greylisting process is both activated and deactivated.

Our team of Sales Technicians will also be happy to answer any questions you have about improving the spam filter on Office 365 with our software, will discuss which deployment option is best suited to your specific circumstances and explain how you can place a SpamTitan email filter in front of Office 365 to better protect users' inboxes.

FAQs about Improving the Spam Filter on Office 365

Do I need to replace the Office 365 spam filter?

You do not need to replace the Office 365 spam filter to improve your protection against spam, phishing, and malware; you just need to layer an extra level of protection on top with a third-party solution to block more sophisticated spam and phishing emails.

SpamTitan for Office 365 allows you to supplement Office 365’s native email security with award-winning phishing protection from a dedicated security provider. As ransomware and phishing attacks increase, Office 365 has become a primary target, making it vital for IT professionals to take proactive steps with Office 365 email security and “hack-proof” their environments.

Will a spam filter detect compromised email accounts?

A spam filter can detect compromised email accounts if it is configured to scan outbound emails and rules are applied to detect spam, phishing signatures, malware, and attempts to send certain types of data outside the organization. Rule violations should trigger alerts for the security team, who will be able to determine whether an email account is compromised or not.

How does a spam filter block malware and ransomware?

A spam filter blocks malware and ransomware by scanning attachments with antivirus engines (and, where available, a sandbox) and by checking URLs included in, or embedded into, each email against blacklists of known malware and phishing sites. Some filters also support URL rewriting and time-of-click analysis: each link is replaced with one that points at the filter, so the destination can be checked again at the moment the user actually clicks. This protects against links to websites that appear to be safe on delivery but are later weaponized with malware.
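An added example of URL rewriting with time-of-click checking, not SpamTitan's implementation. Links in the body are replaced with a proxy URL that carries the original destination and an HMAC over it; at click time the proxy verifies the HMAC before consulting the (now current) reputation feed, so the click endpoint cannot be abused as an open redirector for links the filter never saw. The proxy host `safelinks.example`, the signing key, the `REPUTATION` table and the message body are constructed for the example.

```python
"""Time-of-click URL rewriting: sign links at delivery, re-check reputation at click.

Constructed example; the key, proxy host and reputation feed are stand-ins.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"rotate-me-this-is-a-demo-key"        # assumption: per-tenant signing key
PROXY = "https://safelinks.example/click"        # assumption: the filter's click endpoint

# Match http(s) URLs but leave trailing sentence punctuation outside the match.
URL_RE = re.compile(r"""https?://[^\s<>"']+?(?=[.,;:)]*(?:\s|$))""")

# Constructed reputation feed; it changes after delivery, which is the whole point.
REPUTATION = {}


def sign(url):
    """URL-safe base64 of HMAC-SHA256 over the original destination."""
    mac = hmac.new(SECRET, url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def rewrite_links(body):
    """Replace every URL in the message body with a signed proxy URL."""
    def repl(m):
        url = m.group(0)
        return f"{PROXY}?{urlencode({'u': url, 'sig': sign(url)})}"
    return URL_RE.sub(repl, body)


def click(proxy_url):
    """What the proxy does on a click: verify the signature, then check reputation now."""
    q = parse_qs(urlparse(proxy_url).query)
    url = q.get("u", [""])[0]
    sig = q.get("sig", [""])[0]
    if not hmac.compare_digest(sig, sign(url)):
        return ("reject", "bad signature: not a link this filter rewrote")
    if REPUTATION.get(urlparse(url).hostname) == "malicious":
        return ("block", url)
    return ("redirect", url)


def demo():
    """Deliver a message while the phishing site is still clean, then weaponize it."""
    body = "Review at https://evil.example/login and https://intranet.example/doc."
    links = URL_RE.findall(rewrite_links(body))
    before = [click(link)[0] for link in links]        # at delivery both look fine
    REPUTATION["evil.example"] = "malicious"           # feed updated after delivery
    after = [click(link)[0] for link in links]         # user clicks later: blocked
    forged = click(f"{PROXY}?u=https://attacker.example/&sig=AAAA")[0]
    return before, after, forged


if __name__ == "__main__":
    print(demo())
```

The signature check is what separates this from a plain redirector: without it, an attacker could mail `safelinks.example/click?u=...` links of their own and borrow the filter's reputation to get past other people's URL checks.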

What does defense in depth mean?

Defense in depth means implementing overlapping security layers to ensure that if one mechanism fails to provide protection, others exist to stop an attack succeeding. A defense in depth approach provides the key elements needed to secure assets: prevention, detection, and response. SpamTitan email security uses a defense in depth approach and incorporates many different detection mechanisms to block email threats.

How much does SpamTitan cost?

The best way to determine how much SpamTitan costs is to use our cost calculator or contact our sales team for a no-obligation quote. SpamTitan pricing is highly competitive, but it is not possible to give a general cost as the price depends on the number of users and the length of the license period.

Why is my business suddenly getting more spam emails?

If your business is suddenly getting more spam emails, it is likely your business email addresses have recently been harvested by a bot and added to a spammer's "mailing list". Even with your mail filter configured to its optimum settings, you can further reduce the volume of spam evading detection by reporting spam emails to Microsoft and/or adding the spammer's IP address to your business's mail blacklist.

What is a sender policy framework?

Sender Policy Framework (SPF) is an email authentication method that lets a receiving mail server check whether the server delivering a message is authorized to send mail for the domain in the sender's address. The domain owner publishes the authorized sending hosts in a DNS TXT record, and the receiving filter compares the connecting IP address against that record. Email filters check SPF to detect spoofing, a threat that involves cybercriminals and spammers sending email messages with a fake sender address.
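An added example of the SPF check a filter performs, not SpamTitan's or Microsoft's code. It evaluates the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with their `+`, `-`, `~` and `?` qualifiers, left to right, against a constructed DNS table (the domains `example.com`, `_spf.mailer.example` and `partner.example` and their records are made up for the example). Mechanisms and modifiers not modelled (`exists`, `ptr`, `redirect=`, macros) are reported as a permanent error rather than silently ignored.

```python
"""Minimal SPF evaluator (subset of RFC 7208) against a constructed DNS table.

Constructed example; records and hosts below are not real.
"""
import ipaddress

# Stand-in for DNS (assumption): TXT, A and MX data for the domains in the example.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example mx -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
        "partner.example": "v=spf1 a ?all",
    },
    "A": {"partner.example": ["192.0.2.10"], "mx1.example.com": ["192.0.2.25"]},
    "MX": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for a sending IP
    and the MAIL FROM domain. Mechanisms are tried left to right; the first match wins."""
    if depth > 10:
        return "permerror"                  # include loop or too many lookups
    record = DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(str(addr) in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            # include matches only if the referenced policy returns pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"              # exists / ptr / redirect= / macros not modelled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # ran off the end with no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.200", "example.com")]:
        print(ip, dom, check_spf(ip, dom))
```

A `fail` (`-all`) is the domain owner telling you to reject; a `softfail` (`~all`) is usually fed into the spam score rather than used to reject outright, and `none` is what a filter sees from domains that never set SPF up, which is why SPF on its own cannot identify every spoofed message.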

How does tagging prevent internal data loss?

Tagging prevents internal data loss when rules are applied to prevent specific types of data leaving the corporate network via email. When the outbound mail filter identifies tagged data in an outbound email, it flags the event to the security team and usually holds the email until it is manually released, or blocked, by the security team.
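An added example of the outbound tagging rule described here and in the data leak protection paragraph above; it is not SpamTitan's code. It tags Social Security numbers (discarding number ranges the SSA never issues, so purchase-order and reference numbers do not trip it) and configured keywords, holds tagged mail that is leaving the organisation, and redacts the matched SSNs in the copy shown to the security team so the alert itself does not leak the data. The keyword list, the internal domain `example.com` and the three messages are constructed for the example.

```python
"""Outbound DLP: tag SSN-like data and watch keywords, then hold or release.

Constructed example; the keyword list, domain and messages are stand-ins.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
KEYWORDS = {"confidential", "patient id"}       # assumption: tenant-configured keyword tags


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def tag_message(body):
    """Return the set of tags that apply to a message body."""
    tags = set()
    if any(is_plausible_ssn(*m.groups()) for m in SSN_RE.finditer(body)):
        tags.add("ssn")
    lowered = body.lower()
    tags.update(f"kw:{k}" for k in KEYWORDS if k in lowered)
    return tags


def redact(body):
    """Mask plausible SSNs for the alert shown to the security team."""
    return SSN_RE.sub(
        lambda m: f"***-**-{m.group(3)}" if is_plausible_ssn(*m.groups()) else m.group(0),
        body,
    )


def outbound_policy(message, internal_domain="example.com"):
    """Hold tagged mail bound for an external recipient; release everything else.

    Returns (action, sorted tags, redacted preview for the alert)."""
    tags = tag_message(message["body"])
    rcpt_domains = {r.split("@", 1)[1].lower() for r in message["to"]}
    external = any(d != internal_domain for d in rcpt_domains)
    action = "hold" if tags and external else "release"
    return action, sorted(tags), redact(message["body"])


def demo():
    """Three constructed outbound messages."""
    msgs = [
        {"to": ["claims@insurer.example"],
         "body": "Patient ID 4471, SSN 219-09-9999, discharged Monday."},
        {"to": ["hr@example.com"],
         "body": "Payroll SSN 219-09-9999 for the new hire."},
        {"to": ["vendor@supplier.example"],
         "body": "PO 000-00-0000 approved; ref 666-12-3456 and 950-10-1000."},
    ]
    return [outbound_policy(m) for m in msgs]


if __name__ == "__main__":
    for action, tags, preview in demo():
        print(action, tags, preview)
```

The second message is released even though it contains an SSN because it stays inside the organisation; whether internal mail should also be held is a policy decision, and the function's `internal_domain` argument is where that would be changed.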

Is it possible to block emails from specific locations?

It is possible to block emails from specific locations either by adding individual IP addresses to the mail blacklist (if, for example, you wanted to block spam emails from an individual source) or by geo-blocking an entire IP range. If you have contacts in the geo-blocked range, you can allow their emails to bypass the block by adding their IP addresses to the mail whitelist, which takes precedence over the blacklist and geo-block.

What is the optimal setting for a mail filter?

The optimal setting for a mail filter varies depending on the requirements of the organization, the roles of individuals within the organization, and individual susceptibility to threats. A finance organization is therefore likely to use a mail filter with more aggressive settings than a sales organization. Similarly, administrators may want to block all but whitelisted emails for individuals with access to sensitive information or who have shown themselves to be a risk to security.