Improving the Spam Filter on Office 365

The spam filter on Office 365 comes in for quite a bit of criticism. Although Microsoft regularly introduces new features to improve its spam detection rates, many of these are paid-for features or only available as part of an Advanced Threat Protection (ATP) subscription. Others (for example “IP throttling”) cause users more distress than the spam emails the feature is meant to prevent.

One of the reasons why the spam filter on Office 365 fails to detect spam is that Microsoft spam filters work retrospectively. Only after a customer has reported a spam email will Microsoft add the IP address to its “real-time block lists” and include the blacklisted IP address in the next software update. With spammers frequently changing IP addresses, retrospective updating is generally ineffective.

IP throttling was supposed to resolve this issue by blocking emails or giving a low Spam Confidence score to emails originating from sources with no “IP reputation”. This resulted in emails from legitimate businesses with new IP addresses being flagged as spam; and, when Microsoft launched a self-service IP Delist Portal to help businesses with new IP addresses get around their lack of IP reputation, it gave spammers the opportunity to delist their blocked IP addresses as well – exacerbating the problem.

Email Attacks are Increasing and Office 365 Users are Being Targeted

Research conducted by IBM Security shows the extent to which ransomware has been adopted by cybercriminals and is being used in email attacks. Between 2016 and 2017 there was a 6,000% increase in emails containing ransomware. The increase in attacks has slowed as some threat actors have started to concentrate on cryptojacking, although the threat from ransomware is still very real, with a 2018 report from Europol warning that ransomware is still the main malware threat. Ransomware gangs have adopted different techniques to attack businesses and many now favor brute force attacks on RDP, but there has been an increase in ransomware attacks via email in 2020 and dangerous malware variants such as TrickBot are still primarily spread via email. The TrickBot operators have paired their Trojan with Ryuk ransomware, which is delivered as a secondary payload once the TrickBot Trojan has achieved its aims.

Many users of Office 365 find the level of spam filtering is nowhere near good enough and many phishing emails are delivered to inboxes, while zero-day malware threats are similarly not blocked. A report from SE Labs suggests Office 365 only offers protection in the low-middle end of the market, even though Office 365 includes two layers of protection: Exchange Online Protection and Advanced Threat Protection. Research conducted by Osterman Research suggests that while Office 365 is good at blocking known malware threats – 100% of known malware is blocked – unknown (zero-day) malware often makes it past Office 365 defenses.

Basic threats and standard spam email are usually blocked by Office 365, but spear phishing threats often make it past Office 365 defenses and are delivered to end users’ inboxes. For this reason, many businesses choose to improve the spam filter on Office 365 with third-party antispam software.

Greylisting Could Improve the Spam Filter on Office 365

Greylisting would be an ideal feature to improve the spam filter on Office 365. It is a process that returns emails to their originating server with a request for the email to be resent. Most mail servers resend the returned email within minutes. However, spammers’ mail servers – being too busy sending out new spam emails – fail to respond and the request times out.

Whereas real-time block lists block inbound emails from previously reported sources of spam, the Greylisting process eliminates inbound emails from as-yet-unreported sources of spam. Spam filters with a Greylisting feature are therefore more effective at preventing spam from evading detection and reduce the risk of a business falling victim to a phishing attack, or malware or ransomware download.

It is not known why Microsoft has declined to include Greylisting as a feature of the spam filter on Office 365. Verifiable tests have recorded spam filters with a Greylisting feature as having spam detection rates as high as 99.97%. The difference between this spam detection rate and a spam filter with a 99% detection rate can be substantial for a business with a significant volume of inbound email.

Advanced Features of SpamTitan Complement the Office 365 Spam Filter

Greylisting has some issues of its own. Because of the way in which the process works, the receipt of business-critical emails can be delayed if they originate from genuine sources with a large mail output. We acknowledge this can happen, and consequently – as well as including Greylisting as an optional feature in our SpamTitan email filters – we also include a whitelisting feature to allow business-critical emails from trusted sources to bypass the front-end spam detection mechanisms. This ensures that mission-critical emails are not delayed, while the benefits of greylisting are not lost.
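
The greylisting flow described above, together with the whitelist bypass, sketched as an added Python example (it is not SpamTitan's code and not part of the original article). The class name, the 300-second delay, the four-hour retry window, the /24 grouping, the reply text and the sample addresses are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"  # illustrative SMTP temp-fail reply
ACCEPT = "250 OK"

@dataclass
class Greylist:  # hypothetical class, not a real product API
    min_delay: int = 300          # assumed: seconds a first-seen sender must wait before retrying
    retry_window: int = 4 * 3600  # assumed: a later retry counts as a new first attempt
    whitelist: list = field(default_factory=list)   # trusted networks that skip greylisting
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that have already retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return ACCEPT  # business-critical sender: no delay at all
        # Group by network so a large sender retrying from a neighbouring host still matches.
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        key = (str(net), mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now
            return TEMPFAIL  # first contact: ask the sending server to resend
        if now - first < self.min_delay:
            return TEMPFAIL  # retried too quickly
        self.passed.add(key)
        return ACCEPT

# Constructed sample attempts: (time in seconds, client IP, MAIL FROM, RCPT TO)
SAMPLE = [
    (0,   "198.51.100.7", "billing@supplier.example", "ap@corp.example"),
    (5,   "203.0.113.9",  "promo@bulk.example",       "ap@corp.example"),  # never retries
    (10,  "192.0.2.25",   "orders@partner.example",   "ap@corp.example"),  # whitelisted
    (60,  "198.51.100.7", "billing@supplier.example", "ap@corp.example"),
    (400, "198.51.100.8", "billing@supplier.example", "ap@corp.example"),  # neighbouring host
    (900, "198.51.100.7", "billing@supplier.example", "ap@corp.example"),
]

def demo():
    gl = Greylist(whitelist=[ipaddress.ip_network("192.0.2.0/24")])
    return [gl.check(ip, frm, to, t) for t, ip, frm, to in SAMPLE]

if __name__ == "__main__":
    for attempt, reply in zip(SAMPLE, demo()):
        print(attempt[0], attempt[1], "->", reply)
```

A sender that does retry after the delay is accepted, so this mechanism only filters sources that never resend.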

SpamTitan's email filter has SURBL filtering and malicious URL detection mechanisms to minimize the likelihood that a phishing email evades detection, and dual anti-virus software engines to inspect the content of email attachments for malware and ransomware. SpamTitan also includes sandboxing for detecting zero-day malware threats. If the front-end checks are passed, and the dual antivirus engines do not detect malicious attachments, the attachments are sent to the sandbox for in-depth analysis. This feature is vital for detecting zero-day malware that has not had a signature uploaded to the virus definition lists used by the AV engines.

These mechanisms complement the default mechanisms found on an Office 365 spam filter (Recipient Verification Protocols, Sender Policy Frameworks, Content Filter Agents) to maximize spam detection while minimizing false positives.

SpamTitan also incorporates pattern learning to identify zero-day threats – attacks that have not previously been seen. Predictive techniques such as Bayesian analysis, heuristics, and machine learning are capable of anticipating new attack methods and blocking threats to prevent them from reaching inboxes.

SpamTitan also includes data leak protection technology, allowing sensitive information such as Social Security numbers to be tagged. Tags can also be added for specific keywords. This is an important additional control to protect against internal data loss – a problem prevalent in the healthcare industry in the United States. Such controls are only present in advanced spam filtering solutions such as SpamTitan.

Other features of our email filters to complement the spam filter on Office 365 include:

  • Quick deployment as a gateway or cloud-based solution.
  • Easy synchronization with Active Directory and LDAP.
  • Administered via a web-based portal. No agents required.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Greylist, whitelist or blacklist senders/IP addresses.
  • SpamTitan Cloud is highly scalable and universally compatible.

How SpamTitan Filters Out Spam and Malicious Emails

To significantly enhance Office 365 security it is necessary to adopt a defense-in-depth approach. The security settings of Office 365 can be tweaked, but this can be a complicated process and even if the optimal settings are found, the level of protection is often found to be inferior to a third-party Office 365 spam filtering solution.

SpamTitan is an advanced email filtering solution that works seamlessly with Office 365 to improve spam detection rates and block more threats.  SpamTitan uses predictive techniques to block new malware variants, spear phishing, and zero-day attacks to prevent these threats from being delivered to end users’ inboxes.

How SpamTitan Spam Filtering Works

Office365 and SpamTitan Comparison

Office 365 incorporates security features to block spam and phishing emails and those features have improved in recent years; however, Office 365 still lacks many important features that are necessary for detecting increasingly sophisticated malware and ransomware variants and phishing attempts.  SpamTitan uses SURBL filtering, Bayesian analysis, heuristics, machine learning, and malicious URL detection mechanisms on each incoming email. The result is superior protection from all email threats. SpamTitan also scans outbound email to protect against data leaks and detect mailboxes being used for nefarious purposes by insiders and cybercriminals that have compromised mailboxes using stolen credentials.

Comparison of Office365 and SpamTitan

Complement the Office 365 Spam Filter with SpamTitan

If, despite Microsoft's best efforts, you are unhappy with the volume of spam emails being delivered to your inboxes, you are invited to take advantage of a free trial of SpamTitan. Our free trial gives you the opportunity to try our email filters with the greylisting process both activated and deactivated so you can monitor the impact this feature has on the detection of spam emails and message delays.

To find out more about this opportunity, do not hesitate to get in touch. Our team of Sales Technicians will be happy to answer any questions you have about improving the spam filter on Office 365 with our software, will discuss which deployment option is best suited to your specific circumstances and will guide you through the registration and implementation process to start your free trial of SpamTitan.

Should you find SpamTitan substantially reduces the amount of spam email your business receives and you wish to continue using our service after your free trial has ended, we offer a range of competitive subscription options depending on the number of mailboxes you wish to protect from phishing, malware and ransomware. Contact us today to find out more.

Improving the Spam Filter on Office 365 FAQ

Do I need to replace the Office 365 spam filter?

The default Office 365 spam filter provides basic protection against spam, phishing, and malware, but more sophisticated spam and phishing emails are unlikely to be blocked. To improve protection, you do not need to replace the Office 365 spam filter; you just need to layer an extra level of protection on top with a third-party solution.

Will a spam filter detect compromised email accounts?

Spam filters are primarily concerned with blocking incoming spam and malicious emails. A spam filter with outbound scanning will detect compromised email accounts by scanning outbound emails for spam and phishing signatures, malware, and attempts to send certain types of data outside the organization. Any rule violations will trigger alerts for the security team.

How does a spam filter block malware and ransomware?

At the heart of a spam filter is an antivirus engine that scans all inbound attachments for signatures of known malware. Multiple antivirus engines will provide greater protection from known malware threats. Sandboxing is used to subject suspicious email attachments to in-depth analysis to identify new malware threats.

What does defense in depth mean?

No single cybersecurity solution will provide total protection against all threats. Defense in depth means implementing overlapping security layers to ensure that if one mechanism fails to provide protection, others exist to stop an attack succeeding. SpamTitan email security uses a defense in depth approach and incorporates many different detection mechanisms to block email threats.

How much does SpamTitan cost?

SpamTitan pricing is highly competitive, but it is not possible to give a general cost as the price depends on the number of users and the length of the license period. The best way to determine how much SpamTitan will cost your organization is to use our cost calculator or contact the sales team for a no-obligation quote.