What Microsoft's Exchange Online and Defender Do Well, and What They Miss

By Matthew Vulpis

There are pros and cons to being the world’s most popular email service provider for businesses. The good news is massive distribution and related profitable revenue. The bad news is being the number one target for cyber attacks. When those attacks are mounted on an unprecedented scale, using more sophisticated and well-funded, fast-moving criminal campaigns, organizations that thought they were fully protected against attacks like phishing can suffer dramatic losses.

After thoroughly analyzing nearly three million emails for its latest report, Check Point Software Technologies' research team found that Microsoft Defender missed nearly 19% of phishing emails, a 74% increase in missed attacks compared to the previous period.

Check Point provides cyber security solutions to governments and corporate enterprises globally, protecting customers from 5th generation cyber attacks with what they refer to as “an industry leading catch rate of malware, ransomware, and advanced targeted threats.” The company offers a multilevel security architecture combined with a product architecture designed to protect an enterprise’s cloud, network, and mobile devices and serves over 100,000 organizations of all sizes.

“Findings from our latest report shine the light on the dramatic increase in hacker sophistication with attacks engineered specifically to bypass Microsoft Defender,” said Jeremy Fuchs, Cybersecurity Researcher at Avanan, a Check Point Software Technologies Company. “Hackers, in other words, have stepped up their game faster than Defender can respond. Therefore, we recommend a ‘defense in depth’ strategy for all layers of the security stack and all applications, including email, which has always been the main target.”

Layering an additional level of protection on top of the default, whether Microsoft or Google, is recommended as a best practice for email security, Fuchs explained.

“It is essential as hackers continue to target and find ways to bypass the layers of protection included in the service, especially given the rapid move to the cloud following the pandemic, which forced organizations to move to cloud computing, communications, storage, applications and more, which has also been a double-edged sword,” he said.

Microsoft Defender for Office 365 is, in the company's own description, a cloud-based email filtering service that helps protect an organization against advanced threats to email and collaboration tools, such as phishing, business email compromise, and malware attacks. It is sold in three pricing plans, depending on each organization's needs.

Defender for Office 365 provides investigation, hunting, and remediation capabilities designed for security teams, enabling them to identify, prioritize, investigate, and respond to threats, according to Microsoft’s most recent post describing the service.

In a Defender for Office 365 filtering-only scenario, cloud-based email protection for on-premises Exchange Server environments (or any other on-premises SMTP email solution) is available.

Defender for Office 365 can be enabled to protect Exchange Online cloud-hosted mailboxes as well, with basic anti-spam and anti-malware protection built in (using multiple anti-malware engines to scan inbound, outbound, and internal messages for malware), customized anti-spam and anti-malware policies, and quarantine features available to administrators and end-users for self-management.

Hybrid deployments can also be configured with inbound email filtering. Yet, despite the enormous investment Microsoft continues to make in Defender, Check Point's research team reported a 74 percent increase in phishing emails missed by Defender compared to its report from February 2020, where a similar analysis found that only 10.8 percent of phishing emails were missed.

For the 2022 report, Check Point analyzed nearly three million emails scanned by Microsoft Defender during one week across four organizations, ranging from 500 to 20,000 users in major industries and located in all parts of the United States.

“Our unique architecture allows our software to learn from the specific emails Microsoft misses,” Fuchs said. “These are often highly targeted attacks explicitly designed to bypass Microsoft’s protections. Our Email and Collaboration Security (HEC) architecture, based on Avanan technology, sits behind Microsoft. When Microsoft blocks an attack, the attack is blocked, entirely stopped. When it doesn’t, however, HEC sits between it and the inbox, sending our cloud-based platform a final analysis.”

The key is the Artificial Intelligence (AI) Check Point has developed, trained on specific, sophisticated, and evasive attacks, which the company claims makes it the only security solution able to prevent such malicious content from reaching a user's inbox.

HEC operates inline, meaning the platform scans all emails and attachments before they hit a user’s account. The platform scans for potentially malicious content using AI and Machine Learning algorithms, alerts SOC staff when an issue is found and quarantines the harmful content.

“Defender does an excellent job with malware,” Fuchs said. “We have found that, with unknown malware, Microsoft catches 90%. Microsoft Defender includes URL rewriting, a key feature to prevent time-of-click attacks and, in our analysis, we’ve observed that in the environments sampled, Defender limited the amount of phishing in DMARC spoofing and Business Email Compromise (BEC) among other areas.”

Business Email Compromise (BEC) is one of the fastest-growing and most successful attack vectors because it relies on social engineering and does not include any malware or malicious links. BEC often targets senior-level executives with requests for urgent favors. Since 2016, BEC-related losses have totaled over $43 billion, according to the Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3).

“In our analysis, Microsoft did an excellent job limiting these attacks from reaching the inbox, allowing just two percent to pass,” Fuchs said. “At the same time, in one study analyzing 300 million emails, we found that Microsoft is in the middle of the pack compared to other Secure Email Gateways. Per every 100,000 emails, Microsoft’s catch rate of phishing emails is better than some Secure Email Gateways and worse than others.”

Edited by Erik Linask