What Microsoft's Exchange Online and Defender Do Well, and What They Miss

What Microsoft's Exchange Online and Defender Do Well, and What They Miss

By Matthew Vulpis

There are pros and cons to being the world’s most popular email service provider for businesses. The good news is massive distribution and related profitable revenue. The bad news is being the number one target for cyber attacks. When those attacks are mounted on an unprecedented scale, using more sophisticated and well-funded, fast-moving criminal campaigns, organizations that thought they were fully protected against attacks like phishing can suffer dramatic losses.

After thoroughly analyzing nearly three million emails for its latest report, Check Point Software Technologies research team found that Microsoft Defender missed nearly 19% of phishing emails –a 74% increase in missed attacks compared to the previous period.

Check Point provides cyber security solutions to governments and corporate enterprises globally, protecting customers from 5th generation cyber attacks with what they refer to as “an industry leading catch rate of malware, ransomware, and advanced targeted threats.” The company offers a multilevel security architecture combined with a product architecture designed to protect an enterprise’s cloud, network, and mobile devices and serves over 100,000 organizations of all sizes.

“Findings from our latest report shine the light on the dramatic increase in hacker sophistication with attacks engineered specifically to bypass Microsoft Defender,” said Jeremy Fuchs, Cybersecurity Researcher at Avanan, a Check Point Software Technologies Company. “Hackers, in other words, have stepped up their game faster than Defender can respond. Therefore, we recommend a ‘defense in depth’ strategy for all layers of the security stack and all applications, including email, which has always been the main target.”

Layering an additional level of protection on top of the default, whether Microsoft or Google, is recommended as a best practice for email security, Fuchs explained.

“It is essential as hackers continue to target and find ways to bypass the layers of protection included in the service, especially given the rapid move to the cloud following the pandemic, which forced organizations to move to cloud computing, communications, storage, applications and more, which has also been a double-edged sword,” he said.

 Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against advanced threats to email and collaboration tools, like phishing, business email compromise, and malware attacks, according to the company’s own description, which can be consumed across three pricing plans, depending on each organization’s needs.

Defender for Office 365 provides investigation, hunting, and remediation capabilities designed for security teams, enabling them to identify, prioritize, investigate, and respond to threats, according to Microsoft’s most recent post describing the service.

In a Defender for Office 365 filtering-only scenario, cloud-based email protection for on-premises Exchange Server environments (or any other on-premises SMTP email solution) is available.

Defender for Office 365 can be enabled to protect Exchange Online cloud-hosted mailboxes as well, with basic anti-spam and anti-malware protection built in (using multiple anti-malware engines to scan inbound, outbound, and internal messages for malware), customized anti-spam and anti-malware policies, and quarantine features available to administrators and end-users for self-management.

Hybrid deployments can also be configured with inbound email filtering. Yet, despite the enormous amount of investment Microsoft continues to make in Defender, Check Point’s research team reported a whopping 74 percent increase in phishing emails missed by Defender compared to it’s report from February 2020, where a similar analysis found that only 10.8 percent of phishing emails were missed.

For the 2022 report, Check Point analyzed nearly three million emails scanned by Microsoft Defender during one week across four organizations, ranging from 500 to 20,000 users in major industries and located in all parts of the United States.

“Our unique architecture allows our software to learn from the specific emails Microsoft misses,” Fuchs said. “These are often highly targeted attacks explicitly designed to bypass Microsoft’s protections. Our Email and Collaboration Security (HEC) architecture, based on Avanan technology, sits behind Microsoft. When Microsoft blocks an attack, the attack is blocked, entirely stopped. When it doesn’t, however, HEC sits between it and the inbox, sending our cloud-based platform a final analysis.”

The key is in the Artificial Intelligence (AI) Check Point has developed to be trained on specific, sophisticated, and evasive attacks, a capability Check Point claims is the only security solution that can prevent malicious content from reaching a user’s inbox.

HEC operates inline, meaning the platform scans all emails and attachments before they hit a user’s account. The platform scans for potentially malicious content using AI and Machine Learning algorithms, alerts SOC staff when an issue is found and quarantines the harmful content.

“Defender does an excellent job with malware,” Fuchs said. “We have found that, with unknown malware, Microsoft catches 90%. Microsoft Defender includes URL rewriting, a key feature to prevent time-of-click attacks and, in our analysis, we’ve observed that in the environments sampled, Defender limited the amount of phishing in DMARC spoofing and Business Email Compromise (BEC) among other areas.”

Business Email Compromise (BEC) is one of the fastest-growing and most successful attack vectors because it uses social engineering and doesn’t include any malware or malicious links. BEC often targets senior-level executives asking for urgent favors. Since 2016, BEC-related losses have totaled over $43 billion, according to The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3).

“In our analysis, Microsoft did an excellent job limiting these attacks from reaching the inbox, allowing just two percent to pass,” Fuchs said. “At the same time, in one study analyzing 300 million emails, we found that Microsoft is in the middle of the pack compared to other Secure Email Gateways. Per every 100,000 emails, Microsoft’s catch rate of phishing emails is better than some Secure Email Gateways and worse than others.”

Edited by Erik Linask
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Content Contributor

Related Articles

Wildix Integrates into HubSpot App Marketplace

By: Greg Tavarez    2/23/2024

Wildix announced their official listing in the HubSpot App Marketplace, an ecosystem of valuable third-party integrations.

Read More

1Password Locks Down Anywhere Workforce with Kolide Acquisition

By: Greg Tavarez    2/23/2024

1Password acquired Kolide, known for device health and contextual access management, to strengthen its position in securing the modern, hybrid workfor…

Read More

Partner Confidence and Fast Support: Why MSPs Choose Wildix

By: Greg Tavarez    2/21/2024

At MSP Expo 2024, a meeting with Tim TrueLove in the exhibit hall led to a discussion of what Wildix brings to MSPs.

Read More

MSPs Must Better Educate Clients Against Cyber Threats

By: Greg Tavarez    2/20/2024

Walt Czerminski, partner, Fortium Partners, led a panel discussion at MSP Expo 2024 featuring Ragav Khosla, manager, channel solutions consultants Ame…

Read More

Cybersecurity Preparedness Gaps Remain

By: Stefania Viscusi    2/20/2024

More than half of companies faced significant security incidents in the past year.

Read More