What Microsoft's Exchange Online and Defender Do Well, and What They Miss

By Matthew Vulpis

There are pros and cons to being the world’s most popular email service provider for businesses. The good news is massive distribution and the profitable revenue that comes with it. The bad news is being the number one target for cyber attacks. When those attacks are mounted on an unprecedented scale by sophisticated, well-funded and fast-moving criminal campaigns, organizations that thought they were fully protected against attacks like phishing can suffer dramatic losses.

After thoroughly analyzing nearly three million emails for its latest report, Check Point Software Technologies’ research team found that Microsoft Defender missed nearly 19% of phishing emails, a 74% increase in missed attacks compared to the previous period.

Check Point provides cyber security solutions to governments and corporate enterprises globally, protecting customers from fifth-generation cyber attacks with what it refers to as “an industry leading catch rate of malware, ransomware, and advanced targeted threats.” The company offers a multilevel security architecture combined with a product architecture designed to protect an enterprise’s cloud, network, and mobile devices, and serves over 100,000 organizations of all sizes.

“Findings from our latest report shine the light on the dramatic increase in hacker sophistication with attacks engineered specifically to bypass Microsoft Defender,” said Jeremy Fuchs, Cybersecurity Researcher at Avanan, a Check Point Software Technologies Company. “Hackers, in other words, have stepped up their game faster than Defender can respond. Therefore, we recommend a ‘defense in depth’ strategy for all layers of the security stack and all applications, including email, which has always been the main target.”

Layering an additional level of protection on top of the default, whether Microsoft or Google, is recommended as a best practice for email security, Fuchs explained.

“It is essential as hackers continue to target and find ways to bypass the layers of protection included in the service, especially given the rapid move to the cloud following the pandemic, which forced organizations to move to cloud computing, communications, storage, applications and more, which has also been a double-edged sword,” he said.

Microsoft Defender for Office 365, according to the company’s own description, is a cloud-based email filtering service that helps protect an organization against advanced threats to email and collaboration tools, such as phishing, business email compromise, and malware attacks. It is available in three pricing plans, depending on each organization’s needs.

Defender for Office 365 provides investigation, hunting, and remediation capabilities designed for security teams, enabling them to identify, prioritize, investigate, and respond to threats, according to Microsoft’s most recent post describing the service.

In a filtering-only scenario, Defender for Office 365 provides cloud-based email protection for on-premises Exchange Server environments (or any other on-premises SMTP email solution).

Defender for Office 365 can also be enabled to protect Exchange Online cloud-hosted mailboxes. It includes built-in anti-spam and anti-malware protection (using multiple anti-malware engines to scan inbound, outbound, and internal messages for malware), customizable anti-spam and anti-malware policies, and quarantine features that administrators and end users can manage themselves.

Hybrid deployments can also be configured with inbound email filtering. Yet, despite the enormous investment Microsoft continues to make in Defender, Check Point’s research team reported a whopping 74 percent increase in phishing emails missed by Defender compared to its report from February 2020, where a similar analysis found that only 10.8 percent of phishing emails were missed.

For the 2022 report, Check Point analyzed nearly three million emails scanned by Microsoft Defender during one week across four organizations, ranging from 500 to 20,000 users in major industries and located in all parts of the United States.

“Our unique architecture allows our software to learn from the specific emails Microsoft misses,” Fuchs said. “These are often highly targeted attacks explicitly designed to bypass Microsoft’s protections. Our Email and Collaboration Security (HEC) architecture, based on Avanan technology, sits behind Microsoft. When Microsoft blocks an attack, the attack is blocked, entirely stopped. When it doesn’t, however, HEC sits between it and the inbox, sending our cloud-based platform a final analysis.”

The key is the Artificial Intelligence (AI) Check Point has developed, which is trained on specific, sophisticated, and evasive attacks; Check Point claims this makes it the only security solution that can prevent such malicious content from reaching a user’s inbox.

HEC operates inline, meaning the platform scans all emails and attachments before they reach a user’s account. The platform scans for potentially malicious content using AI and machine learning algorithms, alerts SOC staff when an issue is found, and quarantines the harmful content.

“Defender does an excellent job with malware,” Fuchs said. “We have found that, with unknown malware, Microsoft catches 90%. Microsoft Defender includes URL rewriting, a key feature to prevent time-of-click attacks and, in our analysis, we’ve observed that in the environments sampled, Defender limited the amount of phishing in DMARC spoofing and Business Email Compromise (BEC) among other areas.”

Business Email Compromise (BEC) is one of the fastest-growing and most successful attack vectors because it uses social engineering and doesn’t include any malware or malicious links. BEC often targets senior-level executives asking for urgent favors. Since 2016, BEC-related losses have totaled over $43 billion, according to The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3).

“In our analysis, Microsoft did an excellent job limiting these attacks from reaching the inbox, allowing just two percent to pass,” Fuchs said. “At the same time, in one study analyzing 300 million emails, we found that Microsoft is in the middle of the pack compared to other Secure Email Gateways. Per every 100,000 emails, Microsoft’s catch rate of phishing emails is better than some Secure Email Gateways and worse than others.”

Edited by Erik Linask