At first glance, Microsoft’s Office 365 suite seems to be pretty…sweet, right? Not only do you get a whole host of productivity apps, cloud storage, and an email service, but you’re also protected from spam with Microsoft’s own email security solutions. No wonder it’s the most widely adopted enterprise email solution available, with a 54% market share and over 155 million active users. You’re probably one of them, too.
But if a cybersecurity company’s writing a blog about Office 365, there’s got to be something more to it, right? Well, yeah. There is. So let’s talk about what exactly the issue is with Office 365’s security options, and why you really need to know about this.
What Microsoft Office 365 Security is Good At
Before we talk about the problems with it, let’s first quickly get this out of the way: Microsoft Office 365 Advanced Threat Protection (what a mouthful) is quite effective at basic email security. It will be able to stop spam emails, malware, and viruses from making their way into you inbox.
This is good enough if you’re only looking for some basic anti-spam protection. But that’s the problem: low-level spam like this usually doesn’t pose the biggest threat. Most email providers offer some form of basic protection by blocking email from suspicious sources. The real threat—the kind that can make your organization lose money, data and brand integrity—are emails carefully engineered so you don’t realize that they’re fake.
This is when you get into serious cybercrime territory.
What Microsoft Office 365 Can’t Protect You From
Microsoft Office 365’s security solution works like an anti-spam filter, using algorithms to determine if an email is similar to other spam or phishing emails. But what happens when you’re hit with a far more sophisticated attack using social engineering, or targeted at a specific employee or group of employees?
These aren’t your run-of-the-mill spam emails sent out to tens of thousands of people at once. Business Email Compromise (BEC) and Vendor Email Compromise (VEC) are examples of how attackers carefully select a target, learn more information about their organization by spying on their emails, and at a strategic point, send a fake invoice or request via email, asking for money to be transferred or data to be shared.
This tactic, broadly known as spear phishing, makes it appear that email is coming from someone within your own organization, or a trusted partner or vendor. Even under careful inspection, these emails can look very realistic and are nearly impossible to detect, even for seasoned cybersecurity experts.
If an attacker pretends to be your boss or the CEO of your organization and sends you an email, it’s unlikely that you’ll check to see if the email looks genuine or not. This is exactly what makes BEC and CEO fraud so dangerous. Office 365 will not be able to protect you against this sort of attack because these are ostensibly coming from a real person, and the algorithms will not consider it to be a spam email.
How Can You Secure Office 365 Against BEC and Spear Phishing?
Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email security protocol that uses information provided by the domain owner to protect receivers from spoofed email. When you implement DMARC on your organization’s domain, receiving servers will check each and every email coming from your domain against the DNS records you published.
But if Office 365 ATP couldn’t prevent targeted spoofing attacks, how does DMARC do it?
Well, DMARC functions very differently than an anti-spam filter. While spam filters check incoming email entering your inbox, DMARC authenticates outgoing email sent by your organization’s domain. What this means is that if someone is trying to impersonate your organization and send you phishing emails, as long as you’re DMARC-enforced, those emails will be dumped in the spam folder or blocked entirely.
And get this — it also means that if a cybercriminal was using your trusted brand to send phishing emails, even your customers wouldn’t have to deal with them, either. DMARC actually helps protect your business, too.
But there’s more: Office 365 doesn’t actually give your organization any visibility on a phishing attack, it just blocks spam email. But if you want to properly secure your domain, you need to know exactly who or what is trying to impersonate your brand, and take immediate action. DMARC provides this data, including the IP addresses of abusive sending sources, as well as the number of emails they send. PowerDMARC takes this to the next level with advanced DMARC analytics right on your dashboard.