There are ways in which the effectiveness of an Office 365 spam filter can be improved.
The Office 365 spam filter is a key element of Exchange Online Protection (EOP) – a suite of tools that protects organizations against spam, malware, phishing, and spoofing. Microsoft claims its spam filter captures more than 99% of junk mail and detects more than five billion threats each month. These are very impressive statistics when they are taken out of context.
When you put the statistics into context, they don't look so good. It has been estimated that around 120 billion spam emails are sent each day (as of January 2021). Although Microsoft won't reveal how many mailboxes are protected by Microsoft 365 spam filters, it is known by industry experts that 43% of phishing attempts are sent to Microsoft accounts.
If we assume that 43% of 120 billion spam emails are also sent to Microsoft accounts, and the spam filter in Office 365 captures 99% of them, this implies more than 50 million spam emails avoid detection – every day. Not all of these 50 million spam emails will harbor malware or seek to obtain login credentials, but it only takes an interaction with one of them for there to be potentially disastrous consequences.
How Microsoft 365 Email Spam Filtering Works
Microsoft 365 email spam filtering works by comparing inbound mail against IP block lists of known sources of spam and by using proprietary machine learning technologies to identify junk mail that does not yet appear on an IP block list. Emails and their attachments are subsequently scanned for malware, and emails from senders that are not authenticated or whitelisted are reviewed for compliance with an organization's anti-phishing and anti-spoofing policies.
Organizations can enhance the way in which Office 365 email spam filtering works by subscribing to a plan that includes Defender for Office 365. This service – which is also available as a premium add-on for less comprehensive plans – can be configured to check attachments for malware and verify embedded URLs in sandboxed environments. Defender for Office 365 also rewrites URLs embedded into the content of emails to provide time-of-click URL verification.
Although the tools in both Exchange Online Protection and Defender for Office 365 can improve the effectiveness of a Microsoft 365 email spam filter, the degree of effectiveness is subject to how the filter is configured. For example, Microsoft 365 spam filters have to be configured with spam confidence levels (per user, department, etc.) and policies that stipulate what actions should be taken when a spam email or threat is identified, and how the intended recipient should be notified.
The management overhead of the Microsoft 365 spam filter can be significant – especially in hybrid environments where EOP protects on-premises Exchange mailboxes. In this scenario, organizations have to configure two sets of transport rules for on-premises Exchange mailboxes to recognize EOP spam headers. If errors are made in any configuration process, it can substantially impact the Microsoft 365 spam filter detection rate or result in legitimate emails being sent to junk folders.
Did You Know?
- 99.99%: SpamTitan's spam catch rate
- 11 Seconds: a ransomware attack occurs
- $285: the average cost to manage spam per person without an email filter
- 56.50%: of all email is spam
What Microsoft 365 Spam Filtering is Lacking
Office 365 has many built-in security features; however, for organizations accustomed to dedicated security solutions with advanced filtering and advanced reporting, Microsoft's default security offering is likely to fall short.
One noticeable absentee from the range of Microsoft 365 spam filtering tools is greylisting. Greylisting is a front-end operation in which emails from all non-whitelisted senders are automatically returned to their originating mail servers with a request for the email to be sent again. Spammers' mail servers are typically too busy to respond to the request before it times out, and therefore the spam email is never returned – and never enters the organization's mail server.
Greylisting fills the gap in the Microsoft 365 spam filtering process between IP block lists of known sources of spam and machine learning technologies to identify junk mail that does not yet appear on an IP block list. While greylisting wouldn't increase the spam detection rate (because unreturned emails cannot be identified as junk mail), it would reduce the pressure on busy Microsoft 365 email spam filters and accelerate the delivery of legitimate emails.
In theory, greylisting should also reduce the management overhead of configuring the spam filter for Microsoft 365 because fewer spam emails and emails harboring threats will be entering the mail server. Consequently, an organization should not need to apply a lower spam confidence score to (for example) sales department emails to prevent sales leads being identified as junk. The same spam confidence scores can be applied universally throughout the organization.
Therefore, the best way to improve the effectiveness of a Microsoft 365 spam filter is to place it behind a second spam filter with greylisting capabilities. The secondary spam filter can run all the front-end operations such as greylisting, IP block checks, invalid recipient checks, and Sender Policy Framework checks; and – depending on its capabilities – continue with the back-end checks such as scanning emails for malware and compliance with anti-phishing and anti-spoofing policies.
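The greylisting front end described above, as an added example (not SpamTitan's or Microsoft's code): in SMTP terms the "request to send again" is a temporary 4xx reply, and a message is accepted only when the same sender retries after a short delay. The class name, timer values, the /24 grouping of sending hosts, and the sample traffic are assumptions made for illustration.

```python
import ipaddress

class Greylister:
    """Greylisting keyed on the (client network, MAIL FROM, RCPT TO) triplet."""
    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=36 * 86400, whitelist=()):
        self.min_delay = min_delay        # seconds a new triplet must wait before a retry counts
        self.retry_window = retry_window  # a retry later than this is treated as a first attempt
        self.pass_ttl = pass_ttl          # how long a triplet that passed stays trusted
        self.whitelist = {d.lower() for d in whitelist}
        self.first_seen = {}              # triplet -> time of first deferred attempt
        self.passed = {}                  # triplet -> time of last accepted delivery

    @staticmethod
    def _key(client_ip, mail_from, rcpt_to):
        # Large senders retry from different hosts in a pool, so key on the /24 (or /64 for IPv6).
        prefix = 24 if ipaddress.ip_address(client_ip).version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        # Returns the SMTP reply to give at RCPT TO time; whitelisted domains skip greylisting.
        if mail_from.rpartition("@")[2].lower() in self.whitelist:
            return "250 2.1.5 OK (whitelisted sender)"
        key = self._key(client_ip, mail_from, rcpt_to)
        if now - self.passed.get(key, float("-inf")) <= self.pass_ttl:
            self.passed[key] = now
            return "250 2.1.5 OK (known triplet)"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now    # first sighting, or the old entry expired
            return "451 4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, retry too soon"
        del self.first_seen[key]
        self.passed[key] = now
        return "250 2.1.5 OK (retry accepted)"

# Constructed sample traffic: (time in seconds, client IP, MAIL FROM, RCPT TO).
SAMPLE = [
    (0,   "192.0.2.10",   "alice@example.org",       "bob@example.com"),  # new triplet
    (5,   "198.51.100.7", "promo@example.net",       "bob@example.com"),  # sender that never retries
    (60,  "192.0.2.10",   "alice@example.org",       "bob@example.com"),  # retry before min_delay
    (70,  "203.0.113.5",  "billing@partner.example", "bob@example.com"),  # whitelisted domain
    (900, "192.0.2.11",   "alice@example.org",       "bob@example.com"),  # retry from same /24 pool
    (950, "192.0.2.10",   "alice@example.org",       "bob@example.com"),  # triplet already passed
]

def replay(events, **kwargs):
    g = Greylister(**kwargs)
    return [g.check(ip, frm, to, t)[:3] for t, ip, frm, to in events]
```

Calling `replay(SAMPLE, whitelist={"partner.example"})` returns one reply code per event; the sender that never retries is only ever deferred, so its message never reaches the content filters.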
What Makes the Best Spam Filter for Microsoft 365?
The best spam filter for Microsoft 365 will be one with greylisting capabilities that is easy to use – although if it is capable of the same back-end checks as the Microsoft 365 email spam filter and supports integration with Microsoft Active Directory, so much the better. In this case, system administrators will only have to configure one set of policies for the secondary, easier-to-use spam filter and keep the default settings of the Microsoft 365 email spam filter as they are.
An even better scenario would be if the secondary spam filter had some of the capabilities included in Defender for Office 365 such as the ability to check attachments for malware and verify embedded URLs in sandboxed environments. This would mean the cost of the secondary spam filter service would be covered by not having to pay for a premium add-on. A secondary spam filter with AD integration would also ensure email continuity in the event of a Microsoft 365 outage.
Ultimately, the best spam filter for Microsoft 365 is the one which ticks all the boxes for your organization without the need to reinvent the wheel, implement complex software, or retrain staff. For this reason, SpamTitan could be your best option. SpamTitan has been a leading choice for improving the effectiveness of Microsoft spam filters for almost twenty years and is trusted by more than 12,000 customers for their email security.
How SpamTitan Improves the Effectiveness of Microsoft 365 Spam Filters
SpamTitan improves the effectiveness of Microsoft 365 spam filters by providing organizations with a choice of easy-to-deploy and easy-to-use spam filtering options – SpamTitan Cloud and SpamTitan Gateway for organizations that would prefer their email filtering service to be on-premises. Both options have greylisting capabilities and similar features to Microsoft 365 spam filters:
- Once returned from the greylisting operation, emails are checked against six real time blacklists to identify any from known sources of spam, malware, phishing, and spoofing.
- Content filters developed using Bayesian analysis, heuristics, and machine learning detect new sources of malware, phishing, and spoofing.
- Further checks for malware are conducted by BitDefender and ClamAV anti-virus engines with sandboxing available at no extra charge.
- Granular filtering rules and policies for both inbound and outbound mail enable organizations to protect users against internal and external threats.
- Multiple web authentication settings including directory synchronization with Active Directory.
- Extensive reporting suite, compatible with all operating systems, and unlimited scalability.
SpamTitan's ease of use significantly reduces the potential for misconfigurations and potentially disastrous consequences; and, if you would like to know more about how SpamTitan improves the effectiveness of Microsoft 365 spam filters, do not hesitate to contact us. Our team will be happy to answer your questions and will invite you to take advantage of a free trial of the SpamTitan solution most suitable for your requirements (i.e., SpamTitan Cloud or SpamTitan Gateway).
Our free trial gives you the opportunity to evaluate our Microsoft 365 email spam filter in your own environment so you can experience the effectiveness of greylisting. At the end of the free trial, there is no obligation on you to continue using our service; but should you choose to do so, we offer a competitive range of subscription options based on the number of mailboxes SpamTitan will protect, your preferred deployment option, and the frequency of payment.
Frequently Asked Questions (FAQs)
How does the Microsoft 365 spam filter use machine learning algorithms to improve its effectiveness over time?
The Microsoft 365 spam filter uses machine learning algorithms to continuously enhance its spam detection capabilities. These algorithms are designed to analyze vast amounts of email data, including content, sender information, and user behavior, to identify patterns and characteristics associated with spam messages. By learning from user feedback and data across millions of email accounts, the machine learning models adapt and improve their accuracy in distinguishing between legitimate emails and spam.
Can administrators customize the sensitivity level of the spam filter in Microsoft 365?
Administrators can customize the sensitivity level of the spam filter in Microsoft 365 for all users, for groups of users, or for individual users. The sensitivity settings allow administrators to fine-tune the aggressiveness of the spam filter to match specific needs and preferences. Higher sensitivity settings will lead to a more robust filtering approach, while lower sensitivity settings might allow some spam emails to pass through, but could also reduce the likelihood of legitimate emails being mistakenly marked as spam (false positives).
What are the advanced threat protection mechanisms utilized by the Microsoft 365 spam filter to identify and block malicious email content?
The advanced threat protection mechanisms utilized by the Microsoft 365 spam filter to identify and block malicious email content include a comprehensive threat intelligence database that contains information about known spammers, suspicious IP addresses, and domains. Additionally, the Microsoft 365 spam filter uses machine learning algorithms to analyze links and attachments in incoming emails, searching for signs of malware, phishing attempts, or other malicious content.
How can you prevent false positives where legitimate emails are mistakenly marked as spam?
You can prevent false positives in two ways. The first is to whitelist trusted sources so emails from these sources bypass the filtering mechanisms. The second is to mark any legitimate email incorrectly flagged as spam using the “Not Junk” button. This will help the Microsoft 365 spam filter learn from its mistake and improve its accuracy – reducing the likelihood of future false positives.
What best practices are recommended by Microsoft for optimizing the spam filter settings?
Best practices recommended by Microsoft for optimizing the spam filter settings include reviewing quarantine and junk email reports to ensure legitimate emails are not incorrectly classified as spam, using EOP policies to apply customized filtering rules, activating the built-in anti-phishing features, and educating users about reporting false positives and suspicious emails that evade detection.