Why email is safer in Office 365 than on your Exchange server

Running your own email servers doesn’t do anything to differentiate your business from the competition (except in a bad way, if you get hacked). But avoiding the effort of managing and monitoring your own mail server isn’t the only advantage of a cloud service. The scale of a cloud mail provider like Office 365 means that malware and phishing attacks are easier to spot — and the protections extend beyond your inbox.

Email protection isn’t just about blocking spam anymore. It’s about blocking malicious messages aimed at infecting computers and stealing credentials. Traditional antivirus scanning isn’t the solution either, because attachments aren’t just executable files you can recognize with a signature. Often, scammers use JavaScript and macros (including PowerShell) to trigger a secondary download with the malicious payload. And embedded links often go to legitimate but compromised sites, so you also can’t rely on site reputation.

Even as malicious messaging is evolving, attacks are increasing. According to security firm Proofpoint, the largest malicious email campaign in Q4 of 2016 was almost seven times larger than the largest campaign from Q3 of that year. And corporate email continues to bear the brunt of the attacks (Google recently noted that attackers send four times more malware and six times more phishing attacks to corporate inboxes than to personal email addresses.) Of the 80 billion messages sent to Office 365 inboxes in a month; 55 billion are spam and bulk emails and over 20 million contain malware or phishing messages that could cause a data breach.

Even with training, relying on users to spot phishing emails is problematic. In a Microsoft Ingnite presentation, Jason Rogers and Phil Newman, both Office 365 program managers, noted that targeted messages in particular are often so plausible that users report spearphishing messages that have been correctly blocked by Office 365 as false positives.

Can cloud email give you better protection? Yes, says Rudra Mitra, partner director for information protection on the Office 365 team. “On premise, you’re one enterprise battling these security issues by yourself; your network is a perimeter and you try to see what comes in.” That might be difficult with the scarcity of security talent, Mitra notes. But the real advantage of cloud email is just how much information Microsoft can gather to detect attacks, using the scale of Office 365 and other Microsoft services.

“We bring millions of organizations into the cloud so the view we get into attacks is aggregated over those millions of organizations,” says Mitra. “You start with the patterns, the newest ways of attacking that show up, whether that’s generally or just for the U.S. or the U.K., or specifically in the financial sector…. The malware one organization may be receiving is clear to us, as is whether they are the only organization getting it or it’s showing up across the service in different geographies and sectors. The view you have of the threat landscape dramatically increases, and that intelligence and inference flows back into our security products.”

That information powers new security features in Office 365 aimed at helping you see exactly what threats you’re facing, as well as offering you more tools to protect yourself.

Some of those protections are only in the Office 365 Advanced Threat Protection (ATP) service (which is included in the E5 tenant and available as an add-on subscription for other Office 365 tenants and — for some features — is even available for on-premises Exchange servers, for $2 per user per month).

Attachments and links

Email sent to Office 365 inboxes already goes through several stages of detection and protection. Messages from IP addresses with a poor reputation or that match known delivery patterns for malicious messages will be blocked before they ever get into Office 365, and antivirus scanning (using three different antivirus engines) removes what Microsoft calculates is around 80 percent of malware in emails, although fast-changing malware variants can get through that stage.

In addition, Office 365 lets admins block specific executables and script files they know hackers are using to target their organization, and reputation blocking looks for those problematic files across the service. Microsoft also picks messages with a suspicious pattern of delivery and executes their attachments in a ‘detonation chamber,’ a sandbox with a set of hypervisors, each with a slightly different configuration, all instrumented to detect the behavior of the attachment.

It doesn’t matter if the file is marked as being a document, says Mitra. “If it’s .TXT but it has a macro, it’s going to execute in the detonation chamber.” The detonation chamber can also cope with nested files. “We do recursive checks. If you have an email with an attachment that has an attachment that has an attachment that has a payload — we catch that.”

If the file writes to the registry when it runs, tries to encrypt the hard drive, pulls down information from the network, reaches out to a botnet command and control server or performs tests to see if it’s running in a sandbox (like checking whether the IP address of the machine it’s running on is one allocated to a Microsoft data center), it’s likely to be malware.

Because those patterns of behavior change, Microsoft uses a machine learning system to determine whether a file is just suspicious or is malicious. That machine learning system can even factor in details about your specific tenant (without sharing that information with anyone else). For example, if you’re an engineering firm and you start to get messages that don’t seem to be malicious but are otherwise similar to malicious emails sent to other engineering businesses, they might contain malware that hasn’t yet been identified.

Zero day or zero hour

ATP adds more protections. It already includes Safe Links for URL checking and Safe Attachments, which, as of January 2017 puts every attachment (of any file type) on every email message you receive through the same detonation chamber.

The aim is to catch zero-day attacks with brand new malware, even in mail that doesn’t look suspicious.

Safe Links looks at the reputation of any URL in an email when you click on it, rather than when the mail first arrives. That’s important because attackers can change where the URL takes you after the message has been delivered; it might redirect to an innocent site when the mail system first receives it, but to an infected site by the time you get around to reading the message.

The reputation of a newly infected site also takes time to change, so Safe Links also looks at the reputation of the sender and whether the message matches the ‘fingerprints’ of known malicious emails. And if the link goes to a document or executable file rather than a web page, that gets downloaded to the sandbox and executed in the detonation chamber. “We follow nested links, we crawl the destination,” says Mitra

If a message isn’t immediately detected as being malicious but the mail delivery pattern or the attachment behavior is later found to be malicious, Office 365 can retroactively ‘undeliver’ that message. “That’s something the cloud can do that’s almost impossible on premise,” Mitra points out. “If something is missed, we’ll pick it up a few minutes later and we can do a Zero-hour Auto-Purge (ZAP) — internally, we call it time travel. You can only do that if you have the combination of the intelligence you’ve picked up, the integration with the mailbox to pluck it out and the customer breadth to see small blips at the global scale.” (ZAP is one of the options that only works for inboxes on Office 365.)

If you don’t have ATP (perhaps because you don’t feel your business is the target of enough attacks to need it), you’ll still get extra protection in Office 365 thanks to the customers who do subscribe to that service. “We don’t reserve that understanding that this is malware to ATP; as soon as those detonations are happening and we understand that a particular piece of content  or mail is starting to look like malware, we turn that into protection for all our customers right away. If we stop targeted malware, we don’t leave it at that; we push that through our cloud so that any customer, whether they have ATP or they’re just a traditional mailflow customer, is getting the benefit of our targeted understanding of malware. We can find things happening at very small scale through the cloud and use that to feed the flywheel so all our customers are getting intelligent protection.”

Now in real time

Safe Links and Safe Attachments are both admin options you can turn on in Office 365, because they do change the email experience for users. Detonating attachments takes time (it can delay an email by about five minutes) and Safe Links wraps all URLs in a link that redirects them through Microsoft’s Safe Link server, users you to look carefully at the URL that is displayed when you hover over the link to see where it actually goes — something many IT departments have tried to train users to do before they click.

In practice, you will rarely see the Safe Links server in action, but if the reputation check takes longer than usual they’ll see an interstitial page notifying them the link is being scanned. If the site’s reputation says it’s malicious, they see a page telling them it’s blocked. You can choose whether users can load the page anyway, or track which users are clicking through.

To avoid delays while attachments are being scanned, Dynamic Delivery (currently in public preview for Office 365 customers) lets you read and reply to a mail before the scan is finished — instead of the attachment you get a placeholder telling you it’s being scanned, which is then replaced by the real file once it passes the scan.

These protections are also being extended beyond email; SharePoint does the same Safe Attachment scanning for uploads, and Word, Excel and PowerPoint will soon be getting Safe Links protection for links you include in documents (without the URL looking any different). And the upcoming Threat Intelligence service will let you ‘close the loop’ with other areas of IT, says Mitra. “With Threat Intelligence, you can see the IPs that are zero-day originators. You can take that IP list and plug it into filtering solutions that you have for other services, or into your cloud access security broker (CASB) or use it for filtering some on-premise infrastructure. Once you know these IPs, you can update your gateways for other systems so you don’t let content in from that IP address. Or you can plug them into your security investigation and forensics tools and ask did anyone get in?”

Threat Intelligence gives you ‘a more holistic view’ suggests Mitra. “It used to be that what was happening in email didn’t connect to what was happening in your browser or your proxy server.” Office 365 draws on Microsoft’s Intelligent Security Graph, which combines information from Windows Defender with attacks on Azure and consumer services like Xbox Live, and many other sources of information.

“We’re giving you visibility of what’s happening to your mailbox, what’s happening at a tenant level and what’s happening as a result of the security settings you’ve chosen, and providing that as intelligence back to the IT admin.”

Threat Intelligence also gives you a broader view of the threat landscape outside your organization. “You can see over time the IP addresses that are targeting your tenant. You can also see the IP addresses targeting your sector in general.  At the same time, you can see what’s going on in malware in your organization and generally, for the whole month, so you can see whether it’s on the increase or decrease. You get the close-up view, but you can step back and see the trends.” (If you haven’t noted your industry sector in your tenant profile, Office 365 will use clues like what Data Leak Protection rules you’ve set up to check information isn’t being leaked through email.)

“We can enrich that over time, so the IT admin or security professional who is used to looking at the security landscape on premises can move up the stack, up the food chain and get smarter about the type of attacks going on generally. That means you can think about ‘what user education should I do? do I need more protection?’ If you’re a financial business and you know that attacks on financial organizations come from these regions of the world, you can educate folks that if you’re travelling there, you should be careful.”

Admins can also look at the specifics of user behavior. “You can get a 30-day view for just one person. Are you as a person more susceptible to malware than the rest of your colleagues? Maybe that means more education or enrolling that mailbox for ATP, because if you’re getting more malware, you should get more protection.”

Security you can live with

In the future, Office 365 will move towards more personalized security, although Mitra notes that it’s important to balance security with productivity. “More personalized security, more intelligent security around content and documents is the only way to maintain security control but not give up productivity.”

“There’s so much content in Office 365 that if we use the intelligence that powers Threat Intelligence, things become very interesting …. [I]f there’s a mail flow that’s classified by data loss prevention (DLP) as having high business impact because it has high security risks — if there are credit card numbers going out of my company or requests for credit card numbers coming in — then I want security alerts. If one person is getting lots of different emails with credit card numbers in or asking for credit card numbers or for signoff on credit card numbers, maybe I’ll decided to turn on multifactor authentication (MFA), or maybe I’ll think about making sure the finance team has more locked down devices for their endpoints.”

Those patterns could look at behavior beyond email. “Imagine a user has been getting more targeted attacks … and then they log into a SharePoint site that’s classified as high business impact and they look at a document that they haven’t accessed before that has interesting content … that’s a great signal,” says Mitra.

The data classification tools in Azure Information Protection can do some of that document labeling for you automatically by policy, and Mitra says “very soon you’ll see that model being natively part of the Office clients.” Over time, Office 365 might also suggest content to protect. “We might say ‘other organizations are seeing this type of content as having high business impact.’ If you haven’t classified it or set it as sensitive content to be encrypted on download, we’ll suggest doing that.”

Another new service currently in preview, Office 365 Advanced Data Governance, could help you find the important data while winnowing out redundant and obsolete information. “These signals could broadly inform what content you should keep in the cloud or maybe not keep over time at all, as part of a policy to manage your overall data security surface and your overall surface area of risk.”

Using that intelligence could decrease the cost of data management, Mitra suggests, but it also makes your data more valuable. “The first order value of cloud services is that they can give quick and tangible savings; the second order benefit is the intelligence, understanding and knowledge that comes from it.”