Microsoft has now focused on trying to make Microsoft 365 (previously Office365) impenetrable to security attacks. So, why do they keep missing new waves of phishing attacks?
The great suite of Office productivity products, together with their other coupled applications, including Microsoft Exchange - the standard Email Server for a large majority of users - made Office extremely popular. Precisely because Exchange is so prevalent and so wrapped up in the Microsoft universe of interoperability, Exchange became the most popular target for email phishing attacks as well as the number 1 source for spammers that find it very easy to set up (or steal) user accounts to deliver massive amounts of Spam, Phishing and Malware.
MS Exchange Online Protection (EOP) system is the Email security system for Microsoft 365 but companies can purchase an add-on called Advanced Threat Protection (ATP).
Microsoft protects around 180 million corporate mailboxes of a vast and diverse Microsoft 365 user base and, In order to continue making it a success, Microsoft had to ensure universal access and ease of use, as well as distinct plans in order to up-sell their products to the users and companies willing to pay more to get more. For these reasons, Microsoft Exchange (Office365) comes with limited features and configuration options for security and control over usage. Their (correct) claim is that top security ("Advanced Threat Protection") should come at a price, as it is tailored for high-end customers but not simple enough to be used on all their user base, which must settle with the the one-size-fits-all Office365' Exchange, an Email System focused on usability, and with just enough Online Protection to catch a great portion of Spam and Malware..
MS365 / O365 can't be tailored to every organization
Determining if sent content is malicious has a statistical angle to it. There are countless apparent cases of phishing attacks, but there are also some grey examples. Therefore, the default Exchange Online Protection has to prefer the risk of missing an attack over blocking a legitimate message (false negative>false positive). This approach is needed to secure the masses, but it also points out that threat protection can't be fully tailored to every organization.
Unclear reporting and forensics functionality
Securing the masses also requires that Microsoft keeps configurations at a minimum, as most of their operators will not be security experts. Therefore, Visibility and control in the Microsoft EOP interface are limited, making it difficult to deep-dive into a specific incident, find the root cause, discover the impacted users, figure out if the user account is compromised or if data is lost, etc. Additionally, ATP limits reporting based on time constraints.
One of the major problems is the fact that by subscribing to an Office account, an attacker will have resolved their IP reputation issues, as well as figuring out how to circumvent its security.
ATP holds good functionalities and is increasingly advancing in its quality. However, and because it was introduced just five years ago, Some features and functionality are missing, if compared to solutions from reliable security companies.
The necessity of an additional email security
Unlike what was expected, once Microsoft added a security component to their Office365 Exchange, (now Microsoft 365) the Email Security Gateway market (of Cybersecurity solutions just for filtering and control emails standing between the internet and the Email server) kept growing! It became true that EOP was sufficient for a certain segment of businesses, but soon companies realized they should be considering the gaps in this system, upgrading their email security and control - for example, known malware recognition, audited quarantine management, support for external threat intelligence, and content disarm and reconstruction - which were only filled by dedicated, separated Email Sec Gateways.
The reason why Microsoft suffers from so many phishing attacks has nothing to do with any particular system failure, but more to do with its widespread adoption.
Reliable solutions that can meet current as well as future concerns and that work as an additional and separated layer of security should be considered by advanced organizations .
Source: Anubis Networks