Last month we wrote about the recent Zero-Hour Auto Purge (ZAP) update, which improved spam and phishing filtering and protection. Microsoft are again trying to improve their Office 365 platform which, even when properly configured, allows a great many email-borne cyber security threats through to user mailboxes.
By default, Office 365 includes built-in features that help protect users from phishing attacks. Admins can set up anti-phishing policies to increase this protection, for example by refining settings to better detect and prevent spoofing attacks. The default policy, which applies to all users within an organisation, is a single view where you can fine-tune anti-phishing protection. Custom policies can also be created and configured for specific users, groups or domains, but it's all very manual and not "out of the box" straightforward like other cyber security email filtering platforms, such as industry standard players Mimecast, Email Laundry, Sophos and Barracuda, to name just a few.
Following last year's roll-out of email warnings to admins when forwarding rules have been set up on mailboxes, intended to prevent spoofing and cyber fraud, Microsoft have stepped up further with better detection of spam and phishing. They have automatically improved spam and filtering policies, with high confidence phishing email now included by default in the spam filter policy so that "almost certain" phishing emails are moved straight to quarantine, just like with the ZAP update mentioned above.
Microsoft do provide more in-depth protection through Anti-Phishing ATP (Advanced Threat Protection) which, through manually created policies, applies machine learning together with impersonation detection algorithms to incoming messages to provide protection against standard and spear phishing attacks. For more information visit https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection
This new default feature, being rolled out at the moment by Microsoft, is a method to prevent phishing messages from reaching user mailboxes on Outlook.com and Outlook on the web by verifying that the email sender is who they say they are and marking suspicious messages as junk email.
When a message is marked as a phishing scam, Outlook.com and Outlook on the web will display a warning at the top of the page to help users identify a threat. This helps not only with cyber security awareness but also as a preventative step against cyber fraud, ransomware and spear phishing. Note that any links in the message can still be opened.
Examples of the unverified sender anti-spam warning banners in Outlook on the Web
Outlook.com and Outlook on the web show visual indicators when the sender of a message either can’t be identified or their identity is different from what you see in the “From” address. When Outlook.com and Outlook on the web can’t verify the identity of the sender using email authentication methods, a ‘?’ will be displayed in the sender photo.
Frequently, the address a message was actually sent from is different from what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are. When Outlook detects a difference between the sender's actual address and the address in the From field, it shows the actual sender using the via tag, which will be underlined to help you identify the email as a potential warning.
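The two indicators described above can be approximated from a message's headers. The following is an added example, not Microsoft's code or Outlook's actual algorithm: it assumes the receiving server has stamped an `Authentication-Results` header, treats a message with no passing SPF or DKIM result as the "?" case, and treats one authenticated under a different domain as the "via" case. The function names, sample domains and messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

def parse_auth_results(value):
    """Turn an Authentication-Results value into {method: (result, {prop: val})}."""
    value = re.sub(r"\([^)]*\)", "", str(value or ""))   # drop (comments)
    out = {}
    for clause in value.split(";")[1:]:                   # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = (result.lower(), props)
    return out

def aligned(a, b):
    """Relaxed match: same domain or one is a subdomain of the other (no PSL lookup)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def sender_indicator(raw):
    """Return ('verified' | 'via' | 'unverified', authenticated domain or None)."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    res = parse_auth_results(msg["Authentication-Results"])
    passed = []                                           # domains that authenticated
    dkim, dkim_props = res.get("dkim", ("none", {}))
    if dkim == "pass" and "header.d" in dkim_props:
        passed.append(dkim_props["header.d"].lower())
    spf, spf_props = res.get("spf", ("none", {}))
    if spf == "pass" and "smtp.mailfrom" in spf_props:
        passed.append(spf_props["smtp.mailfrom"].rpartition("@")[2].lower())
    if not passed:
        return ("unverified", None)                       # nothing verified: '?' case
    if any(aligned(d, from_dom) for d in passed):
        return ("verified", from_dom)
    return ("via", passed[0])                             # verified as another domain

def _msg(auth):  # builds a constructed sample message, not real traffic
    return (f"Authentication-Results: mx.example.net; {auth}\n"
            "From: Alice <alice@contoso.example>\nSubject: Invoice\n\nbody\n")

SAMPLES = {
    "direct": _msg("spf=pass smtp.mailfrom=contoso.example; dkim=pass header.d=contoso.example"),
    "bulk": _msg("spf=pass smtp.mailfrom=bounce.mailer.example; dkim=pass header.d=mailer.example"),
    "spoof": _msg("spf=fail (not permitted) smtp.mailfrom=contoso.example; dkim=none"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_indicator(raw))
```

Only trust an `Authentication-Results` header added by your own receiving server; copies of that header arriving from outside can be forged.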
These anti-spoofing and anti-phishing protections and visual indicators are enabled through a default-enabled "AntiPhish" policy in the Office 365 Security & Compliance centre for all email subscriptions, starting with Exchange Online. Within the Security & Compliance centre is an array of other information governance, anti-spam and anti-phishing frameworks and configurable policies, as well as the Quarantine section, where messages identified as spam or phishing can be deleted or released to end-user mailboxes.
Of course there will be false positives, and not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognise the sender. If a sender you recognise normally doesn't have a '?' in the sender image but you suddenly start seeing it, that could be an indication the sender has been spoofed. So vigilance and management of these unverified sender emails is key to the protection of your Office 365 emails and the prevention of cyber crime and cyber security incidents in your business.