Shoring up email security in Office 365 and Google

Danny Bradbury

Putting your email in the cloud has its advantages. Administrators like not having to pay for email servers, and can also avoid the software licenses that they may otherwise have to pay for enterprise-class email management software. Office 365 and Gmail have both provided users with relatively inexpensive and easy-to-deploy cloud-based email services but business email security has not always been their strong point.

What is Office 365 email security like? Google enhanced its email security with technology from Postini, which it purchased in 2007. Microsoft initially handled all of its email data protection via Forefront Online Protection for Exchange (FOPE), a service that developed out of its Sybari acquisition in 2005. FOPE was discontinued, and replaced by Exchange Online Protection (EOP). That service improved on FOPE, but still has some significant shortcomings.

For example, EOP uses signature-only scanning to detect spam and malware, meaning that email phishing scams can still get through Office 365 security. Some users estimate that 3-4 suspicious emails make it through to their inboxes every week. For a company with thousands of users, many of whom will happily click on attractive-looking links, any spam that attracts a click is a disaster.

Another issue for IT administrators using Office 365 cloud email lies on the outbound side: the inability to recall emails. It has email encryption capability, meaning that readership of emails can be restricted only to those people within the same user domain or with one-time passwords. What you can’t do with Office 365 email security is to recall emails sent to an individual in error. Gmail, at least, now offers recalls within a restricted time window.

There are other shortcomings in EOP, including an inability to ‘sandbox’ email attachments, which would enable them to be tested for malicious activity before being made available to the user. Mature email management systems would also enable real-time dynamic link following, so that malicious links could not only be blocked before they impacted the user, but could also be rechecked whenever an email was accessed, thus protecting a company from attackers that use link forwarders to alter the destination of a link after the fact.

Microsoft has taken steps to fix some of the security issues in Exchange Online, the service that underpins Office 365 cloud email. In particular, it finally gave users the chance to view quarantined emails in 2014. This feature – which many would consider a basic feature in any email security system - had been lacking before.

In mid-2015, Microsoft also bought out an enhancement to Office 365 email security, which it calls Advanced Threat Protection. This provides a ‘safe attachments’ feature that sandboxes attached files, checking them in a bid to provide users with secure email attachments, and also follows links in real time. This will provide an additional level of protection against email security threats for some users, but not all; education, government community cloud (GCC), and nonprofit customers are still unable to access this feature, and Microsoft has given no deployment timeframe for those groups.

Those firms who are eligible for ATP must pay an extra $2 per user to deploy it. This fee will effectively elevate the email security in Office 365 to a basic level of maturity for those customers, but it still doesn’t give them access to some useful tools which should ideally be available in any advanced solution. These include greylisting, a service that asks a sender’s email server to resend a message. RFC-compliant servers will comply, and resend. Spammers’ servers rarely do, because resending to the millions of addresses they normally target eats into their profits.

While cloud providers have made some advances in email security, companies still need a second layer of defense when securing emails sent via these services. Taking the money that you’d pay for Exchange ATP and using it for a more comprehensive third party security add-on may be a better use of your budget.