Enhancing Office 365 Spam Filter

The Office 365 spam filter is constantly under scrutiny from cyber security experts.

Although Microsoft regularly introduces new features to improve its spam detection rates, many of these are paid-for features or are only available with an Advanced Threat Protection (ATP) subscription. Others (for example “IP throttling”) cause users more distress than the spam emails the feature is meant to stop.

One of the reasons why the spam filter on Office 365 does not spot spam is that Microsoft spam filters work retrospectively. Only after a customer has labelled a spam email will Microsoft add the IP address to its “real-time block lists” and incorporate the blacklisted IP address in the next software update. With spammers often changing IP addresses, retrospective updating is generally ineffective.

IP throttling was intended to resolve this issue by blocking emails, or giving a low Spam Confidence Level, to emails coming from sources with no “IP reputation”. This resulted in emails from legitimate businesses with new IP addresses being flagged as spam; and, when Microsoft launched a self-service IP Delist Portal to help businesses with new IP addresses get around their lack of IP reputation, it gave spammers the chance to delist their blocked IP addresses as well – exacerbating the problem.

Research carried out by IBM Security shows the extent to which ransomware has been adopted by hackers and is being deployed in email attacks. Between 2016 and 2017 there was a 6,000% increase in emails including ransomware. The increase in attacks has slowed as some threat actors have started to focus on cryptojacking, although the threat from ransomware is still current, with a 2018 report from Europol warning that ransomware is still the main malware danger. Ransomware gangs have used different techniques to attack businesses and many now favor brute force attacks on RDP, but there has been a rise in ransomware attacks via email in 2020, and dangerous malware variants like TrickBot are still primarily spread using email. The TrickBot operators have paired their Trojan with Ryuk ransomware, which is sent as a secondary payload once the TrickBot Trojan has completed its attack.

Greylisting would be an ideal feature to enhance the spam filter on Office 365. It is a process that returns emails to their originating server with a request for the email to be sent again. Most mail servers send the returned email again within minutes. However, hackers’ mail servers – being too busy sending out new spam emails – fail to respond, and the request times out.

Whereas real-time block lists block inbound emails from previously reported sources of spam, the Greylisting process prevents inbound emails from as-yet-unreported sources of spam. Spam filters with a Greylisting feature are therefore better at stopping spam from evading detection and lessen the risk of a business falling victim to a phishing attack, or malware or ransomware download.
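The greylisting decision described above, written out as an added example (not code from the page or from any Microsoft product). It tracks the triplet of client IP, envelope sender and envelope recipient: a first attempt is deferred with a temporary SMTP error, and the same triplet is accepted only once it is retried after a minimum delay but before the pending entry expires. The 5-minute delay, 4-hour window and the constructed sample deliveries are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]          # (client IP, envelope from, envelope to)


@dataclass
class Greylister:
    """Defer unknown sender triplets; accept them once they retry properly.

    Timings are assumptions for this example, not values from any product.
    """
    min_delay: int = 300              # sender must wait at least 5 minutes
    retry_window: int = 4 * 3600      # a pending entry expires after 4 hours
    pending: Dict[Triplet, float] = field(default_factory=dict)  # first seen
    allowed: Dict[Triplet, float] = field(default_factory=dict)  # accepted at

    def check(self, client_ip: str, mail_from: str, rcpt_to: str,
              now: Optional[float] = None) -> str:
        """Return 'accept' or 'defer' for a single delivery attempt."""
        now = time.time() if now is None else now
        key: Triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.allowed:
            return "accept"                       # already proved it retries
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now               # new or stale: start clock
            return "defer"
        if now - first_seen < self.min_delay:
            return "defer"                        # retried too quickly
        del self.pending[key]
        self.allowed[key] = now                   # legitimate MTA behaviour
        return "accept"


# SMTP replies the filter would send for each decision (4xx = temporary).
SMTP_REPLY = {
    "defer": "451 4.7.1 Greylisted, please try again later",
    "accept": "250 2.1.5 Recipient OK",
}


def simulate(attempts: List[Tuple[int, str, str, str]]) -> List[str]:
    """Replay constructed attempts given as (offset seconds, ip, from, to)."""
    g = Greylister()
    base = 1_700_000_000                          # arbitrary epoch for the demo
    return [g.check(ip, frm, to, now=base + t) for t, ip, frm, to in attempts]


# Constructed sample: a real MTA retries after ten minutes; a spam bot never does.
LEGIT = [(0, "203.0.113.5", "billing@example.com", "ap@example.org"),
         (600, "203.0.113.5", "billing@example.com", "ap@example.org")]
SPAM = [(0, "198.51.100.9", "promo@example.net", "ap@example.org")]
```

Production greylisters usually match the client on its /24 network rather than the exact address, because large senders retry from a different host in their outbound pool, and they allow-list senders that have passed once to avoid delaying every new conversation.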

It is not known why Microsoft has not included Greylisting as a feature of the spam filter on Office 365. Verifiable tests have tracked spam filters with a Greylisting feature as having spam detection rates as high as 99.97%. The difference between this spam detection rate and a spam filter with a 99% detection rate can be massive for a business with a significant volume of inbound email.

Most users of Office 365 find the level of spam filtering is nowhere near good enough: many phishing emails are delivered to inboxes, and zero-day malware threats are similarly not prevented. A report from SE Labs suggests Office 365 only offers security in the low-to-middle end of the market, even though Office 365 includes two tiers of protection: Exchange Online Protection and Advanced Threat Protection. Research carried out by Osterman Research suggests that while Office 365 is good at blocking known malware attacks – 100% of known malware is blocked – unknown (zero-day) malware often makes it past Office 365 security features.

Basic attacks and standard spam email are normally blocked by Office 365, but spear phishing threats often make it past Office 365 defenses and are delivered to end users’ inboxes. For this reason, many companies opt to enhance the spam filter on Office 365 with third-party anti-spam software.