Introduction to Email Threats & Defense

How to protect your email on Office 365.

There’s a constant threat to your organization. Email is one of the most common ways hackers attempt to breach your organization’s security. Over half of the messages received are spam, phishing campaigns, and malicious. Staying up-to-date with the latest email related threats isn’t an easy task. It’s virtually every company uses third-party email hosting with built-in spam protection or opts for third-party spam protection in front of on-premise servers. Like its competitors, Office 365 comes with built-in protection for your environment, Microsoft’s Information Protection team is staying up-to-date and evolving the email security of Office 365 to protect Microsoft customers from threats. The default configuration isn’t always enough to keep your organization secure and compliant.

Why is Spam Still a Problem?

Source: ICSI

Despite years of combating spam, the campaigns are still relentless. To understand why there’s so much spam we have to ask, How successful is a spam campaign? Since spammers typically work in the shadows it’s a difficult question to answer. Fortunately, the International Computer Science Institute (ICSI) performed an interesting and surprising study. The ICSI hijacked an existing botnet to determine how successful these campaigns truly are. By redirecting the botnet to a fake pharmacy website and throwing an error instead of completing a purchase the ICSI was able to provide insight into the spam plague that has troubled us for so long.

By emailing 200 million email addresses the fake pharmacy site led to over 10,000 people visiting the site with 28 purchases. This would have led to almost $9500 a day in sales.

What’s Phishing?

“Phishing is a cybercrime in which a target or targets are contacted by email by someone posing as a legitimate institution to lure individuals into providing sensitive data such as credit card details and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.” — phishing.org

30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link. — verizon.com

How a Phishing Attack Affected U.S. Elections

In September of 2015, the FBI contacted the Democratic National Committee (DNC) to inform them that at least one of their computers has been compromised and sending information to Russian based computers. Six months later a campaign chairman receives a phishing email masked as a fake alert stating another user attempted to breach his account and he needs to change his password. The DNC chairman clicks the link that directs his browser to a fake website where he types in his password giving Russian hackers access to his account.

The average cost of a phishing attack for a mid-sized company is $1.6 million.

On July 22, 2016, WikiLeaks posts emails that were stolen through the phishing attack. For weeks, the emails consumed the media. No one can say for certain how much the phishing attack affected the election but the damage was done.

What is Malware?

Malware is any form of malicious code that is often distributed via email. It can be distributed using a direct attachment, stored in a Word or PDF document, or can be downloaded once a person clicks a link in an email.

The 1st Email Virus

In January 1999, a new threat emerged. Codenamed Happy99, it was one of the first known viruses spread through email. The malicious code would attach itself as an email attachment and send an email with fireworks saying Happy New Year. Unknown to the user, the code would install itself on the computer and begin spreading again.

Unlike today, the Happy99 virus wouldn’t do anything other than send itself to the next computer. Today, malicious code is used to steal identities, financial information, and other private corporate information.

How is Spam Detected in Office 365?

Office 365 uses a multi-layered spam protection system. Every email is scanned using a number of different algorithms to detect and block unwanted messages.

Content Filters

Source: Microsoft

Content filters are used to detect words and phrases that are known to be related to spam. It’s a constant struggle because content continues to change. Microsoft handles the content filtering behind the scenes but you can create a transport rule in EOP to add words and phrases your company would like to block.

See the section “Custom Content Filtering in Office 365” below to customize your tenant.

Connection Filters

Screenshot of EAC Connection FIltering Customizations

Connection filters block emails from known bad IP addresses. Spammers will typically use botnets and hijack legitimate companies to send spam. Microsoft will detect an IP address that has an infected device and immediately blocks the bad email from your organization. Once the issue is resolved by the sender, Microsoft will remove the IP address from the block lists and allow email to reach the destination. Additionally, your organization can add IP addresses to a block list or allow list from the EAC.

See the section “Custom Connection Filtering” below to customize your tenant.

Domain Filtering

A domain is the second part of your email address, everything after the @ symbol. For example, the domain of [email protected] is gitbit.org.

Domain filtering is a broad term used to determine the authenticity of the email senders. If a particular domain continues to send unwanted or malicious emails, the entire domain may be blocked. Microsoft uses a number of complex algorithms to determine the validity of a domain.

For example, many spammers will create a new domain and immediately start sending spam and malicious code. Since most organizations are established and have had an email system for years, Office 365 is more likely to block an email from a new domain.

At the same time, using ‘fuzzy-match’ technology Microsoft will review the sender’s domain for suspicious activity. If someone sends an email from micros0ft.com (a zero replaces the O) it will be blocked.

See the section “How to Whitelist and Blacklist Senders as Spam” below to customize your tenant.

SPF / Spoofing Protection

Technically, SPF filtering could be part of the domain or connection filtering based on how it works. In short, a hacker can send an email from their computer and set the from address to another. While the email will appear legitimate it can be sent from another location.

To put this in real-world terms, imagine receiving a letter with your mom’s name and address in the return address field. You would immediately assume the letter originated from your mom but in reality, anyone could have sent the letter.

An organization can and should configure an SPF record from each domain they own. For example, if I send email from the IP address 1.1.1.1 using my gitbit.org domain I should create a TXT record to inform the world that 1.1.1.1 is the only IP address that is allowed to send gitbit.org email.

// Example SPF record
v=spf1 ip4:1.1.1.1/32

Office 365 automatically reviews SPF records of anyone that sends you an email to keep your organization safe. You’ll need to configure the SPF record for your organization when migrating to Office 365 to help protect your outbound email as well. Microsoft will verify your SPF record after you add it to the Office 365 tenant.

I haven’t added a section on how to set up your SPF record. Microsoft provides some assistance to their customers but I recommend asking a professional if you haven’t managed SPF records before.

Reputation Filtering

Bulk emails are a bit different than spam. A bulk email is typically a newsletter or an offer from organizations that you know. They usually appear in your inbox after signing up for a new website.

Source: Microsoft Channel 9

Some users want bulk email while others don’t. Microsoft uses a feedback loop to know when to block bulk emails. If Microsoft receives a certain amount of complaints they will start to block a bulk message.

See the section “Spam and Bulk Actions” and “Adjusting the Reputation Filter” below to customize the reputation filtering for your organization.

Malware / Attachment Filtering

Screenshot of EOP’s Malware Policies

Malware filtering is fairly straightforward. Microsoft will scan and block emails that contain known malware or suspicious code.

“Using multiple anti-malware engines, EOP offers multilayered protection that’s designed to catch all known malware. Messages transported through the service are scanned for malware (viruses and spyware). If malware is detected, the message is deleted.” — Microsoft

You can customize the attachment filter by blocking and allowing certain types of attachments. For example, most organizations don’t need VBS files so you may want to add it to your blocked attachment list. Microsoft does block the most dangerous attachments from your organization out of the box.

See the section “Protecting Office 365 from Malicious Attachments” below to customize the reputation filtering for your organization.

Defending an Organization from Email Threats

Microsoft has designed Office 365 to support all verticals and organizations. Since every organization’s requirements are different, Microsoft has provided a number of customization options to help you tailor your tenant to your specific needs. Most of these customizations are configurable using the Exchange Admin Center (EAC).

Accessing the Exchange Admin Center

Most of the customizations are provided through the Exchange Admin Center (EAC). Only administrators will be able to find and change options so be sure the account you use to log in is an admin in your Office 365 tenant.

1. Go to https://outlook.office365.com/ecp
2. Login with your admin credentials.

Customizing Office 365 SPAM Filtering

Customizing the SPAM filtering can be done from EAC > protection > spam filter.

Screenshot of Office 365 Exchange Admin Center spam filter

Typically, there is only one policy used across the organization called default. Double-clicking the policy will open the spam filter options window.

The spam settings cover a number of options included reputation filtering, block/allow email or domain, and other advanced options.

Spam and Bulk Actions

The second tab in the spam filter options window gives the most common and broad setting adjustments. These settings are used to customize the reputation filtering for your organization.

screenshot of Office 365’s spam and bulk actions

What should happen to spam/bulk email?

The first section gives you options on how to handle spam. Microsoft classifies a message as good, spam, and high confidence spam (meaning Microsoft is quite sure it’s spam). By default, spam/bulk email will appear in a users junk folder.

Another common option is to move the messages to the quarantine. Quarantined messages won’t be delivered to the user’s mailbox. Instead, they’ll be moved to a special place only accessible by administrators. Currently, the quarantine is located in EAC > protection > quarantine. An administrator will need to release an email from the quarantine prior to the user seeing the message in their mailbox.

Adjusting the Reputation Filter

Some organizations prefer more bulk emails to arrive in the junk email folder while other organizations would prefer bulk email to arrive in the inbox. Microsoft uses a rating system of 1–9. Nine meaning Microsoft is confident it’s unwanted bulk email while one means it’s probably a good email.

Screen to adjust Office 365’s spam confidence level

You can adjust the bulk email rating for your organization to meet your needs.

How to Whitelist and Blacklist Senders as Spam

The next two tabs (block lists, and allow lists) allow you to define your organizations black and white lists.

Whitelisting an email address or domain will allow all mail from the sender through the spam filter. Microsoft refers to the whitelist as Allow List. If you are having difficulty receiving emails from a person or partner that you trust you can add their email addresses or domains to the allow list.

Blacklisting an email address or domain will block all mail from the sender through the spam filter. Microsoft refers to the blacklist as Block List. If you’re receiving a lot of spam from a particular company or person you can add them to the block lists.

In the screenshot below I’ve marked all email from [email protected] as spam. Any other email from contoso.com users will travel through the standard spam filtering policy. I’ve also marked all email from the gmail.com domain as spam. The gmail.com policy will mark any email that comes from someone using Gmail as spam.

screenshot of Office 365 block lists

A lot of CRM systems, forms, and third-party tools will have emails caught in the spam filters. To make sure people receive the emails to their inbox you should add them to the allow list.

In the screenshot below I’ve added [email protected] to the allow list. This will verify all of my email forms from [email protected] go directly to a person’s inbox even if Microsoft thinks the email is spam. I’ve also added fabrikam.com to my allow list as a domain. Fabrikam is a fictitious organization I partner with so I’ve verified any emails that come from this domain will arrive at my users’ inbox.

Protecting Office 365 from Phishing Attacks

Phishing attacks are one of the most dangerous and difficult attacks to protect your organization. The best way to protect your organization from phishing attacks is by training and testing your users.

Below is a quick list of things your users should know to help protect against phishing attacks:

• Don’t trust the Display Name in the sender information. Review the email address.
• Check the from address carefully. Verify the letter o isn’t replaced with zeros, etc.
• Don’t trust an email because it has your name or other personal information on it. A lot of information is available through social media and online that may be used to give you false confidence.
• Hover over links to verify the link is going to the correct URL.
• When in doubt, don’t click a link. Instead, go directly to the company’s website and log in.
• Ask the IT department to verify the email prior to taking any action.

Protecting Office 365 from Malicious Attachments

Out of the box, Microsoft will scan and block emails with attachments that fail a virus check. You can add extensions that you want to block to help keep your organization secure.

For example, “.VBS” files are Visual Basic Script files that can be used to pass malicious code through email. Since most organizations will never receive a good VBS file through email it’s a safe bet to block them from entering your organization.

Customizing the attachment filtering can be done from the EAC > protection > malware filter. Double click the Default policy to view your options.

Screenshot of Office 365 Exchange Admin Center malware filter

From the settings tab, you can enable Common Attachment Types Filter which will block dangerous file types. Once turned on you can add and remove file types to customize the malware filter for your organization.

screenshot of Office 365’s Common Attachment Types Filter

Custom Content Filtering in Office 365

Content filtering is difficult to customize. It’s easy for spammers to change the wording or your IT staff may get too aggressive and block good messages.

“Viagra” can typically be blocked in most organizations and it’s common for spammers to send emails about Viagra.

To block content we can create a transport rule: EAC > mail flow > rules > plus sign (+) > Create a new rule…

Create a rule with the following settings:

• Name: Block Content (or anything you want)
• Apply this rule if…: The subject or body includes.
• Add the word viagra to the list of words.
• Do the following… Delete the message without notifying anyone.
• Save your new rule.

Transport rules can take up to an hour to take effect.

If you click More options… you’ll have a number of other options. After clicking more options you can update the Do the following… selection with Reject the message with the explanation. Doing so will provide the sender with a detailed error so they know to remove the word.

Custom Connection Filtering

Connection filtering is fairly straightforward. You can allow or block IP addresses through your SPAM filter.

To access the connection filtering go to EAC > protection > connection filter > double-click Default.

Office 365 Connection Filtering

From the connection filtering tab, you add the IP address or range to the filters.

Microsoft also provides the ability to enable or disable the “safe list”. The safe list is a range of IP addresses that Microsoft knows are used by safe senders.

Any changes may take up to an hour to take effect.

There are more options that I haven’t covered. If you’d like to more about a particular feature please let me know in the comments.

Thanks,