Nearly every organization utilizing Microsoft 365 for their email service is eventually faced with a question: are Exchange Online Protection and the tools available within Microsoft enough to prevent spam, phishing, and other unwanted emails from reaching user mailboxes?
While there are a few tools available to organizations and MSPs within Microsoft 365 that can help protect user mailboxes, the most commonly known option is Exchange Online Protection (EOP). A feature that was once a paid add-on for most licensing levels offered by Microsoft, EOP is now included across all license types within the annual or monthly subscription price.
EOP has come a long way since its inception. Initially focused on filtering out spam and bulk email, it is now designed to use a variety of detection techniques to identify phishing and spear phishing emails as well as emails containing malicious payloads intending to deliver malware. This is largely accomplished through multi-scanning and anti-virus scanning with Microsoft undoubtedly drawing largely upon the corpus of data available from its worldwide email traffic and corporate end users reporting of false positives and false negatives.
If organizations do begin to ask themselves or their MSP if Exchance Online Protection is doing enough, it usually stems from these unwanted threats and spam too frequently reaching users.
Give credit where credit is due: Microsoft’s detection rates have improved over time. But their struggles with more targeted, personalized attacks (often in the form of impersonating recipients’ colleagues) and phishing campaigns occurring at lower volumes make EOP more susceptible to misses when their corpus of data cannot account for the threats or user reporting does not rise to a level that shifts the classification from clean to malicious. This leads to increased risk, and the solutions within Microsoft are usually manually intensive and involved for the organization or its MSP.
If EOP is deemed insufficient, what other options exist for organizations and MSPs, and what should be sought out in alternatives?
Before getting into specific options, most would agree that email security solutions should be simple to implement, require limited administrative overhead, and be more effective at detecting threats than predecessor technologies. Organizations and MSPs today expect quick time-to-deployment and, in turn, quick time-to-value without the need to invest significant time in ongoing operation and maintenance without reductions or lapses in efficacy.
One well-known technology implemented to address email security is a Secure Email Gateway (SEG or gateway). SEGs have been around for about two decades and their architectural design reflects this fact: they operate by having mail flow redirected to their service which is delivered in the form of a hosted or cloud-based appliance. This architectural approach often limits the efficacy of gateways, but more on that in a moment.
From a detection perspective, gateways utilize threat intelligence feeds, heuristic rules, and in some cases sandboxing to identify and prevent or quarantine malicious traffic from reaching end users’ mailboxes. Note that this approach should sound familiar: it is very similar to the detection methodologies already employed by Exchange Online Protection. Users are often able to release some of this quarantined traffic back via a web-based portal.
The overall time-to-value of SEGs is long as deployment, initial tuning, and ongoing administrative review of quarantined emails can take up significant time for MSPs or organizations tasked with managing the tool. Another consideration here is the required work associated with the altered mail flow if new services and/or domains are added.
Within the past few years, there have been new entrants into the email security market making use of the various APIs available through Microsoft 365. Each specific approach will of course differ on a vendor-by-vendor basis, but some of these technologies are designed to extract data from emails, perform analysis, and take automated action via APIs, all without changing the mail flow. Usually the time-to-deployment for these solutions is relatively short, and thus MSPs can quickly operationalize across their entire client base.
There are also few ongoing considerations from a maintenance perspective. Many of these technologies are able to employ similar detection methodologies that have been present in SEGs for some time now: threat intelligence feeds, heuristic rules, URL/attachment sandboxing and analysis.
Where the API-based architecture becomes a significant advantage from a detection perspective is in the system’s ability to perform real-time analysis in ways not possible with the SEGs’ architecture. This means that detection should be more accurate due to being less reliant upon static intelligence and instead analyzing each email more dynamically, which aids in identifying those threats occurring at lower volumes.
Beyond improved detection methodologies and detection rates, administrators and end users alike usually have much more seamless experiences that require fewer third-party apps or portals with more robust and easy to use tools.
Vade for Microsoft 365 is an API-based solution that layers with and complements EOP. Designed for busy MSPs, the solution can be deployed in minutes, without the need for an MX record change. Unlike SEGs, Vade for Microsoft 365 performs real-time analysis of emails, with no quarantine or sandboxing—a low-maintenance solution for MSPs looking for an alternative to Exchange Online Protection that catches what Microsoft misses, while increasing margins for Microsoft 365.