Spam Filter Office 365

The spam filter used on Office 365 gets quite a bit of criticism. Although Microsoft often introduces new features to improve overall spam detection rates, many of these are paid features that are only available as part of an Advanced Threat Protection (ATP) subscription.

Others (for example, IP throttling) cause subscribers more distress than the actual spam mail that customers pay to prevent.

One of the reasons why Office 365’s spam filter fails to detect spam is that Microsoft spam filters work retrospectively. Only after a customer complains about a spam email will Microsoft add the new IP address to its “Real-time Block List” and include the blacklisted IP address in its next software update. But with spammers regularly changing IP addresses, retrospective updating is generally ineffective.

IP throttling was supposed to solve this issue by blocking emails, or giving a low Spam Confidence score to emails, coming from sources with no “IP reputation”. This resulted in emails from completely legitimate businesses with new IP addresses being marked as spam; and, when Microsoft launched a self-service IP Delist Portal to help businesses with new IP addresses get around their lack of IP reputation, it gave spammers the chance to delist their own IP addresses as well – exacerbating the problem.

Research conducted by IBM Security shows the extent to which ransomware has been created and used by cybercriminals everywhere. Between 2016 and 2017 alone there was a 6000% increase in emails containing ransomware. This increase in attacks has slowed as some threat actors have started putting their focus on cryptojacking. The threat from ransomware is still very serious, however, with a 2018 report from Europol stating that ransomware is still the biggest malware threat. Ransomware gangs have adopted new methods to target businesses, and many now favour brute force attacks on RDP. However, ransomware attacks via email increased in 2020, and threatening malware such as TrickBot is still primarily sent out by malicious cybercriminals. The TrickBot operators have paired their Trojan with Ryuk ransomware, which is delivered as a secondary payload once the TrickBot Trojan has achieved its aims.

Greylisting is an ideal feature that will improve the spam filter on Office 365. It is a simple process that returns emails to their originating server with a request for those emails to be resent. Most mail servers will send the emails back within minutes. A spammer’s server – being too busy sending spam mail out – will fail to send the emails back.

Whereas real-time block lists block inbound emails from previously known sources of spam, the greylisting process will eliminate inbound emails from as-yet unreported spam sources. Spam filters with a greylisting feature are therefore more effective at preventing spam from evading detection, and they reduce the risk of a business falling victim to a possible phishing attack or malware/ransomware download.
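The following sketch shows how the block-list check and the greylisting step described above fit together at SMTP time. It is an added example, not code from Microsoft or from any particular filter; keying on the (IP, sender, recipient) triplet, the delay values, the reply strings and all addresses are assumptions constructed for illustration.

```python
import time

MIN_DELAY = 60            # assumed: seconds before a retry is accepted
RETRY_WINDOW = 4 * 3600   # assumed: a retry later than this starts over
BLOCK_LIST = {"203.0.113.9"}  # constructed entry standing in for a real-time block list


class Greylist:
    """Defer the first delivery attempt from any source not seen before."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.first_seen = {}  # (ip, mail_from, rcpt_to) -> time of first attempt
        self.passed = set()   # triplets that have already retried correctly

    def check(self, ip, mail_from, rcpt_to):
        """Return the SMTP reply to give for one RCPT TO command."""
        if ip in BLOCK_LIST:  # previously reported source: permanent reject
            return "554 5.7.1 rejected: listed source"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 2.1.5 OK"
        now = self.clock()
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now  # unknown source: ask it to resend
            return "451 4.7.1 greylisted, try again later"
        if now - first < MIN_DELAY:     # immediate re-send does not count
            return "451 4.7.1 greylisted, try again later"
        self.passed.add(key)            # a real retry queue came back
        del self.first_seen[key]
        return "250 2.1.5 OK"


def simulate():
    """Constructed scenario: one server retries, one spam source never does."""
    now = [0.0]
    gl = Greylist(clock=lambda: now[0])
    legit = ("198.51.100.7", "news@example.org", "bob@example.com")
    spam = ("192.0.2.44", "win@example.net", "bob@example.com")
    replies = [gl.check(*legit), gl.check(*spam)]  # first contact: both deferred
    now[0] = 300                                   # five minutes later
    replies.append(gl.check(*legit))               # only the real server retries
    return [r[:3] for r in replies], spam in gl.passed


if __name__ == "__main__":
    print(simulate())
```

The spam source in the scenario is not on the block list, yet its message is never accepted because it does not come back after the temporary failure.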

It is unknown why Microsoft has so far neglected to use greylisting as a feature on their Office 365 spam filter. Verifiable tests have recorded that spam filters with a greylisting feature have detection rates as high as 99.7%. The difference between this and a spam filter with a 99% detection rate can be substantial for a business with a significant volume of inbound mail.

Many users of Office 365 find that the level of spam filtering is nowhere near good enough: many phishing emails are delivered to inboxes, and zero-day malware threats are similarly not blocked. A report from SE Labs suggests Office 365 only offers protection at the low-middle end of the software market, even though Office 365 offers two layers of spam protection: Exchange Online Protection and Advanced Threat Protection.

Research by Osterman Research suggests that while Office 365 is good at blocking already known malware threats – 100% of malware is blocked – unknown (zero-day) malware often breaches Office 365’s defences. Standard threats and usual spam are usually blocked by Office 365, but spear phishing threats regularly make it past Office 365 defences and are delivered to end users’ inboxes. Because of this, many businesses will improve their spam filter on Office 365 with third-party anti-spam software.