
What are Microsoft 365's email security strengths and weaknesses?

by Egress
Published on 13th Jul 2022

Microsoft 365 has cemented itself as a leader amongst cloud email providers by offering a solid foundation of protection from advanced attacks. However, it's becoming increasingly apparent that Microsoft 365's defenses alone are often not enough to ensure the security of sensitive data.  

"Cybersecurity experts' views on email risk within Microsoft 365" is our most recent report, identifying the security risks that Microsoft 365 users face. We spoke with three experts to gain insights into some of Microsoft 365's key email security strengths and weaknesses.

In this article, we feature some of the report's key quotes from Lisa Forte, Co-founder, Red Goat Cyber Security LLP; Robin Bell, CISO, Egress Software Technologies; and Jack Chapman, VP of Threat Intelligence, Egress Software Technologies.

It’s still too easy to send an email to the wrong person

Lisa Forte explains, "Microsoft 365 has a lot of great, native security features. There are, understandably, some potentially serious email risks that still remain." 

Forte continues, "One of the risks I often see play out as either a concern or actually going further and manifesting as a breach is the difficulty in protecting sensitive or regulated data – for instance, weaving in a user-friendly solution for encryption." 

She adds, "The second one is even simpler – that is autocomplete. This feature, which undoubtedly is excellent for productivity, has caused organizations of all sizes a headache when it comes to sending emails to the wrong person because the recipient has been incorrectly added."

Some organizations have even disabled autocomplete in an attempt to reduce this security risk. Unfortunately, reducing the probability of one risk often ends up increasing the chances of another. For instance, in January 2019, a union watchdog accidentally leaked emails from a confidential whistleblower after they entered an incorrect character in an email address and forwarded it to someone with the same last name but a different first initial. 

Phishing, replay attacks, and human error are still causing huge issues

A single phishing or replay attack is all it takes for an attacker to get hold of an organization's sensitive data. Our recent findings show that 84% of organizations were victims of phishing last year. That's a 15% increase from our 2021 research. 

Jack Chapman explains, "There are a broad range of threats facing users on Microsoft 365, partially because it's such a broad platform! The top family of threats, though, would be any that involve the user – such as inbound threats that target and exploit people, like phishing and replay attacks. This family of threats also includes risks arising from human error, like accidental sends, as well as deliberate acts of data exfiltration."

No matter how careful and tech-savvy your users are, it is impossible to stop people from making mistakes altogether. Implementing overly strict controls can make things even worse, forcing users to look for risky workarounds that will allow them to get their work done. 

The most effective way to reduce human error is to work alongside users to empower them to understand what abnormal email behaviors look like and how to spot errors before they happen. 

A key strength of Microsoft is its resources to invest in security at an enormous scale

Robin Bell says, "Microsoft 365 has been widely adopted by many organizations globally, from sole-trader businesses up to multi-national conglomerates. It, therefore, has to cater to the needs of all these organizations with advanced features in an easy-to-use package."

Today, over a million companies are using Microsoft 365, and Microsoft Teams has over 250 million daily active users (DAU). Microsoft 365 currently controls almost half of the office productivity software market. 

"A key strength of it being so widely used is that the Microsoft engineering teams have visibility of a high volume of attack strategies and have the resources to invest at an enormous scale. If there are potential security incidents, then Microsoft 365 administrators are notified and can investigate," Bell explains.

Despite these benefits, Bell also admits that the platform has some weaknesses that still need to be addressed: "Microsoft 365 does provide some user notifications, but they are not very rich in information when it comes to things like phishing emails. Reporting is also somewhat limited to understanding the level of risk to a business from phishing emails."

To bolster their email security further and reduce the chances of falling victim to these issues, many organizations choose to augment their Microsoft 365 defenses with additional software that helps to empower their users. 

You can download our full report to learn more about augmenting your Microsoft 365 defenses and access the full range of insights from the experts.