Exchange Online Protection and Evolution

 Aug 17, 2015

So, we all know that Monty Python loved spam, and we all know that we hate receiving it. On average, Microsoft block roughly 10,000,000 messages every single minute of every single day. However, not all spam is created equal! The techniques used to attack your mailbox change constantly. The good news is that Microsoft keep changing Exchange Online Protection to match.

The ever-changing world of spam.

Because spam keeps evolving and takes a myriad of forms, it is a productivity concern for organisations world-wide. Most techniques have evolved the way they have precisely in order to bypass the filters designed to stop them. It is a constant battle: as soon as one vector is blocked, the spammers search for a workaround. The two most common forms of spam are:

  1. Phishing campaigns - these seek to gain control of company resources by first compromising the credentials of an employee. A common variant is spear phishing, which targets the most ‘valuable’ contact in the organisation.
  2. Bulk mail - these often take the form of advertising mails that you may have inadvertently subscribed to, but most assuredly do not wish to receive.

Because attacks evolve constantly, the spam you received last week is not the same as this week's. Often, the spam you see today will differ from the spam you received yesterday. The messages may look identical, but they are not; they could be slightly different or massively different, and the one consistent feature is that they are designed to bypass filters. The campaigns themselves can vary in duration from a few minutes to multiple hours. Microsoft have recorded campaigns that exceed 1,000,000 spam messages every minute.

Exchange Online Protection’s (EOP's) defences are fine-tuned as soon as unusual patterns are detected or users submit undetected spam. In the interim period, while EOP's defences are being tuned against the new vector, a few spam messages might traverse them and arrive in a user mailbox. However, once EOP's defences have caught up (which happens quickly), EOP will block the rest of the spam received during the ‘campaign’. This prompt discovery ensures that the bulk of the spam is blocked very early in the piece. A user who sees one of those early messages might believe that EOP did not catch the spam at all; however, the majority of users will never see a single message, because the defences are fine-tuned in near real-time.

EOP utilises a layered filtering approach to facilitate protection in depth. The layers comprise:

  1. Connection filtering - This blocks emails from specific IPs that have a low ‘reputation’.
  2. Sender reputation – This reputation is developed within Microsoft and also gathered from third parties. It primarily checks the domain or user details of the sender.
  3. Headers / Metadata – This is a more complex investigation. It checks:
     • The content, headers and language.
     • URLs.
     • Attachments.
     • Other criteria that are not publicly disclosed.

Additionally, EOP provides other methods of spam filtering, for example international spam and bulk mail controls. You also have the benefit of anti-virus, courtesy of 3 different AV engines, and malware protection.

The future and EOP Evolution:

EOP has a release cycle similar to that of Office 365, which means that enhancements and features are rolled out continuously. Since its inception, EOP has received many enhancements and features from Microsoft. As part of this process, existing Forefront Online Protection for Exchange (FOPE) customers have been transitioned seamlessly to EOP. This is only the start for EOP services. Microsoft have made, and continue to make, large investments in advancing and enhancing threat protection. In the long term, EOP is the solution to protect mailboxes, whether they are in Office 365 or on-prem.


Some of the main investments being made over the coming months with EOP include:

  • Advanced threat protection.
  • Fortified coverage for malicious URLs.
  • Implementation of key sender authentication technologies.
  • Improved bulk mail protection.
  • Tracking enhancements and detailed reporting.
  • Enhancements to Message Quarantining.
  • Continual expansion of datacentres across different regions.

What can you do to improve your experience?

You can further fine-tune your EOP protection by doing the following:

  • Report spam to Microsoft
  • Report malware to Microsoft
  • Enable bulk mail filtering
  • Educate your users
  • Help your users avoid becoming a bullseye for spam:

  1. When subscribing to newsletters, always read the fine print at the end of the form. It will often indicate that your details will be shared with third parties. Also, pay attention to the state of check boxes; often the order is switched, tricking users into opting in rather than opting out.
  2. If installing free apps, choose the custom installation option. Free apps often bundle third-party products which can mine information on users' behaviour and visited sites and on-sell it to spammers.
  3. Be wary of where you share your personal information and how it gets shared. Where possible, users should avoid putting their email address on a public-facing webpage, because spammers crawl the web looking for addresses listed on pages. Also, ensure users do not forward innocent-looking chain mails that have been addressed to all and sundry. All it takes is for that message to exist on an infected computer and your users' email addresses can be harvested for spam.
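The "Enable bulk mail filtering" item above, and the connection filtering layer described earlier, are both configured from Exchange Online PowerShell. The following is an added example, not code from the original post or from Microsoft's documentation: it shows the weak bulk mail setting beside a tightened one and adds an IP range to the connection filter. It assumes an already-connected Exchange Online PowerShell session with an admin account, that the tenant uses the built-in policy name "Default", and the threshold of 6 and the 192.0.2.0/24 range are constructed placeholders for illustration.

```powershell
# Added example (not from the original post): review and tighten the bulk mail
# and connection filtering layers of EOP from Exchange Online PowerShell.
# Assumes an Exchange Online PowerShell session is already connected and that
# the tenant uses the built-in policy named "Default"; adjust -Identity if you
# have created custom policies.

# Show how the current content filter policy treats bulk mail.
# BulkThreshold is the Bulk Complaint Level (1-9) at which a message is treated
# as bulk mail; a lower value is stricter.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List Name, MarkAsSpamBulkMail, BulkThreshold, BulkSpamAction, SpamAction

# Weak setting: bulk mail detection switched off, so newsletters and
# advertising mail reach the inbox untouched. Shown for comparison only.
# Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamBulkMail Off

# Hardened setting: enable bulk mail filtering and move anything at or above
# threshold 6 (a constructed example value) to the user's Junk Email folder
# rather than deleting it, so users can still rescue a legitimate subscription.
Set-HostedContentFilterPolicy -Identity Default `
    -MarkAsSpamBulkMail On `
    -BulkThreshold 6 `
    -BulkSpamAction MoveToJmf

# Connection filtering layer: block a sending range with a poor reputation.
# 192.0.2.0/24 is a constructed placeholder from the documentation address
# range; replace it with the range you have actually decided to block.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPBlockList @{Add="192.0.2.0/24"}

# Verify both changes took effect.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object BulkThreshold, BulkSpamAction
Get-HostedConnectionFilterPolicy -Identity Default |
    Select-Object -ExpandProperty IPBlockList
```

Moving bulk mail to Junk Email rather than quarantining or deleting it keeps the decision visible to the user, which is what makes the "report spam" and "educate your users" items work: a wrongly junked newsletter can be rescued, and a genuinely unwanted one can be reported back to Microsoft so the threshold does not need to be made stricter for everyone.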

Staying safe is made even easier with Exchange Online Protection.


About the Author:

Steve Wiggins  

Steve is a highly experienced technical trainer with over 10 years of specialisation in Software Application Development, Project Management, VBA Solutions and Desktop Applications training. His practical experience in .NET programming, advanced solution development and project management enables him to train clients at all levels of seniority and experience. Steve also currently manages the IT infrastructure for New Horizons of Brisbane, providing him with daily hands-on experience with SCCM, Windows Server 2012 and Windows 8.
