Office 365 Users…

The booming popularity of the Office 365 solution from Microsoft has brought with it a nasty side effect: unwanted phishing emails.  By default, Microsoft offers an email filtering service to eliminate spam and malware called “Exchange Online Protection,” or EOP for short.  In 2019, security firm Avanan released a report that studied a total of 52 million emails sent to Office 365 users.  The EOP email security solution was successful in blocking 69.7% of phishing emails.  While this solution clearly adds value, EOP unfortunately allowed 30.3% of phishing emails to reach the end-user’s inbox.

Upgrade your Email Security

Eagle recommends that system administrators using Office 365 upgrade to a higher level of protection.  The easiest option is to use Microsoft’s “Advanced Threat Protection,” or ATP.  It is built into the Office 365 E5 license level, and is also available at lower license levels as an add-on.  Purchasing an add-on is a good solution for smaller organizations who don’t need all of the features of the E5 license.

Unfortunately, we don’t have reliable statistical information available regarding the level of improvement, but from personal experience, ATP is significantly more effective at reducing the level of phishing attacks that arrive at the inbox.  Anecdotally, we estimate that ATP successfully blocks between 85% and 90% of phishing attacks.  For organizations with fewer than 50 employees, Eagle recommends Microsoft ATP.

Third-Party Solutions

Larger organizations may want to consider a third-party solution, which may be more effective.  Leading email security vendors whose solutions work with Office 365 include:

  • Avanan
  • Mimecast
  • Proofpoint
  • FireEye

The list of vendors above is not intended to be comprehensive, and none are explicitly recommended by Eagle Consulting Partners.  All of these solutions scan your email before it reaches Office 365.  The disadvantage is that administrators need to learn and manage another vendor.

Regardless of which of these upgrades you pursue, none are perfect and some volume of phishing emails will be delivered to your end users.  This is why additional layers of security are important, especially Security Awareness Training.


See also:

Microsoft #1 Brand in Phishing Attacks
