Why does spam and phishing get through Office 365? And what can be done about it?


Introduction

As a filtering service, Office 365 (Exchange Online Protection, or EOP) is dedicated to providing the best antispam filtering possible, and we take this task seriously:

  • We are working hard to keep spam out of your inbox
  • We are working hard to ensure we don’t mistakenly mark good email as spam

The question we regularly get from customers is this: Why does spam/phishing/malware get through? Why aren’t you blocking it?

Why spam gets through

Spammers and phishers create malware and send spam because it is profitable. They are always working up new ways to get around spam filters and get messages delivered to user inboxes. Because of the number of unique spammers in the world and the rate at which they create new content, the spam you see in your inbox today is new. It is different from what it was yesterday, or the day before, or the day before that. It looks similar, and may use the same technique, but it is not the same message. It is slightly (or greatly) different and has been designed to evade filters.

Spam campaigns vary in duration. There are some that last many hours, and some that last a few minutes. We have tracked campaigns that send thousands, hundreds of thousands, or even millions of spam messages in under 15 minutes.

When you see spam in your inbox, it is usually because it is a new campaign from a spammer and we do not yet have signatures for it. During this window, a spammer can get some spam through our filter defenses to the inbox. However, our filters catch up and the rest of the campaign is marked as spam.

[image] Image not drawn to scale – we don’t actually miss half the spams

Thus, it is true that some spam gets through. However, a large percentage of it is subsequently caught by one of our anti-spam technologies [1]. End users perceive that we did not catch the spam, but what actually happens is that the affected users are the ones who generate spam complaints, while those for whom the filter caught it are unaware that anything was wrong [2].

What you (our customers) can do about it

Office 365 already does several things for spam and phishing filtering [3], but there are a few things that customers can do to help cut down on these types of messages:

  1. Submit spam and phishing samples back to Office 365

    This is important!

    The reason to submit spam back to us is that it greatly assists in speeding up the discovery of new campaigns as well as the replication of updated signatures. Abuse submissions are combined with multiple other data sources as confirmation signals for faster signature updates. This is true even if we are currently catching the campaign (i.e., user received spam and our signatures subsequently updated, and then the user submits it to us).


    To submit spam to Office 365, please refer to this blog post:

    * Submitting spam to Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/09/12/submitting-spam-back-to-office-365.aspx

  2. Submit malware to Microsoft

    If the message is malware and not spam, you can submit it to Microsoft:

    * Microsoft Malware Protection Center submission portal
    https://www.microsoft.com/security/portal/submission/submit.aspx

    Microsoft and Office 365 use these samples to update our anti-malware engines. You can also submit to VirusTotal. Office 365 uses three anti-malware engines, all of which are on VirusTotal, which shares samples among the other anti-malware companies.

  3. Enable Bulk mail filtering

    Although bulk email is neither spam nor phishing, many customers identify it as spam. The bulk mail feature should be enabled because it can help cut down on the overall level of spam complaints, even when the content is bulk rather than explicitly malicious. For more information, see my previous blog post:

    * Different Levels of Bulk Mail Filtering in Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/08/25/different-levels-of-bulk-mail-filtering-in-office-365.aspx

  4. Invest in User Education

    User education is one of the most important aspects of anti-phishing. While technology is one component, users need to be aware of the risks. There are several free resources:

    * OnGuardOnline.gov’s Anti-Phishing Page
    http://www.onguardonline.gov/articles/0003-phishing

    * The Anti-Phishing Working Group’s advice to avoid phishing scams
    http://apwg.org/resources/overview/avoid-phishing-scams

    Larger organizations may want the services of companies that provide anti-phishing education, conducting training campaigns that help users become more aware of the phishing problem. Two of the ones I am aware of are:

    * PhishMe
    http://phishme.com/

    * PhishGuru
    http://www.wombatsecurity.com/phishguru

    A combination of technology and user education is the best way to prevent users from falling for phishing scams.

What is Office 365 doing to improve detection of spam and phishing?

There are several different methods that Office 365 is either currently working on or actively investigating to improve our spam, phishing and malware detection capabilities as of Sept 2014. Here is a summary:

  1. Increasing the coverage of URL filtering

    EOP currently uses 750,000 URLs in its antispam and antiphishing detection. If a message contains one of these URLs, that is used as a heavy weight in the spam filter.

    We are working on increasing this list to well over a million URLs.

    Update: As of December 15, 2014, this is now over 1.7 million URLs!

  2. Inbound DKIM verification in IPv4 and IPv6

    DKIM is a technology that lets a sending domain insert a digital signature into a message, which the receiver then verifies. It is useful for identifying good senders and plays an important role in separating good senders from malicious ones.


    For more information, see http://tools.ietf.org/html/rfc6376.

    Update: As of May 6, 2015, inbound DKIM verification is supported.

  3. Outbound DKIM signing

    Office 365 will be giving customers the ability to DKIM-sign all of their outbound email. This will be true of fully hosted customers, hybrid customers or on-premise customers. Customers can either upload their own DKIM keys or let Office 365 generate them.

    Update: As of June 2, 2015, outbound DKIM support is under development and should be ready by Q3 2015.

  4. DMARC support

    DMARC is a major revolution in spam filtering because it combines authentication with a feedback loop that helps senders improve their authentication practices. It was also a major step forward in terms of the amount of cross-organization collaboration needed to come up with a common protocol and then have everyone implement it.

    It works by inspecting the From: address, the one that users actually see, and if that address is forged it marks the message as spam or rejects it. Many large brands have implemented DMARC and seen a significant decrease in email spoofing.

    DMARC is very useful for detecting phishing and especially spear-phishing.

    Update: As of May 6, 2015, inbound DMARC verification is supported. We're still rolling out DMARC reporting.
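    As an added example (not Office 365 code), the following Python shows the DMARC decision the post describes: the From: domain is checked for alignment against the SPF-authenticated domain and the DKIM d= domain, and the record's p= policy decides what happens to a forged From:. It assumes the DMARC record is supplied inline rather than fetched from DNS, and approximates the organizational domain by the last two labels instead of consulting the Public Suffix List.

```python
# Added example (not Office 365 code): DMARC alignment and disposition logic.
# Assumptions: the organizational domain is approximated by the last two DNS
# labels (a real implementation consults the Public Suffix List), and the DMARC
# record is passed in instead of being fetched from the _dmarc.<domain> TXT record.

def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    # RFC 7489 defaults: relaxed alignment for both DKIM and SPF.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, record):
    """Return (result, disposition); disposition is the p= action applied on failure.

    from_domain: domain of the header From: (what the user sees)
    spf_domain / spf_pass: MAIL FROM domain and whether SPF passed for it
    dkim_domain / dkim_pass: d= of the DKIM signature and whether it verified
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Constructed sample record: strict DKIM alignment, relaxed SPF alignment.
REC = "v=DMARC1; p=reject; adkim=s; aspf=r"
```

    A phisher who signs mail with their own domain but forges a protected brand in From: fails alignment on both paths and receives the record's p=reject disposition.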

  5. Faster updates

    As you can read above, many of our existing technologies work to catch spam, but unfortunately some of it leaks through before the signatures update. We are currently working on infrastructure to reduce the time from start-of-spam-campaign to campaign-detection, and from campaign-detection to signature-update.

    Update: As of December 15, 2014, URL replication has been sped up by 30 minutes!



  6. “New-ness” Inspection

    One technique that modern spammers and phishers use is to rapidly generate new domains and compromise new machines with IP addresses that have no previous reputation.

    One technique that Office 365 is investigating is detecting whether or not a given domain or IP is new to the service or new to the Internet. If it is, the service can take action by rejecting the message, temporarily deferring the message, or using the newness as a weight in the spam filter (this is more complicated than graylisting). Good senders will return, but many bad senders will not, and that includes spammers and phishers.

    Update: As of January 7, 2015, we now do basic IP throttling!
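    The following Python is an added illustration (not Office 365 code) of the "new-ness" check just described: it records when a sender IP and domain were first seen and applies one of the three actions named above, reject, defer, or weight. It assumes an in-memory first-seen table, a 15-minute "new" window and a weight of 3.0, all constructed values.

```python
# Added example (not Office 365 code): "new-ness" inspection for sender IPs and
# domains. Assumptions: first-seen times live in an in-memory dict (a real
# service would use a shared store), a sender counts as "new" for NEW_WINDOW
# seconds, and the three actions mirror the post: reject, defer, or weight.
import time

NEW_WINDOW = 15 * 60      # assumption: the first 15 minutes count as "new"
NEW_WEIGHT = 3.0          # assumption: spam-score weight added for a new sender
_first_seen = {}          # key -> (first_seen_timestamp, times_seen)

def observe(key: str, now: float):
    """Record the first time this IP/domain was seen and count how often it returns."""
    first, count = _first_seen.get(key, (now, 0))
    _first_seen[key] = (first, count + 1)
    return first, count + 1

def newness_action(ip: str, domain: str, now=None, mode: str = "defer"):
    """Return (action, weight) for a connection from ip/domain.

    mode selects the policy from the post:
      'reject' -> permanently reject brand-new senders
      'defer'  -> temp-fail the first contact; accept the retry with a weight
      'weight' -> accept, but add NEW_WEIGHT to the spam score
    """
    if now is None:
        now = time.time()
    ages, counts = [], []
    for key in (f"ip:{ip}", f"domain:{domain.lower()}"):
        first, seen = observe(key, now)
        ages.append(now - first)
        counts.append(seen)
    is_new = min(ages) < NEW_WINDOW      # new if either the IP or the domain is
    if not is_new:
        return ("accept", 0.0)
    if mode == "reject":
        return ("reject", 0.0)
    if mode == "defer" and max(counts) == 1:
        # First contact from a sender we have never seen: ask it to come back.
        # Legitimate MTAs retry after a temp-fail; many spam cannons do not.
        return ("defer", 0.0)
    return ("accept", NEW_WEIGHT)
```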

  7. Time-of-Click URL protection

    Time-of-Click URL protection involves rewriting the URLs in a message so that they proxy through a service that determines, at click time, whether the destination URL is bad. This covers the case where a message has been filtered and deemed non-spam, but between delivery and the user's click the phisher or spammer has uploaded malicious content to the destination.

    In other words, the URL is changed from this:

    http://www.somedomain.com

    To this:

    http://proxy.example.com/hash/?originalURL=http://www.somedomain.com

    The advantage of this feature is that a user is protected even after the message has been filtered and given the wrong categorization (it should be spam instead of good email).

    Update: As of June 2, 2015, Time-of-Click URL protection (Safe Links) is available for general purchase, see:

    - Getting started with Advanced Threat Protection in Office 365, http://www.c7solutions.com/2015/06/getting-started-with-office-365-advanced-threat-protection

    - Advanced Threat Protection via Powershell, http://www.c7solutions.com/2015/06/advanced-threat-protection-via-powershell
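    As an added example (not Office 365 or Safe Links code), the Python below performs the rewrite shown above and the click-time decision: links are wrapped as http://proxy.example.com/hash/?originalURL=..., and when the user clicks, the proxy re-checks the destination against the reputation data it has at that moment. It assumes the hash is an HMAC over the original URL (so the proxy cannot be used as an open redirector), a constructed secret key, and an in-memory blocklist standing in for the service's URL reputation.

```python
# Added example (not Office 365 / Safe Links code): time-of-click URL rewriting.
# Assumptions: proxy host proxy.example.com, the path "hash" is an HMAC over the
# original URL (so forged proxy links are rejected), KEY is a constructed secret,
# and the blocklist is an in-memory set standing in for URL reputation data.
import hmac
import hashlib
import re
from urllib.parse import quote, urlparse, parse_qs

PROXY = "http://proxy.example.com/"
KEY = b"constructed-demo-key"            # assumption: per-tenant secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sign(url: str) -> str:
    """HMAC-SHA256 tag of the original URL, truncated for a shorter link."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:32]

def rewrite_url(url: str) -> str:
    """Wrap one URL as http://proxy.example.com/<hash>/?originalURL=<url>."""
    return f"{PROXY}{sign(url)}/?originalURL={quote(url, safe='')}"

def rewrite_body(body: str) -> str:
    """Rewrite every http(s) link in a message body at filtering time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)

def click(proxied: str, blocklist: set) -> tuple:
    """Click-time decision: ('redirect', url), ('block', url) or ('invalid', None).

    blocklist holds hostnames the service has learned are bad since delivery.
    """
    parsed = urlparse(proxied)
    path = parsed.path.strip("/")
    tag = path.split("/")[0] if path else ""
    original = parse_qs(parsed.query).get("originalURL", [None])[0]
    if original is None:
        return ("invalid", None)
    if not hmac.compare_digest(tag, sign(original)):
        return ("invalid", None)          # tampered or forged proxy link
    host = urlparse(original).hostname or ""
    if host in blocklist:
        return ("block", original)        # reputation learned after delivery
    return ("redirect", original)
```

    The message is rewritten once at filtering time; the same link can be blocked later without touching the delivered message, which is the point of the feature.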

  8. Zero-day protection against malware

    Similar to Time-of-Click URL protection, zero-day protection looks for malware attachments in email that are not caught by standard signature detection in regular antimalware engines.

    This is a complex feature with many moving parts, but suffice it to say that it will result in better antimalware detection.

    Update: As of May 6, 2015, this type of protection (Safe Attachments) is available for general purchase, see:

    - Getting started with Advanced Threat Protection in Office 365, http://www.c7solutions.com/2015/06/getting-started-with-office-365-advanced-threat-protection

    - Advanced Threat Protection via Powershell, http://www.c7solutions.com/2015/06/advanced-threat-protection-via-powershell

Conclusion

We understand the negative experience customers have when they get spam in their inbox. We feel it, too! However, we are working to improve this to ensure that your mailbox stays clean.



[1] There are three types of spam campaigns, with their subsequent catch rates:

  1. 100% catch – these are spam campaigns where we have existing rules and even though the campaign is new, we catch all (or nearly all) of it. This constitutes the largest set of spam campaigns.
  2. Partial catch – these are spam campaigns where we miss part of it but the filters catch up and catch the rest.
  3. Total miss – spam campaigns where virtually all of it is missed by the filters. This is the smallest set.

Customer complaints are mostly in #2 and #3.

[2] For an overview of how we currently handle spam and phishing, please see the following blog post:

* Combating Phishing
http://blogs.msdn.com/b/tzink/archive/2012/08/30/combating-phishing.aspx


[3] To review some of our existing anti-spam documentation:

* How to set up the Office 365 spam filter settings to help block spam
https://support.office.com/en-US/article/How-to-set-up-the-Office-365-spam-filter-settings-to-help-block-spam-da21c0b6-e8f0-4cc8-af2e-5029a9433d59

* Office 365 Email Anti-Spam Protection
https://support.office.com/en-us/article/Office-365-Email-Anti-Spam-Protection-6a601501-a6a8-4559-b2e7-56b59c96a586?ui=en-US&rs=en-US&ad=US

Comments (25)

  1. Christian Schindler says:

    Great article, thanks! What about implementing DANE? tools.ietf.org/.../draft-ietf-dane-srv-02

  2. tzink says:

    DANE is interesting. It doesn't have wide deployment yet but it is something we would consider if there was a strong push towards it.

  3. Jmcd says:

    Appreciate the forward looking enhancements in this article. #5 is of particular interest. Any sense of timing on this process improvement?

  4. Terry Zink says:

    @Jmcd: This is on-going and will be done by the end of the calendar year, if not sooner.

  5. Andreas says:

    So as I understand it, outbound DKIM is still not supported on Office 365?

  6. tzink says:

    @Andreas: Correct, Office 365 does not yet sign outbound messages with DKIM. It's something we are working on, though.

  7. JJ Willow says:

    Terry, thank you for the informative article. I am particularly interested in #7, the Time-of-Click URL protection, as we have been looking at alternative options to EOP just to gain this feature. Is there a timeline for when this feature is likely to be available?

  8. Terry Zink says:

    @JJ Willow: JJ Willow, I can't reveal the timeline because as far as I know, our Product Marketing Group has not yet committed to a timeline.

    These next comments are unofficial because we are working through the design and things can change so don't take this as saying "Terry Zink says it will be here on Date X". We believe it will be available in 2015, and I'd like to see it out in the first half of the year.

  9. Ralf says:

    use http://www.antispameurope.com/de

    this will work properly....

  10. Shane Millsom says:

    I am regularly receiving Trojans/Viruses in my Office 365 hosted e-mail account. I submit these to the Microsoft Malware Protection Center and receive a notification stating, "The detections listed above are included in the latest pre-release definition available for download."

    If the malware is already identified, why am I still receiving it? Several days later, I have received another message with the same trojan attached.

    As an administrator or reseller, I cannot update Microsoft's own servers.  How can customers have any confidence in a cloud-based service if a company as big as Microsoft can't even apply their own updates in a timely manner?

  11. Anonymous says:

    Office 365, with its default rules, allows zipped virus executables to be submitted and received without question or warning. Like Upatre.

    Manually adding transport rules to block these, using PowerShell, is an absolute must. But that option isn't available to people still on the old SME plans.

    Utterly inexcusable from Microsoft to allow zipped .pifs, exes and scrs through email in this day and age. Google email does the responsible thing and blocks them.

    The instructions from Nick Whittome's site gave the PowerShell suggestion to reject these.

    Is there a reason not to have this as default, as Google does for all customers?

    New-TransportRule -Name 'Rule 2 – Block Executable Content MS Standard' `
        -Priority 0 -Enabled $true `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText 'Block Rule 2 – Sorry your mail was blocked because it contained executable content' `
        -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope

    # This is the rule for blocking attachments whose file extension matches whatever you list below.
    # Each extension should be in quotes, separated by commas.

    New-TransportRule -Name 'Rule 1 – Block Attachments Rule – Extensions' `
        -Priority 0 -Enabled $true `
        -AttachmentExtensionMatchesWords 'ade','adp','bat','chm','cmd','com','cpl','exe','hta','ins','isp','jar','jse','lib','lnk','mde','msc','msp','mst','pif','scr','sct','shb','sys','vb','vbe','vbs','vxd','wsc','wsf','wsh' `
        -RejectMessageReasonText 'Block Rule 1 – Sorry your mail was blocked because it contained executable content.' `
        -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope

  12. Anonymous says:

    Don’t get caught in a security trap by solely depending on Office 365 as your security provider. We harden our Email Protection perimeter using the Intel Spambrella service - http://www.spambrella.com they will provide you with all the reasons to add their service which integrates with Office365. I now read these comment boards knowing I do not have these issues. I spent 3 years fighting Microsoft for resolution which never came.

  13. Glen says:

    I've worked at several different companies and used different service providers for spam/virus filtering and am surprised that the Microsoft offering is by far the worst. It's annoying when they let spam through, but when malicious emails and viruses are let through you have to wonder if it's worth paying for.

  14. Mark says:

    I've switched from a Messagelabs provided service to Office 365. I've gone from zero spam to a deluge. What are Messagelabs doing that you cannot?

  15. o2infosystems says:

    I just want to say that I like your posting. In fact I am using your site regularly. Your articles are very effective and I am very thankful to you for sharing this site with knowledgeable content.

  16. Wadeface says:

    Customer today receiving spam from an IP listed on SORBS. Word files with malicious macros and BS... How is O365 not blocking this? Can have these huge articles and crap on all you want, but then things like this happen right after we migrate them to O365...

    1. tzink says:

      Office 365 does not use the SORBS IP reputation list. We leverage numerous external and internal IP and URL reputation lists, antimalware vendors, and spam signatures. Some customers will want to enable Advanced Threat Protection, which uses sandboxing rather than malware signatures. As always, please report these to us if we are missing them so we can see why they are getting through and make adjustments to our system.

  17. Samir says:

    Recently we are informed of massive attacks with zero-day Ransomware. Will Office365 take urgent measures towards such 'special events'?

    1. tzink says:

      Samir, I am unclear what you mean. Office 365 is always looking for ways to improve its filtering. That includes new technologies, and sometimes we issue special alerts or news bulletins. But usually we are focused on combating threats as we see them and investing in better protection.

  18. Richard says:

    Something to think about - particularly with Phishing and Spear Phishing is that there is (and never will be) a technical solution to the problem. The biggest problem is the users themselves falling for the Phish. So you need to train your users to avoid the Phish. Have a look at http://www.SpearSec.com for example.

  19. Generally I don't learn article on blogs, however I would like to say that this write-up very forced me to take a look at and do it! Your writing taste has been surprised me. Thanks, very great post.

  20. James Gormall says:

    Spambrella services doubled up with Office 365 will solve the phish issue.

  21. always i used to read smaller articles that also clear their motive, and that is also happening with this piece of writing which I am reading at this place.

  22. Myles says:

    I haven't had so much spam since I moved to Office 365. Just left an internally hosted Exchange with Sophos antispam solution and received ZERO spam. I have had 8 spam items in 2 days since moving. Heaven knows how much O365 is actually stopping!
