Office 365 increases its malicious URL coverage

Over the past two weeks, Office 365 (Exchange Online Protection) has improved its detection of spam, phishing and malware by increasing the number of URLs in its reputation lists. Two months ago we were at 750,000 URLs; we are now at 1.7 million – an increase of almost 100%!

Secondly, we decreased the amount of time between refresh intervals; that is, the time between when we download a new list and when that list is replicated across the network has shrunk. I don’t have the exact before and after numbers (i.e., I could be off on the numbers by a wide margin), but it’s something like this: we used to be at 30-45 minutes, and now we are at 15-17 minutes. We are going to be shrinking that window even further.

If you’re a customer, you’ll notice a change immediately by seeing fewer spam messages in your inbox. You may have even noticed it a couple of weeks ago.

Those aren’t all the changes that are coming, though:

  • Even more URL reputation lists.

    We’re at 1.7 million URLs, and we’re always checking to see if new lists can help us even more.

  • Reducing the replication time even more.

    We’ve made great strides in how fast we can distribute new lists, and we want to make sure we can push out the data even faster to shrink the window between when a new malicious URL appears and when our customers are protected.

  • Changes to the email client to identify phishing and malware.
    One of the things we are working on is making the mail client (e.g., Outlook, Outlook Web Access) work better with the spam filter. One of the problems that companies face is that even when a message is detected as spam or phishing, users can still dig into their junk folders or spam quarantines, think the message is real but mistakenly marked as spam, and then take action on it. “Why is that message from Bank of America in my junk folder? I better check it out.”

    Well, it turns out there is something we can do. Two of the URL lists we use – Spamhaus’s Domain Block List (DBL) and the SURBL list – divide up their lists into categories. Both of these have sub-categories of malware and phish. We can make the mail client understand that the spam filter thinks these messages contain links to malware or phishing, and then disable the links in the message.

    Your Outlook and OWA mail clients disable messages if they are marked as spam and sent to the quarantine. But you can still rescue them and inspect them. With a modified mail client, users can still go into their junk folders and quarantines and rescue the message, but the mail client still prevents them from taking action, as if to say “We know you think it’s legitimate but trust us – it’s not.”

    This is still in the early stages but we think that getting your email client to work together with the mail filter will help add an additional layer of security to protect users and organizations better.
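To make the category idea concrete, here is an added example (not Office 365 code) of how a client could decide which links to disable. It assumes the lists are consulted through their public DNS interface, where Spamhaus DBL answers 127.0.1.4 / 127.0.1.5 (and 127.0.1.104 / 127.0.1.105 for abused legitimate domains) for phish / malware and SURBL sets bits 8 / 16 in the last octet; the function names, domains and answers are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Last octet of a Spamhaus DBL answer (127.0.1.x) -> category we act on.
DBL_CODES = {4: "phish", 5: "malware", 104: "phish", 105: "malware"}
# SURBL answers 127.0.0.x, where x is a bitmask: 8 = phishing, 16 = malware.
SURBL_BITS = {8: "phish", 16: "malware"}

def categories(list_name, answer):
    """Return the phish/malware categories encoded in one list answer."""
    o = ipaddress.IPv4Address(answer).packed
    if list_name == "dbl" and o[:3] == b"\x7f\x00\x01":
        cat = DBL_CODES.get(o[3])
        return {cat} if cat else set()      # e.g. 127.0.1.2 is plain spam
    if list_name == "surbl" and o[:3] == b"\x7f\x00\x00":
        return {name for bit, name in SURBL_BITS.items() if o[3] & bit}
    return set()                            # unknown list or unexpected range

class _Links(HTMLParser):
    """Collect href values of <a> tags, whatever the quoting style."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def links_to_disable(html, answers):
    """Map each link whose domain is listed as phish/malware to its categories.

    answers stands in for live lookups: {domain: (list_name, answer)}."""
    parser = _Links()
    parser.feed(html)
    flagged = {}
    for href in parser.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        for domain, (list_name, answer) in answers.items():
            if host == domain or host.endswith("." + domain):
                cats = categories(list_name, answer)
                if cats:
                    flagged[href] = flagged.get(href, set()) | cats
    return flagged

# Constructed sample message body and constructed list answers.
SAMPLE_HTML = ('<p><a href="http://login.bank.example/verify">Your bank</a> '
               "<a href='https://files.example.net/inv.zip'>Invoice</a> "
               '<a href="http://news.example.org/">News</a></p>')
SAMPLE_ANSWERS = {"bank.example": ("dbl", "127.0.1.4"),
                  "example.net": ("surbl", "127.0.0.24"),
                  "example.org": ("dbl", "127.0.1.2")}
```

The link to example.org stays clickable in this sketch: its listing is in the plain spam category, so the message is still junk, but only phish and malware verdicts disable links.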

Those are some of the recent changes to Office 365, as of December 2014. As always, if you have problems or want to say “Hey, good to see this!”, let us know.