A little while ago, a long-time customer of Avanan was acquired by another company that had been using Mimecast for its email security. Shortly after, the parent company changed the MX record so that all email addressed to its new subsidiary went through Mimecast first. What happened next was quite shocking to our customer—but less so to us.

The customer immediately reported that the number of attacks they saw in Avanan went up, not down. “How is that possible?” they asked, puzzled. “We added a layer of security in Mimecast, and somehow we are seeing more attacks not less.”

Before explaining the reason, we checked the numbers. We counted the attacks in the week before Mimecast was enabled, when the only filter in front of Avanan was Microsoft EOP, and in the week after, when both Mimecast and Microsoft EOP sat in front of Avanan. Once Mimecast was enabled:

Phishing attacks went up 3%

Spam went up 53%

How Does Turning On Mimecast Make Me Less Secure?

You are less secure with Mimecast because installing a Secure Email Gateway (SEG) in front of Microsoft 365 requires you to allow-list the SEG's IP addresses in Microsoft 365. Allow-listing tells Microsoft 365 to trust everything arriving from those addresses, which effectively disables Exchange Online Protection (EOP), the security built into Microsoft 365, in favor of whatever Mimecast catches. This is a fundamental flaw of the SEG architecture as a whole—we demonstrated it earlier with an attack that bypassed both Proofpoint and Microsoft, even though Microsoft alone would have blocked it.

You would be more secure turning Mimecast off because, at least at the time of testing, Microsoft's built-in security was performing better than Mimecast.

Yes EOP is missing a lot.

Mimecast misses more.

Example Attack

Here’s an example of an attack that Microsoft blocks. In fact, EOP assigns it a Spam Confidence Level (SCL) of 9, the highest possible spam score. But if you have Mimecast in front of Microsoft, the same message lands in the end-user's inbox.

The example attack we chose is pretty common. If you work in email security you have surely seen similar emails.

It is a fake voice-message notification pretending to come from Microsoft. For customers that have EOP, this email scores SCL=9 and is quarantined or sent to junk, depending on the policy you set in Microsoft 365.

But for the customer described above, who now has both Mimecast and EOP, Mimecast misses the attack. Because Mimecast's IP is allow-listed in Microsoft 365, EOP stamps the message with SCL=-1, the value reserved for allow-listed mail, and never evaluates it. The email would have reached the inbox if Avanan hadn't blocked it:
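The SCL=-1 condition is visible in the headers Microsoft stamps on every message, so an administrator can measure how much mail is skipping EOP without waiting for a miss. The following Python script is an added example written for this post, not Avanan's or Microsoft's code: it parses the `X-Forefront-Antispam-Report` and `X-MS-Exchange-Organization-SCL` headers, treats SCL -1 (or a "skipped" SFV verdict) as proof that EOP's content filter did not run, and tallies the connecting IPs responsible. The two sample messages are constructed to mirror the voicemail lure above, once arriving through an allow-listed gateway IP and once arriving directly; the IPs and domains are placeholders.

```python
import email
from email import policy


# Constructed sample messages (not captured mail): the same voicemail-themed
# lure, first as it looks after arriving through an allow-listed gateway IP,
# then as it looks when EOP receives it directly from the internet.
SAMPLE_VIA_SEG = """\
From: "Voice Mail" <noreply@seg-relay.example>
To: user@example.test
Subject: You have a new voice message
X-Forefront-Antispam-Report: CIP:198.51.100.10;CTRY:US;IPV:NLI;SFV:SKN;SCL:-1;SRVR:EXAMPLE
X-MS-Exchange-Organization-SCL: -1

Listen to your message at https://voicemail-notice.example/play
"""

SAMPLE_DIRECT = """\
From: "Voice Mail" <noreply@seg-relay.example>
To: user@example.test
Subject: You have a new voice message
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;IPV:NLI;SFV:SPM;SCL:9;SRVR:EXAMPLE
X-MS-Exchange-Organization-SCL: 9

Listen to your message at https://voicemail-notice.example/play
"""

# Spam Filtering Verdict (SFV) codes that Microsoft documents as "filtering skipped":
# when one of these is present, EOP's content filter did not render its own verdict.
SKIPPED_VERDICTS = {
    "SKN": "marked not-spam before content filtering (SCL -1 / mail flow rule)",
    "SKA": "sender matched an allowed senders or domains list",
    "SKI": "intra-organization message, filtering skipped",
}


def parse_antispam_report(value):
    """Split an X-Forefront-Antispam-Report value (KEY:VAL;KEY:VAL;...) into a dict."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields


def eop_verdict(raw_message):
    """Return what EOP actually did with one message, based on its stamped headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = parse_antispam_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    scl_text = report.get("SCL") or msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(str(scl_text)) if scl_text not in (None, "") else None
    sfv = report.get("SFV")
    # SCL -1 is the value EOP stamps on mail it was told to trust (allow-listed
    # connector IP, allowed sender, mail flow rule): the content filter never ran.
    bypassed = scl == -1 or sfv in SKIPPED_VERDICTS
    return {
        "connecting_ip": report.get("CIP"),
        "scl": scl,
        "sfv": sfv,
        "eop_evaluated": not bypassed,
        "note": SKIPPED_VERDICTS.get(sfv, "allow-listed source (SCL -1)") if bypassed
                else "content filter ran",
    }


def audit(messages):
    """Count how many messages in a sample reached the mailbox without an EOP verdict,
    and list the connecting IPs that caused the bypass (the allow-listed gateway)."""
    verdicts = [eop_verdict(m) for m in messages]
    skipped = [v for v in verdicts if not v["eop_evaluated"]]
    return {
        "total": len(verdicts),
        "eop_bypassed": len(skipped),
        "bypass_ips": sorted({v["connecting_ip"] for v in skipped if v["connecting_ip"]}),
    }


if __name__ == "__main__":
    for name, raw in (("via gateway", SAMPLE_VIA_SEG), ("direct", SAMPLE_DIRECT)):
        print(name, eop_verdict(raw))
    print(audit([SAMPLE_VIA_SEG, SAMPLE_DIRECT]))
```

Run `audit()` over a day's worth of exported message headers and the `bypass_ips` list should contain only the gateway's addresses; if nearly every inbound message shows up there, EOP is contributing nothing to inbound filtering, which is exactly the situation described above.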

This is why putting Mimecast in front of Microsoft 365 gives you worse security than running without it, and why we describe the Secure Email Gateway architecture with the following formula:

1+1=0

How Is Avanan Different?

Fortunately, this customer was also running Avanan behind Mimecast and Microsoft, so even though Mimecast caused Microsoft to miss the attack, Avanan detected and blocked it before it ever reached the end-user. Here are some of the indicators our machine learning identified in the email that helped flag it as malicious:

The fundamental difference in Avanan’s architecture is that we add a layer after EOP, the default layer Microsoft provides, and after ATP, Microsoft’s advanced layer for customers who have purchased it. This means that whatever Microsoft detects is always blocked, and whatever Microsoft fails to detect is what Avanan scans and blocks. This is the best practice in security, a layered approach, because an additional independent layer means:

1+1=2

But what is really unique about Avanan’s AI is that it has been built specifically to catch the attacks that Microsoft 365 (or Gmail, for G-Suite customers) misses.

This means:

  1. The machine learning is specifically trained and tuned on real attacks that Microsoft's default security misses. This lets the algorithm focus on the more sophisticated phishing scams, making it extremely effective at catching those attacks.
  2. Many of the attacks that bypass Microsoft use obfuscation methods to evade EOP/ATP malicious-URL analysis or natural language processing. Avanan builds those methods into the AI as indicators of attack, so when attackers use them to bypass EOP/ATP, they also incriminate themselves in Avanan and get blocked.
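Point 2 describes turning evasion tricks into detection signals. The Python below is an added illustration of that idea, written for this post; it is not Avanan's model and the heuristics are generic assumptions of mine, not a description of Avanan's feature set. It extracts the URLs from a message body, names the URL constructions that are rarely seen in legitimate mail but common in links built to mislead readers or link scanners (userinfo before `@`, percent-encoded authority, raw IP host, punycode labels, deep subdomains, a nested URL in the query string, extreme length), and flags any link that accumulates two or more of them. The sample body is constructed in the style of the voicemail lure and uses placeholder domains and IPs.

```python
import re
from urllib.parse import urlparse, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def url_evasion_indicators(url):
    """Return the names of URL constructions that commonly signal an attempt to
    mislead a reader about the destination or to slip past link analysis."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    found = []
    # A userinfo part before '@' is ignored for routing, so the text a reader sees
    # first is not the host the browser actually connects to.
    if "@" in parsed.netloc:
        found.append("userinfo_in_authority")
    # Percent-encoding inside the authority is never needed for a real hostname.
    if re.search(r"%[0-9a-f]{2}", parsed.netloc, re.I):
        found.append("percent_encoded_authority")
    # A bare IPv4 address instead of a domain name.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        found.append("ip_address_host")
    # Punycode labels (xn--) carry internationalized characters that can imitate ASCII names.
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode_host")
    # Many nested subdomains push the real registered domain out of view.
    if host.count(".") >= 4:
        found.append("deep_subdomain")
    # A full URL (often percent-encoded) inside the query string is the shape of
    # a redirect hop that hides the final destination from the scanner.
    if re.search(r"https?://", unquote(parsed.query), re.I):
        found.append("nested_url_in_query")
    # Very long URLs are hard to inspect and typical of encoded payloads.
    if len(url) > 200:
        found.append("very_long_url")
    return found


def scan_body(text, threshold=2):
    """Score every URL in a message body; flag those with at least `threshold` indicators.
    The threshold is an assumption for this example, not a tuned value."""
    results = {url: url_evasion_indicators(url) for url in URL_RE.findall(text)}
    flagged = [url for url, indicators in results.items() if len(indicators) >= threshold]
    return {"urls": results, "flagged": flagged}


# Constructed sample body (not a real message) in the style of the voicemail lure.
SAMPLE_BODY = """You have a new voice message (0:42).
Listen now: https://mail.example.test@198.51.100.7/voice/play
Unsubscribe: https://notify.example.test/prefs
"""


if __name__ == "__main__":
    report = scan_body(SAMPLE_BODY)
    for url, indicators in report["urls"].items():
        print(url, "->", indicators or "clean")
    print("flagged:", report["flagged"])
```

In a real pipeline these indicator names would be features fed to a classifier alongside sender, header and text features rather than a fixed threshold; the point the example makes is that each evasion trick leaves a structural trace in the URL itself, and that trace is cheap to extract.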

This is how Avanan catches what everyone else is missing. This is why with Avanan you get:

1+1=3

Recommendation

If you are a Mimecast customer, consider turning it off. You will save money, and you will probably get better phishing and spam filtering from Microsoft’s EOP.

If you really need to secure your end-users’ email, install the Avanan app today. It takes one minute, with no MX-record changes or other complex configurations. Just approve our app once for the entire company.

We will protect Office 365 from the inside and the problem will go away.

Start Your Trial Now