Microsoft Office 365 is the most popular target and vector for email phishing attacks. Office 365 Security is Microsoft’s best — especially compared to its 30-year challenge to secure the Windows OS. They have spent billions of dollars and acquired some great companies.  

  • So, why do they still miss each new wave of phishing attacks and malicious files?
  • How can organizations use the most prolific collaboration suite ever invented in the most secure manner possible?  
  • Consider these advantages and drawbacks of the security offered by Microsoft.

Exchange Online Protection (EOP) is the default security for Office 365. Advanced Threat Protection (ATP) is an add-on service available for an additional cost, or included with higher-priced enterprise options, such as the E5 license package.

Pricing aside, Microsoft demonstrates a commitment to security across the collaboration suite by updating the artificial intelligence (AI) EOP with the threat signatures of attacks caught by ATP. ATP boasts all the standard security functionalities on the market, making it a one-stop-shop for many Chief Information Security Officers (CISOs).

Microsoft is the center of the security universe

Each of the 180 million Exchange Online corporate mailboxes protected by Microsoft has different security needs, communication patterns, sensitive data, and collaboration styles. Because of how large and diverse the Office 365 user base is, Microsoft must keep the false positive rate low to guarantee deliverability and business continuity.

Deciding if content is malicious has a statistical aspect to it. There are many obvious cases of phishing, but also many grey examples. As such, the default security in Microsoft (EOP) must prefer the risk of missing an attack — a false negative — over blocking a legitimate message or file — a false positive. This hedging approach is necessary to reliably secure the masses, but means that the threat protection can not be fully tailored to each organization using Office 365.

At the same time, Microsoft Office 365 is both a security provider and the target of advanced cyber attacks. This complicated identity informs why ATP has certain weaknesses that require supplemental security.

Three advantages

To leverage ATP, it’s important to know about three strengths of its threat intelligence when compared to the market — specifically in the antiphishing space.

  1. URL rewriting. A feature available in ATP for Office 365, Safe Links provides time-of-click verification of URLs in emails and Office documents. When activated, it rewrites every domain to route users through ATP Safe Links protection before redirecting the end-user's browser to the webpage. It checks if that destination domain is not on a custom blacklist of malicious URLs created by the organization, or on the Microsoft blacklist.
  2. Attachment sandboxing. ATP calls this feature Safe Attachments, which detonates malware in a secure environment to learn its behavior. (Google’s G Suite doesn’t have attachment sandboxing yet, but it is in beta at the time of this writing.) Millions of Office 365 users whose files have been sandboxed benefit from the scale at which the catch rate is honed. Better yet, this feature deploys in one click.
  3. Easy integration. ATP integrates into Office 365 without requiring special configurations or adding a mailflow hop — the complicated path email secured by conventional solutions takes when it travels from one server to another and then back. It’s a simple checkbox to turn on, requiring no mailflow rules or connectors required. With conventional email security solutions, such as a Secure Email Gateway or Mail Transfer Agent, this is not the case, and can become a time-consuming prospect during deployment and tune-ups.

Three Drawbacks

The accessibility of Office 365 presents another problem.

  1. Predictable circumvention.  For about $35 per month, any hacker in the world can create an Office 365 account to figure out how to circumvent the security. When analyzing new pieces of malware, Avanan security analysts see the creativity and complexity of code put in by the hackers to specifically evade Microsoft’s default security.
  2. ATP is Version 1. Introduced in 2015, its features and functionality is relatively immature when compared to solutions established security companies have been honing for decades. The intellectual property incorporated into technology companies focusing purely on sandboxing — like FireEye, PaloAlto, or CheckPoint — are years ahead in their ability to consistently catch evasive malware.
  3. Opaque reporting and forensics functionality. Visibility and control in the Microsoft security interface is limited. This makes it difficult to deep-dive into a specific incident, find the root cause, which users are impacted, if a user account was compromised, if data was lost, etc. At the same time, ATP limits reporting based on time constraints. For example, it takes a few hours to return a mail protection detail reports for messages older than 7 days. For data older than 90 days, reports are inaccessible.


With the world’s most talented engineers and a seemingly infinite budget, why does Microsoft fall victim to phishing attacks that get past ATP and Exchange Online Protection (EOP) for Office 365?

The reasons have nothing to do with any particular Microsoft failure, but much to do with the widespread adoption of Office 365 as an enterprise collaboration suite. Because Office 365 is the most used platform, it is also the most attacked. This creates strengths and weaknesses in ATP.

Organizations should use Microsoft as a primary security provider and layer additional security solutions from third-parties that have more tailored AI, security that is invisible to hackers, and expansive reporting.

Knowing this ATP empowers Office 365 admins to use the platform responsibly and optimally.