Reading this blog title, you might think I’m going to condemn Microsoft and its efforts to secure Office 365. But in fact, Office 365 Security is Microsoft’s best—especially compared to its 30-year challenge to secure the Windows OS. They have spent billions of dollars and acquired some great companies, but still miss each new wave of phishing attacks and malicious files.

Here are a few blogs from Microsoft that demonstrate the challenge: 

Reasons why Microsoft can't secure Office 365 like Avanan can

So, the question remains: with great engineers and huge budgets, why does Microsoft fail to secure Office 365? The reasons have nothing to do with any particular Microsoft failure but a lot to do with the success of its Office 365 business suite. Here's why.





Reason 1: Every hacker has their own Office 365 account to figure out how to circumvent its security.

Put a safe in the hands of motivated safecrackers and eventually they’ll break it. Microsoft’s default security is a little bit like that. At about $35 a month, anyone in the world can get their own Office 365 account and all the time in the world to work on it until they find a way to bypass its security. Analyzing new pieces of malware, we see the creativity and amount of code put in by the hackers to specifically evade Microsoft’s default security. For example, most attackers know that Microsoft's Advanced Threat Protection does not monitor outbound or internal email, which is why so many attacks use compromised accounts.  

In short, the reason more and more zero-day malware is able to bypass Office 365 default security is not because Microsoft is getting worse, but because the popularity of the service motivates hackers to verify that they are able to bypass it before they launch their attacks.

Reason 2: To stay ahead of hackers, you have to play dirty.

Over the years, hackers have learned how to monetize their illegal activity. And when the money started flowing, an ecosystem was built wherein some people find a vulnerability and sell it to others who execute an attack campaign, leveraging still others who can "collect." To be ahead of the hackers, many security companies are using CIA-like teams that infiltrate the darknet to know about attacks before they happen. Obviously, hacker networks are not easy to infiltrate, and this method requires time, trust-building, not exposing sources, and more. To build a team of this nature with the white-hat hacker mentality is almost impossible in a corporation like Microsoft.

Reason 3: Some of Microsoft’s security layers are version 1.0.

Microsoft acknowledges that antivirus is not enough, and that sandboxing technology is required to identify zero-day malware. This is why they offer their version of a sandboxing technology for $2/user/month. But sandboxing is a cat-and-mouse game: the hackers are constantly trying to write their malware so it goes through, while the security experts behind the sandbox keep improving their heuristics to fix those gaps. This is a bit like reason #1 above: every hacker has their own Office 365 sandbox to figure out how to circumvent its filters. This is also reminiscent of reason #2: the security companies behind sandboxes are constantly on top of new pieces of malware to stay ahead.

The problem with Microsoft’s Advanced Threat Protection is that it’s a version 1.0 of what other companies have been doing and improving for several years. The intellectual property incorporated into sandboxing technologies from companies like FireEye, Palo Alto, or Check Point is several years ahead in its ability to successfully catch evasive malware.

Reason 4: Stand in line with everyone else.

The overwhelming adoption of Office 365 is part of Microsoft’s challenge. Microsoft does not offer its sandboxing technology by default to all Office 365 users because it just doesn’t scale. To keep the number of sandbox users under control, Microsoft charges additionally for this feature. But even if you are purchasing the Office 365 built-in sandbox, your emails will stand in line with millions of others. We’ve heard reports from our customers that it often takes 30 minutes to complete the sandboxing detonation, and in some cases, emails are delayed for an unacceptable 3-5 hours before being delivered to end-users.

The result is that customers either choose the risky option of not using a sandbox and exposing the organization to zero-day attacks, or they look for alternatives to Microsoft ATP so they can have a dedicated sandbox service and can get all their emails scanned and cleared in a timely manner.

Reason 5: Office 365 can’t afford false positives.

Microsoft will surpass 100 million Exchange-Online (Office 365 email) corporate mailboxes in 2017. Once again, it’s the success and scale of Office 365 that limits what its default security can block. Deciding if a file is actually malware has a statistical aspect to it. There are many clear cases but there are many grey examples as well.

Here’s a recent example: A quote generated by the popular Oracle (Siebel) CRM came in MS-Word format with a 12,000 line script that downloads an executable and executes it in a shell command. The email it comes in is very similar to many phishing attacks we’ve all received: “Attached is your 2017 quote for product X”. White-listing these files across the board is super risky—a small deviation in the script and you’re opening the door for pretty nasty malware. But blocking it is also super risky for a company with 100 million mailboxes—even a 1% false-positive rate would result in one million angry customers calling Microsoft support.

The default security from Office 365 has to prefer the risk of missing a piece of malware (false negative) over blocking a legitimate file (false positive). This approach is good for the masses but is not the right choice for security-conscious companies. For them, playing it safe and quarantining the file, so long as there's an easy workflow for end-users to release it from quarantine, is normally the option of choice. But if they rely on Microsoft’s default security, they get the same security as everyone else, where the policy is tuned for the masses and not for their needs.


Office 365 security is not good enough for many organizations. It is not because of a Microsoft failure; it is because any default security is like a static wall: the bad guys eventually find a way around. The huge success of Office 365 is actually a big part of the problem—security scalability is part of the issue, but the bigger issue is the bad guys' skyrocketing motivation to crack it. And that is only going to get worse.

What can I do?

If you have decided not to rely on Microsoft's built-in security, you should consider additional layers from a third-party vendor. Until recently, the only option for securing email was an MTA gateway that monitored inbound email. Today, however, it is possible to protect inbound, outbound and internal email.

Read our recent blog post about why today's threats should no longer be considered an external threat and why you should monitor all email, including messages between your employees. A single compromised account becomes an insider threat. While you are at it, remember that Office 365 is not just email and look for a solution that will give you the same protection for OneDrive, SharePoint and other Office 365 services.

