Proofpoint and Mimecast have been the best email security solutions for our legacy on-premises email platforms—Exchange, Lotus Notes, etc. But putting them in front of Office 365 or Gmail actually blinds Microsoft's and Google's default security. In some cases you are better off without them!
We summarized in a prior blog why an MTA-based gateway is not the right solution for SaaS email, but in recent weeks we detected something quite amazing: phishing attacks that would have been blocked by Office 365 or Gmail are able to bypass all security precisely because an MTA from Mimecast or Proofpoint was deployed in front of them. This is mind-blowing: you spend money on a security solution that makes your security posture worse.
We did some analysis to investigate why this happens—why emails that would be blocked by the default security of the SaaS email make it through when customers add another security layer in front of them. Here's what we found.
When 1 + 1 = 0
The root issue is that MTA-based email security solutions like Mimecast and Proofpoint change certain indicators in the email's headers, and those changes blind some critical parts of the default security layers in Office 365 and Gmail.
The two main indicators that get lost in the email that reaches O365 and Gmail are:
1. The sender's IP address: Once an MTA is in front, O365 and Gmail no longer see the original sender of the email; the connecting host they see is the MTA, not the sender's IP address. Any scoring, blacklisting of senders and ISPs, their reputation, and GEO info: all of this is lost, and the related security becomes dysfunctional.
2. SPF (Sender Policy Framework) fails: This standard email security mechanism tells the receiver of the email that the sending IP is a legitimate sender for the domain listed in the sender address. Because the SaaS email server only sees the MTA's IP, both a real and a fake email from "Bank of America" are received with "SPF Failed". For this reason, MTA vendors tell you to disable the spam and phishing filtering of the email service. While SPF is not fail-proof, it is an important indicator of the genuineness of an email.
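To make the two lost indicators concrete, here is an added Python example (not code from the post or from any of the vendors named in it). It models the mailbox provider's view of a delivery with and without a relaying MTA, using a deliberately simplified SPF evaluator that handles only ip4/ip6 mechanisms and the `all` terminator (real SPF also resolves `include`, `a`, `mx` and `redirect` through DNS). The domain `example-bank.test`, the SPF record, the IP addresses and the `Received` headers are all constructed for the example. The last function shows the defensive counterpart: if the provider is told which MTA IPs are trusted, it can walk the `Received` chain back to the hop the trusted MTA actually accepted the mail from and evaluate SPF against that address instead of the MTA's.

```python
import ipaddress
import re

# Constructed sample data (not from the post): a hypothetical domain that
# authorizes one /24 and one single host to send mail on its behalf.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """Simplified SPF check against an in-memory record table.

    Only ip4/ip6 mechanisms and the terminating 'all' are supported so the
    example runs offline; include/a/mx/redirect (which need DNS) are skipped.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            # 'in' is False when address and network families differ.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        # Any other mechanism is ignored in this simplified model.
    return "neutral"


def deliver(mail_from_domain, origin_ip, via_mta_ip=None):
    """Return (IP the SaaS provider sees, SPF verdict it computes).

    With a relaying MTA in front, the provider's TCP peer is the MTA, so the
    origin IP and the SPF verdict derived from it are both replaced.
    """
    seen_ip = via_mta_ip if via_mta_ip else origin_ip
    return seen_ip, evaluate_spf(mail_from_domain, seen_ip)


# Constructed Received chain, newest hop first, as the provider would see it
# after a genuine message passed through a hypothetical MTA at 198.18.0.9.
SAMPLE_RECEIVED = [
    "from mta.example-gw.test (mta.example-gw.test [198.18.0.9]) by mx.saas-mail.test",
    "from mail.example-bank.test (mail.example-bank.test [203.0.113.5]) by mta.example-gw.test",
    "from workstation.internal (unknown [10.1.2.3]) by mail.example-bank.test",
]

_BRACKET_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def origin_ip_from_received(received_headers, trusted_mta_ips):
    """Walk Received headers newest-first, skip hops owned by trusted MTAs and
    return the first untrusted hop's IP: the address the last trusted MTA
    actually accepted the connection from. Hops further down the chain were
    written by the sender and are not trustworthy, so the walk stops there.
    """
    for header in received_headers:
        match = _BRACKET_IP.search(header)
        if not match:
            continue
        hop_ip = match.group(1)
        if hop_ip in trusted_mta_ips:
            continue
        return hop_ip
    return None


if __name__ == "__main__":
    domain = "example-bank.test"
    print("genuine, direct   ", deliver(domain, "203.0.113.5"))
    print("spoofed, direct   ", deliver(domain, "192.0.2.77"))
    print("genuine, via MTA  ", deliver(domain, "203.0.113.5", via_mta_ip="198.18.0.9"))
    print("spoofed, via MTA  ", deliver(domain, "192.0.2.77", via_mta_ip="198.18.0.9"))
    recovered = origin_ip_from_received(SAMPLE_RECEIVED, {"198.18.0.9"})
    print("recovered origin  ", recovered, evaluate_spf(domain, recovered))
```

Run stand-alone, the first two scenarios give distinct verdicts (pass versus fail), while both MTA-relayed scenarios produce the same MTA IP and the same "fail", which is exactly why the provider's IP reputation and SPF logic stop contributing anything. The `Received`-chain walk only helps when the provider knows the MTA's addresses; without that trust configuration it has no safe way to tell the MTA's hop from one the sender forged.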
So, the result is simple. If you install an MTA—Proofpoint, Mimecast, or any of the other legacy email security solutions—you are betting your security on those vendors versus the default security built into Office 365 and Gmail. The sad truth for the algorithms used by both the SaaS email providers and the security vendors is that they rely on Big Data. They take their heuristics from the old days of spam, when attackers were spreading emails at a high rate across numerous unrelated accounts. Microsoft and Google became very good at spam-like phishing filtering; therefore, the value of Proofpoint and Mimecast in a SaaS email environment has diminished. For Big Data analytics, we are seeing that Microsoft and Google are actually better than Proofpoint and Mimecast, probably because they see more inboxes.
But more importantly, the hackers have changed their behavior to bypass Office 365 and Gmail default security. Instead of sending huge volumes of similar emails and spamming every account they can, they build more intelligent and targeted attacks against specific people in the organization, with content specifically built for them. And the attacks that bypass Microsoft and Google also bypass Proofpoint and Mimecast.
So, Microsoft's and Google's services have a big gap: phishing, which you can feel every day. But Proofpoint and Mimecast are not making things better; in some cases, they are making things worse.
What Can I Do?
Avanan secures all SaaS, email and phishing included. Our phishing solution is different from your legacy email gateway in several aspects:
1. We deploy as an app from the O365 or G Suite app store. What this means is that all of Microsoft's and Google's security does its best, then we scan the email and present it in the inbox after it's cleared. So, you don't replace one security layer with another; you add another security layer on top of the default security in the platform.
2. Our novel phishing algorithm relies on NLP (Natural Language Processing) and Machine Learning, combining 300+ indicators ("features" in the language of data scientists) to make a decision. You have to see the results for yourself; you wouldn't believe the things it can catch: no longer does the system rely on the magnitude of similar emails. We've caught super-targeted attacks consisting of a single fake email sent from the "CEO" to the CFO, and blocked them before they ever showed up in the CFO's inbox.
3. "Warning" mode: being an app integrated into the service, our solution can add a warning for the end user, very naturally integrated into the message they receive, that explains why this email is suspicious—messages like "We have never seen this sender," or "We normally see this user from this email address"—and they can choose to trust the sender or report it as phishing. Our platform will learn their decision and take it into account in its algorithm.
In a recent customer advisory meeting, several of our customers said they knew they needed a solution and had thought about looking at the legacy email security vendors, but once they deployed us and saw how easy it was, plus saw the results, they just stopped looking. So, whether you have tried an MTA-based solution and are frustrated with all the phishing it misses, or you haven't tried one yet, please reach out. We'll get you going in less than 5 minutes: it's literally as easy as installing an app on your iPhone—no MX record change, and you can start in visibility-only mode. We also scan all historical email, so very quickly you'll see all the attacks that got through Office 365 and Gmail default security, and how Avanan can block them.
See Avanan's security capabilities for yourself.