Why You Need A Third-Party Phishing Filter


Around 3.4 billion phishing emails are sent every day. Are you properly protecting your business against this ever-increasing threat?

According to Cofense, a phishing email gets delivered every 45 seconds. Having a safeguard in place to protect your email is more crucial than ever. In our previous blog post, we provided an in-depth guide on how to configure Microsoft Defender for Office 365. It is vital to properly set up Microsoft’s built-in tool for phishing. However, Defender for Office 365 is not sufficient on its own to secure your email. Moreover, if you have not configured Defender’s intricate settings correctly, bad actors could entirely bypass your third-party phishing filter. Microsoft’s anti-phishing policy is designed to prevent any external phishing filter from overriding it. We will outline below why you need a third-party phishing filter for your organization. Treat this post as a companion piece to our Defender for Office 365 configuration guide.

The Necessity of a Third-Party Phishing Filter:

Why Defender for Office 365 Isn't Enough

Overall, Defender allows delivery of emails that third-party filters would typically classify as phishing. We have personally seen emails with suspicious domains, unsafe attachments, and malicious links bypass Defender for Office 365. Ironically, we have even received alerts from Defender itself about the delivery of these phishing emails. Without a third-party phishing filter in place, those emails would wreak havoc in users’ inboxes.

Not only is Defender’s failure to contain malicious emails a major security risk, but its standard policies also pose major disruptions to business operations. Its Anti-Phishing policy (aka the High Confidence Phishing policy) overrides any third-party phishing filter in place and will send emails directly to quarantine in Microsoft 365. This is regardless of whether or not you have a quarantine policy set up with your third-party phishing filter. Essentially, there could be a lot of important emails hiding in Microsoft’s quarantine unbeknownst to any user.


Our Experiences with Third-Party Phishing Filters

As managed service providers ourselves, we use Avanan as our third-party phishing filter. A lot of emails are able to make it through Microsoft Defender. According to their reports, Avanan can catch 99.9% of advanced attacks that slip through both of Microsoft’s security features. Office 365 is the primary focus of the research of attack analysts at Avanan, so it is a great complement to organizations that run on Microsoft.

A company that we had worked with recently told us they were using a third-party phishing filter. They were confident it was responsible for blocking all threats as opposed to Defender for Office 365. Rather than taking that information at face value, we went and double-checked their anti-phishing settings. What we found was that emails were not routing to their third-party phishing filter. In fact, their external filter was not even functioning at all.

By ignoring Microsoft Defender and depending solely on an (inactive) third-party program, their organization was incredibly vulnerable to threats. On top of this misconfiguration, Defender was not alerting them of any incidents that were occurring in their environment. That means if users were interacting with phishing emails, downloading malicious files, etc., nobody was being notified of these incidents. They were lucky not to have a data breach or malware running rampant through their organization, especially when 93% of breaches result from phishing attacks.

We have a feeling that cases like this are more common than you think. There is a lot that can go wrong or slip through the cracks when securing an organization’s email. Defender’s default anti-phishing settings deactivate third-party phishing filters. Proper initial setup and regular auditing of both your external phishing filter and Microsoft Defender can help prevent misconfigurations.
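
Part of the routing audit described above can be automated by checking, on a sample of delivered messages, which server actually handed each one to Microsoft 365. The following is an added example, not code from this post or from any vendor; it assumes the filter is deployed inline in front of Microsoft 365, and the host suffixes, filter IP range and sample headers are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Assumptions (constructed placeholders, not from the article or any vendor):
EDGE_SUFFIXES = (".protection.outlook.com", ".prod.outlook.com")  # tenant-side hosts
FILTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # filter's sending range

HOP = re.compile(r"from\s+(?P<host>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)
ADDR = re.compile(r"[\[(]([0-9A-Fa-f:.]+)[\])]")

def entry_ip(raw):
    """IP that handed the message to the tenant edge, or None if not found.

    Received headers are prepended, so scan newest first and stop at the first
    hop stamped by a tenant-side server for an outside host; older hops are
    whatever the sender supplied.
    """
    msg = message_from_string(raw, policy=default)
    for value in msg.get_all("Received", []):
        m = HOP.search(str(value))
        if not m or not m["by"].lower().rstrip(";").endswith(EDGE_SUFFIXES):
            continue  # hop not stamped by a tenant-side server
        if m["host"].lower().endswith(EDGE_SUFFIXES):
            continue  # internal relay between tenant-side servers
        for cand in ADDR.findall(m["rest"]):
            try:
                return ipaddress.ip_address(cand)
            except ValueError:
                continue
        return None
    return None

def bypassed_filter(messages):
    """IDs of messages whose entry hop did not come from the filter's range."""
    def ok(ip):
        return ip is not None and any(ip in net for net in FILTER_NETS)
    return sorted(mid for mid, raw in messages.items() if not ok(entry_ip(raw)))

# Constructed sample headers (not real mail): one routed via the filter, one direct.
SAMPLE = {
    "routed": "Received: from mx1.filter.example (203.0.113.25) by"
              " EDGE01.mail.protection.outlook.com; Mon, 6 Jan 2025 10:00:01 +0000\n"
              "Received: from mail.sender.example (198.51.100.7) by mx1.filter.example\n\nbody\n",
    "direct": "Received: from mail.sender.example (198.51.100.7) by"
              " EDGE01.mail.protection.outlook.com; Mon, 6 Jan 2025 10:05:00 +0000\n\nbody\n",
}
```

Calling `bypassed_filter(SAMPLE)` returns the IDs of messages that reached the tenant without passing through the filter. Hostnames in a hop are supplied by the sending server, so the verdict rests on the IP address the tenant-side server recorded; use this as a routing audit on exported messages, not as a filtering control.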


Where to Start with Third-Party Phishing Filters

Some industries are more frequent targets of phishing attacks than others. Healthcare, education, finance, and small-to-medium-sized businesses are the most common victims. This is not to say that some sectors can ignore phishing protections entirely. Rather, the strength and policies necessary in a third-party phishing filter vary depending on the scope of work. As mentioned in our post covering Defender for 365, this will determine the strength of the filter and whether or not restoring a quarantined email requires admin approval. Companies in high-risk industries should pursue the strictest quarantine and filter policies they can that would not greatly disrupt their operations.

Another good way to gauge what kind of anti-phishing filter is necessary is by performing a phishing simulation. You can execute an attack simulation through Microsoft Defender. 

To do so, navigate to:

Security.microsoft.com > Email & Collaboration > Attack simulation training > Simulations > + Launch a simulation 

You will then see a prompt to select the form of phishing you would like to imitate. There are 7 different techniques to choose from: 

  • Credential Harvest
  • Malware Attachment
  • Link in Attachment
  • Link to Malware
  • Drive-by URL 
  • OAuth Consent Grant 
  • How-to Guide

Microsoft provides descriptions and details of different phishing techniques so you can choose one most applicable to your organization. Additionally, you can customize what payload you want your phishing simulator to include. For example, to ensure your users are on their toes, you could perform a Link in Attachment simulation. Choose the “payment detail” payload and perform this simulation after year-end reviews that would result in pay changes. You can even design your own payload. 

Once you have selected the technique and payload, you can choose which users or groups will receive the phishing simulator. You can also choose whether or not to assign a phishing training to users who fail the test. Then, launch the simulation and wait to analyze the results. 

You can monitor the simulation coverage, training completion, repeat offenders (if multiple simulations have occurred), and behavior impact from the simulation in Defender. Once most users have experienced the simulation, you can judge what strength of filter your organization might need. 917 Solutions recommends only a 3% maximum compromise rate as our baseline cybersecurity standard.

Setting Up a Phishing Filter Can Be a Lot

You don’t have to go it alone. 

A trusted cybersecurity partner is an invaluable resource. You can have peace of mind that a dedicated team, on call when you need it, is securing and protecting your tenant. A good MSP will not only manage services you have, but will help create a work environment that best suits your needs. A standard risk assessment could provide the necessary information to configure a third-party phishing filter that best suits your organization. Cybersecurity firms also routinely perform phishing simulations to monitor users’ vigilance and knowledge of how to report phishing.
