How Secure is Email on Microsoft Office 365?

Author: Craig Pollack Date: Mar 17, 2022 Topics: Cloud, Technology Trends, Cybersecurity

Microsoft Office 365 is one of the most popular and widely used office suites for small to mid-size businesses (SMBs). The cloud-based subscription service, for which Microsoft guarantees 99.9% uptime, enables employees to communicate and collaborate effectively using a variety of business-focused tools such as email, shared documents, calendars, and web conferencing. However, the popularity of Office 365 for email hosting also makes it a prime target for hackers and other malicious users looking to exploit its vulnerabilities.

They frequently do so via social engineering, ransomware, viruses, and other forms of cyber-attack. So this raises the question: just how secure is Microsoft's Office 365 email service? And what are a few email security best practices to keep in mind when navigating your inbox?

Office 365 Security Concerns and Email Security Threats

Although no single technology or brand can prevent 100% of cyber threats (risk can only be mitigated through a combination of technology, education, and adherence to cybersecurity and email security best practices), Microsoft Office 365 is still viewed as a leader in email service.

Even with this in mind, here are a few of the recent cybersecurity vulnerabilities and threats that have been identified as affecting the Office 365 email service.

Hackers Use Phishing Tactics to Bypass Office 365 Protections

In recent months, several Office 365 email security concerns came to light when it was discovered that the Advanced Threat Protection (ATP) mechanism used by Office 365 and other popular email services was susceptible to a specific type of phishing attack called the ZeroFont technique. In these attacks the scammer mimics a well-known company to trick users into giving up their personal and account information.

Hackers also found a way around Microsoft's Safe Links protection feature, which replaces every website link in an incoming email with a secure Microsoft-owned URL, by using something called a "baseStriker attack." This phishing method replaces the default base URL with one Microsoft did not intend, splitting and disguising malicious links so that clicking them takes the user to the scammer's phishing website.
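Both evasions just described work by making the email that a content or link scanner inspects differ from what the recipient's mail client renders: ZeroFont inserts characters styled with font-size:0, which a naive filter reads but the user never sees, and baseStriker puts the host in an HTML `<base href>` tag so that each `<a href>` is only a relative path until the browser joins the two. The Python script below is an added example written for this article, not Microsoft's or FPA's code. It shows the defender-side normalisation a scanner needs before judging a message (drop zero-font text, resolve links against `<base>`, then compare the resolved link hosts with a trusted-domain allowlist, which is the automated form of the "check the address bar" advice given in the best-practices section). The sample email, the hostnames in it and the allowlist passed to `off_brand_links` are constructed for the demonstration.

```python
"""Normalise an HTML email body so a phishing scanner sees what the user sees.

Added example (not Microsoft's or FPA's code). It undoes two evasions before
any text or link inspection takes place:
  * ZeroFont: text styled with font-size:0 is invisible to the recipient but
    read by a naive filter, so it is dropped from the scanned text.
  * baseStriker: <a href> values are relative paths that the browser joins to
    a <base href> host, so links are resolved the same way before checking.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches "font-size: 0", "font-size:0px;" etc., but not "font-size: 0.5em".
ZERO_FONT_RE = re.compile(r"font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)", re.I)

# Elements that never get a closing tag, so they must not enter the stack.
VOID = {"base", "br", "img", "hr", "meta", "input", "link", "area", "col"}


class EmailNormalizer(HTMLParser):
    """Collects the visible text and the raw hrefs of an HTML email."""

    def __init__(self, strip_hidden=True):
        super().__init__()
        self.strip_hidden = strip_hidden
        self.base = None          # first <base href>, as a browser uses it
        self.raw_hrefs = []
        self.visible = []
        self.hidden_depth = 0     # > 0 while inside a zero-font element
        self._open = []           # stack of (tag, is_hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            if a.get("href") and self.base is None:
                self.base = a["href"]
            return
        if tag == "a" and a.get("href"):
            self.raw_hrefs.append(a["href"])
        if tag in VOID:
            return
        style = a.get("style") or ""
        hidden = self.strip_hidden and bool(ZERO_FONT_RE.search(style))
        if hidden:
            self.hidden_depth += 1
        self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        # Tolerate the sloppy markup of real emails: ignore stray closers.
        if tag in VOID or all(t != tag for t, _ in self._open):
            return
        while self._open:
            t, hidden = self._open.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.visible.append(data)


def normalize(html, strip_hidden=True):
    """Return the text a recipient sees and the URLs a browser would open."""
    p = EmailNormalizer(strip_hidden=strip_hidden)
    p.feed(html)
    p.close()
    text = " ".join("".join(p.visible).split())
    links = [urljoin(p.base, h) if p.base else h for h in p.raw_hrefs]
    return {"text": text, "links": links}


def off_brand_links(links, trusted_hosts):
    """Links whose host is neither one of the trusted hosts nor a subdomain."""
    flagged = []
    for url in links:
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            flagged.append(url)
    return flagged


# Constructed sample lure combining both tricks (the hostname is made up).
SAMPLE = """<html><head><base href="https://login-portal.example.net/"></head>
<body>
<p>Your <span style="font-size:0">cat</span>acc<span style="font-size: 0px;">zzz</span>ount
will be suspended. <a href="microsoft/login">Sign in</a> to keep access.</p>
<a href="https://www.microsoft.com/">Microsoft</a>
</body></html>"""

if __name__ == "__main__":
    naive = normalize(SAMPLE, strip_hidden=False)   # what a filter reads
    seen = normalize(SAMPLE)                        # what the user sees
    print("filter reads:", naive["text"])           # contains "catacczzzount"
    print("user sees   :", seen["text"])            # contains "account"
    print("resolved    :", seen["links"])
    print("off-brand   :", off_brand_links(seen["links"], {"microsoft.com"}))
```

Run as-is, the script shows that a keyword filter fed the raw text would never see the word "account", and that the "Sign in" link only reveals its real host once it is joined to the `<base>` URL; only after both normalisations does the allowlist comparison flag the lure. The design choice worth copying is that inspection happens on the browser's view of the message, not the wire format.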

It was also discovered that cybercriminals were exploiting a gap in Office 365's built-in security protections by inserting malicious links into SharePoint documents. Because Microsoft doesn't scan the links within shared documents for phishing URLs, those links were able to bypass the company's email security protections. This is where an additional layer of internet threat protection (such as the Cisco Umbrella deployment we use with our clients) helps secure your network against this practice.

A Few Email Security Best Practices for Microsoft Office 365

One of the first things we ALWAYS recommend is setting up 2FA (two-factor authentication) as a requirement for accessing your email hosted on Microsoft Office 365. This is definitely a must.

Another critical one concerns the human element: being cautious about URLs included in the body of emails is certainly a best practice. In particular, be wary of emails whose subject lines read "Action Required" or "Urgent."

When presented with a login page, it's vital to double-check your web browser's address bar to determine whether the URL is legitimate or a phishing page. The downside of clicking the link to make that determination is that by then it could already be too late: the link could direct users to a fake login page that triggers a malware download onto their machine.

From a business perspective, it's also beneficial to have a formal cybersecurity user awareness training program in place for your employees, everyone from the CEO on down. This is critical because, no matter what technical protections you have in place, your employees are either your organization's best defense or its biggest weakness when it comes to cybersecurity.

In addition to implementing industry-standard cybersecurity best practices, we also recommend an appropriate third-party anti-spam solution to further tighten up Microsoft's Office 365 email system.

Bottom Line

Despite the recent concerns with Microsoft's Office 365 email security, when properly configured it's an invaluable and secure tool for small to mid-size businesses, with the benefits overwhelmingly outweighing the risks.

As a Microsoft Value-Added Reseller (VAR) and a Microsoft Partner Silver Midmarket Solution Provider, we're certified and have been working with Office 365 for years helping clients leverage the benefits of the Office 365 email service. And when you add Microsoft Teams into the mix, you have one of the most robust organizational communication solution sets out there.

What email service are you using for your business and why? Please share your thoughts in the comments section below, or shoot me an email to continue this discussion in more detail.



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.