How Secure is Email on Microsoft Office 365?

Author: Craig Pollack
Date: Sep 25, 2018
Topics: Cloud, Technology Trends, Cybersecurity

Microsoft Office 365 is one of the most popular and widely used office suites for small to mid-size businesses (SMBs). The cloud-based Office 365 subscription software and services, for which Microsoft guarantees 99.9% uptime, enable employees to communicate collaboratively and effectively using a variety of business-focused tools such as email, shared documents, calendars, and web conferencing.

However, the popularity of Microsoft Office 365 makes it a prime target for hackers and other malicious users who wish to exploit cybersecurity vulnerabilities and threats. They frequently do this via social engineering attacks, ransomware, viruses, and other methods of cyber attack.

So, this brings up the question: Just how secure is Microsoft’s Office 365 email service? And what are a few email security best practices users can keep in mind when navigating their inboxes?

Office 365 Security Concerns and Email Security Threats

Although no single technology or brand can prevent 100% of cyber threats (you can only mitigate risk through technology, education, and following cybersecurity and email security best practices), Microsoft Office 365 is still viewed as a leader in email service. Even so, here are a few of the recent cybersecurity vulnerabilities and threats that have been identified as affecting the Office 365 email services.

Hackers Use Phishing Tactics to Bypass Office 365 Protections

Over the past several months, several Office 365 email security concerns came to light. It was discovered that the advanced threat protection (ATP) mechanism used by Microsoft Office 365 and other popular email services is susceptible to a specific type of phishing attack called the ZeroFont technique. The way it works is that the scammer mimics a popular company to trick users into giving up their personal and account information.

Hackers also found a way around Microsoft’s Safe Links protection feature, which replaces all website links in an incoming email with secure Microsoft-owned URLs, by using something called a “baseStriker attack.” This method of phishing attack replaces the default base URL with a different one than Microsoft intended, splitting and disguising malicious links so that scammers can direct them to their phishing websites.
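For defenders reviewing quarantined mail, the following added example (not from the original article or from Microsoft) flags the two markup patterns behind the ZeroFont and baseStriker passages above: text styled at zero font size, which a filter reads but the recipient never sees, and relative links whose destination is set by a `<base href>` tag. The sample message, the `phish.example` domain, and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline style that renders text at zero size (0, 0px, 0.0em, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID = {"base", "br", "hr", "img", "input", "link", "meta"}  # no end tag

class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base, self.stack = None, []       # stack: (tag, hides_text)
        self.raw, self.visible, self.rel = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]              # first <base href> applies
        if tag == "a" and a.get("href") and not urlparse(a["href"]).scheme:
            self.rel.append(a["href"])         # relative: depends on <base>
        if tag not in VOID:
            self.stack.append((tag, bool(ZERO_FONT.search(a.get("style") or ""))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.raw.append(data)
        if not any(hidden for _, hidden in self.stack):
            self.visible.append(data)

def scan(html):
    """Compare what a text filter reads with what the recipient sees."""
    p = MailScanner()
    p.feed(html)
    p.close()
    squash = lambda parts: " ".join("".join(parts).split())
    raw, visible = squash(p.raw), squash(p.visible)
    links = [(h, urljoin(p.base, h)) for h in p.rel] if p.base else []
    return {"raw_text": raw, "visible_text": visible,
            "zero_font": raw != visible, "base_resolved_links": links}

# Constructed sample message body (reserved .example domain).
SAMPLE = """<html><head><base href="https://phish.example/portal/"></head><body>
<p>Mic<span style="font-size:0px">xq</span>rosoft acc<span style="FONT-SIZE: 0">zz</span>ount: storage quota reached</p>
<a href="verify.html">Review</a></body></html>"""
```

A message where `zero_font` is true or `base_resolved_links` is non-empty is worth a manual look; content filtering and URL rewriting should operate on the visible text and the resolved URLs rather than on the raw markup.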

It was also discovered that cybercriminals were exploiting a vulnerability in Microsoft Office 365’s built-in security protections by inserting malicious links into SharePoint documents. Because Microsoft doesn’t scan the links within shared documents for phishing URLs, those links were able to bypass the company’s email security protections. This is where having an additional layer of internet threat protection (like our standard Cisco Umbrella) will help secure your network.

A Few Email Security Best Practices for Microsoft Office 365

A few email security best practices include being overly cautious of URLs that are included in the body copy of emails, in particular, those that are sent with subject lines that read “Action Required” or “Urgent.” When presented with a login page, it’s vital to check your web browser’s address bar to determine whether it is hosted by the legitimate service or if it is a phishing page. However, the downside of clicking on the link to make this determination is that it creates an additional danger if the link directs users to a web page that triggers malware to download onto their device.

From a business perspective, it also is beneficial to have a formal cybersecurity user awareness training program for your employees — everyone from the CEO on down. The reason this is so important is that, no matter what cybersecurity technologies you have in place, your employees are either your organization’s biggest weakness or best defense concerning cybersecurity vulnerabilities and threats. The determining factor is their knowledge and awareness of these risks and how to respond to them.

Bottom Line

Despite the recent Office 365 security concerns from email security threats, Microsoft Office 365 is an invaluable resource for small to mid-size businesses, for which the benefits overwhelmingly outweigh the risks. Microsoft is quick to respond to and address any email security threats in its Office 365 email service when they arise.

In addition to implementing other IT security solutions, our team at FPA always recommends to clients the use of Microsoft Office 365’s customizable email filters as part of our solution to help strengthen their cybersecurity defenses. Some of Office 365’s email anti-spam protection features include filters for connections, spam, and outbound emails.

As a Microsoft Value-Added Reseller (VAR) and a Microsoft Partner Silver Midmarket Solution Provider, FPA is equipped and experienced with helping clients enjoy the benefits of the Office 365 email service.

What email service are you using for your business and why? Share your thoughts in the comments section below, or send me an email to continue this discussion more in depth.



Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.