Office 365

Leading the way in the fight against dangerous email threats

Share on Facebook Share on Twitter Share on Linkedin Share via OneNote Share via Email Print

Editor’s note 6/16/2016:
Post was updated to reflect the upcoming availability of Dynamic Delivery of Safe Attachments.

A typical month for the Microsoft Office 365 Exchange Online Protection team might be considered atypical for most. In our fight against spam and malware, we process over 200 billion emails each month and block 10 million spam messages every minute. That’s the norm for our malicious threat protection efforts—but we don’t stop there. As email attackers around the globe are getting smarter and more sophisticated, we’re making big investments in our Exchange Online Protection and Advanced Threat Protection services to proactively identify and block the most dangerous email threats, with features like:

  • Built-in protection against malicious attack vectors, with spoof and common attachment-type detection.
  • Visible protection to end-users via Safety Tips to prevent users from interacting with detected malicious emails.
  • Rich learning mechanisms for users, such as Phish Reporting and Advanced Threat Protection.

New capabilities of Exchange Online Protection and Advanced Threat Protection

It takes constant vigilance to protect against external threats without disrupting end user productivity. That’s why we’ve introduced several new capabilities in Exchange Online Protection and Advanced Threat Protection, which help protect you from unknown external threats while providing admins visibility on targets within their companies and options for mitigating or eliminating attacks.

Dynamic Delivery of Safe Attachments—Last June, we introduced Advanced Threat Protection Safe Attachments to protect against unknown threats by detecting viruses in email attachments. After going through the standard Office 365 protection process of three anti-virus engines and multiple spam filters, an email with a suspicious attachment enters the Safe Attachment sandbox environment, which has a detonation chamber to analyze the attachment and determine whether or not it’s safe—a process that typically takes 5–7 minutes.

With Dynamic Delivery of Safe Attachments, we eliminated that delay by sending the body of the email with a placeholder attachment, while the actual suspicious attachment undergoes a Safe Attachment scan. Recipients can read and respond to the message, which includes notification that the original attachment is being analyzed. If the real attachment is cleared, it replaces the placeholder; if not, the admin can filter out the unwanted and potentially malicious attachment. Dynamic Delivery of Safe Attachments is now in private preview for Advanced Threat Protection customers and is scheduled for general availability in the third quarter of 2016.

Zero-hour Auto Purge—In the event of incorrectly categorizing an unread email as spam, malicious or safe, Zero-hour Auto Purge provides the ability to change that verdict. For example, if a message is delivered to your inbox and later found to be spam, Zero-hour Auto Purge moves that message from the inbox to the spam folder; the reverse is true for messages misclassified as spam. Now in preview with approximately 50 customers and available on demand, Zero-hour Auto Purge will be rolled out for all Exchange Online Protection global tenants in the first quarter of 2016. Admins will have total control over using this feature or not since Zero-hour Auto Purge can be disabled in the admin center.

Safety Tips in Outlook on the web—This Exchange Online Protection feature proactively gives user-friendly safety tips that help you decide whether or not to open an email. For example:

  • If an email is from a trusted sender, you are notified that it’s a safe message.
  • If you receive a suspicious or phishing email, the message states that it’s from an untrusted source.

The idea behind Safety Tips in Outlook on the web is to educate users by augmenting written notification of the message status by adding a red bar at the top of suspicious or phishing emails. This added visual cue provides an alert to protect you from a potentially fraudulent request or other suspicious action. Safety Tips in Outlook on the web will be generally available to Exchange Online Protection customers in the first quarter of 2016.

Protection against insider spoofing—Yet another growth area for “spoofers” is what’s called “insider spoofing” or “peer phishing,” when a phisher impersonates high-ranking company executives by spoofing the company’s email domain. The email looks like an internal email, making it hard for existing filters to identify as malicious. Fortunately, by built-in intelligence that leverages big data, strong authentication checks and reputation filters, Exchange Online Protection has strengthened its counterfeit detection by over 500 percent.

Leading the way in the fight against dangerous email threats 1

Admins can read more about how to protect against insider spoofing here.

Phish reporting—This new feature enables Outlook on the web users to report phishing to Microsoft by clicking the Junk pulldown menu and selecting Phishing. The Report as phishing dialog is displayed and includes a link to learn more about phishing and gives you the option to send a copy of this message to Microsoft to help the research and improvement of email protection technologies by clicking the Report or Don’t report button. We hope this feature helps you better recognize phishing messages and report any that appear suspicious.

Leading the way in the fight against dangerous email threats 2

We expect to complete deployment of this feature by the end of this quarter. In the meantime, you can report missed phish by sending an email with the phish message as an attachment to our new address.

Filtering common malicious attachment types—We heard your feedback and are pleased to provide an easy-to-use feature for Exchange Online Protection admins to filter out unwanted and potentially malicious attachments by their file types within the Malware Policy. This will help consolidate attachment filtering and action for malicious content, rather than addressing these issues through Exchange transport rules and malware filtering policies. Later this quarter, you’ll find the “Common Attachment Types Filter” in the Malware Filter section of the admin center under the Protection tab on the left and the Malware Filter tab on the top. From there, your choice is to edit an existing malware policy or create a new one.

These new Office 365 Exchange Online Protection and Advanced Threat Protection features reflect our ongoing commitment to provide the most advanced security, reliability and protection of your email as well as user education and a simpler and more efficient experience for admins. We are advancing the protection we offer to proactively protect you and your organization from external attacks. Please check out these features and let us know what you think. We value your feedback!

—Shobhit Sahay, technical product manager for the Office 365 team


Join the conversation

  1. We appreciate the work being done however some of your security features are conflicting causing accounts to be blocked unnecessarily.

    We were on a cruise recently and accessing our accounts from secure locations and services. Our three accounts which we hold and held for over 15 years have all been blocked. As we were moving internationally at the time our telephone no changed. Even with good preplanning the 1 Month time lag caught UA without the ability to verify accounts.

    The net result is an extremely stressful situation which has proven very costly at the same time with no ability to contact anyone for resolution or correction.

    The only way for Microsoft to maintain good customer relations and service is to have some sort of resolution service, if not I fear a following of Microsoft haters will grow beyond your security issue. From our experience its not just switching over to gmail its a direct rejection of any Microsoft product.
    Rick and Mary

Comments are closed.