In July last year, Microsoft took down a massive fraud campaign that used knock-off domains and malicious applications to scam its customers in 62 countries around the world.

But this wasn’t the first time a successful phishing attack was carried out against Office 365 (O365) customers. In December 2019, the same hackers gained unauthorized access to hundreds of Microsoft customers’ business email accounts.

According to Microsoft, this scheme “enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website…as they would in a more traditional phishing campaign.”

Why are O365 accounts so vulnerable to attacks?

Exchange Online/Outlook – the cloud email application for O365 users – has always been a breeding ground for phishing, malware, and very targeted data breaches.

Though Microsoft has been ramping up its O365 email security features with Advanced Threat Protection (ATP) as an additional layer to Exchange Online Protection (EOP), both tools have failed to meet expectations because of their inability to stop newer and more innovative social engineering attacks, business email compromise (BEC), and impersonations.

One of the biggest challenges with ATP in particular is its time-of-click approach, which requires the user to click on URLs within emails to activate analysis and remediation.

Is O365 ATP enough to protect my email?

We believe that O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection.

For example, you don’t need to add signature-based malware protection if you have EOP/ATP for your email, as these are proven to be quite efficient against such attacks. These tools employ the same approach used by network firewalls and email gateways – they rely on a repository of millions of signatures to identify ‘known’ malware.

But, this is a big problem because the threat landscape has changed in the last several years.

Email attacks have mutated to become more sophisticated and targeted and  hackers exploit user behavior to launch surgical and highly damaging campaigns on people and organizations. Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that mimic O365 protocols, domains, notifications, and more.  See below for a convincing example.

It is because such loopholes exist in O365 email security that Microsoft continues to be one of the most breached brands in the world.

What are the consequences of a compromised account?

There is a lot at stake if an account is compromised. With ~180 million O365 active email accounts, organizations could find themselves at risk of data loss or a breach, which means revenue loss, damaged reputation, customer churn, disrupted productivity, regulatory fines, and penalties for non-compliance. This means they need to quickly move beyond relying on largely rule- and reputation-based O365 email filters to more dynamic ways of detecting and mitigating email-originated risks.

Enter machine learning and behavioral analysis.

There has been a surge in the availability of platforms that use machine learning algorithms. Why? Because these platforms detect and mitigate threats in ways other solutions can’t and help enterprises improve their overall security posture.

Instead of relying on static rules to predict human behavior, solutions powered by machine learning actually adapt and evolve in tandem with relationships and circumstances.Machine learning algorithms “study” the email behavior of users, learn from it, and – finally – draw conclusions from it.

But, not all of ML platforms are created equal. There are varying levels of complexity (going beyond IP addresses and metadata to natural language processing); algorithms learn to detect behavior anomalies at different speeds (static vs. in real-time); and they can achieve different scales (the number of data points they can simultaneously study and analyze).

How does Tessian prevent threats that O365 security controls miss?

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises. It is designed to offset the rule-based and sandbox approaches of O365 ATP to detect and stop newer and previously unknown attacks from external sources, domain / brand / service impersonations, and data exfiltration by internal actors.

By dynamically analyzing current and historical data, communication styles, language patterns, and employee project relationships both within and outside the organization, Tessian generates contextual employee relationship graphs to establish a baseline normal behavior. By doing this, Tessian turns both your employees and the email data into an organization’s biggest defenses against inbound and outbound email threats.

Conventional tools focus on just securing the machine layer – the network, applications, and devices. Tessian can make clear distinctions between legitimate and malicious email interactions and warn users in real-time to reinforce training and policies to promote safer behavior.

How can O365 ATP and Tessian work together?

Often, customers ask us which approach is better: the conventional, rule-based approach of the O365 native tools, or Tessian’s powered by machine learning?

The answer is, each has their unique place in building a comprehensive email security strategy for O365. But, no organization that deals with sensitive, critical, and personal data can afford to overlook the benefits of an approach based on machine learning and behavioral analysis.

A layered approach that leverages the tools offered by O365 for high-volume attacks, reinforced with next-gen tools for detecting the unknown and evasive ones, would be your best bet.

A very short implementation time coupled with the algorithm’s ability to ‘learn’ from historical email data over the last year – all within 24 hours of deployment – means Tessian could give O365 users just the edge they need to combat modern day email threats.