Your Office 365 Emails May Have Been Contaminated

Dan Gunderman

Microsoft Office 365 appears to have been somewhat lax in its gatekeeping duties.

Of all the emails Microsoft’s productivity software let in between September and October, nearly 10% of the messages, sent through Office 365, were spam, phishing messages and known or zero-day malware.

To be precise, 9.3% of the messages contained the intrusive content or software, according to researchers at Cyren, a threat intelligence firm, which utilized a sample of 10.7 million emails to draw its conclusion. These results were relayed through

Studied messages were filtered through inboxes to automated analytics tools over the course of the research. It was determined that of the 10.7 million September messages, 9.75 million (90.7%) were clean. Nearly half of these (4.6 million) were newsletter emails.

Approximately one million (9.3%) were spam or malicious emails that failed to be flagged by Office 365. Under proper functionality, Office 365 turns malicious content away, using its Exchange Online Protection (EOP) technology.

The findings also show that 957,039 emails (8.93%) were spam, which should typically be filtered out based on content analysis and pattern detection.

Over 34,000 emails delivered to users were phishing messages – 18,052 of which were financial and requested personal information; 5,424 were password phishing emails and 10,601 were general phishing messages.

See related: Case Studies: Cyber Security Protects Sensitive Data

Breaking the numbers down further, the research uncovered 3,900 emails containing malware (0.04%). Close to 1,500 of said emails were also zero-day attachments, meaning they had no previous paper trail and utilized some undetected vulnerability. Elements of 2,462 malware messages derived from flagged sources – signatures which should have been detected by the personal information manager (PIM) tool.

Microsoft’s censoring reportedly hinges on reputation-based practices, meaning it can intervene when sources from its database cross its path. But problematic IP addresses are popping up all over the place – many of which carry aggressive malware. What that boils down to is a series of devices flying under the radar, posing distributed denial of service (DDoS) threats.

At the organization level, there are a couple of tips CISOs can take, and it just might begin with whitelists, or an organization’s library of approved domain names. If censors are far too liberal with their allowances, there are bound to be troublesome URLs slipping through the cracks.

This means that moving forward, organizations must enforce a system that is both comprehensive and adaptive, meaning it can handle zero-day malware threats and target a broader demographic. As threats grow, so must enterprise blacklists.

Perhaps the most troubling aspect of this research, though, is that enterprise officials adopted well-known subscription software whose task it was to flush out a variety of threats. Yet a provider as large and revered as Windows failed to turn away 34,000 phishing emails. The findings go to show that with each passing year – or even week – attacks are becoming increasingly well-oiled and functional operations.