Microsoft 365 is the de facto cloud-based email and collaboration platform for many organizations, a trend that has only been magnified in this remote work environment brought on by the pandemic. While Microsoft 365 offers a selection of native security controls, built-in email protection is simply not good enough to protect against impersonation, phishing, and sophisticated modern attacks.

Despite the existing email protection provided by Microsoft Exchange Online Protection (EOP) in Microsoft 365, 85% of users have experienced an email data breach over the past year. In a recent Gartner report “Determine If Email Security in Office 365 Meets Your Organization’s Needs,” leading industry analysts highlight the need for additional cloud email security capabilities to make Microsoft 365 email safe for business. This article will explain why Microsoft 365 default email security alone is not enough to protect against damaging attacks and breaches, and what is required to close these dangerous email security gaps in Microsoft 365.

Recent Gartner Report Highlights Critical Security Gaps in Microsoft 365 Default Email Protection

Remote working has led to an increase in the usage of messaging and collaboration tools that have introduced new threats to many organizations. Microsoft Exchange Online Protection (EOP), Microsoft’s default email security capability, lacks advanced anti-phishing and other threat protection capabilities. This increase, and the threats that come with it, requires additional, layered protection provided by a third-party email security solution. According to Gartner, “Organizations should strongly consider integrating third-party solutions to strengthen their email security.”

Capabilities of Default Microsoft 365 Email Security Are Limited

While built-in email protection in Microsoft 365 is a great start, these safeguards alone are insufficient in protecting against modern threats. EOP takes a retrospective approach to identify phishing and malware attacks. This type of protection is static, single-layered, does not safeguard against human error, and is ineffective in anticipating emerging zero-day attacks and malicious URLs and attachments that are not included in its static lists. 

EOP also lacks customizable options for each business’s unique security needs, which limits its ability to identify anomalous emails and social engineering attacks. This leaves businesses at risk of account takeovers, targeted spear-phishing attacks, and potential credential theft. Reports from The Radicati Group state that while Microsoft has been investing heavily in its anti-malware, anti-spam, anti-phishing, and zero-day protection capabilities, users continue to report high degrees of spam, malware, and other attacks.

Additionally, the homogeneous architecture of the Microsoft 365 security system makes it easier for attackers to bypass security defenses. Because of this, cyber thieves are able to open virtually every account, test their methods until they are able to bypass default filters, and reuse these techniques in attacks that target thousands of different accounts.

Microsoft 365 also presents significant configuration and management challenges. The platform is complex to configure and manage securely, as the process requires IT expertise that many businesses - especially SMBs - typically lack. Microsoft fails to provide assistance with the setup process and the ongoing system monitoring and maintenance required to ensure users and key business assets remain secure. Without this support, misconfiguration vulnerabilities develop, and Microsoft 365 customers are at risk of attacks exploiting these flaws. Research from the Radicati Group reveals that users continue to report that customer support from Microsoft 365 is insufficiently knowledgeable about security issues.

Customers with hybrid work environments face the added challenge of acquiring and managing a separate set of security services for non-Microsoft 365 workloads and data due to Microsoft 365's incomplete support for hybrid architectures. These businesses often find it difficult to understand how to effectively layer and combine the many different Microsoft security solutions available. Osterman Research states, "Organizations that operate hybrid environments should use third-party solutions to meet the challenges that will be posed by hybrid environments."

Next Steps: What Is Required to Make Microsoft 365 Email Safe for Business?

To bolster built-in email protection and reap the benefits of Microsoft 365 without sacrificing security, businesses should implement a proactive, multi-layered third-party Office 365 email security solution engineered to close the critical security gaps that exist in default Microsoft 365 email protection. An effective solution should provide complete phishing and malware protection, account takeover (ATO) protection, and expert ongoing system monitoring, maintenance, and support. With layered supplementary email security defenses in place in Microsoft 365, you can rest easy knowing that your users, your critical data, and your hard-earned reputation are safe and secure.
