Why do spam and phishing get through Office 365? And what can be done about it?

Introduction

As a filtering service, Office 365 (Exchange Online Protection, or EOP) is dedicated to providing the best antispam filtering possible, and we take this task seriously:

  • We are working hard to keep spam out of your inbox
  • We are working hard to ensure we don’t mistakenly mark good email as spam

The question we regularly get from customers is this: Why does spam/phishing/malware get through? Why aren’t you blocking it?

Why spam gets through

Spammers and phishers create malware and send spam because it is profitable. They are always coming up with new ways to get around spam filters and land messages in user inboxes. Because of the number of unique spammers in the world and the rate at which they create new content, the spam you see in your inbox today is new. It is different from what it was yesterday, or the day before, or the day before that. It looks similar, and may use the same technique, but it is not the same message. It is slightly (or greatly) different and has been designed to evade filters.

Spam campaigns vary in duration. There are some that last many hours, and some that last a few minutes. We have tracked campaigns that send thousands, hundreds of thousands, or even millions of spam messages in under 15 minutes.

When you see spam in your inbox, it is usually because it is a new campaign from a spammer and we do not yet have signatures for it. During this window, a spammer can get some spam through our filter defenses to the inbox. However, our filters catch up and the rest of the campaign is marked as spam.

(Image not drawn to scale – we don’t actually miss half the spams)

Thus, it is true that some spam gets through. However, a large percentage of it is subsequently caught by one of our anti-spam technologies [1]. End users perceive that we did not catch the spam because the users who received it are the ones who file complaints, while those for whom the filter caught it never knew anything was wrong [2].

What you (our customers) can do about it

Office 365 already does several things for spam and phishing filtering [3], but there are a few things that customers can do to help cut down on these types of messages:

  1. Submit spam and phishing samples back to Office 365

    This is important!

    The reason to submit spam back to us is that it greatly speeds up the discovery of new campaigns and the replication of updated signatures. Abuse submissions are combined with multiple other data sources as confirmation signals for faster signature updates. This is true even if we are already catching the campaign (i.e., the user received the spam before our signatures updated, and then submits it to us).

    To submit spam to Office 365, please refer to this blog post:

    * Submitting spam to Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/09/12/submitting-spam-back-to-office-365.aspx

  2. Submit malware to Microsoft

    If the message is malware and not spam, you can submit it to Microsoft:

    * Microsoft Malware Protection Center submission portal
    https://www.microsoft.com/security/portal/submission/submit.aspx

    Microsoft and Office 365 use these samples to update our anti-malware engines. You can also submit to VirusTotal. Office 365 uses three anti-malware engines and all of them are on VirusTotal, which shares samples among the other anti-malware companies.

  3. Enable Bulk mail filtering

    While bulk email is neither spam nor phishing, many customers identify it as spam. The bulk mail feature should be enabled because it helps cut down on the overall level of spam complaints, even when the content is bulk rather than explicitly malicious. For more information, see my previous blog post:

    * Different Levels of Bulk Mail Filtering in Office 365
    http://blogs.msdn.com/b/tzink/archive/2014/08/25/different-levels-of-bulk-mail-filtering-in-office-365.aspx

  4. Invest in User Education

    User education is one of the most important aspects of anti-phishing. While technology is one component, users need to be aware of the risks. There are several free resources:

    * OnGuardOnline.gov’s Antiphishing Page
    http://www.onguardonline.gov/articles/0003-phishing

    * The Anti-Phishing Working Group’s advice to avoid phishing scams
    http://apwg.org/resources/overview/avoid-phishing-scams

    Larger organizations may want the services of companies that provide anti-phishing education, conducting training campaigns that make users more aware of the phishing problem. Two that I am aware of are:

    * PhishMe
    http://phishme.com/

    * PhishGuru
    http://www.wombatsecurity.com/phishguru

    A combination of technology and user education is the best way to keep people from falling for phishing scams.

What is Office 365 doing to improve detection of spam and phishing?

There are several different methods that Office 365 is either currently working on or actively investigating to improve our spam, phishing and malware detection capabilities as of Sept 2014. Here is a summary:

  1. Increasing the coverage of URL filtering

    EOP currently uses 750,000 URLs in its antispam and antiphishing detection. If a message contains one of these URLs, that is used as a heavy weight in the spam filter.

    We are working on increasing this list to well over a million URLs.

    **Update: As of December 15, 2014, this is now over 1.7 million URLs!**

  2. Inbound DKIM verification in IPv4 and IPv6

    DKIM (DomainKeys Identified Mail) lets a sending domain sign a message with a private key and publish the matching public key in DNS; the receiver fetches that key and verifies the signature carried in the DKIM-Signature header. It is useful for identifying good senders and plays an important role in sorting good senders from malicious ones.

    For more information, see http://tools.ietf.org/html/rfc6376.

    Update: As of May 6, 2015, inbound DKIM verification is supported.

  3. Outbound DKIM signing

    Office 365 will be giving customers the ability to DKIM-sign all of their outbound email. This applies to fully hosted customers, hybrid customers and on-premises customers. Customers can either upload their own DKIM keys or let Office 365 generate them.

    Update: As of June 2, 2015, outbound DKIM support is under development and should be ready by Q3 2015.

  4. DMARC support

    DMARC is a major step forward in spam filtering because it combines authentication with a feedback loop that helps senders improve their authentication practices. It was also a major step forward in cross-organization collaboration: coming up with a common protocol and then having everyone implement it.

    It works by checking the From: address, the one that users actually see, against the domains that SPF and DKIM authenticated. If neither authenticated domain aligns with the From: domain, the message fails DMARC and the receiver applies the policy the sending domain published in DNS: monitor only, quarantine (mark as spam) or reject. Many large brands have implemented DMARC and seen a significant decrease in email spoofing.

    DMARC is very useful for detecting phishing and especially spear-phishing.

    Update: As of May 6, 2015, inbound DMARC verification is supported. We're still rolling out DMARC reporting.

  5. Faster updates

    As you can read above, many of our existing technologies catch spam, but unfortunately some of it leaks through before the signatures update. We are currently working on infrastructure to shorten both the time from the start of a spam campaign to its detection, and the time from detection to signature update.

    Update: As of December 15, 2014, URL replication has been sped up by 30 minutes!

  6. “New-ness” Inspection

    One of the techniques that modern spammers and phishers use is to rapidly generate new domains and compromise new machines with IP addresses that have no previous reputation.

    One technique that Office 365 is investigating is detecting whether a given domain or IP is new to the service or new to the Internet. If it is, we can reject the message, temporarily defer it, or use its newness as a weight in the spam filter (this is more involved than graylisting). Good senders will retry and come back, but many bad senders, including spammers and phishers, will not.

    Update: As of January 7, 2015, we now do basic IP throttling!

  7. Time-of-Click URL protection

    Time-of-Click URL protection rewrites the URLs in a message so that each click is proxied through a service that checks, at that moment, whether the destination is bad. It covers the case where a message was filtered and deemed non-spam, but the phisher or spammer uploads malicious content to the destination after the message is delivered and before the user clicks.

    In other words, the URL is changed from this:

    http://www.somedomain.com

    To this:

    http://proxy.example.com/hash/?originalURL=http://www.somedomain.com

    The advantage of this feature is that a user is protected even after a message has been filtered and given the wrong categorization (it should have been marked as spam but was delivered as good email).

    Update: As of June 2, 2015, time-of-click URL protection (Safe Links) is available for general purchase, see:
    - Getting started with Advanced Threat Protection in Office 365, http://www.c7solutions.com/2015/06/getting-started-with-office-365-advanced-threat-protection
    - Advanced Threat Protection via Powershell, http://www.c7solutions.com/2015/06/advanced-threat-protection-via-powershell

  8. Zero-day protection against malware

    Similar to time-of-click URL protection, zero-day protection looks for malware attachments in email that standard signature detection in regular anti-malware engines does not catch.

    This is a complex feature with multiple moving parts, but suffice it to say that it will result in better anti-malware detection.

    Update: As of May 6, 2015, this type of protection (Safe attachments) is available for general purchase, see:
    - Getting started with Advanced Threat Protection in Office 365, http://www.c7solutions.com/2015/06/getting-started-with-office-365-advanced-threat-protection

    - Advanced Threat Protection via Powershell, http://www.c7solutions.com/2015/06/advanced-threat-protection-via-powershell
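The DMARC check described above under "DMARC support" depends on the inbound DKIM verification (and SPF) having already run: DMARC authenticates nothing itself, it asks whether an identifier that SPF or DKIM authenticated is aligned with the From: domain and, if not, applies the sender's published policy. The following is an added example written for this page, not Microsoft's code, of that evaluation in Python. It assumes the SPF and DKIM results are supplied by the caller, that the DMARC TXT record has already been fetched from DNS, and it substitutes a tiny hard-coded suffix set for the Public Suffix List that relaxed alignment needs:

```python
"""Added example (not Microsoft's code): the DMARC evaluation an inbound
filter performs once SPF and DKIM have been checked.

Assumptions, all constructed for the example: the SPF and DKIM results and
the domains they authenticated are passed in rather than computed here; the
DMARC record is passed in as the TXT string that would be fetched from
_dmarc.<from-domain>; PUBLIC_SUFFIXES is a stand-in for the real Public
Suffix List that relaxed alignment depends on.
"""
from email.utils import parseaddr

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # stand-in for the PSL (assumption)
DISPOSITIONS = {"none", "quarantine", "reject"}


def org_domain(domain):
    """Organizational (registrable) domain, e.g. mail.contoso.com -> contoso.com."""
    labels = domain.lower().strip(".").split(".")
    # Longer suffixes are tried first, so co.uk wins over uk.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in DISPOSITIONS:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # relaxed alignment unless the sender says strict
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_header, record_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain
    is the d= tag of a signature that verified. DMARC passes if either
    authenticated identifier is aligned with the header From: domain;
    otherwise the sender's published p= policy says what the receiver should do.
    """
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    rec = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_aligned or dkim_aligned:
        return True, "none"
    return False, rec["p"]


def scenario():
    """Constructed messages: a spoof of contoso.com and a legitimate one."""
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"   # contoso.com's record (constructed)
    spoof = evaluate_dmarc("Contoso Billing <billing@contoso.com>", record,
                           "pass", "attacker.net",   # attacker's own SPF passes ...
                           "pass", "attacker.net")   # ... and so does their DKIM; nothing aligns
    legit = evaluate_dmarc("billing@contoso.com", record,
                           "pass", "bounce.contoso.com",   # relaxed SPF alignment is enough
                           "none", "")
    return spoof, legit
```

The spoofed message passes both SPF and DKIM for attacker.net, which is exactly why a filter that only asks "did SPF pass?" lets it through; what fails is alignment with contoso.com, and contoso.com's p=reject says what to do about it. The pct= and sp= tags, and the aggregate/forensic reporting the post says is still rolling out, are deliberately left out.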
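The “New-ness” Inspection item above lists three possible actions for a source with no history: reject, defer, or weight. As an added example (not EOP's implementation; every threshold and the sample traffic are invented for illustration), here is a small Python tracker that defers a never-seen IP with a temporary failure and then, once the source has retried and come back, adds weight for a domain that is still new rather than rejecting it outright:

```python
"""Added example (not EOP's implementation) of "new-ness" inspection: a
source with no history is deferred, and a domain with no history adds
weight to the spam score instead of being rejected outright.

All thresholds and the sample traffic are constructed; a production system
would key on far more than first-seen time and would persist the state.
"""
import time

DEFER_WINDOW = 300          # seconds a never-seen IP is tempfailed (assumption)
NEW_DOMAIN_AGE = 86400      # a domain younger than this in our history counts as new (assumption)
NEW_DOMAIN_WEIGHT = 3.0     # score added for a new domain (assumption)
SPAM_THRESHOLD = 5.0        # score at or above which the message is spam (assumption)


class NewnessTracker:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.first_seen = {}    # "ip:<addr>" / "dom:<domain>" -> first time observed

    def _age(self, key):
        """Seconds since we first saw this key; zero on the first observation."""
        now = self.clock()
        return now - self.first_seen.setdefault(key, now)

    def decide(self, ip, domain, base_score):
        """Return (verdict, score); verdict is 'defer', 'spam' or 'accept'.

        Deferral is a 451 temporary failure: a real MTA queues and retries,
        while most spam cannons fire once and move on. Only after the source
        has come back is the domain's age folded into the content score.
        """
        if self._age("ip:" + ip) < DEFER_WINDOW:
            return "defer", base_score
        score = base_score
        if self._age("dom:" + domain) < NEW_DOMAIN_AGE:
            score += NEW_DOMAIN_WEIGHT
        return ("spam" if score >= SPAM_THRESHOLD else "accept"), score


def scenario():
    """Constructed traffic from one new IP and domain over a couple of days."""
    t = [0.0]
    tracker = NewnessTracker(clock=lambda: t[0])
    out = []
    out.append(tracker.decide("203.0.113.7", "newsender.example", 1.0)[0])  # first contact
    t[0] = 60
    out.append(tracker.decide("203.0.113.7", "newsender.example", 1.0)[0])  # retried too soon
    t[0] = 400
    out.append(tracker.decide("203.0.113.7", "newsender.example", 1.0)[0])  # came back, clean content
    out.append(tracker.decide("203.0.113.7", "newsender.example", 3.0)[0])  # borderline content + new domain
    t[0] = 400 + 2 * 86400
    out.append(tracker.decide("203.0.113.7", "newsender.example", 3.0)[0])  # same content, domain has aged
    return out
```

The weighting step is where this differs from plain graylisting: graylisting defers on the (IP, sender, recipient) triple and otherwise forgets, whereas here the age of the identifiers keeps contributing to the score after the source is accepted, so a borderline message from a day-old domain is classed as spam while the same message from an aged domain is accepted.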
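The time-of-click item above shows the rewritten URL shape but not why the rewrite helps. The following added example (written for this page, not the Safe Links implementation; the proxy host, key, blocklist and message body are all constructed) rewrites links at delivery into the same proxy/hash/?originalURL form, makes the hash an HMAC so a rewritten link cannot be forged or altered, and then shows one blocklist giving a different answer at delivery time and at click time:

```python
"""Added example (not the Safe Links implementation) of time-of-click URL
protection: links are rewritten at delivery to route through a proxy, and
the destination is re-checked when the user actually clicks.

Constructed for the example: the proxy host, the per-tenant HMAC key, the
blocklist, and the message body.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

PROXY = "https://proxy.example.com/"      # assumption: the rewriting proxy
KEY = b"constructed-per-tenant-key"        # assumption: keyed so tags cannot be minted by others
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_url(url):
    """Wrap one URL. The path segment is an HMAC over the original URL, so a
    tag only validates for the URL it was issued for."""
    tag = hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()[:32]
    return "%s%s/?originalURL=%s" % (PROXY, tag, quote(url, safe=""))


def rewrite_body(body):
    """Rewrite every http(s) URL in a text body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def unwrap(proxied):
    """Recover the original URL from a proxied link, or None if the tag does not match."""
    parts = urlparse(proxied)
    tag = parts.path.strip("/").split("/")[0]
    orig = parse_qs(parts.query).get("originalURL", [None])[0]
    if orig is None:
        return None
    expected = hmac.new(KEY, orig.encode(), hashlib.sha256).hexdigest()[:32]
    return orig if hmac.compare_digest(tag, expected) else None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def filter_at_delivery(body, blocklist):
    """Delivery-time decision: a blocklisted URL host is a heavy spam signal."""
    hosts = {host_of(u) for u in URL_RE.findall(body)}
    return "spam" if hosts & blocklist else "clean"


def on_click(proxied, blocklist):
    """Click-time decision made by the proxy, with whatever the blocklist knows now."""
    orig = unwrap(proxied)
    if orig is None:
        return "invalid"
    return "blocked" if host_of(orig) in blocklist else "allow"


def scenario():
    """Constructed walk-through: the URL is unknown at delivery and becomes
    known-bad before the user clicks."""
    blocklist = set()
    body = "Your invoice is ready: http://www.somedomain.com/invoice.pdf"
    verdict = filter_at_delivery(body, blocklist)   # nothing known yet
    delivered = rewrite_body(body)                  # what lands in the inbox
    blocklist.add("www.somedomain.com")             # reputation arrives later
    link = URL_RE.search(delivered).group(0)
    return verdict, on_click(link, blocklist)
```

The delivery-time filter sees nothing wrong because the host is not yet known; by the time the user clicks it is, and the proxy blocks the click. Keying the tag matters too: without it, anyone could mint proxy.example.com links to arbitrary destinations and borrow the proxy's reputation, and a recipient could edit originalURL in a delivered link.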

Conclusion

We understand the negative experience customers have when they get spam in their inbox. We feel it, too! However, we are working to improve this to ensure that your mailbox stays clean.

[1] There are three types of spam campaigns, with their respective catch rates:

  1. 100% catch – these are spam campaigns where we have existing rules and even though the campaign is new, we catch all (or nearly all) of it. This constitutes the largest set of spam campaigns.
  2. Partial catch – these are spam campaigns where we miss part of it but the filters catch up and catch the rest.
  3. Total miss – spam campaigns where virtually all of it is missed by the filters. This is the smallest set.

Customer complaints are mostly in #2 and #3.

[2] For an overview of how we currently handle spam and phishing, please see the following blog post:

* Combating Phishing
http://blogs.msdn.com/b/tzink/archive/2012/08/30/combating-phishing.aspx


[3] To review some of our existing anti-spam documentation:

* How to set up the Office 365 spam filter settings to help block spam
https://support.office.com/en-US/article/How-to-set-up-the-Office-365-spam-filter-settings-to-help-block-spam-da21c0b6-e8f0-4cc8-af2e-5029a9433d59

* Office 365 Email Anti-Spam Protection
https://support.office.com/en-us/article/Office-365-Email-Anti-Spam-Protection-6a601501-a6a8-4559-b2e7-56b59c96a586?ui=en-US&rs=en-US&ad=US