Given the alarming statistics around damages related to ransomware in 2018, which reportedly exceeded $8 billion, administrators of Office 365 might feel that one email filtering system is not enough.
Ransomware continues to evolve and evade built-in protection tools used on Exchange Online and Office 365. Administrators should investigate additional tools, such as URL filtering from a third-party vendor, to block malicious content that evades common Exchange security measures.
Businesses, cities and governments are being targeted and infected with ransomware without regard to their size or location. Affected organizations typically experience extended downtime when the ransomware locks all critical files and applications, leading to lost revenue and productivity. Given that a significant number of infections result from end users unknowingly opening malicious attachments or visiting infected websites, IT workers face an uphill battle to keep users protected. Despite the numerous tools in use, bad actors manage to get through some of the commonly used protections in Exchange Online on the Office 365 platform.
There are a few add-ons and optional protection methods available in the Microsoft Office 365 suite that cover email services. One that comes included in all the E-level plans of Office 365 is Exchange Online Protection, which provides standard antispam and antimalware protection. Another option administrators can pick to protect against ransomware is Advanced Threat Protection (ATP) and Safe Links. These two capabilities are available as add-ons to the enterprise plans or as part of the Office 365 E5 plan or Microsoft 365 Enterprise.
How Microsoft protects Office 365 from ransomware
Administrators may find ATP and Safe Links attractive for their integration with Office 365 to protect against ransomware and other threats that slip through via email. ATP scans all inbound emails and blocks malware and viruses from reaching the users.
Unlike traditional protection systems that rely on blocking known threats through a fingerprint or unique signature, ATP uses what Microsoft calls its advanced threat intelligence system to block malicious emails based on behaviors detected by the company's security analytics platform. Safe Links takes a different approach by extending the protections to websites that users visit by detonating the links within Microsoft's system and evaluating them to ensure the sites do not exhibit malicious intent for the end users.
Despite these protections available as part of the Office 365 suite, cybercriminals keep coming up with new ways to bypass protection systems, including Microsoft ATP and Safe Links. One of the new techniques attackers use to evade detection and trick users into visiting harmful websites is sharing documents that include harmful links from cloud storage services such as Google Drive and other popular sites. By sharing a document, a legitimate link is sent from Google and other cloud providers to unsuspecting users; in most cases, those links are allowed through because they refer to content that can't be directly scanned by Microsoft.
URL filtering brings additional protection
To protect against these and other new attack methods, Exchange administrators can add another layer to their line of defense through URL filtering and DNS security. Administrators can set these up within the environment so each endpoint passes all web requests to the filtering service. Palo Alto Networks' URL filtering service and Cisco Umbrella are two of the many tools vendors offer in this space to prevent threats from infiltrating the network.
One area that makes the Palo Alto product worth consideration for IT administrators is its machine learning and static analysis feature to identify and block any sites or webpages that might slip past the Exchange email filters. The filtering platform also blocks newly registered domains that attackers frequently use for different purposes, including ransomware distribution, typosquatting, phishing and spam.
Given the increase in attacks that use emails with hidden links and the use of newly registered domain names to evade domain blacklisting, Exchange administrators are quickly realizing that one email filtering system is not enough. Additional security layers will strengthen their defenses and reduce the chance of infection.
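The two evasion patterns described above, links to documents shared from cloud storage and newly registered domains, are the kind of thing a URL-filtering layer can flag. The following Python is an added example, not code from Microsoft, Palo Alto Networks or Cisco; the host list, the 30-day threshold, the registration-date table and all function names are assumptions, and the sample message is constructed.

```python
from datetime import date
from email import message_from_string
import re
from urllib.parse import urlsplit

# Assumption: sharing hosts whose linked content the mail filter cannot open.
CLOUD_SHARE_HOSTS = {"drive.google.com", "docs.google.com"}
# Assumption: a domain younger than this counts as "newly registered".
NEW_DOMAIN_DAYS = 30
# Constructed registration dates standing in for a WHOIS/RDAP or vendor feed.
REGISTERED = {"example.com": date(1995, 8, 14),
              "invoice-portal.example": date(2019, 3, 1)}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message (not real traffic).
SAMPLE = """\
From: sender@example.com
Subject: Shared document

Open https://drive.google.com/file/d/CONSTRUCTED/view and
pay at http://files.invoice-portal.example/login. Docs: https://www.example.com/help
"""

def registrable(host):
    """Naive last-two-labels domain; production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, today):
    """Return a verdict for one URL: cloud-share, newly-registered, unknown-age or allow."""
    host = (urlsplit(url).hostname or "").lower()
    if host in CLOUD_SHARE_HOSTS:
        return "cloud-share"  # trusted sender domain, unscanned shared content
    registered_on = REGISTERED.get(registrable(host))
    if registered_on is None:
        return "unknown-age"  # no registration data: treat as unverified
    if (today - registered_on).days < NEW_DOMAIN_DAYS:
        return "newly-registered"
    return "allow"

def triage(raw_email, today):
    """Extract every URL from the text parts of a message and classify each one."""
    verdicts = {}
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for url in URL_RE.findall(body):
            url = url.rstrip(".,)")  # drop sentence punctuation glued to the link
            verdicts[url] = classify(url, today)
    return verdicts
```

A "cloud-share" verdict is not a block decision by itself; it marks links whose destination content still has to be evaluated when the user clicks.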