What No One Tells You About Office 365 Email Security

| In SMX Blog |
Th Linkedin 0.1 365

Date: 11/03/2020


In the first in a series of blog articles on email SMX co-founder and self-described “email evangelist” provides his take on Office 365’s email security as well as Radicati’s assessment of Microsoft’s flagship cloud offering...

  1. Introduction

Office365 is taking over the world - and I don’t mean that in a negative way, it’s genuinely a great product. In New Zealand and Australia it’s by far the most popular provider and has a large and loyal reseller base migrating customers of all sizes over to the service.

  1. Office 365 Success Brings Problems

However that success has brought some problems. Microsoft should be congratulated for building an excellent core product, it’s the market leader for good reason. Being in the email security space ourselves we talk to a lot of resellers and customers about their experiences with Office 365, in particular its email security offering. While a lot of people are fairly happy with it there are several common themes that we hear:

  • “Bought the features just not able to find them” To properly manage the Office 365 email security offering users must access multiple consoles to perform related functions. This causes gaps to appear in organisations security profile due to its fragmented nature.
  • “What exactly is ATP?” This has been a constant bugbear for customers since it was released. It’s not entirely clear what the Office 365 ATP offering is. This opaqueness might be fine with consumer products but with security you need to know exactly which controls you have in place and where they’re located and managed from.
  • “Reporting” Another area that is often overlooked in the security arena is reporting. If something is going on (or has gone on!) you need to know. The length of time required to get reports on email data out of the Office 365 cloud makes using the service for any serious root cause analysis problematic. Customers who need this shouldn’t rely on Office 365’s message reporting.
  • “Mail security is still a problem in Office 365” one of our Australian resellers reported to me last week, another said “Office 365 has a terrible scanning engine allowing in attachments it should be blocking”. This is a consistent unsolicited theme we hear from partners and customers of all sizes using Office 365 in Australia and New Zealand.
  1. Radicati Analysis Of Office 365

In October 2019 Radicati published their annual Secure Email Gateway Market Quadrant report analysing the global players in this sector. If you haven’t read it yet you can purchase the report here. While Radicati did find some positive points in its security features, readers in this part of the world might be interested to learn that in Radicati’s view the Office 365 offering had the lowest functionality score of any SEG vendor. Microsoft also had the least mature offering and had the lowest overall score versus its competitors. Remember this is just comparing Office 365’s secure email gateway offering but in Radicati’s view Office 365’s email security ranks lower than any other SEG vendor they reviewed.

Should we be surprised? Microsoft is a generalist vendor, a fabulously successful one, but they are not a security vendor. It’s a bit unfair of Radicati to compare the security offering from a generalist against the mature security offerings of specialist vendors such as Symantec, Proofpoint and Barracuda. (On the other hand Microsoft paid Radicati for the analysis and I’m sure the product owners behind Office 365 are busy planning upgrades to their service...)

  1. Radicati’s Verdict On Office 365

In their verdict on Office 365 Radicati go on to add 4 other points that are consistent with feedback from our partners and customers in this part of the world:

  1. Despite Microsoft spending massively in an attempt to improve their phishing, spam, malware and spoofing protection Office 365 customers are still seeing large volumes of spam, malware and other forms of email abuse in their inbox. We would certainly agree with that.
  2. As a result of this poor performance Radicati confirms that most Office 365 customers are placing 3rd party security vendors in front of their Office 365 tenancy. You might say deploying a 3rd party security vendor alongside Office 365 has become industry best practice, just like it is to deploy server or desktop security from a 3rd party vendor.
  3. In Radicati’s view the complexity and changing features of the Office 365 licensing model means that customers struggle to figure out which controls and features they have purchased. Having a 3rd party console with all of your email security controls means reduced admin overhead and an efficient use of resources.
  4. Lastly, and perhaps most worryingly, Office 365 customers consistently reported that Microsoft’s customer support was not as clued up on security problems as customers would like. TL;DR Microsoft ≠security. We all sort of knew this at some level, it’s worrying to hear a vendor’s own staff aren’t able to help customers with a critical part of their infrastructure.
  5. 3rd Party SEG Improves Office 365 Email Security

The good news is 3rd party specialist email security vendors, such as SMX, can solve these issues. 

Whether it’s a single administrative console, security that actually works, simplified admin functions, clear reporting or dedicated support, you’ll find a huge difference between a generalist provider such as Microsoft and SMX, a local specialist security vendor. 

  1. Office 365 Integration

Additionally, SMX’s services integrate with Office 365 in a far simpler way than some of our out-of-region competitors that don’t value Office 365 integration as much as Australasian companies do. These competitors often have more complex toolsets but are then more expensive to justify the extra functionality. Complex toolsets come with more administrative overhead as well, therefore are costlier to use than services with a simplified toolset.

I’ve written about this before and congratulated them in the past, Microsoft has always created good products that enable other vendors to extend and improve them. A good example of this has been the Windows desktop and server anti-spam & anti-malware space where Microsoft allows 3rd party security vendors to integrate their security engines. 

  1. SMX’s Verdict on Office 365: Opaque vs Transparent 

When our partners and customers ask our opinion of how Office 365 SEG compares to ours, my view is the Office 365 offering is “opaque” whereas the SMX service is “transparent”. Transparency is a big deal in security and I believe that comparison is valid for all features. SMX customers know exactly which services they’re paying for and which features they receive, as well as exactly what SMX does with every single email we process on their behalf. I’m not sure many Office 365 customers could say the same thing.

  1. Office 365 for SMB

My final analysis of the Office 365 SEG is that if you’re an SMB in Australia or New Zealand on Office 365 E3+ you’re probably paying too much for features you’re not using. A better way to improve your security profile is to retain Office 365 for its core products but utilise a 3rd party cloud provider, such as SMX, for your email security. 

  1. Office 365 for Enterprise & Government

Enterprise and government Office 365 customers can probably justify the E3/E5 license costs for the extra features they need but putting all your eggs in a single vendor’s security basket, especially when that vendor isn’t a security specialist provider, is possibly not the smartest idea. 

According to Radicati, most companies on Office 365 use a specialist security provider to secure their email, does yours?