Did Microsoft’s new ‘Secure by default‘ EOP / Defender for Office feature get out of control in March?
Many customers saw seemingly legitimate emails getting classified as SPAM and moved to quarantine. The fallout was massive, with organisations missing important business emails until their daily quarantine digest arrived.
We will try to explain what happened, why Microsoft’s adoption of “Secure by Default” is a good thing, and what you can do to prepare for the upcoming changes.
What is “Secure by default”
The governments National Cyber Security Centre (NCSC) describes “Secure by default” like this:
“Technology which is Secure by Default has the best security it can without you even knowing it’s there, or having to turn it on.”
You can read more on that here on their website. The aim is simple – Install fundamental security at the core of the platform to reduce the need to deal with problems later. That’s easier said than done. Cyber Security is one of the most fast paced and changeable industries in the world.
Secure by default in Microsoft 365
Microsoft have adopted the Secure by Default strategy and implement many practices in an attempt to protect its customers. We spoke back in 2020 about the implementation of Office 365 Security Defaults and Microsoft continue to lead the way in adopting strong security standards.
An article here talks about Secure by Default in Office 365, and specifically around email security in EOP (Exchange Online Protection), Microsoft Defender for Office 365 and Microsoft 365 Defender.
It explains Microsoft’s stance, why they are tightening the grip on poorly formed emails, why quarantine is better than junk folders, and why applying exceptions and whitelists is bad practice.
So, what happened in March?
There seemed to be a big change in the default anti-spam protection policy settings in Exchange Online as lots of what customers had previously seen as geniune emails started getting filtered as SPAM.
Microsoft quickly published Exchange Online Service Health Notification EX530821: Some users email messages are unexpectedly delivered to the Junk Email folder or quarantined in Exchange Online.
Long story short, Microsoft ultimately determined that a recent update to optimize the detection proficiency of potential spam caused some legitimate messages to be incorrectly flagged and quarantined in Exchange Online. They published an update to the detection systems to address the issue and confirmed via telemetry that email flows were returning to normal.
So just a glitch then?
This time, YES. However…
As Microsoft continue to improve security inside their core systems, we think it’s important to talk about how Secure by Default could impact your businesses email communications moving forwards.
Microsoft Roadmap
Microsoft continually work to improve their system functionality, and this includes security. For visibility, they plot their course using the Microsoft roadmap so customers can see what is changing and why.
A plan to improve security around Intra-Org messages (that external email) is logged under Feature ID: 117487 and started rollout in April 2023, with expected completion by late June. It changes the way messages are marked in terms of spam filtering, ultimately with a view to being stricter on messages coming into your business.
Technology
There are various technologies to help secure email communications. SPF (Sender Policy Framework) has been around for decades. More recently, DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) are common standards that have come into play. Even newer technologies like ARC (Authenticated Received Chain) seek to improve the authenticity of emails and the email chain.
The way all these things work together is explained in more detail here:
Deep dive
At a high level, all Microsoft 365 organisations enjoy spam filtering and advanced detection technologies for every email that passes through the infrastructure. Machine Learning determines the course of the message and overall destination, whether this be direct to inboxes or quarantines. This ensures that protection is constantly evolving in the ever-changing threat landscape. Forefront Antispam adds specific headers to each email that determine how the message scores. These are X-Forefront-Antispam-Report, X-Microsoft-Antispam and Authentication-results. The Forefront report contains information about how the message was processed, the Microsoft Antispam report contains details on if the message was bulk or phishing and finally authentication-results contains information about SPF, DKIM and DMARC.
As touched upon earlier, ARC is designed to ensure the message is not tampered with and details of this is also contained in the Forefront report. Some internal SMTP servers can modify a message by adding their own headers and this may break SPF/DKIM, or both which in turn would break DMARC if it was sufficiently strict enough. Microsoft 365 utilises ARC in processed messages and alongside Machine Learning and gathered telemetry they can in near real time determine if the message is ham (good) or spam (bad).
In further detail, headers added by Forefront that determine spam outcomes have the prefix SFV. For example, SFV:SKB is marked as spam because the sender is in a block list in an anti-spam policy, whereas SFV:SKA is skipping spam filtering and delivered to an inbox because the sender is in an allow list in the anti-spam policy. On the contrary, SFV:NSPM is not spam. Forefront determines this has passed ALL of the checks and is not in any allow lists. The message delivers to the intended recipient.
These technologies are included in Exchange Online Protection as standard, but you can take advantage of a wider range of products such as impersonation detection and protection, Microsoft Defender for 365, Intune, Azure Information Protection through additional licencing. Microsoft 365 Business Premium incorporates many of the above technologies. Azure AD Premium P1 and above allows the use of conditional access above security defaults further protecting your business continuity.
What is the big problem?
A lot of email users are behind the curve when it comes to email security. Lots of businesses either do not know about these standards, or their IT team simply haven’t taken the time to get them turned on! Put simply, lots of incoming emails do not comply to the new standards. They will get marked down and ultimately quarantined.
Public Platforms
- M365 gives you SPF on setup, with DKIM & DMARC being freely available to ALL customers.
- Apple’s me.com platform is pretty tight; Apple are pretty good on security like Microsoft.
- Google’s cloud platform have lots of information on their support forums to help turn on some of this stuff, but its not on by default.
- Many smaller platforms who use older DNS systems don’t allow “_” underscores which makes things a bit more difficult. We see lots of unsecure email configurations on smaller POP & IMAP type email users.
Private Platforms
- Larger organisations who use large on-premise email systems like Exchange tend to be configured pretty well. That can of course depend on how well your co-managed IT setup is working for you (IT Team & MSP).
- Smaller organisations who still use things like Windows Small Business Server 2011 tend to be way, way behind. Some have external spam filters protecting mail in & out, but often don’t have DKIM facilities switched on…
If the person sending the email is on a poorly configured platform, their emails are simply going to get marked down. Whitelisting is dangerous, because you are just opening up holes in your own defensive sheild. So, what is the answer?
Simplifying the Quarantine Experience
As one of our customers recently pointed out: “Blocking potentially dangerous emails is a GOOD thing for us. But not responding to a genuine enquiry until the next day is not an acceptable service level for my business.”
Good news! Microsoft have a plan to improve the quarantine experience by making quarantine notifications customizable from “Daily” to “Within 4 Hours”. This is explained in more detail under Feature ID: 93304. The rollout of this feature starts in April 2023.
“Do Business by Default”
CTO are a next-generation Managed Service Provider with a security first mentality. We also recognise the importance of swift communication in business.
For new customers, we will be turning on “Within 4 hours” quarantine emails by Default. We will be updating all existing customers tenancy settings as soon as the options are available.
If you need any further information about your email system capabilities, or you wish to discuss anything mentioned in this article please feel free to reach out.
Thanks for reading,
John Rider.