Why the Microsoft 365 Spam Filter Alone Is Not Enough

Why the Microsoft 365 Spam Filter Alone Is Not Enough

TL;DR: Exchange Online Protection (EOP) in Microsoft 365 reliably filters mass spam but fails against targeted phishing attacks, Business Email Compromise (BEC), and zero-day malware. An upstream email security gateway like Conbool MailGuard closes these gaps through multi-layered filtering, deep link analysis, and sandbox technology.

Microsoft 365 is the most widely used email system in German businesses. According to Bitkom (2024), over 70% of mid-sized companies rely on Microsoft 365 or Exchange Online for their email communication. The built-in spam filter – Exchange Online Protection (EOP) – is enabled by default and provides solid basic protection.

But this very prevalence makes Microsoft 365 the preferred target for attackers. And the basic protection has its limits.

What Does Exchange Online Protection (EOP) Offer?

EOP is the standard spam filter in Microsoft 365. It provides:

• Reputation-based filtering: Known spam senders and IPs are blocked.
• Content filtering: Typical spam patterns in subject lines and email body are detected.
• Malware scanning: Attachments are checked against known signatures.
• Transport rules: Administrators can define custom filter rules.

For mass spam – the classic "You have won" emails – this works well. Microsoft reports a detection rate of over 99% for known spam.

Where Does the Standard Spam Filter Fail?

The problem lies not with known spam but with unknown attacks:

Targeted Phishing Attacks (Spear Phishing)

Spear phishing emails are individually tailored to the recipient. They do not use known spam patterns but instead imitate real business partners, suppliers, or supervisors. According to the BSI Situation Report 2024, phishing attacks are the most common cause of successful cyberattacks on German companies.

EOP often fails to detect these emails because:

• The sender is new (no reputation data)
• The email contains no typical spam characteristics
• The link points to a freshly registered domain that is not yet on any blacklist

Business Email Compromise (BEC)

BEC attacks contain neither malware nor suspicious links. An attacker impersonates a CEO or CFO and requests a wire transfer via email. These emails are invisible to content filters because they look like normal business correspondence.

Zero-Day Malware

Signature-based malware scanners only detect known malicious software. New variants – so-called zero-day exploits – pass through the EOP filter before they are added to the signature database. The time span between first appearance and signature update averages 24 to 48 hours according to industry data.

What Does an Email Security Gateway Do Differently?

An upstream gateway like Conbool MailGuard acts as an additional protective layer in front of the Microsoft 365 mail server. It receives emails first, analyzes them in real time, and only forwards verified messages.

Multi-Layered Filter Architecture

Deep Link Analysis

Where EOP only checks links against known blacklists, MailGuard analyzes:

• The target page in an isolated environment
• Redirect chains and URL shorteners
• JavaScript behavior and credential harvesting patterns
• SSL certificates and domain age

Sandbox Technology

Suspicious attachments are executed in an isolated sandbox environment. The system observes the file's behavior – whether it makes system calls, establishes network connections, or encrypts files – before the email is delivered.

How Does the Integration with Microsoft 365 Work?

The setup is done through an MX record change:

1. Change MX records: Emails are first routed to MailGuard.
2. Create a connector in Exchange Online: MailGuard forwards verified emails to Microsoft 365 via a dedicated connector.
3. Adjust EOP rules: Delivery is restricted to the MailGuard connector so that no direct bypass is possible.

The entire setup typically takes less than one hour and requires no changes to end-user devices.

What Does a Lack of Protection Cost?

The costs of a successful attack far exceed the investment in a gateway:

• Average damage from a BEC attack: EUR 120,000 (Source: Allianz Risk Barometer 2024)
• Average downtime after ransomware: 21 days (Source: Coveware)
• GDPR fines: Up to EUR 20 million or 4% of annual revenue

In contrast, a gateway costs just a few euros per mailbox per month.

Frequently Asked Questions

Do I need MailGuard if I already have Microsoft Defender for Office 365?
Defender offers advanced features like Safe Links and Safe Attachments. However, it works reactively within the Microsoft ecosystem. An upstream gateway filters threats before they reach the Microsoft infrastructure – a defense-in-depth approach also recommended by the BSI.

Does an upstream gateway slow down email delivery?
No. The latency is typically under 2 seconds – imperceptible to the end user.

Does MailGuard also work with Google Workspace or on-premise Exchange?
Yes. MailGuard is mail server-agnostic and supports any system that receives emails via SMTP.

What is the false positive rate?
Thanks to the multi-layered filter architecture, the false positive rate is below 0.01%. Administrators can configure exception rules per sender or domain.

Conclusion

The Microsoft 365 spam filter is good basic protection but not a sufficient shield against modern threats. Those who take phishing, BEC, and zero-day malware seriously need an upstream protective layer.

Conbool MailGuard provides exactly that: AI-based filtering, deep link analysis, and sandbox technology – seamlessly integrated with Microsoft 365 and Exchange Online.

Try MailGuard free for 30 days or contact us for a demo.

Also read: Digital Sovereignty Through Automated Email Encryption and Email Security from CyberLab Karlsruhe.