Osterman Research has released a new industry report warning that many organizations will likely need to augment their Microsoft Office 365 implementations with best-in-class, third-party solutions—especially when it comes to advanced email threat protection.
That's not an indictment of Microsoft, mind you. In fact, Osterman researchers point out that O365 is quickly proving to be a capable and robust cloud platform for an exploding number of organizations spanning more than 155 million users. And it offers a wide array of powerful features and functions that satisfy a broad range of corporate requirements for productivity, collaboration, and most especially, email communications.
But according to the researchers, it does have some crucial capability gaps that will likely become an issue for organizations that find themselves facing a growing number of advanced email threats.
"Microsoft is attempting to deliver a cloud service that does many things," the report states. But in their eyes, the result is that the platform "frequently provides a 'good enough' capability in many areas, but does not necessarily provide the depth of capability or specialized solutions for customers with needs and requirements beyond the basics."
Unfortunately, when it comes to email security, the rapidly-evolving threat landscape is swiftly making that last statement descriptive of virtually every organization using the platform.
Open For Business—And Attack?
According to ThreatPost, organizations using O365, including many Fortune 500 companies, are increasingly finding themselves hit by business email compromise (BEC) scams, phishing attacks, and other email-based threats as cybercriminal organizations adapt to a cloud-first world.
So far, organizations using Office 365 that fall victim to email scams have seen average losses of up to $2 million.
Among the newer modalities used to defraud organizations with cloud-based email is a BEC variant called a PhishPoint attack in which fraudsters set up O365 accounts and place documents within SharePoint. They then pose as their targets' colleagues and send invitations, offering them access to edit the file, which may contain malware.
Platform-Native Phishing Defense is Not Enough
Indeed, according to the researchers, a security service called Advanced Threat Protection (ATP), offered either in O365 E5 or as a standalone service, does provide at least some protection against threats hidden in URLs, phishing messages, or attachments.
But for the added cost, the researchers say the service suffers from some important limitations. In their view, organizations would be well advised to consider augmenting O365 with third-party apps instead of those offered by Microsoft. For example, the researchers say, while O365 APD scans links and attachments, it is not effective against whaling or CEO fraud messages that typically contain no dangerous link or attachment.
Unfortunately, the attacks these platform native controls can't catch are exactly the ones that are causing so much damage. Instead of hacking systems, they hack human psychology—leveraging sophisticated social engineering tricks to manipulate recipients into anxiously sending payments for fraudulent invoices, or giving up login credentials to sensitive systems, before thinking to confirm the message's legitimacy.
As a result, organizations need email security options that are able to inspect incoming email messages in real time and in ways no human or cloud-native security control could possibly achieve.
The Next Generation of Cloud Email Security
Today, a new generation of third-party advanced email security solutions is rising to this challenge.
Designed from inception to take full advantage of cloud technology, scalability, and economics, these solutions augment platform-native security controls by detecting, defending against, and deterring attacks that even the most advanced of these controls can't address.
Instead of attempting to monitor an ever-expanding attack surface for phishing links or malware in search of "the bad," today's most effective forms of email security for Office 365 model identity at Internet scale to establish "the good" to deliver superior results.
The most powerful of these solutions leverages intelligence from trillions of emails per year, individualizing email protection using deeper, more relevant intelligence that leverages machine learning to improve with each new email sent.
A vast majority of organizations find that with the right third-party solution, they don't have to try to cobble together point solutions to flesh out the capabilities the platform-native controls or legacy secure email gateways (SEGs) lack. Instead, they are able to implement a single solution that gives users and their organizations the confidence to open, click, and trust everything in their inbox—perhaps for the first time.
Outlook: Trouble Ahead
Regardless of the approach organizations take to address the email security limitations of O365, they need to get cranking. As we begin 2019, it's estimated that up to 48% of all Internet-related business losses this year will stem from targeted email attacks, meaning losses could be in the billions of dollars.
In fact, with targeted email attacks continuing to represent the #1 cybersecurity threat the enterprise will face in the year ahead, augmenting O365 with the right advanced email threat protection may be more urgent than you think.
To learn more, download a copy of the Why Your Company Needs Third-Party Solutions for Office 365 report.