Shield protect

How to Better Secure and Protect Your Microsoft 365 Environment  

Share with your network!

Microsoft 365 has become the de facto standard for email and collaboration for most global businesses. At the same time, email continues to be the most common attack vector for threat actors. And spam, phishing, malware, ransomware and business email compromise (BEC) attacks keep increasing in both their sophistication and impact. Verizon’s 2023 Data Breach Investigations Report highlights the upward trend BEC attacks, noting that they have doubled over the past year and comprise 60% of social engineering incidents.  

While Microsoft 365 includes basic email hygiene capabilities with Exchange Online Protection (EOP), you need more capabilities to protect your business against these attacks. Microsoft offers Defender for Office 365 (MDO) as part of its security tool set to bolster security. And it’s a good place to start, but it simply can’t stop today’s most sophisticated email threats.   

That’s why analysts suggest you augment native Microsoft 365 security to protect against advanced threats, like BEC and payload-less attacks such as TOAD (telephone-oriented attack delivery)


“Supplement the native capabilities of your existing cloud email solutions with third-party security solutions to provide phishing protection for collaboration tools and to address both mobile- and BEC-type phishing scenarios.” 

Source: 2023 Gartner Market Guide for Email Security 


The rise of cloud-based email security solutions 

Email threats are nothing new. For years now, secure email gateways (SEG) have been the go-to solution to stop them. They filter spam, phishing emails and malware before they can get to users’ inboxes. But with more businesses adopting cloud-based email platforms—particularly Microsoft 365—alternative email security solutions have appeared on the market. 

Gartner calls them integrated cloud email security (ICES); Forrester refers to them as cloud-native API-enabled email security (CAPES). These solutions leave the basic email hygiene and handling of email traffic to Microsoft. Then, they examine the emails that are allowed through. Essentially, they identify threats that have slipped past Microsoft’s defenses. 

The main advantage of ICES and CAPES is their ease of deployment and evaluation. They simply require a set of permissions to the Microsoft 365 installation, and they can start detecting threats right away. It’s easy to remove these solutions, too, making it simple and straightforward to evaluate them. 

Two deployment models: the good and the bad

When you’re augmenting Microsoft 365 email security, you have several options for deployment. There’s the post-delivery, API-based approach, which is used by ICES and CAPEs. And there’s the pre-delivery, MX-based approach used by SEGs. 

Post-delivery deployment (API-based model) 

In this scenario, Microsoft provides an API to allow third-party vendors to receive a notification when a new email is delivered to a user’s mailbox. Then, they process the message with their platform. If a threat is found, it can be deleted or moved to a different folder, like quarantine or junk.

However, this approach presents a risk. Because a message is initially delivered to the mailbox, a user still has a chance to click on it until the threat is retracted. Emails must be processed fast or hidden altogether while the solution scans the message for threats. 

Analyzing attachments for malware or running them through a sandbox is time-consuming, especially for large or complex attachments. There are also limits on how many alerts from Microsoft 365 that cloud-based email security solutions can receive.  

Pre-delivery deployment (MX-based model) 

This approach is useful for businesses that want to detect and prevent email threats before they reach their users’ inboxes. As the name suggests, email is processed before it is delivered to a user’s inbox. To enable this model, an organization’s DNS email exchange (MX) record must be configured to a mail server. The MX record indicates how email messages should be routed in accordance with the Simple Mail Transfer Protocol (SMTP). (SMTP is the standard protocol for all email.)

Here is how pre-delivery works with Microsoft 365:  

  • SEG receives the email for processing. 
  • SEG passes the email to Microsoft 365 for final inspection. 
  • Once processing is complete, the email is delivered to the user’s mailbox.  

The benefit of this approach is that it allows for more complex email threat analysis and processing. In other words, URL rewriting, attachment scanning, complex file analysis and rewriting can all be applied to incoming emails. The downside is that it requires a deeper understanding of email protocols, formats and internal email configuration to get up and running.   

The best of both worlds 

Advanced email threats are rapidly on the rise. That’s why a modern SEG that features URL rewriting, post-delivery automated remediation and removal, sandboxing, graymail handling, and more is the best choice for email security. 

Pre-delivery solutions can deeply analyze an email without the risk that a user will access it before it has been deemed safe. The combination of pre-delivery processing with post-delivery remediation provides the best of both worlds. Threats are stopped before they can reach the user.

Pre-delivery protection is so critical because, based on Proofpoint’s telemetry across more than 230,000 organizations around the world, post-delivery detections are frequently too late. Nearly one in seven malicious URL clicks occur within one minute of the email’s arrival. And more than one-third of BEC replies happen in less than five minutes. These narrow timeframes, during which a user can fall prey to an attack, underscore the importance of blocking malicious attacks before they can reach a user’s inbox.

This is where Proofpoint can help. Our flexible deployment options can be matched to your business needs and use cases. You can deploy MX-based solution as a SEG, or you can choose inline+API deployment. And you have the option of moving from one model to the other. In contrast, ICES and CAPES solutions can’t offer this deployment flexibility. Neither can they detect and stop threats before they’re delivered. 

Figure 1

Proofpoint supports MX-based and Inline+API flexible deployment options.  

More secure together: Proofpoint and Microsoft 365  

Microsoft provides a robust set of native security features. But gaps in its email defenses mean many businesses are vulnerable to data breaches and cyber attacks. Another layer of email security helps you fill in these gaps. There is no silver bullet to stop the growing threat of modern, sophisticated attacks. That’s why you need a multilayered, integrated approach to protecting your Microsoft 365 environment. 

With Proofpoint and Microsoft 365 working together, you can:  

  • Detect and block more email threats, more accurately
  • Enhance threat visibility across your entire organization 
  • Make your operations more efficient

Today’s businesses need more than comprehensive email security that stops advanced email threats. They need their users to be trained in security awareness. They need tools for automated remediation. And they need the ability to detect account compromise for both internal users and external suppliers. Plus, they need capabilities like DMARC to protect their brand. 

Proofpoint provides all this and more. So it’s no wonder that more than 80% of the Fortune 100 trust us to secure and protect their Microsoft 365 environments. 

To learn more about how we can help, go to Secure Microsoft 365