Email Security

How To Stop Microsoft Defender For Office 365 Classing Genuine Emails As Malicious

Office 365 ATP's phishing detection policies often flag legitimate emails as malicious. This puts users at risk by forcing organizations to release potentially dangerous emails back into the inbox.

How to Stop Microsoft ATP’s Phishing Detection from Putting Your Users at Risk

Email attacks are continuing to grow more prevalent, with targeted phishing attacks, ransomware and insider risks growing year on year. As many businesses move, or are in the process of moving, to cloud-based email platforms like Office 365, they are turning to cloud-based email security technologies to help mitigate the risks of these attacks.

One of the most popular email security technologies used to stop phishing attacks is Microsoft’s own Defender for Office 365 solution. Microsoft Defender is designed to work seamlessly with Office 365 to filter unknown malware and phishing attacks in real time, with enhanced reporting into the attacks happening in your organization.

However, some organizations are reporting issues with Office 365's phishing detection and labelling of emails which could be putting users at risk. In this article we'll cover the problems with Office 365's phishing detection, and what email solutions can protect your organization against them.

What is Microsoft Defender for Office 365 and what are the benefits?

Microsoft Defender is a cloud-based email filtering solution for Office 365, developed by Microsoft. It’s designed to stop unknown malware and viruses, with features to stop malicious phishing emails, links and attachments. Defender is included in Office 365 Enterprise E5, Education AT and Microsoft 365 Business Premium. It’s also available as an add-on module for other O365 plans.

As the biggest email platform for businesses, Office 365 is naturally a big target for email phishing attacks. It’s easy for attackers to sign up for an O365 account and create and test phishing campaigns.

Microsoft has invested billions of dollars in ways to secure Office 365 and has acquired multiple security companies to beef up its security infrastructure. Microsoft Defender is designed to protect business users against phishing attacks and to give them more visibility into the threats facing their organization.

Microsoft Defender does have some significant benefits, which make it a popular choice for organizations looking to secure their Office 365 environment:

  1. Works Across Office Applications: Defender's Safe Links feature provides real-time protection against malicious URLs in emails, Office documents, OneDrive attachments and even in Microsoft Teams. This goes beyond the capabilities of most third-party security services.
  2. Safe Attachments: Defender's Safe Attachments feature stops unknown malware and viruses with sandboxing. All messages and attachments that don't have a known signature are routed to a special environment, where Defender uses machine learning to detect malicious intent. Again, this works in Teams and other Microsoft technologies which third-party email security vendors cannot protect.
  3. Easier Integration: As a native Microsoft solution, Defender integrates seamlessly and easily into Office 365, so there is no need to configure any third-party solutions.

What are the Problems with Microsoft Defender for Office 365?

However, despite these benefits, Defender is not perfect. In its 2020 Microsoft ATP Report, security vendor Avanan found that with Defender in place 11% of malicious emails, including targeted phishing, were delivered to user inboxes. This puts employees and customers at risk of a data breach.

There are a number of reasons for this. Because Office 365 is the largest email platform, attackers take the time to use specific attack methodologies, designed solely to exploit Defender. This includes taking advantage of common Defender misconfigurations and whitelists.

Defender is also a relatively new platform. Launched in 2015, the service is less mature than other security solutions, some of which have decades of experience adapting to the latest threats. Critics also point out that there is a lack of granular control and visibility in the Defender platform, making it harder to take a phishing email that was delivered to one user and ensure it is blocked from being delivered to other users.

Junk Policies

Avanan also point out that of the emails that Defender actually classified as malicious, 95% were safe emails that had been misclassified. Their analysis found that most emails Defender quarantines are actually marketing emails, newsletters, subscriptions and more, some of which users actually want to see.

This presents a major challenge for businesses, due to the way that Defender filters malicious and genuine emails. Defender gives businesses three main options for handling suspected malicious emails: allow all of them to be delivered, quarantine everything suspected to be malicious, or send suspected malicious emails to junk.

Allowing all malicious emails to be delivered does ensure that any genuine emails that have been mistakenly listed as malicious will be received. But of course, it also means that malicious emails can be opened by users, and defeats the purpose of putting extra security in place to begin with. Quarantining all emails solves this problem, but it also causes user frustration, because genuine emails will also be quarantined by mistake.

To solve this, many admins are choosing the third option and sending malicious emails to junk. However, this does still mean that users can interact with potentially malicious emails in their inbox, and also creates the extra burden of users having to go looking for genuine emails themselves. Not having a robust way to stop phishing while ensuring that users can access the emails they need to is a major weakness of this service.
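The three options above are not all-or-nothing in practice: the verdict categories can be given different actions. The following Exchange Online PowerShell script is an added example, not code from the article or from Microsoft, that quarantines only high-confidence phish and spam, sends lower-confidence spam and bulk/newsletter mail to Junk where users can still reach it, turns on the end-user quarantine digest, and lists the last day's quarantine for admin review. It assumes the ExchangeOnlineManagement module is installed, the caller has a role that can edit these policies, and the policy names and output property names match your tenant (verify before use).

```powershell
# Added example (not from the article). Assumes the ExchangeOnlineManagement
# module and a tenant where the default policies use their stock names.
Connect-ExchangeOnline

# Anti-spam (hosted content filter) policy: quarantine only what Defender is
# confident about; everything else goes to Junk so a misclassified newsletter
# stays recoverable by the user instead of disappearing into quarantine.
$filter = @{
    Identity                         = 'Default'      # assumption: stock policy name
    HighConfidencePhishAction        = 'Quarantine'   # never deliver these
    PhishSpamAction                  = 'Quarantine'
    HighConfidenceSpamAction         = 'Quarantine'
    SpamAction                       = 'MoveToJmf'    # Junk, user can still see it
    BulkSpamAction                   = 'MoveToJmf'    # grey mail / newsletters
    BulkThreshold                    = 6              # BCL: 1 = strictest, 9 = laxest
    EnableEndUserSpamNotifications   = $true          # digest of quarantined mail
    EndUserSpamNotificationFrequency = 1              # days between digests
}
Set-HostedContentFilterPolicy @filter

# Anti-phishing policy: impersonation and spoof verdicts are noisier than
# malware verdicts, so route them to Junk rather than quarantine.
$antiPhish = @{
    Identity                            = 'Office365 AntiPhish Default'  # assumption
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'MoveToJmf'
}
Set-AntiPhishPolicy @antiPhish

# Daily admin review: what did the quarantine catch in the last 24 hours?
# Releasing a message stays a deliberate human step (Release-QuarantineMessage)
# after the row has been checked, never an automatic loop.
$since = (Get-Date).AddDays(-1)
Get-QuarantineMessage -StartReceivedDate $since -PageSize 100 |
    Select-Object ReceivedTime, Type, SenderAddress, RecipientAddress, Subject, Identity |
    Sort-Object ReceivedTime -Descending |
    Format-Table -AutoSize
```

Run `Get-HostedContentFilterPolicy -Identity Default | Format-List *Action*,BulkThreshold` afterwards to confirm the actions applied, and adjust `BulkThreshold` if genuine newsletters still land in Junk too often.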

How You Can Protect Your Organization With Multi-Layered Security

Gartner now recommends that all businesses should implement a multi-layered strategy when it comes to email security, implementing protection both at the email gateway and inside the inbox, rather than relying on one solution like Defender.

At the Gateway

Implementing a secure email gateway like Proofpoint can help organizations to solve the problems of Defender misclassifying emails in three steps:

1. Proofpoint sits at the email gateway and uses URL defense, attachment sandboxing and known spam filters to block malicious emails and grey-mail (spam-like marketing emails) from being delivered to users.

2. Proofpoint sorts newsletters into the junk folder automatically. Proofpoint also delivers regular emails to users, letting them know which emails have been quarantined.

3. Proofpoint users are then able to request that any emails that have been quarantined be delivered to their inbox. Proofpoint scans the email in question, and if it cannot detect any signs of malware, the email will be delivered to the user automatically. This helps to ensure users can quickly access critical emails, without creating extra hassle for IT teams or giving users access to emails containing malicious content.

Inside the Inbox

Protection inside the inbox complements protection at the gateway and provides greater control to remove emails than Defender offers. With IRONSCALES, admins are able to remove malicious emails from inside the email inbox automatically. Here's how it works:

1. A compromised account sends a targeted phishing email that appears genuine and contains no viruses or malicious links, so it is not identified by the secure email gateway or Defender.

2. IRONSCALES identifies the email as potentially suspicious, using machine learning and behavioral identifiers that pick up that the email has been sent from an unknown contact. Depending on admin policies, the email can be automatically deleted at this stage without reaching the user.

3. The user is shown a warning banner telling them not to interact with the email. Admins are able to remove the email even after it has been delivered, and to stop the compromised account from reaching any other user on the IRONSCALES platform.

Due to evolving email threats, organizations are turning to Office 365’s security solution Defender. However, Defender’s malicious email detection and lack of quarantine policies can put users at risk of interacting with malicious emails. Organizations should look at implementing multi-layered email security, both at the gateway and inside the email inbox.