Vircom researchers believe that Microsoft Exchange Online Protection (EOP) may be exposing users and their networks to both data breach and data loss risks due to the manner in which EOP manages the retention and quarantining of spam email.
The EOP spam filter, which Microsoft self reports to achieve a 99 percent catch rate, is below industry standards and could allow more potentially dangerous messages while blocking potentially valuable emails that aren't spam but have been categorized as such by Microsoft's algorithm, according to Vircom's “Is 0ffice 365's EOP Seaworthy - The CaseFor Tighter Email Security Whitepaper.
The whitepaper cited the Virus Bulletin's most recent VBSpam+ test which reviewed 21 products and found that only two of the lowest performing products fall under the 99 percent catch rate with all other vendors competing for percentages well above 99.5 percent.
“Applying a simple hypothetical scenario in which an average business person receives 50 potentially dangerous spam emails a day, the difference between a 99.96% catch rate (Vircom modus' most recent VB Spam+ result, March 2016 ) and Microsoft's 99% catch rate is significant,” the whitepaper said.
At that rate, researchers said that an Office 365 user who receives an average of 50 spam messages per day could receive as many as 20 spam emails per month as opposed to just one spam message a month with other products.
Researchers presented an example in the irony of Microsoft's false positives with a screenshot of Microsoft flagging a security notice for one of its own sites as an example how information could be marked as spam.
“Exchange Online Protection exposes organizations to a higher risk to email borne malware and phishing scams while at the same time being prone to false positives,” Vircom Director of Marketing and Communications Brendan Tully Walsh told SCMagazine.com.
The whitepaper also criticized Microsoft for not wanting to submit its security performance to peer review.
“In so doing they not only provide a false sense of security to their users and admins alike, but as they underperform on both ends of the unwanted email spectrum, they also present a real risk for irretrievable data loss,” researchers said in the post.
Walsh contended that if Microsoft were to submit themselves to industry test, such as those performed by Virus Bulletin, it would only show that their product is falling short of industry standards.
