Business email compromise (BEC) is one of the most costly and damaging types of email threats, as it relies on social engineering, deception and impersonation to defraud the recipient. According to Gartner’s Market Guide for Email Security, “Impersonation and account takeover attacks via business email compromise (BEC) are increasing and causing direct financial loss, as users place too much trust in the identities associated with email, which is inherently vulnerable to deception and social engineering.” 

Microsoft Defender for Office 365 is a built-in security solution that provides email protection against spam, malware, phishing, and other threats. However, some customers are being told by Microsoft that an E5 license, or Defender, as an add-on will help to solve their problem of BEC attacks. This is wrong for two main reasons. 

Microsoft Acts as a SEG and Not an ICES or Mailbox-Level Solution 

One of the reasons why Microsoft Defender for Office 365 is not successful in stopping BEC is that it acts as a secure email gateway (SEG) and not an integrated cloud email security (ICES) or mailbox-level solution. Therefore, it is more focused on known threats and not so much on bad intent, which can only be learned when operating at a mailbox level. 

SEGs typically rely on static rules, signatures, reputation lists, and sandboxing to block known bad content, such as spam, malware, and malicious links. However, these methods are not effective against targeted attacks that use legitimate or spoofed domains, clean attachments or links, and convincing messages that mimic the style and tone of trusted contacts. 

ICES solutions, on the other hand, use dynamic data points and techniques to detect anomalies and bad intent in email communication, such as natural language understanding (NLU) and natural language processing (NLP) to analyze the meaning and sentiment of email messages; social graph analysis to build relationship maps and communication patterns between senders and recipients; image recognition to inspect URLs that are impersonating common login pages or brands; machine learning (ML) and artificial intelligence (AI) to learn from historical email data and user feedback to improve detection accuracy. 

According to Gartner’s Market Guide for Email Security, “As organizations continue to adopt cloud email systems, there is a shift in communication beyond email to other collaboration platforms, introducing threats that may not be protected by incumbent email security tools.” ICES solutions can also provide phishing protection for collaboration tools such as Microsoft Teams, Slack, or LinkedIn by using their API integrations to filter malicious content or suspicious interactions. 

Microsoft Is a Single Layer of Defense and Can Be Easily Tested Against 

Another reason why Microsoft Defender for Office 365 is not successful in stopping BEC is that it is a single layer of defense and can be easily tested against by attackers. Because it is publicly available and has such wide adoption, attackers can easily bypass Microsoft’s defenses by using social engineering tactics that exploit human vulnerabilities and trust relationships. For example, attackers can use spear-phishing emails that impersonate trusted contacts or use compromised accounts to send BEC emails from within the organization. 

According to Gartner’s Market Guide for Email Security, “Vendor consolidation and integration of email security with other security tools (such as security service edge [SSE] and endpoint detection and response [EDR]) enable improved detection and response capabilities of security threats as part of an extended detection and response (XDR).” Therefore, organizations should look for email security solutions that can integrate with other security tools and provide multiple layers of defense against BEC attacks. 

For example, IRONSCALES is an end-to-end email security solution that combines human intelligence with machine learning to detect and prevent BEC attacks. IRONSCALES uses advanced data points and techniques such as NLU, NLP, social graph analysis, image recognition, ML and AI to analyze email content and behavior at the mailbox level. IRONSCALES also provides account takeover protection, which analyzes user behaviors and various other factors, such as login behavior, locations, authentication methods, etc., to detect compromised internal accounts and take remediation actions if required. 

Moreover, IRONSCALES integrates with other security tools, such as XDR or SIEM/SOAR platforms, to provide enhanced visibility and response capabilities. IRONSCALES also leverages a global network of more than 35 million users who report phishing emails using a one-click button. These reports are then verified by IRONSCALES’ analysts and shared with other customers in real time through a federated system. 

Conclusion 

Email security is not a one-size-fits-all solution, but organizations should be aware of the differences between SEGs like Microsoft Defender for Office 365 and ICES solutions like IRONSCALES. By choosing an ICES solution that uses advanced data points and techniques to detect bad intent rather than bad content, organizations can protect their email communication from sophisticated attacks that SEGs cannot stop.