Why third-party email filters may be ineffective in Microsoft 365 environments
Because email is the primary source of initial entry in many breaches, many organizations pay for sophisticated, third-party email filtering solutions on top of the protections afforded by Microsoft 365. This is a wise investment; having layers of protection by different vendors helps eliminate blind spots found in any one vendor solution and provides complexity that can foil attack attempts.
Yet, few know that threat actors can easily bypass these third-party filtering products by directing emails to onmicrosoft.com domains that are an inherent part of the Microsoft 365 configuration.
Companies that invest in third-party email filtering solutions typically focus their time and effort on applying rules, policies, and IP allow/block lists within that solution, assuming all traffic is routed through it. This is a dangerous (and inaccurate) assumption. While many organizations find Microsoft 365 to be a versatile solution set, it is important to understand how to ensure all email traffic is sent through the third-party product (if you use one) so that the organization actually benefits from the layered protection it invested in.
How Does Email Traffic Bypass Third-Party Solutions?
All Microsoft 365 tenants come with a tenant-specific onmicrosoft.com domain. When a custom domain is added and verified, it sits alongside this Microsoft default domain rather than replacing it. Microsoft owns these default domains and their underlying MX records, so companies cannot update them or point the records at their preferred mail security gateway. These Microsoft default domains usually follow the pattern “[yourcompanyname].onmicrosoft.com,” and email addresses on them follow the pattern “username@[yourcompanyname].mail.onmicrosoft.com.” This is not the address that most third-party products are scanning; they will be looking for username@[yourcompanyname].com, so a threat actor can deliver email by addressing it to these onmicrosoft.com default domains. If your email rules, policies, and filters are set primarily in your secondary solution, the phishing attempt will bypass them.
These onmicrosoft.com addresses are also used for internal routing and routing between hybrid environments, so they cannot be removed.
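One way to see the gap for yourself is to list every accepted domain in the tenant and check where each one's MX record actually points. The script below is an added example, not from the original article; it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and the Windows DnsClient module (Resolve-DnsName), and the gateway host name "yourgateway.example" is a placeholder for your filter vendor's MX host.

```powershell
# Added example (not from the original article): compare where the MX record
# for each accepted domain points. Vanity domains should resolve to the
# third-party gateway; the *.onmicrosoft.com domains will always resolve to
# Microsoft's own mail.protection.outlook.com hosts and cannot be changed.
# Assumes Connect-ExchangeOnline and Resolve-DnsName are available.
Connect-ExchangeOnline

# Placeholder: the MX host of your third-party filter (e.g. *.yourgateway.example)
$gatewayPattern = '*yourgateway.example*'

# Every accepted domain in the tenant, including the default onmicrosoft.com
# and the hybrid routing domain, which cannot be removed.
$domains = Get-AcceptedDomain | Select-Object -ExpandProperty DomainName

$report = foreach ($d in $domains) {
    $mx = Resolve-DnsName -Name $d -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference |
          Select-Object -ExpandProperty NameExchange
    $target = if ($mx) { $mx -join ', ' } else { '(no MX record)' }

    [pscustomobject]@{
        Domain          = $d
        MXTarget        = $target
        RoutedViaFilter = ($target -like $gatewayPattern)
    }
}

# Any row with RoutedViaFilter = False is a path that never touches the
# third-party product; expect this for every *.onmicrosoft.com domain.
$report | Format-Table -AutoSize
```

Run this once after every domain change; the rows that show False are the recipient domains your Exchange Online transport rules, not the third-party product, have to protect.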
What Should IT Do to Avoid This Filter Workaround?
Admins should create transport rules in Exchange Online that block email from any external source to the onmicrosoft.com domains. This will ensure all external emails flow to the product you not only paid for, but also invested time in customizing to the most secure settings for your organization.
Additionally, rules should be created to alert IT whenever these addresses are used, even internally, to ensure security controls are not being bypassed.
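The two rules described above, as an added example that is not from the original article: the first rejects mail from outside the organization addressed to the tenant's onmicrosoft.com domains, the second generates an incident report whenever any sender, internal or external, uses those addresses. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline); "contoso" and "secops@contoso.com" are placeholders for your tenant prefix and security mailbox.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline
# has already been run. "contoso" is a placeholder tenant name; replace it with
# your tenant's actual onmicrosoft.com prefix.
$tenantDomains = @(
    'contoso.onmicrosoft.com',       # default tenant domain
    'contoso.mail.onmicrosoft.com'   # hybrid/internal routing domain
)

# Rule 1: reject mail that arrives from outside the organization and is
# addressed to the tenant's onmicrosoft.com domains. Internal and hybrid
# routing keeps working because FromScope only matches external senders.
New-TransportRule -Name 'Block external mail to onmicrosoft.com domains' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -RecipientDomainIs $tenantDomains `
    -RejectMessageReasonText 'Mail to this domain must be sent through the organization''s mail gateway.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Forces all external mail through the third-party filter.'

# Rule 2: do not block, but send an incident report to the security mailbox
# whenever any message (internal or external) is addressed to these domains,
# so unexpected use of the addresses is visible to IT.
New-TransportRule -Name 'Alert on any use of onmicrosoft.com recipient addresses' `
    -Priority 1 `
    -RecipientDomainIs $tenantDomains `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender,Recipients,Subject,RuleDetections `
    -Comments 'Visibility only; rule 1 already rejects external senders.'

# Verify both rules exist and are enabled
Get-TransportRule |
    Where-Object { $_.RecipientDomainIs -contains 'contoso.onmicrosoft.com' } |
    Format-Table Name, Priority, State -AutoSize
```

Keep the blocking rule at the highest priority so no later rule can release the message, and send a test message from an external mailbox to username@contoso.onmicrosoft.com to confirm the 5.7.1 rejection arrives before declaring the gap closed.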
Understanding the Complexity of Patchwork Security
As organizations today employ more platforms, SaaS solutions, and internal tools, it becomes increasingly difficult to understand how they interoperate and which features and settings may enhance, or even detract, from one another. Staying up to date on the benefits and potential pitfalls of all solutions in your environment is critical. If your organizational product estate is particularly complex, getting an assessment may be valuable in understanding how to layer solutions together to achieve the best protective blanket across your enterprise.
John Anthony Smith is Conversant Group Founder & CSO