Spam and phishing emails are the most common cause of ransomware infections worldwide. Therefore, keeping your email secure and preventing phishing emails from reaching your users’ mailboxes are really important.
Of course, you’ve already taken the necessary security steps to protect your Office 365 tenant—but do you actively monitor all the incoming emails? Are you 100% sure that phishing emails don’t reach your users anymore? And even if a phishing email slips through the spam filter, can you easily delete it from your users’ mailboxes?
Hornetsecurity reached out to ask if I wanted to test and review their new 365 Threat Monitor for Office 365 solution and give my honest opinion about it.
With the 365 Threat Monitor from Hornetsecurity, you can monitor incoming emails and intercept malicious and unwanted messages that slip through Exchange Online Protection (EOP).
Hornetsecurity 365 Threat Monitor
Hornetsecurity has years of experience in protecting Microsoft 365 tenants with their 365 Total Protection solution. Recently, they added a free threat monitoring tool for Office 365 to their portfolio.
The 365 Threat Monitor will scan all incoming emails and flag harmful content. Their free mobile app sends you a push notification when a threat slips through your Exchange Online security and reaches a user’s mailbox.
This tool classifies a threat as either “Spam,” “Threat,” or “Advanced Threat” based on the severity. In the app, you can also see why it has flagged the emails as a threat—for example, because of a malicious attachment. It will also show you the subject line, sender, and recipient of the email.
You can delete the email instantly with the app, preventing the end user from interacting with the suspicious email.
Getting started with 365 Threat Monitor
Getting started with the 365 Threat Monitor is really simple. Threat Monitor uses Microsoft Graph to connect to your Microsoft 365 tenant, so you don’t need to install anything or change any DNS records.
To get started, you can download the mobile app from the Google Play Store or the Apple App Store. Open the app and register with your business email address. Make sure that you’re an Office 365 Administrator so that you can grant permissions to the app.
After you’ve logged in with your Office 365 account, you only need to accept the requested permissions. After that, Threat Monitor will start scanning all incoming emails and notify you of any potential threats. That’s it!
All your Exchange Online mailboxes are automatically protected with the 365 Threat Monitor. You don’t need to assign users or groups to the app.
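Because consent is granted once for the whole tenant, it is worth recording exactly which Graph permissions the app received. The script below is an added example, not Hornetsecurity's code or part of the original review; it assumes the Microsoft Graph PowerShell SDK is installed, and the display name is a placeholder to replace with the name shown under Enterprise applications in your tenant.

```powershell
# Added example: list the permissions a consented third-party app holds.
# $AppDisplayName is a placeholder, not the product's confirmed app name.
$AppDisplayName = '<enterprise-app-display-name>'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' found." }
if (@($sp).Count -gt 1) { throw 'More than one match; filter by AppId instead.' }

# Cache resource service principals (e.g. Microsoft Graph) so each is read once.
$resources = @{}

# Application permissions (app roles): tenant-wide, no signed-in user required.
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $a = $_
        if (-not $resources.ContainsKey($a.ResourceId)) {
            $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $role = $resources[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            Type       = 'Application'
            Resource   = $a.ResourceDisplayName
            Permission = $role.Value
            Detail     = 'app-only (no user)'
        }
    }

# Delegated permissions (OAuth2 grants): exercised on behalf of signed-in users.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        $g = $_
        $g.Scope -split ' ' | Where-Object { $_ } | ForEach-Object {
            [pscustomobject]@{
                Type       = 'Delegated'
                Resource   = $g.ResourceId
                Permission = $_
                Detail     = "consent: $($g.ConsentType)"
            }
        }
    }

# Flag anything that reaches into mailboxes (permission names starting with "Mail.").
@($appPerms) + @($delegated) |
    Select-Object *, @{ n = 'MailboxAccess'; e = { $_.Permission -match '^Mail\.' } } |
    Sort-Object Type, Permission |
    Format-Table -AutoSize
```

Rows with `MailboxAccess` set to `True` are the ones that let the app read or remove messages, so keep the output with your change records and rerun it after any re-consent prompt.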
Using the app
When you first open the app, you’ll see an empty dashboard. It won’t scan through any existing emails in your users’ mailboxes, so you will need to give it some time to detect the first malicious emails.
The dashboard will show you a quick overview of the number of incoming threats that weren’t captured by Exchange Online Protection. These are emails that are currently sitting in your users’ mailboxes.
The emails are classified into three levels:
- Moderate (spam content)
- High (threats)
- Critical (Advanced threats)
Most flagged emails will have a moderate threat level, which most of the time indicates simple spam emails or newsletters. The high and critical severity alerts are the ones that you really want to be on the lookout for and probably delete.
The top targets screen gives you really valuable information about the top targeted users and how many malicious emails they have received. This can help you with identifying targeted phishing emails, allowing you to take extra measures to protect your users.
Deleting Malicious Emails
All threats are listed on the alerts screen. From here, you can inspect the detected threats and directly delete emails from the user’s mailbox. At this time, you can only see the sender, subject, and recipient of the email.
By selecting an email, you can see more info about the threat, but that only contains the classification, reason, and message ID. The attachment tab will show you the email headers. It would be a great addition if you could open the actual email from the app. From the subject and sender alone, it can sometimes be a bit difficult to verify the threat.
When you are certain that an email is a threat that needs to be removed from the user’s mailbox, then you can simply delete it from the app. You will have to verify your delete action in the app before the email is actually deleted from the user’s mailbox.
If a high or advanced-level threat is detected, you’ll receive a push notification on your phone and an email alert in your inbox. This allows you to quickly react to incoming phishing attempts.
How does Threat Monitor compare with EOP and Defender?
As mentioned earlier, every Microsoft Office 365 account comes with EOP. This offers a baseline level of security when it comes to protecting your inboxes from spam and phishing emails.
EOP relies on sender reputation, known IP addresses, signature-based virus scanners, and machine learning to detect malicious emails. It does a decent job, but it’s known that EOP doesn’t catch all threats.
The trouble is that you don’t have a way of knowing which emails get through—you really need to rely on your users to recognize them in time.
Defender for Office 365
Defender for Office 365 (formerly known as ATP) is part of the most expensive plans (E5, A5) of Microsoft 365, and it can be bought as an add-on through a CSP. Defender for Office 365 Plan 1 costs $2 per month per user. The strong points of Defender for Office 365 are Safe Links and Safe Attachments. They work really well and can eliminate most of the threats.
The challenge, however, with Defender for Office 365 is setting up the policies correctly to prevent too many false positives while still capturing the majority of the phishing emails. A recent test done by Avanan showed that 11% of threats go uncaught by Defender for Office 365.
The advantage of 365 Threat Monitor is that you have an extra set of eyes that scan your email and alert you when a threat slips through your email protection.
365 Threat Monitor was just released, and there is definitely some room for improvement. For example, it would really help if you could filter the alerts by threat level. Especially for those with a larger tenant, you’ll need to scroll through a lot of moderate threats, which are comparatively less important.
Overall, it is a great tool to monitor your current email protection performance and intercept emails that slip through. The free version of the app allows you to delete a limited number of emails and monitor your mailboxes—forever free!