#sponsored
Phishing emails are becoming more effective and sophisticated these days. Even with awareness training, some users still recognize them too late, causing potential harm to your data. Therefore, it’s important to keep our Microsoft 365 inboxes clean from phishing and malware emails.
To do this, we can use Exchange Online Protection (EOP); the basic version is included in every Microsoft 365 plan with Exchange Online. However, it comes with limited features, and you will need to configure it correctly to block most spam and phishing emails.
Another option is to use 365 Total Protection from Hornetsecurity. This security suite will not only protect your incoming and outgoing emails — it can also add signatures, ads, or disclaimers to your outgoing emails and offers 10-year email retention.
Let’s take a closer look at 365 Total Protection and how it compares to Exchange Online Protection.
365 Total Protection vs Exchange Online Protection
All Microsoft 365 plans that have Exchange Online come with Exchange Online Protection (EOP). So before we take a look at 365 Total Protection it’s good to know which features are available by default in EOP compared to 365 Total Protection.
| Feature | Exchange Online Protection | 365 Total Protection Business | 365 Total Protection Enterprise |
|---|---|---|---|
| Price | included | $ 2.00 per user per month | $ 4.00 per user per month |
| Spam & Malware protection | ✓ | ✓ | ✓ |
| Allow list and deny list | ✓ | ✓ | ✓ |
| Content Filtering | ✓ * | ✓ | ✓ |
| Compliance Filtering | ✓ * | ✓ | ✓ |
| Outlook “allow list” and “deny list” | ✓ | ✓ | ✓ |
| Company Disclaimer | ✓ | ✓ | ✓ |
| Email Live Tracking | ✓ | ✓ | |
| Threat statistics and reporting | ✓ | ✓ | |
| Infomail Handling | ✓ | ✓ | |
| Individual User Signatures | ✓ | ✓ | |
| Global SMIME/PGP Encryption | ✓ * | ✓ | ✓ |
| Websafe | ✓ * | ✓ | ✓ |
| Secure Cipher Policy Control | ✓ | ✓ | |
| Email Archiving | ✓ | ||
| 10-year Email Retention | ✓ | ||
| eDiscovery | ✓ | ||
| Forensic Analyses | ✓ | ||
| ATP Sandboxing | ✓ | ||
| URL Malware Control | ✓ | ||
| Realtime Threat Report | ✓ | ||
| Malware Ex Post Alert | ✓ | ||
| Malware Ex Post Deletion | ✓ | ||
| Email Continuity Service | ✓ |
At first glance, it might seem that a lot of the primary features, like anti-spam and malware or content filtering, are available in Exchange Online by default. And that is true, but there is a big difference between the two: in 365 Total Protection, most of these features are much easier to configure and even more powerful compared to EOP.
Let’s take a closer look at some of the most important features of 365 Total Protection.
Email Live Tracking
One of the most noticeable features of 365 Total Protection is the email live tracking feature. In Exchange Online, we can’t view all incoming and outgoing emails. When an email isn’t delivered, we will need to use the Message Trace to find the email and cause.
With Email Live Tracking, you can see all incoming and outgoing emails and their actual status. Are they delivered to the inbox of the user, is it spam or threat mail? And when it’s a false positive, we can easily deliver the email into the user’s mailbox.
Not only admins can live track emails; users can also log in at the Control Panel and track their own emails.
The Email Statistics feature, located under Reporting and Compliance, can really help you select targeted users, allowing you to give the user some additional awareness training or determine where you might need to tighten the security settings.
Spam and Malware Protection
Spam and Malware Protection is of course the basis of 365 Total Protection. This feature is enabled by default and will filter all incoming emails. In Exchange Online, you will need to fine-tune the anti-spam and anti-malware policy—and even then spam emails will slip through.
I’ve been testing 365 Total Protection for the past two weeks and haven’t received any spam mail in the junk folder since. I can really see a difference here between EOP and 365 Total Protection.
Content filtering
Content filtering allows you to block potential harmful attachments from entering your user’s mailboxes. This feature is also available in EOP and is part of the anti-malware policy.
The big difference between the two is how easy they are to configure. In 365 Total Protection, you only have to enable content filtering, and it will block any executable attachment or Office document with macros by default.
In Exchange Online, you will need to enable this manually—but also add some additional extensions for runnable attachments to be fully secure.
Advanced Threat Protection
Advanced Threat Protection (ATP) is really the next step when it comes to protecting your inboxes. Policies can only do so much. What I see these days, for example, are PDF documents with links in them to phishing sites.
These kinds of attachments can’t be stopped with normal anti-malware policies. And even with active awareness training, some users still seem to fall for these kinds of phishing emails.
We can compare ATP with Defender for Microsoft 365, which is part of the more expensive Microsoft 365 plans or available as an add-on for Microsoft 365.
ATP provides a couple of different tools that help with analyzing attachments and links, allowing it to find sophisticated threat emails.
- Sandbox Engine
- URL Rewriting
- URL Scanning
- Freezing
- Targeted Fraud Forensics
With sandboxing, for example, the attachment is opened and executed while the behavior is monitored. This way, potentially malicious code can be detected in an isolated environment before the attachment is sent to the user’s mailbox.
URL Rewriting replaces URLs in emails and targeted pages with a secure URL, redirecting all traffic through a web filter. This allows ATP to detect phishing sites or malicious content.
Signatures and Ads
Company-wide signatures aren’t really possible in Exchange Online. You could use a mail flow rule to append a disclaimer to an email, but a personalized signature, with the user’s contact details, isn’t possible.
Thus, users must create signatures themselves in Outlook or use a third-party solution. With 365 Total Protection, you can easily add signatures to each outgoing email.
You can add HTML and plain text signatures with individual users’ data from the Active Directory. Signatures can be assigned based on groups or to individual users.
If you want to promote your products, events, or services, then you can also use the intelligent ads to easily place banners and links in your email signatures.
Email Archiving, Retention and eDiscovery in 365 Threat Protection Enterprise
By default, all sent and received emails are archived for 10 years. This allows you to trace back every email that is ever sent to or by your organization. This feature is not suitable for restoring complete mailboxes but can be a great advantage in legal or audit cases.
Using the Email Live Tracking feature, we can search for mail based on different parameters, such as subject, recipient, or even in the body of the email.
Users are able to mark emails as private so they are excluded from the archiving procedure.
Newsletter handling
The last feature that I really want to point out is the infomail handling. When enabled, all emails classified as “newsletter” or “informative” will be quarantined. Once a day, or weekly, the user receives an overview with all relevant newsletters.
They can then decide which newsletters they want to receive. If a user wants to receive a newsletter immediately, then they can whitelist the newsletter.
Users can turn infomail handling on or off if the tenant admin has enabled the module in 365 Total Protection.
Getting started with 365 Total Protection
Getting started with 365 Total Protection is really simple and done in a couple of minutes. After you have signed up for the two-week trial, you will need to log in with a Microsoft 365 Global Administrator account.
After accepting the permissions request, we can synchronize your Microsoft 365 tenant with 365 Total Protection. This only takes a couple of minutes at most, after which you will have access to your customer portal.
The next step is to point the MX record to Hornetsecurity and change the auto-discover record to the correct address. This way, emails sent to your domain will go through 365 Total Protection first before they are delivered to your Exchange Online server.
This means that you could still use custom mail flow rules in Exchange Online together with Hornetsecurity.
When mail starts flowing through 365 Total Protection, it is important to change some settings in your EOP. Because by default, EOP will also scan all the mail that comes from 365 Total Protection and could mark them as spam.
So one of the last steps that you have to do is change the anti-spam policy in EOP as described here. Also, don’t forget to adjust your SPF record when you also route your outbound mail through 365 Total Protection.
Wrapping Up
Successful phishing attempts or malware infections can lead to ransomware infection—and we all know the severe consequences of a ransomware attack. Therefore, keeping the incoming mail free from malware and phishing emails is really important.
Even though you can do a lot with EOP, you will need to make sure that all policies are configured correctly. Threat protection is constantly changing, so you will need to stay up to date with all new features and make the required policy changes.
With 365 Total Protection from Hornetsecurity you don’t have to worry about these changes; they manage it for you. And besides protecting your email, it also includes features like 10-year email retention, email signature tool, disclaimers, and much more.
Hello Ruud, thanks for the insight. But how does the features compare with the ATP and Content analysis that comes with defender plan 2?
Thank you for your clarification!
Hi Ruud,
Nice review! I’ve been using this for a couple of years now in multiple firms I’ve worked for.
There’re only a few things that don’t quite work as advertised.
An example of those ‘oversights’:
When adopting the signatures via cp together with all mandatory settings like (for f.e. the spf checks) mail-rules, it’s impossible to send mails to an internal O365 group or shared mailbox. You’ll get an smtp error “HS-Targeted-Fraud-Forensics”.
It’s caused by the rule you’ll have to create to send all mail over the HSE-smarthosts.
another example:
The Continuity Service does nothing it seems. In case of an system failure the sending party simply get a NDR.
Another feature that’s not performing as axpected is the url-rewriting. In some cases it works, in other in doesn’t and you’ll get a 404 not found error. Even when the same mail is received by different users it’s behaivour is not consistant.
Last annouyance we encounter is the lack of support we get from HornetSecurity. They just redirect you to a partner and refuse any direct contact.
Yes we’re using the 365 Total Protection with an enterprise licence in case someone wonders.
Best regards,
Jeroen Sedee