Online protection the only way to go

Spam, viruses, phishing attacks, attachments containing malware and other little threats are the kind of thing that anti-malware solutions are designed to detect and block. The problem is that attack surfaces and threat vectors are not static. New ways of penetrating email systems are found all the time and are usually blocked in a matter of hours, but unless you keep up with developments, the chances are that your email servers will be compromised. Online services that disinfect inbound email streams seem like the right way forward because they evolve and protect faster. Great if you can use an online service, not so good if you're restricted to on-premises software.

Microsoft’s January 14 post “Leading the way in the fight against dangerous email threats” to the Office blog recalled the discussion that ensued in September 2012 after they announced the cancelation of their on-premises email protection products, including the Threat Management Gateway (TMG) and Forefront Protection for Exchange (FPE).

At the time, my conclusion was that there were both upsides and downsides to the decision. In another post, I made the case that the world of anti-virus had changed and that it had “become more important to recognize the way that threats mutate through social engineering techniques and cloaking.” I went on to say that the results of threat mitigation are most easily deployed in centralized environments such as Office 365.

I don’t see that much has changed since. We still have threats. Those threats mutate all the time, and the waves of spamming, phishing, and social engineering attacks keep on coming.

What has changed is that Microsoft has moved away from many of the traditional techniques employed to detect and intercept malware to focus more on leveraging the huge resources that exist within Office 365 to erect even more sophisticated barriers against new threat vectors.

Microsoft's post is informative because it explains how some existing techniques are changing and new approaches are evolving. Take Advanced Threat Protection (ATP), a way to detect and analyze suspicious attachments before blocking the content or passing it to the user. ATP had its critics, mostly because of the delay in message delivery that could occur before checking was complete. Now Microsoft has made the process “dynamic” by delivering a placeholder attachment along with the message while checking of the original attachment occurs in the background.

I like the idea of Zero-Hour Auto Purge (ZAP). The problem being addressed here is how best to handle a zero-day exploit, defined as an attack that uses a new method and therefore cannot be picked up by existing checks. ZAP is able to automatically remove messages that contain zero-day threats from user mailboxes and also to replace messages previously removed because they were regarded as potentially harmful. It makes sense to automate this process as otherwise administrators have to resort to techniques such as using the Search-Mailbox cmdlet to find and purge items from mailboxes.
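To show what the manual purge that ZAP automates looks like on-premises, here is an added example (not from the original post) of an Exchange Management Shell run of Search-Mailbox: it first estimates how many mailboxes hold a phishing message, then copies the matching items to a quarantine mailbox and deletes them. The subject line, the "Quarantine" mailbox and the "PurgeLog" folder are assumed placeholder values.

```powershell
# Added example, not from the original post. The subject text, the
# 'Quarantine' mailbox and the 'PurgeLog' folder are assumed placeholders.
# Run in the Exchange Management Shell; the operator needs the Discovery
# Management role to search and the Mailbox Import Export role to delete.

# KQL query describing the message being purged (placeholder subject).
$Query = 'Subject:"Urgent wire transfer request"'

# 1. Dry run: count matching items per mailbox without changing anything.
$Hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

# Review the scope before deleting anything.
$Hits | Select-Object Identity, ResultItemsCount | Format-Table -AutoSize

# 2. Purge only from mailboxes that actually hold the message. Each deleted
#    item is first copied, with a full search log, into the quarantine
#    mailbox so that the evidence survives for later analysis.
foreach ($m in $Hits) {
    Search-Mailbox -Identity $m.Identity -SearchQuery $Query `
        -TargetMailbox 'Quarantine' -TargetFolder 'PurgeLog' `
        -LogLevel Full -DeleteContent -Confirm:$false
}
```

Running the estimate pass first matters: -DeleteContent removes items from every mailbox the query matches, so a loose query purges far more than the one phishing message.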

It also makes sense to include MailTips (or safety tips) within OWA to help users better deal with messages. That is, if they read the tip. Another feature available in OWA is the ability to report phishing messages (those that ask for responses containing confidential information).

I’m not so sure about the need for protection against inside phishing, which apparently has been strengthened by 500% (meaning that it was very weak or non-existent before?). The example in the post is laughable as I can’t imagine any CFO running to wire $25,000 on the basis of a quick note from the CEO. Most companies have stringent processes in place to stop that sort of thing, but I guess it must happen so it’s good that the power of “big data” is now being exerted to stop executives making a fool of themselves.

Of course, those responsible for running on-premises Exchange servers can rightly ask whether all of this work has benefited them in any way. The short answer is no, at least not in a meaningful sense. Exchange 2013 and Exchange 2016 continue to offer anti-malware protection, but it’s not at the level that you see available within Office 365.

The need for massive resources is one reason why the on-premises world has been left behind. Take the scanning of suspicious attachments for instance. Could any on-premises deployment set aside the necessary resources to be available to intercept and scan inbound attachments that might contain a new payload? The answer is probably no.

On-premises servers can continue to deploy traditional anti-malware solutions to protect users. However, over the long term, I suspect that we will all route inbound mail through a cloud-based message hygiene service in the same way that hybrid Exchange deployments can use Exchange Online Protection today.

Given the amount of threat that exists and the speed that new threats can evolve, it seems to me that making use of centralized anti-malware services is the way forward. Simple checks for things like the “I Love You” virus that ignited this market just don’t cut the biscuit any more.

Follow Tony @12Knocksinna

Discuss this Blog Entry (4 comments)

on Jan 19, 2016

Good article. Thanks for the information!

on May 24, 2016

One of the greatest advantages of software in the Cloud is that a provider can continuously update the service, essentially eliminating the traditional monolithic software release. Trying to synchronize the Cloud and premise versions is a trade-off between losing the continuous update or putting premise IT on 24/7 constant update. Any service compromise is a compromise in service.

on Jan 19, 2016

We're managing several on-premises Exchange servers and we use 3rd-party filtering services; some use EOP/ATP and some 3rd-party email filtering solutions. Now, I do remember the I Love You virus and I assume the above filtering services would stop that. However, one way for it to spread was that some client accessed their private e-mail, opened an attachment and this infected the on-premises Exchange. Hopefully the local antivirus on the client would stop this, but with the trend of BYOD, this can't be guaranteed. But then we had antivirus software scanning the Exchange DB, but I don't see that much nowadays. EOP/ATP would not help here except for stopping outgoing e-mail. Your Exchange DB would still be infected. What are your comments on this?

on Jan 21, 2016

Excellent point. You are absolutely correct that the potential exists that someone could bring in an infected file and transmit it within an organization. If you use something like Exchange Online, then it's likely that the infection will be detected and suppressed because Microsoft monitors the situation for outbreaks and tools like ZAP can be deployed to remove infected items from mailboxes. You're on your own in the on-premises world and have to figure out how you will protect your infrastructure at multiple levels. We have always known that protection achieved through multiple layers is better than trying to erect the strongest wall to the outside...


What's Tony Redmond's Exchange Unwashed Blog?

On-premises and cloud-based Microsoft Exchange Server and all the associated technology that runs alongside Microsoft's enterprise messaging server.


Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro. His latest books are Office 365 for Exchange Professionals (eBook, May 2015) and Microsoft Exchange Server 2013 Inside Out: Mailbox...
