Spam, viruses, phishing attacks, attachments containing malware, and other threats are what anti-malware solutions are designed to detect and block. The problem is that attack surfaces and threat vectors are not static. New ways of penetrating email systems are found all the time, and although they are usually blocked within hours, unless you keep up with developments the chances are that your email servers will be compromised. Online services that disinfect inbound email streams seem like the right way forward because they evolve and protect faster. That's great if you can use an online service, not so good if you're restricted to on-premises software.
Microsoft's January 14 post "Leading the way in the fight against dangerous email threats" to the Office blog recalled the discussion that ensued in September 2012 after Microsoft announced the cancellation of its on-premises email protection products, including the Threat Management Gateway (TMG) and Forefront Protection for Exchange (FPE).
At the time, my conclusion was that there were both upsides and downsides to the decision. In another post, I made the case that the world of anti-virus had changed and that it had “become more important to recognize the way that threats mutate through social engineering techniques and cloaking.” I went on to say that the results of threat mitigation are most easily deployed in centralized environments such as .
I don't see that much has changed since. The threat remains, it mutates all the time, and the waves of spamming, phishing, and social engineering attacks keep on coming.
What has changed is that Microsoft has moved away from many of the traditional techniques used to detect and intercept malware, focusing instead on the huge resources available within Office 365 to erect even more sophisticated barriers against new threat vectors.
Microsoft's post is informative because it explains how some existing techniques are changing and new approaches are evolving. Take Advanced Threat Protection (ATP), which detects and analyzes suspicious attachments before either blocking the content or passing it to the user. ATP had its critics, mostly because of the delay in message delivery while checking completed. Microsoft has now made the process "dynamic" (Dynamic Delivery): the message is delivered immediately with a placeholder attachment while the original attachment is checked in the background, and the real attachment replaces the placeholder once it has been cleared.
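As an added example (not from the original post or from Microsoft's documentation), this is how an Office 365 tenant admin would switch ATP Safe Attachments to the Dynamic Delivery behaviour described above using the Exchange Online PowerShell cmdlets. The policy and rule names, the domain, and the redirect mailbox are assumed values.

```powershell
# Added example: enable ATP Safe Attachments in Dynamic Delivery mode.
# Requires a remote PowerShell session to Exchange Online with an ATP licence.
# Names, domain and mailbox below are assumptions for illustration.

# Policy: scan attachments, deliver the message at once with a placeholder,
# re-attach the original when the scan clears it, and redirect anything
# found malicious to a security mailbox for analysis.
New-SafeAttachmentPolicy -Name "Dynamic Delivery - all users" `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress "secops-quarantine@contoso.com" `
    -ActionOnError $true   # if scanning itself fails, redirect rather than deliver unscanned

# Rule: apply the policy to every recipient in the tenant's domain.
New-SafeAttachmentRule -Name "Dynamic Delivery - all users" `
    -SafeAttachmentPolicy "Dynamic Delivery - all users" `
    -RecipientDomainIs "contoso.com"

# Verify the settings took effect.
Get-SafeAttachmentPolicy -Identity "Dynamic Delivery - all users" |
    Format-List Action, Redirect, RedirectAddress, ActionOnError
```

The point of `-ActionOnError $true` is that a scanning failure should fail closed: without it, an attachment the sandbox could not process would be delivered as if it were clean.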
I like the idea of Zero-Hour Auto Purge (ZAP). The problem being addressed is how best to handle a zero-day exploit, meaning an attack that uses a new method and therefore is not caught by the checks that exist when the message arrives. Once the threat is identified, ZAP automatically removes messages containing it from user mailboxes, and it can also replace messages previously removed because they were regarded as potentially harmful. Automating this makes sense, because otherwise administrators have to fall back on techniques such as using the Search-Mailbox cmdlet to find and purge items from mailboxes.
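To show what ZAP saves administrators from doing, here is the manual Search-Mailbox purge referred to above, as an added example that is not part of the original post. It runs in the Exchange Management Shell (or a remote session to Exchange Online, where the cmdlet was still available at the time); the sender, subject, and date range in the query are assumed values, and the target is the default discovery mailbox.

```powershell
# Added example: manually purge a malicious message from every mailbox,
# the task that ZAP automates. Needs the Mailbox Import Export and
# Discovery Management roles. Query values are assumptions for illustration.

$Query = 'From:"invoice@example.net" AND Subject:"Overdue invoice" AND Received:01/14/2016..01/15/2016'
$Discovery = "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"

# 1. Dry run: log what would match into the discovery mailbox, delete nothing.
$Result = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query `
        -TargetMailbox $Discovery -TargetFolder "Purge-Log" `
        -LogOnly -LogLevel Full

# Total hits across all mailboxes; sanity-check against the expected blast radius
# before deleting anything.
($Result | Measure-Object -Property ResultItemsCount -Sum).Sum

# 2. After confirming in the log that the query matches only the malicious
#    message, delete it from every mailbox, keeping a copy in the discovery
#    mailbox for forensics.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query `
        -TargetMailbox $Discovery -TargetFolder "Purged-Items" `
        -LogLevel Full -DeleteContent -Force
```

The dry run matters: a query that is too loose (a common subject line, a broad date range) will delete legitimate mail from every mailbox in the organization, and this is exactly the judgement call ZAP takes out of the administrator's hands.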
It also makes sense to show safety tips within OWA (colour-coded banners above a message, distinct from the recipient-related MailTips) to help users deal with suspicious messages. That is, if they read the tip. Another feature available in OWA is the ability to report phishing messages, that is, messages that try to trick the recipient into handing over credentials or other confidential information.
I'm not so sure about the need for protection against inside phishing (messages that appear to come from a colleague or executive), which apparently has been strengthened by 500% (meaning that it was very weak or non-existent before?). The example in the post is laughable, as I can't imagine any CFO rushing to wire $25,000 on the basis of a quick note from the CEO. Most companies have stringent processes in place to stop that sort of thing, but I guess it must happen, so it's good that the power of "big data" is now being exerted to stop executives making fools of themselves.
Of course, those responsible for running on-premises Exchange servers can rightly ask whether all of this work has benefited them in any way. The short answer is no, at least not in any meaningful sense. On-premises Exchange (including Exchange 2016) continues to offer built-in anti-malware protection, but not at the level available within Office 365.
The need for massive resources is one reason why the on-premises world has been left behind. Take the scanning of suspicious attachments: could any on-premises deployment set aside the capacity needed to intercept and analyze every inbound attachment that might carry a new payload? Probably not.
On-premises servers can continue to run traditional anti-malware solutions to protect users. Over the long term, however, I suspect that we will all route inbound mail through a cloud-based message hygiene service, in the same way that hybrid Exchange deployments (and any on-premises organization with a standalone subscription) can use Exchange Online Protection today.
Given the volume of threats and the speed at which new ones evolve, it seems to me that centralized anti-malware services are the way forward. Simple signature checks for things like the "I Love You" virus that ignited this market just don't cut the mustard any more.
Follow Tony @12Knocksinna