Do you need Advanced Threat Protection? Maybe some new malware is en route to your mailbox!

If you use Exchange Online, either as the standalone plan or as part of an Office 365 commercial plan, any inbound email sent to your tenant is cleansed by going through Exchange Online Protection (EOP), essentially a massive barrier of servers dedicated to intercepting and removing bad stuff from email before unwanted rubbish reaches inboxes. EOP is also available as a hosted email filtering service that can be used by on-premises servers.

The fight against spam, viruses, and other forms of email-transmitted malware has been going on ever since someone realized that you could send messages to unwitting recipients that contained malicious code or some text that convinced that person to do something that was really not to their advantage. Famous examples in the past include the "I Love You" virus of May 2000 and the many variations of notifications that millions of dollars await you because someone has died or been overthrown or whatever. So many of these letters come from Nigeria that they are often referred to as 419 scams, where 419 refers to the article of the Nigerian Criminal Code dealing with fraud. Social engineering attacks and phishing are also common vectors for email-borne infection, as the White House apparently discovered recently.

Time moves on and despite a huge investment across the industry to erect and maintain network bastions, an incredible amount of rubbish still circulates in email and the volume is growing. Some reports put the amount of spam sent daily at more than 100 billion messages with nearly a billion more containing malware and estimate that 70% of all email is spam.

As explained in this article by security company Sophos, the availability of copious high-speed connectivity and cheap computers makes it easy for spammers to generate vast quantities of email that no one in their right mind wants to receive. Unwanted commercial email is the pollution of the Internet and it's not going to go away anytime soon.

Which brings us back to EOP. Its standard processing is good enough at removing the vast bulk of spam that arrives at the outer boundary of Office 365, but given the amount of spam that is generated and the ingenuity of spam creators in finding new ways to deceive and outfox the developers of mail filtering services like EOP, some unwanted messages will get through. I see between 3 and 4 messages weekly in my Inbox that I consider suspicious and I forward these messages to Microsoft for their analysis.

Yesterday, Microsoft announced Advanced Threat Protection (ATP) for EOP. This is an add-on service that costs an extra $2 per user per month. ATP is in preview with a select group of Office 365 tenants at present and is scheduled for general availability this summer. No doubt we shall hear more about ATP at the Ignite conference in Chicago next month (the session titled "Evolving Email Protection for Tomorrow’s Needs with Exchange Online Protection" at 10:45AM on Wednesday seems like a good bet).

An extra $2/user/month could create a large bill. A company with 10,000 Office 365 mailboxes will have to pay $240,000 annually to use ATP if they decide to enable ATP for all users (the feature can be selectively deployed to protect specific groups), so what will they get? Microsoft breaks the new functionality down into three areas:

Better protection against day zero viruses and malware: A day zero virus is something that has never been seen in the wild (outside a laboratory) so anti-virus and anti-malware engines can't detect it. Every message that comes into Office 365 is processed by EOP, which channels traffic through multiple anti-spam and anti-virus engines. Much of the traffic is dropped immediately as it can be identified as containing a virus or some other objectionable content. The partially sanitized mail stream is then examined to detect any messages that might be good but not good enough to be let through for delivery, possibly because they exhibit many of the known characteristics of malware. However, because these messages don't match any of the known signatures of malware, EOP can't determine whether they are good or bad, so the messages are shunted into a special sandbox environment (which seems to be running on Azure VMs) where the suspicious content can be broken down and analyzed to figure out if it is dangerous. For example, an attachment containing an executable is always suspicious, but you need to observe what the executable attempts to do when it is invoked to be sure. 

Conceptually, this is no different to the work done by malware investigators when they decipher new threats, but it's done at massive scale and by using machine learning to make a decision about the content. Quite how long it takes for a suspicious message to be analyzed and validated is an open question, especially at peak times, but it is likely to be measured in minutes rather than seconds. If the content is OK, it is released for delivery. If not, the option exists to block the message entirely or release it to the recipient after the offending content is removed. Bad messages can also be captured for further (human) analysis.

Real-time protection against malicious URLs: Attackers can hide bad URLs behind what seem to be good links to safe sites that you might want to visit. But when you click one of these URLs, a redirect takes you to a bad place. This is the attack vector exploited by phishing attacks, which can be remarkably successful in convincing people to share confidential data that is later misused. ATP looks for this kind of redirection and compares the redirected URLs against URL reputation lists that are updated regularly. If the URL is on a list, it's a problem and is therefore blocked.

The important thing here is that the check is performed at the time of reading rather than when a message arrives at the border of Office 365; a lot can happen to develop and enable a threat between delivery and reading. Whether or not this warrants the "real-time" label is debatable because a real-time check should preferably happen against a database that is continually updated or by scanning the suspicious URL to determine its real status. The problem here is that scanning a suspicious URL might take more time than a user would like.
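To make the delivery-time versus time-of-click distinction concrete, here is an added illustration (not Microsoft's code, and not part of the original post) of a link check that follows a redirect chain and compares every hop against a host reputation list. The redirect maps and the blocklist host are constructed sample data standing in for live HTTP 3xx responses and a real reputation feed.

```python
"""Time-of-click URL check, modelled on the behaviour described above.
Assumptions (constructed for this example): a dict standing in for live
HTTP redirects, and a set of hostnames standing in for a reputation list."""
from urllib.parse import urlparse

MAX_HOPS = 10  # bound the chain so a redirect loop cannot stall the check


def resolve_chain(url, redirects):
    """Follow redirects (dict: url -> next url) and return the list of hops.
    Stops at a URL with no redirect, at MAX_HOPS, or when a loop is detected."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= MAX_HOPS:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def check_url(url, redirects, blocklist):
    """Return ('block', chain) if any hop's host is on the reputation list,
    else ('allow', chain). Every hop is checked, not only the visible link,
    because the bad destination is hidden behind what looks like a safe URL."""
    chain = resolve_chain(url, redirects)
    for hop in chain:
        host = urlparse(hop).hostname or ""
        if host in blocklist:
            return "block", chain
    return "allow", chain


# Constructed sample: a short link that pointed at a harmless document when the
# message was delivered, then was repointed to a phishing host before the click.
LINK = "https://short.example/abc123"
BLOCKLIST = {"login-verify.example.net"}
REDIRECTS_AT_DELIVERY = {LINK: "https://docs.example.com/report.pdf"}
REDIRECTS_AT_CLICK = {
    LINK: "https://tracker.example.org/r?id=9",
    "https://tracker.example.org/r?id=9": "https://login-verify.example.net/owa",
}


def delivery_time_verdict():
    return check_url(LINK, REDIRECTS_AT_DELIVERY, BLOCKLIST)[0]


def click_time_verdict():
    return check_url(LINK, REDIRECTS_AT_CLICK, BLOCKLIST)[0]


if __name__ == "__main__":
    print("at delivery:", delivery_time_verdict())  # allow
    print("at click:   ", click_time_verdict())     # block
```

A scan at the Office 365 border sees only the first map and lets the message through; the same link checked when the user clicks resolves to the blocklisted host, which is why the check must happen at reading time.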

Reporting and URL trace: Clearly EOP gathers a lot of information about who is receiving malware and spam and the contents of those messages. This information can be interpreted and analyzed to determine whether any patterns exist. Are specific people in the organization targeted or is everyone a target? What categories of attacks are most prevalent, and so on.

It's hard to put a value on an add-on feature like ATP. For some companies it will be extraordinarily valuable and they'll consider the extra cost an insignificant detail because they need that level of protection. After all, dealing with the fallout from an attack like Cryptolocker is usually very expensive and time-consuming for all concerned. 

Others will look at ATP as a nice-to-have but perhaps not now. At least you have the choice. And it’s good to see that some new ways of combating malware are being deployed because this problem is going to be with us for as long as people can make money by exploiting the weakness of others.

Follow Tony @12Knocksinna
