Microsoft 365

    Why Microsoft's Security Isn't Enough On Its Own

    M365’s cybersecurity features have improved but still fall short of what’s needed. A layer of additional protection remains the best strategy for most companies.


    Key Points

    • M365’s success has made it into one of the world’s biggest targets for cybercriminals. 
    • Some budget-constrained enterprises rely solely on M365’s built-in security features, exposing those enterprises to increased risk at a time of intensifying attacks.
    • A more robust defense can be achieved by adding complementary technology to M365’s built-in security. This strategy helps reduce business disruption and data loss. 


    Microsoft introduced Microsoft 365 (M365) as “Office 365” more than a decade ago, and today this cloud version of its productivity software suite has a huge market share. Microsoft maintains roughly 90% of the market, with the rest falling to Google Workspace, according to research from Gartner.[i]

    In our current remote-work era, another component of M365, Teams, has also gotten enormous traction. Companies that were already using M365 to send emails, create documents, and build presentations now have this full-featured collaboration tool as part of the same package. As of the beginning of 2022, Teams had more than 270 million active monthly users, according to Microsoft.[ii]

    Even in the days when misgivings about Microsoft’s market dominance were more common, there was always an upside, as far as enterprise users were concerned, to Microsoft’s success. Microsoft’s financial resources meant a continually improving and more feature-rich line of software. The company’s embrace of cloud technology is an additional benefit to users, making the experience of using Microsoft’s products simpler and more seamless.

    The main exception to this good-news story is in the area of cybersecurity. With Microsoft’s software and its customers’ data residing in the cloud, bad actors have looked to exploit vulnerabilities. Few cloud software platforms have been bigger targets for such attacks in recent years than M365.

    Microsoft’s efforts to shore up M365’s security are starting to make a difference. Products like Defender, which is part of Microsoft’s E3 version of M365, offer anti-spam and anti-virus features and provide good entry-level protection. Microsoft’s more expensive E5 offering goes further with email security, and also protects against other threats, such as those involving smartphones and other end- point devices that are areas of vulnerability.

    But Microsoft is by no means a security company. And this means that chief information security officers (CISOs) who rely exclusively on Microsoft for their organizations’ data protection are making a de facto decision to accept security solutions that aren’t best-of-breed in certain areas. They’re also being exposed to the problems of operating in a software monoculture, including the problem of having many cyberattackers who have spent years learning the system and figuring out how to infiltrate it.

    The Benefits of Layered Security

    There is certainly a faction of M365 users who — partly because of cost pressure from their boards or finance departments — are entrusting all of their security needs to Microsoft. But even among this group, there are quite a few CISOs who think the ideal practice would be to have additional layers of security from an outside vendor like Mimecast. As one cybersecurity executive suggested in a recent interview, any smart CISO who isn’t layering is probably acquiescing to a sub-optimal solution because of cost. Any CISO who can layer and still isn’t doing so, the executive added, “is a fool.”

    There are five main benefits to layering:

    1. Better protection against malicious emails: A best practice in security layering is to use a secure email gateway (SEG) with M365. SEGs sit in front of M365 email servers, eliminating a large majority of emails that pose a threat of phishing, account takeover, VIP impersonation, or ransomware.

    One way to think about the value of a SEG is to imagine that one’s organization is a sovereign nation. An enterprise user of M365 should employ a SEG for the same reason that sovereign nations have overseas intelligence operations: to eliminate the threat while it’s still on the outside, as opposed to within.

    To be sure, the ecosystem for protection is getting more varied. In particular, there’s an emerging set of security vendors that have set themselves up using a different model for M365 email security. The systems of these Integrated Cloud Email Security providers sit behind M365 rather than in front of it, with the mission of reinspecting and catching damaging emails in the event Microsoft’s own security lets one through. The risk is that a high-volume attack could overwhelm such a system’s ability to catch all malicious emails in a timely way, and that a user could click on one in the interim.

    2. Avoidance of email outages: Though generally reliable, M365 isn’t perfect. A succession of M365 service disruptions in late 2020 proved this and was problematic for companies in certain parts of the U.S., keeping them from using Outlook, OneDrive, and Teams.[iii]

    Moreover, the incidence of M365 email downtime events appears to be increasing. In Mimecast’s 2022 State of Email Security report, two in every three enterprise users of M365 said they had experienced an email outage in the previous 12 months that either had a “moderate” or “severe” impact on their organizations. That was up from 49% of M365 users who said this in 2021 and up from 42% of users who said it in 2020.

    One of the benefits of a good SEG is that, with a few keystrokes, an email administrator can temporarily switch all email activity to the SEG platform.

    3. Preservation of data: The data in emails and other corporate systems is not just a “nice to have;” it includes business decisions, shared files, recordings, and other essentials. For companies in industries like healthcare and finance, maintaining it can be a regulatory obligation.

    SEG providers offer archiving solutions, simplifying this part of an M365 enterprise’s compliance requirement and speeding e-discovery when it’s needed. Archiving solutions can also help when data has been lost because of a security breach involving Teams, an increasingly common problem and growing area of concern.[iv]

    4. More security services and features: With its focus on M365’s productivity features, Microsoft doesn’t offer much outside the core areas of security. Awareness training, crucial since human error is a factor in 94% of all email-borne attacks, isn’t part of M365. An enterprise must add other security layers, beyond those available in M365, to ensure that all threats are being managed.

    5. The ability to build a best-of-breed security solution: Enterprises that put a premium on security may prefer to use a handful of different providers — one to protect their e-mail systems, a second for endpoint devices and maybe a third for zero trust network access controls. This best-of-breed approach can be managed relatively simply if the security team opts for cybersecurity vendors that have a library of open APIs or off-the-shelf integrations among different brands of security. 

    The Bottom Line

    Microsoft’s success has put it and its customers in the crosshairs of cybercriminals. The additional security Microsoft is adding to its M365 platform is encouraging and offers basic protection against spam and email-borne viruses. Many enterprises will want to go beyond this, though, reinforcing their defenses and protecting their operations with additional tools and technologies from well-established security vendors. Read how Mimecast can protect your investment in M365.


    [i]As Google moves to reshape Workspace, barriers to business adoption remain,” Computerworld

    [ii]Microsoft: Teams now has more than 270 million monthly active users,” ZDNet

    [iii]Very Frustrating’: Microsoft Office 365 Outage Hits U.S. Again,” ZDNet

    [iv]Microsoft Teams is the new frontier for phishing attacks,” VentureBeat


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page