Email Security Part 2 – Append and Alert


In a previous blog, “Email Security Part 1 – Mail Flow Rules,” we discussed how mail flow monitoring will usually come with some additional services attached. Continuing this discussion of email security, let’s look at some of those other services and explain what they are and what they do. Specifically, let’s look at email appends and advanced alerting for Office 365.

What are Email Appends?

Through mail flow rules, text can be added to the subject line of an email to warn the recipient. Because these policies are enforced on the server side, they raise the security baseline for every mailbox at once. By processing mail flow through a series of conditions, we can do some exciting stuff. One of these rules appends text to the subject of certain emails. This rule is configured so that when an email arrives that was not sent from within your domain, the subject of the email is tagged to tell you so. We can take this a step further: if the email is sent from a server that is not yours but claims to be from your company’s domain, the subject is tagged to tell the user that the sender address is fake or “spoofed.” This makes it harder for an attacker to trick users into clicking on malicious links or giving away login passwords. In addition to these steps, a well-designed email phishing campaign can “trick” and then train end users, but this technique will be discussed in a future blog.
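The two rules described above, written as an added example in Exchange Online PowerShell. This is not code from the original post or from Truewater; it assumes an Exchange Online session is already open (Connect-ExchangeOnline) and uses contoso.com as a placeholder for your own accepted domain.

```powershell
# Added example (not from the original post): two Exchange Online mail flow
# rules that tag the subject line, as described above.
# Assumptions: the tenant's accepted domain is contoso.com (placeholder) and an
# Exchange Online PowerShell session is already open (Connect-ExchangeOnline).

$OrgDomain = "contoso.com"   # placeholder: replace with your accepted domain

# Rule 1: mail from outside the organization gets an "[EXTERNAL]" prefix.
# The exception stops the tag from being stacked again on every reply in a thread.
New-TransportRule -Name "Tag external mail" `
    -FromScope NotInOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ExceptIfSubjectContainsWords "[EXTERNAL]" `
    -Priority 1

# Rule 2: mail that claims to come from our own domain but arrives from
# outside the organization (a spoofing attempt) gets a louder prefix.
# A lower priority number is evaluated first, so this runs before Rule 1,
# and StopRuleProcessing keeps Rule 1 from adding a second tag.
New-TransportRule -Name "Tag spoofed internal domain" `
    -FromScope NotInOrganization `
    -SenderDomainIs $OrgDomain `
    -PrependSubject "[SPOOFED SENDER] " `
    -StopRuleProcessing $true `
    -Priority 0

# Verify what was created and the order in which the rules are evaluated.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State, PrependSubject
```

One caveat to check before enabling Rule 2: legitimate third-party services that send on your behalf (a newsletter or ticketing platform, for example) will also arrive from outside the organization with your domain as the sender, so add exceptions for those sources (for instance with -ExceptIfSenderIpRanges) and confirm they are covered by your SPF and DKIM records, or users will learn to ignore the tag.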

Advanced Alerting

Another security control that usually gets lumped in with email appends and mail flow monitoring is alerting. Basic alerting should be configured by your managed service provider early on, but Office 365 offers a multitude of advanced alerting conditions that are not configured by default. These more eclectic alerts, such as “Mass download by a single user,” “Login from a risky Internet Protocol (IP) address,” or “General anomaly detection,” can require a lot of fine-tuning that most IT service providers do not include in their standard offering. Each of these advanced alerts generally requires custom configuration, which means deciding such things as:

  • What counts as an anomaly?
  • What IP addresses count as suspicious?
  • Who should be notified of these alerts?

These and other questions must be answered as part of advanced alerting. Identifying and configuring these alerts according to your company’s specific IT security needs takes significant effort and thorough vetting. As with all IT security needs, communication with your managed services provider is required.
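As an added example of answering those questions in configuration (not code from the original post or from Truewater), the following creates the “Mass download by a single user” alert as a custom alert policy in Microsoft 365 Security & Compliance PowerShell. It assumes Connect-IPPSSession has already been run; secops@contoso.com is a placeholder for the team to notify, and the threshold of 100 downloads in 60 minutes is a constructed starting point that must be tuned to the tenant’s normal activity.

```powershell
# Added example (not from the original post): a custom alert policy in the
# Microsoft 365 Security & Compliance PowerShell module.
# Assumptions: Connect-IPPSSession has already been run, and
# secops@contoso.com is a placeholder for the team that should be notified.
# The threshold (100 downloads in 60 minutes) is a constructed starting point
# and must be tuned to what is normal for this tenant.

$Notify = "secops@contoso.com"   # placeholder recipient

# Answers the three questions above: what counts as an anomaly (100 downloads
# by one user in 60 minutes), which activity is watched (FileDownloaded), and
# who is notified ($Notify).
New-ProtectionAlert -Name "Mass download by a single user" `
    -Description "More than 100 file downloads by one user within 60 minutes" `
    -Category Others `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -AggregationType SimpleAggregation `
    -Threshold 100 `
    -TimeWindow 60 `
    -Severity Medium `
    -NotifyUser $Notify

# Review the policy after creation. If it fires on routine sync or backup
# jobs, raise the threshold or exclude those service accounts rather than
# switching the alert off.
Get-ProtectionAlert -Identity "Mass download by a single user" |
    Format-List Name, Operation, Threshold, TimeWindow, NotifyUser, Severity
```

The value of the alert is decided by the tuning loop, not the creation step: run it for a couple of weeks, look at what it fired on, and adjust the threshold and exclusions until the remaining alerts are ones someone will actually investigate.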

Always bear in mind that there is a distinct difference between a Managed Services Provider (MSP) and a Managed Security Services Provider (MSSP). While most MSPs do provide an essential and valuable level of security, more advanced security services will probably not be included. Some full-service MSPs, like Truewater, offer advanced security services as a project or ongoing service. But in the end, when it comes to the security of your business, ask the hard questions to make sure you fully understand which security services are included.

For additional security information, contact Truewater at 713-869-0001 Ext 5.

By: Joshua Lackey, Truewater Project Manager