Almost 19% of phishing emails bypass Microsoft Defender

11 October 2022


Check Point Software is one of the world's best-known and largest infosec companies. In September 2021 it acquired the email security company Avanan, and it has recently updated Avanan's initial 2020 research on the email security effectiveness of Microsoft 365 and Defender.

The report, summarised by our partner KnowBe4, finds that although Microsoft 365 is a secure service, when it comes to phishing email attacks Defender misses almost 19 percent of them.

Because Microsoft 365 and its built-in Defender protection are the default security for most organisations, many attackers treat email and Microsoft 365 as their initial point of compromise. A good example of how attackers focus on Microsoft 365 is a series of blogs from Microsoft detailing a state-sponsored group's attempts to compromise its services.

Hackers have stepped up their game.

Microsoft is the most used and most targeted email service in the world. After analysing nearly three million emails, Check Point found that Microsoft Defender currently misses 18.8 percent of phishing emails. The previous 2020 analysis showed 10.8 percent of phishing emails reaching inboxes, so Defender's missed phishing rate has increased by 74 percent. The report attributes this not to a decline in Microsoft's effectiveness, but to an increase in targeted attacks designed specifically to bypass Microsoft. Hackers, in other words, have stepped up their game.

Another notable finding is that Defender sends a further seven percent of phishing messages to the Junk folder rather than quarantining them. Unlike quarantine, the Junk folder is still accessible to the user, so those messages can be opened and their links clicked.

It's not all bad news though

There are several areas where Defender does quite well. For example, it catches 90 percent of unknown malware, and it is also good at spotting sender-domain spoofing attacks that fail DMARC checks: only 2.5 percent of those make it through to inboxes. It also does quite well with Business Email Compromise, with only 2 percent getting through.

The picture is worse where attacks have been crafted to bypass Defender. It missed 42 percent of financially themed phishing attacks built this way; this category includes fake invoices and bitcoin transfer requests. Brand impersonation is another popular method for getting past Defender, and 22 percent of these emails reach inboxes. 21 percent of credential harvesting attacks also reach users' inboxes.

Missed phishing rate higher in larger organisations

The missed phishing rate is also higher in larger organisations, reaching between 50 and 70 percent. This is despite security operations centre staff in large businesses devoting a large share of their time to email issues. One large company in the study saw 910 user-reported phishing emails in a single week, yet the IT team could only remediate 59 of them, less than seven percent.

Defender vs. Secure Email Gateways

In a separate study of 300 million emails, Check Point found that Microsoft sits in the middle of the pack when compared with the competition, in this case Secure Email Gateways (SEGs). Per 100,000 emails, Microsoft's phishing catch rate is better than some SEGs and worse than others. The report compares Avanan, Mimecast, Google, Proofpoint and Barracuda. To get the report, start with this article at Betanews.

SEGs are only part of the picture

It is important to keep in mind that none of these SEGs stops phishing delivered over any medium other than email (with the possible exception of web-based social engineering, where content filtering may help). They do not catch SMS phishing, voice-call phishing, social media phishing, WhatsApp phishing, physical social engineering such as tailgating, and so on.

Even if some magic solution came into being that solved the email phishing problem (highly unlikely), all organisations would still have to manage the ongoing social engineering problem. That is why KnowBe4 trains your users about social engineering in general as the overall threat, and how to defeat it regardless of the medium.

Original Source | KnowBe4 | October 8th


Askaris are the cyber security specialists providing customers with the complete suite of cyber security solutions and services.