Investing in multiple layers of protection from different vendors can help to eliminate blind spots and complexity in security solutions, providing better protection against attack attempts. However, many organizations are unaware that threat actors can easily bypass third-party email filtering products by directing emails to onmicrosoft.com domains, which are an inherent part of the Microsoft 365 configuration. Companies that invest in third-party email filtering solutions often focus on applying rules, policies, and IP whitelists and blacklists within that solution, assuming that all traffic is routed through it. This assumption is dangerous and inaccurate.
Organizations using Microsoft 365 need to ensure that all email traffic is routed through the third-party product they have invested in, so that they fully capitalize on the layered protection they have implemented. When a domain is added and verified, a Microsoft default domain is attached to it, and that default domain cannot be updated or pointed at a preferred mail security gateway. As a result, threat actors who address email to onmicrosoft.com default domains can have it delivered while bypassing the rules, policies, and filters set in the third-party product. To mitigate this risk, rules should be created to alert IT whenever onmicrosoft.com addresses are used, and organizations should stay up to date on the benefits and potential pitfalls of all solutions in their environment.
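One way to implement the alerting described above over an exported list of inbound message records. This is an added example, not code from the original article or from Microsoft; the CSV column names, the sample rows and the gateway IP range are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of inbound message records. Column names, addresses
# and IPs are made up for this example.
SAMPLE_TRACE = """received,sender,recipient,from_ip
2024-05-01T09:12:00Z,billing@partner.example,alice@contoso.example,192.0.2.10
2024-05-01T09:14:31Z,invoice@unknown.example,alice@contoso.onmicrosoft.com,203.0.113.77
2024-05-01T09:20:05Z,news@vendor.example,Bob@Contoso.mail.onmicrosoft.com,192.0.2.11
2024-05-01T09:25:40Z,hr@contoso.example,carol@contoso.example,198.51.100.5
"""

# Assumption: the range the third-party filtering gateway delivers from.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_default_domain(address):
    """True if the address is at onmicrosoft.com or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")


def via_gateway(ip_text):
    """True if the connecting IP belongs to the filtering gateway."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # an unparseable source is treated as not the gateway
    return any(ip in net for net in GATEWAY_NETS)


def find_alerts(trace_csv):
    """Return one alert per message addressed to an onmicrosoft.com recipient."""
    alerts = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if not is_default_domain(row["recipient"]):
            continue
        alerts.append({
            "received": row["received"],
            "sender": row["sender"],
            "recipient": row["recipient"],
            # Direct delivery means the third-party filters never saw it.
            "bypassed_gateway": not via_gateway(row["from_ip"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_TRACE):
        print(alert)
```

Every message to an onmicrosoft.com recipient produces an alert; the `bypassed_gateway` flag separates those that arrived directly from those that still passed through the filtering product.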
In complex organizational environments, an assessment may be valuable for understanding how to layer solutions together to achieve the best protection across the enterprise.