
Why Cisco Secure Email? If you have Microsoft 365…
Abdalla Taha, Technical Solutions Architect – Secure Email
BRKSEC-2913

How effective is Microsoft 365’s email security?
Webex App
Questions? Use the Webex App to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until February 23, 2024.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2913

BRKSEC-2913 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Microsoft 365 Email Security
  • Exchange Online Protection
  • Microsoft Defender for O365
• Cisco Secure Email
  • Cloud Gateway
  • Threat Defense
  • Domain Protection
• Cisco vs Microsoft – with live demos
• Conclusion
• Extra slides for your reference
About Me
Abdalla Taha
Technical Solutions Architect
• Palestinian/Moroccan from Finland!
• Part of Global Security Sales Organization
• Dedicated technical resource for north EMEA
• Worldwide lead for Email Technical Advisory Group
• 8+ years at Cisco (Email security focus 6 years)
• Husband & Father of two
• Love outdoor sports & travelling
Disclaimer
• This presentation is created by Abdalla Taha, a Cisco employee specialized in email security
• The information presented is based on:
  • Research
  • Experience with the products
  • Customer/Partner/Colleagues feedback
• Feel free to approach me with feedback
• I welcome feedback (positive + negative) & I welcome challenges (prove me wrong)
• Main purpose for this presentation is to show that the combination of Cisco + Microsoft is better than Microsoft on its own. Yes, also in the case of E5!
• Please be cautious when using this deck as new features come, licenses change, etc. I will do my best to keep repeating this session with accurate and updated content.
Microsoft 365
• Formerly Office 365 (name changed 2020)
• Provides Microsoft software as SaaS solution
• Exchange server → Exchange Online
  • An opportunity to move the “headache” of keeping Exchange server operation to Microsoft
  • Admins can focus only on managing policies and configurations
  • Always up to date
• Today more than a million companies use Microsoft 365(1)

(1) https://www.statista.com/statistics/983321/worldwide-office-365-user-numbers-by-country
What about Email Security on Microsoft 365?
• Contrary to Exchange on premise, Exchange Online includes Exchange Online Protection (EOP)
• Companies migrating to the cloud could replace their existing email security vendor with Microsoft's own services
• The question arises: why keep or add other vendors? And how good is Microsoft’s email security?
Email Security with Microsoft 365
Microsoft offers email security in 3 levels(1)
• Exchange Online Protection
• Microsoft Defender for Office 365 Plan 1 (formerly ATP plan1)
• Microsoft Defender for Office 365 Plan 2 (formerly ATP plan2)
From a high-level perspective Microsoft has it all!
• Most companies don’t even bother to run a Proof-of-Concept as they trust Microsoft’s brand and reputation
• Microsoft's sales team also encourages customers to disregard the third-party email security vendor for “simplicity” and maximum performance

(1) https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison
Exchange Online Protection
• Included in most licenses such as E3
• Antispam
  • Acts on Connection filtering and Content filtering
• Anti-Malware
  • ZAP function to remove known viruses after delivery
• Anti-phishing (spoof) protection
  • Control what happens when DMARC fails
  • Threats based on URLs (QR codes included)
• Message trace
  • Find logging details of emails
• Basic reports on mail traffic

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about
Microsoft Defender for Office 365 Plan 1 (MDO 1)
• Included in E5
• Safe Attachment
  • Microsoft’s sandbox to mitigate zero-day malware
  • Option for dynamic delivery (get email first without attachment and attachment once scan is ready)
• Safe Link
  • Protection from malicious links
  • Rewriting URLs to be checked again at time-of-click
• Better Anti-phishing
  • Improves EOP antispam to protect also from impersonation attacks
  • VIP protection & Intelligent Mailbox
• More reports
  • Called Real-time detections
  • Reports and tools to investigate malware and URL based email attacks
• Integration with SIEM API

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-about
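Safe Links, like the URL rewrite feature on the Cisco gateway discussed later in the deck, relies on one mechanism: the link in the delivered message is replaced by a gateway-controlled link, so the verdict can be re-evaluated when the user clicks rather than only when the mail arrived. The Python sketch below is an illustration added to this page by the editor, not code from Microsoft or Cisco. It shows an HMAC-signed rewrite, a click-time reputation lookup, and a verdict that changes between delivery and click; the checkpoint host, signing key and reputation store are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: a hypothetical click checkpoint and a signing key.
# A real deployment keeps the key in a secret store and rotates it.
CHECKPOINT = "https://click.gateway.invalid/click"
SIGNING_KEY = b"example-signing-key-rotate-me"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reputation store; it is updated between delivery and click below.
REPUTATION = {"https://invoice-portal.example/login": "clean"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(original_url: str) -> str:
    # The MAC binds the wrapped target to this gateway, so a forged checkpoint
    # link (or a tampered target) fails verification at click time.
    return _b64(hmac.new(SIGNING_KEY, original_url.encode(), hashlib.sha256).digest())


def rewrite_url(original_url: str) -> str:
    """Wrap one URL so that every click goes through the checkpoint."""
    params = {"u": _b64(original_url.encode()), "sig": _sign(original_url)}
    return f"{CHECKPOINT}?{urlencode(params)}"


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) URL in a plain-text body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def current_verdict(url: str) -> str:
    return REPUTATION.get(url, "unknown")


def resolve_click(rewritten_url: str, verdict_lookup=current_verdict) -> tuple:
    """Click-time handling: verify the signature, then consult the *current*
    verdict. Returns (decision, original_url); decision is allow/block/reject."""
    q = parse_qs(urlparse(rewritten_url).query)
    token, sig = q.get("u", [""])[0], q.get("sig", [""])[0]
    padded = token + "=" * (-len(token) % 4)
    try:
        original = base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return ("reject", "")
    if not hmac.compare_digest(sig, _sign(original)):
        return ("reject", "")          # tampered target or forged checkpoint link
    decision = "block" if verdict_lookup(original) == "malicious" else "allow"
    return (decision, original)


def demo() -> dict:
    """Deliver a message with a clean link, flip the verdict, click again."""
    target = "https://invoice-portal.example/login"
    safe_body = rewrite_body(f"Please review {target} before Friday")
    link = URL_RE.search(safe_body).group(0)
    at_delivery = resolve_click(link)[0]
    REPUTATION[target] = "malicious"   # reputation changes after the mail was delivered
    at_click = resolve_click(link)[0]
    forged = link.replace("sig=", "sig=x")   # signature modified in transit
    return {"at_delivery": at_delivery, "at_click": at_click, "forged": resolve_click(forged)[0]}


if __name__ == "__main__":
    print(demo())
```

The point of the signature is that the checkpoint only ever redirects to targets the gateway itself wrapped; without it, the rewrite host becomes an open redirector. The "hacks" against rewrite-only protection mentioned later in the deck are exactly the cases this sketch does not cover: anything the rewrite regex misses (URLs in attachments, QR codes, obfuscated schemes) is never checked at click time at all.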
Microsoft Defender for Office 365 plan 2 (MDO 2)
• Included in E5
• Includes Microsoft Defender for Office 365 plan 1
• Threat Tracker
  • More reports and widgets
• Threat Explorer
  • More powerful tool for investigation and threat hunting
  • Possibility to remediate malicious emails from end user's inbox
• Automated investigation and response
  • Automated actions for faster remediation
  • Automated actions over SIEM API
• Attack simulation training
  • Sending simulated phishing emails to bring up awareness
• Campaign View
  • Means to identify attack campaigns

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/why-do-i-need-microsoft-defender-for-office-365
Do you need more?
• Based on datasheets and marketing, Microsoft seems quite comprehensive
• Many customers hesitate on Microsoft Defender for Office 365 (MDO) plans as they are expensive
• EOP level protection is not sufficient to protect from today's threats
• A report showed that with 3M malicious emails on a Microsoft 365 account, almost 19% of phishing emails bypassed EOP+MDO protection
Do you need more?
• Based on a Cisco internal test with E5 level protection
• Attacks simulated by fetching the newest phishing links from PhishTank and malicious attachments from MalwareBazaar
• ~28k malicious emails sent in 16 days
• Microsoft blocked ~36% (9k); ~59% moved to junk; ~2% (420) delivered to inbox

[Chart: Microsoft blocked 36%; SPAM 38%; Phishing 19.32%; Malicious 5.27%; Scam 1.19%; BEC 0.37%]
Your answers on: How effective is Microsoft 365’s email security?
After all, email is still the #1 threat vector
Cisco? Please help!
Cisco Secure Email
Cisco Secure Email Portfolio
On premise:
• Email Gateway – Email Security Appliance (ESA, IronPort)
• Email and Web Manager – Security Management Appliance (SMA)
Cloud & more:
• Email Cloud Gateway – Cloud Email Security (CES)
• Email Threat Defense – Cloud Mailbox (CM, CMD)
• Domain Protection
• Awareness Training
• Email Archiving

Cisco Secure Email Portfolio (same diagram)
Since Microsoft 365 is a cloud platform we will use the cloud option in the examples. Nevertheless, the on-premise gateway has the same capabilities as the cloud gateway.
Cisco Secure Email Cloud Gateway
Email firewall for Microsoft 365
[Diagram: SMTP mail flow through the Email Cloud Gateway to Microsoft 365, MS Graph API connection to Microsoft 365, end users and applications]
• MX records point at Cisco cloud gateway
• Protection for emails inbound and outbound
• Dedicated resources per customer
• US/CA/EU/APJ location
• SLA 99.999% on availability
• High availability and Disaster recovery
Cisco Secure Email Cloud Gateway
Processing Pipeline

Inbound – Connection and Content Filtering:
• Connection Filtering – Host and IP filtering via SBRS & ETF
• Reputation Filtering (SDR) – Domain reputation filtering
• Connector Control – Throttling, SPF, DKIM & DMARC
• CASE – Multi-verdict scanning
Inbound – Virus & Malware Filtering:
• Anti-Virus – Block known viruses
• File Reputation – SHA-based file blocking
• File Analysis – Behavioral indicators, sandboxing
Inbound – Content Filtering:
• Graymail Detection – marketing, social and bulk emails
• Content Filtering – Admin driven rules (ETF & FED)
Inbound – Anti-Phishing:
• Outbreak Filtering – 9-12 hr lead time on zero-day outbreaks
• Threat Defense – Behavioral analytics

Outbound – Content Filtering:
• CASE – Multi-verdict scanning
Outbound – Encryption:
• DANE – DNSSEC checks, TLSA
Outbound – Virus & Malware Filtering:
• Anti-Virus – Block known viruses
• File Rep & Analysis – Outbound malware scanning
Outbound – Data Exfiltration:
• Data Loss Prevention – Inspect PII & sensitive content
Outbound – Encryption:
• Encryption Service – Message encryption via Cisco Secure Email Encryption
Post Delivery Interaction – URL Defense:
• URL Rewrite, Tracking & Graymail Unsubscribe – Link validation & tracking, unsubscribe, URL click reporting
Post Delivery Interaction – Clawback:
• Malware Defense Retrospection & Remediation – Post delivery action on verdict changes

Cisco XDR – Detection, Investigation, Remediation & Threat Management
Cisco XDR: Investigate with intelligence, context and response
Global Intelligence – Are these observables suspicious or malicious?
• Malware intelligence
• Internet intelligence
• VirusTotal and other third parties
Local security context – Have we seen these observables? Where? Which endpoints connected to the domain/URL?
• Endpoint security
• Cloud security
• Email security
• Network firewall
• Secure Web Appliance
• Analytics
Response actions – What can I do about it right now?
• Block destinations
• Block files
• Isolate hosts
• Remediate Emails
Observables: 1) File hash, 2) IP address, 3) Domain, 4) URL, 5) Email addresses, etc.
Cisco Secure Email Integrations
• External Threat Feeds – STIX / TAXII: IP address, Domains, URLs, File hash
• Log collection – Net Logs: FTP, SCP, Syslog, AWS S3, REST API; CEF formatting supported
• Cisco to Cisco – Cisco XDR (XDR API: Remediation), Malware Analytics
• Authentication & LDAP – LDAP, SAML 2.0, Graph API
• REST API – Reporting, Message tracking, Quarantine, Configuration API
Cisco Secure Email Licensing
Three simple tiers
• Essentials (Email Cloud Gateway) – All security functionalities to protect from present threats while providing granular control and visibility.
• Advantage – All the functionalities from Essentials added with compliancy features and more.
• Premier (Email Threat Defense, Awareness Training) – All the functionalities from Advantage added with internal email scanning and awareness training.

Cisco Secure Email Licensing
Essentials:
• IronPort Antispam
• Sophos AV
• Malware Defense – Limited sample submissions
• Graymail Detection
• Outbreak Filtering
• URL filtering
• Safe Print
• + more
Advantage:
• Everything on Essentials
• Malware Defense – Unlimited sample submissions
• Envelope Encryption
• Data Loss Prevention
• Safe Unsubscribe
Premier:
• Everything on Advantage
• Cisco Secure Email Threat Defense
• Cisco Secure Awareness Training
Add on:
• Intelligent Multi Scan
• McAfee AV
• Image Analyzer
Click here for license comparison
Cisco Secure Email Premier
[Diagram: Phishing Simulation and Security Awareness Training (Awareness Training); SMTP mail flow through the Email Cloud Gateway to Microsoft 365; MS Graph API and Journaling feed Email Threat Defense; end users and applications]
• Advantage level Gateway features
• Internal traffic scanning
• Behavioural Analytics
Cisco Secure Email Threat Defense
• Let Microsoft be the gateway
• Add advanced detection and visibility with parallel scanning
• Simplify admin tasks with automation
• Scan all directions (inbound, outbound, and internal)
• Fast deployment and easy management
  • Deploy in 5 minutes
  • Detailed message logs and reports
[Diagram: Microsoft 365 (end users, applications) connected to Email Threat Defense via MS Graph API and Journaling]
Cisco Secure Email Threat Defense
Inbound and Internal:
• Header Analysis – IP, Domain and URL Reputation: Responsive analysis using global threat intelligence
• Virus & Malware Filtering – File Reputation: SHA-based file blocking; File Analysis: File types, behavioral indicators, sandboxing
• Content – Anti-Spam & Gray Mail: Integration with spam & junk folders
• Anti-Phishing & BEC Protection – Natural Language Understanding and Yara rule analysis: New methods to analyze the intent of the email
• Clawback / Post Delivery Interaction – Retrospection & Remediation: Post delivery action on verdict changes, Auto/OnDemand

Cisco XDR – Detection, Investigation, Remediation & Threat Management
Why Behavioral Modeling?
[Diagram: scale and complexity increase along the axis Global Reputation → Global Behavior → Organization Behavior → Individual Behavior; Microsoft 365 and Cisco Secure Email Threat Defense are placed along this axis]

Signals → ML Classifier → Decision
The final verdict is given by aggregating the signals

Benign email decision: pass
Phishing email decision: block
Layering Detections using Machine Learning
The creation of mini-engines or detectors that identify techniques and behaviors using ML and NLP. The combination of detectors reveals the intent of the message.
Detectors named on the slide include: External Link Masquerade Detector, Brand Phishing, Department Impersonation, Fake Reply Detector, Dash-Phishing Detector, Email Address Masquerade, Recently Registered Domain, Payroll Scams, BEC, Individual Deception, Zero-Trust BEC, Name Imposter, Cryptocurrency Scams, Unusual Payment Request, Non-BEC Masquerade, Sudden Burst Detector, Victim-specific, Rare Communication, Sender Relationship Mapping, Victim Mismatch Detector, URL Impersonation Detector, Message Indicators, Call To Action and Urgency, Identity and Relationship Checker, Email Account Compromise, Unusual Open Redirect, Masquerade Detector
Examples of Machine Learning Based Detections
[Screenshot callouts:]
• Sender text is unusual
• Sender domain has low reputation
• Impersonates Microsoft
• Greets person by username
• Impersonates the recipient company
• Link contains suspicious patterns
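To make concrete what "aggregating the signals" means on the previous slides, here is a Python example added by the editor; it is not Cisco's engine. A few small heuristic detectors modelled on the names above (fake reply, display-name masquerade of the recipient's company, greeting by username, urgency wording, suspicious link host) each emit a signal, and a weighted sum produces the pass/block decision. The tenant domain, weights, threshold and both sample messages are constructed; a production classifier would learn the weights rather than hard-code them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the protected tenant and hand-picked weights.
COMPANY_DOMAIN = "acme.example"
COMPANY_NAME = "acme"
WEIGHTS = {"fake_reply": 2, "name_masquerade": 3, "greets_by_username": 1,
           "urgency": 1, "suspicious_link": 3}
BLOCK_THRESHOLD = 5

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_PHRASES = ("urgent", "immediately", "act now", "within 24 hours", "will be suspended")


def link_is_suspicious(url: str) -> bool:
    """IP-literal hosts, or a host that carries the company name but whose
    registrable domain is not the company's (a look-alike)."""
    host = re.match(r"https?://([^/?#]+)", url).group(1).lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return True
    registrable = ".".join(host.split(".")[-2:])   # simplification: no public-suffix list
    return COMPANY_NAME in host and registrable != COMPANY_DOMAIN


def extract_signals(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(errors="replace").lower()
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    recipient_local = parseaddr(msg.get("To", ""))[1].partition("@")[0].lower()
    subject = msg.get("Subject", "").strip().lower()
    return {
        # "Re:" subject with no threading headers: a reply to nothing
        "fake_reply": subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")),
        # company name in the display name, but the mail comes from outside the company
        "name_masquerade": COMPANY_NAME in display_name.lower() and sender_domain != COMPANY_DOMAIN,
        # greeting uses the mailbox local-part, as a harvested address list would
        "greets_by_username": bool(recipient_local) and bool(
            re.search(rf"^(hi|hello|dear)\s+{re.escape(recipient_local)}\b", body, re.M)),
        "urgency": any(p in body for p in URGENCY_PHRASES),
        "suspicious_link": any(link_is_suspicious(u) for u in URL_RE.findall(body)),
    }


def classify(raw_message: str) -> dict:
    """Aggregate the detector signals into one verdict."""
    signals = extract_signals(raw_message)
    score = sum(WEIGHTS[name] for name, hit in signals.items() if hit)
    return {"signals": signals, "score": score,
            "decision": "block" if score >= BLOCK_THRESHOLD else "pass"}


# Constructed sample messages (not real traffic).
PHISHING = """\
From: "Acme IT Helpdesk" <helpdesk@acme-support.example.net>
To: jsmith@acme.example
Subject: Re: password expiry
Content-Type: text/plain

hi jsmith,
your mailbox password expires today. act now: http://acme.example.login-verify.example.net/reset
"""

BENIGN = """\
From: "Dana Lee" <dana.lee@partner.example>
To: jsmith@acme.example
Subject: Re: Q3 roadmap
In-Reply-To: <20240201.1234@acme.example>
Content-Type: text/plain

Hi John,
thanks, the revised slides are at https://wiki.partner.example/q3-roadmap
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("benign", BENIGN)):
        print(label, classify(raw))
```

No single signal here is conclusive (a legitimate partner can write "urgent", and an internal tool can greet by username), which is why the decision is taken on the sum; the organisation- and individual-level behaviour the slide mentions would enter as further signals such as "sender never wrote to this recipient before".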
Examples of Machine Learning Based Detections
[Screenshot]

We live in a day and age where Behavioral Analytics is a must have feature for all security products
Gateway or API? Just the other or Both?
Email Cloud Gateway – Inline security
➡️ More control
➡️ More granular options
➡️ Fine tuning
➡️ Granular Policies
➡️ Better troubleshooting options
Email Threat Defense – Supplemental security
➡️ Faster deployment
➡️ Ease of use
➡️ AI/ML-based engines
➡️ Detailed attack visibility

Gateway or API? Just the other or Both?
Email Cloud Gateway: “Enhance my inline control!”
Email Threat Defense: “Boost my security with AI!”
Both
Google & Yahoo – new email requirements
• Announced 3rd of October
• Takes effect February 2024
• Requirements for senders that send more than 5000 emails/day
  • Authentication protocols need to be set up correctly (SPF/DKIM/DMARC)
  • Valid forward and reverse DNS (FCrDNS)
  • One-click to Unsubscribe (RFC8058)
  • Low spam rate
https://blog.redsift.com/google-and-yahoo-announce-new-requirements-for-email-delivery/
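Three of the requirements above can be checked from the records and headers themselves, before any mailbox provider starts rejecting. The Python below is an example added by the editor (not from the deck, Cisco or the linked blog): it parses a DMARC record for a usable policy and a reporting address, sanity-checks an SPF record including the 10-lookup limit of RFC 7208, and verifies the RFC 8058 one-click unsubscribe header pair. All records and messages are constructed; a real check would fetch the TXT records over DNS first.

```python
import re
from email import message_from_string

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record (tag=value pairs separated by ';') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address: no aggregate reports, so no visibility of who sends as you")
    return problems


def check_spf(record: str) -> list:
    """Syntax sanity plus the RFC 7208 limit of 10 DNS-querying terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    lookups = 0
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()   # strip the qualifier before matching the mechanism
        if t in ("a", "mx", "ptr") or t.startswith(
                ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")):
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (evaluates to permerror)")
    last = terms[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record should end with -all or ~all so unauthorised senders fail")
    return problems


def check_one_click_unsubscribe(raw_message: str) -> list:
    """RFC 8058: an https List-Unsubscribe URI plus the exact List-Unsubscribe-Post value."""
    msg = message_from_string(raw_message)
    problems = []
    if not re.search(r"<https://[^>]+>", msg.get("List-Unsubscribe", "")):
        problems.append("List-Unsubscribe has no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    return problems


# Constructed records and headers for the example (documentation domains only).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; pct=100"
WEAK_DMARC = "v=DMARC1; p=monitor"
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
BLOATED_SPF = "v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11)) + " ?all"
GOOD_BULK_MESSAGE = """\
From: news@example.com
List-Unsubscribe: <https://example.com/unsub/abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: Newsletter

body
"""
LEGACY_BULK_MESSAGE = """\
From: news@example.com
List-Unsubscribe: <mailto:unsub@example.com>
Subject: Newsletter

body
"""


def run_checks() -> dict:
    return {
        "good_dmarc": check_dmarc(GOOD_DMARC),
        "weak_dmarc": check_dmarc(WEAK_DMARC),
        "good_spf": check_spf(GOOD_SPF),
        "bloated_spf": check_spf(BLOATED_SPF),
        "good_unsub": check_one_click_unsubscribe(GOOD_BULK_MESSAGE),
        "legacy_unsub": check_one_click_unsubscribe(LEGACY_BULK_MESSAGE),
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, problems or "ok")
```

The SPF lookup count matters for the gateway comparison later in the deck as much as for Google and Yahoo: a record over the limit evaluates to permerror at every receiver, so DMARC alignment then rests on DKIM alone.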
Cisco Secure Domain Protection
Domain Protection
Simplify DMARC management
• DMARC, SPF, and DKIM
• BIMI, MTA-STS, and TLS-RPT
Enforce spoofing protection of your domains in 6 – 8 weeks!
[Diagram: spoofing attempts and legitimate spoofing (hosting services) sending on behalf of your organization to recipients]
Secure Email > Complete Protection

Email Cloud Gateway – Inbound:
• Connection and Content Filtering – Connection Filtering: Host and IP filtering via SBRS & ETF; Reputation Filtering (SDR): Domain reputation filtering; Connector Control: Throttling, SPF, DKIM & DMARC; CASE: Multi-verdict scanning
• Virus & Malware Filtering – Anti-Virus: Block known viruses; File Reputation: SHA-based file blocking; File Analysis: File types, behavioral indicators, sandboxing
• Content Filtering – Graymail Detection: marketing, social and bulk; Content Filtering: Admin driven rules (ETF & FED)
• Anti-Phishing – Outbreak Filtering: 9-12 hr lead time on zero-day outbreaks; Threat Defense: Metadata & behavioral analytics
Email Cloud Gateway – Outbound:
• Content Filtering – CASE: Multi-verdict scanning
• Encryption – DANE: DNSSEC checks, TLSA
• Virus & Malware Filtering – Anti-Virus: Block known viruses; File Rep & Analysis: Outbound malware scanning
• Data Exfiltration – Data Loss Prevention: Inspect PII & sensitive content
• Encryption – Encryption Service: Message encryption via Cisco Secure Email Encryption
• DMARC – Domain Protection: Brand protection, SPF, DKIM & DMARC management
• Cisco XDR – Detection, Investigation, Remediation & Threat Management
Email Threat Defense – Inbound and Internal:
• Header Analysis – IP, Domain and URL Reputation: Responsive analysis using global threat intelligence
• Virus & Malware Filtering – File Reputation: SHA-based file blocking; File Analysis: File types, behavioral indicators, sandboxing
• Content – Anti-Spam & Gray Mail: Integration with spam & junk folders
• Anti-Phishing & BEC – Natural Language Understanding and Yara rule analysis: New methods to analyze the intent of the email
Post Delivery Interaction:
• URL Defense – URL Rewrite, Tracking & Graymail Unsubscribe: Link validation & tracking, unsubscribe, URL click reporting
• Clawback – Malware Defense Retrospection & Remediation: Post delivery action on verdict changes
Simulation – Secure Awareness Training: End user training + phishing simulations
Cisco vs Microsoft
Cisco – strong leader in 3rd party analysis
[Analyst recognitions: 2020, 2021, 2023]
Comparing Features?
• Customers usually want to see a feature list comparison between Cisco and Microsoft
• Sounds easy and simple, right?
• Let's try…
Feature | Cisco | Microsoft
feature 1 | ✔ | ❌
feature 2 | ✔ | ✔
feature 3 | ❌ | ✔
feature 4 | ✔ | ❌
feature 5 | ✔ | ✔
feature 6 | ✔ | ✔
feature 7 | ❌ | ✔
feature 8 | ✔ | ❌

Comparing Features?
• Customers usually want to see a feature list comparison between Cisco and Microsoft
• Sounds easy and simple, right?
• Let's try…
• No difference?
• We need to look a bit deeper to understand the differences…
Feature | Cisco | Microsoft
Antispam | ✔ | ✔
Anti-phishing | ✔ | ✔
Antivirus | ✔ | ✔
Sandbox | ✔ | ✔
URL | ✔ | ✔
Reports | ✔ | ✔
TS tools | ✔ | ✔
Automation | ✔ | ✔
High-level Feature Comparison 1/3
(The Cisco and Microsoft 365 columns of the slide show license-level icons; legend: EOP = Essentials, MDO 1 = Advantage, MDO 2 = Premier. Comments follow each feature.)
• Connection Control – Cisco Email Gateway provides granular control to decide the level of reputation (IP/domain) to block, throttle, or accept. Microsoft only has “allow lists” and “block lists”.
• Antispam – Cisco’s SLA on FP for antispam is 1:1M where Microsoft’s SLA is 1:250k.
• Antivirus (antimalware) – Microsoft hides the amount and the vendors of Antivirus; Cisco uses Sophos & McAfee.
• Sandbox detonation – Cisco’s malware sandboxing takes 5 to 10 min. Microsoft Safe-Attachment is slow, and customers mostly complain about the slowness…
• Marketing/Social/Bulk management – Cisco provides granular control for graymail messages; with Microsoft, the only option is to mark bulk emails as spam, and end users get “focus view”.
• VIP spoof protection – Cisco has Forged Email Detection with Fuzzy matching. No limitation on the amount of VIP names to be provided. With Microsoft this feature is only available in MDO1.
• URL protection – Cisco Email Gateway provides granular control to decide the level of URL reputation or category on when to block, rewrite, or replace with text. There are many “hacks” to bypass Microsoft SafeLink detection, which is only rewriting URLs.
• Attachment control – Cisco can look at file metadata and MIME type in addition to file extensions. Cisco can also automatically recognize macros in files. Microsoft only looks at extensions.
• Outbreak protection – Cisco protects from file and other based outbreaks; Microsoft has this only for files.
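The attachment-control row is the one most easily demonstrated: an extension is a claim made by the sender, while the leading bytes and the archive contents are what the file actually is. The Python below is an example added by the editor, not Cisco or Microsoft code, showing the three checks the row describes: content-type sniffing from magic bytes, comparison against the declared extension and MIME type, and macro recognition by looking for vbaProject.bin inside an OOXML zip. The content-family tables are deliberately small, and the sample attachments (a clean PDF, an executable renamed to .pdf, a minimal OOXML-style zip with and without a macro part) are constructed in the block.

```python
import io
import zipfile

# Content families the sniffer can tell apart from leading bytes ("magic").
MAGIC = (
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                                   # zip and OOXML (docx/xlsx/pptx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),              # legacy .doc/.xls containers
    (b"MZ", "exe"),
)
EXT_FAMILY = {"pdf": "pdf", "zip": "zip", "docx": "zip", "docm": "zip", "xlsx": "zip",
              "xlsm": "zip", "pptx": "zip", "doc": "ole", "xls": "ole", "exe": "exe", "txt": "text"}
MIME_FAMILY = {
    "application/pdf": "pdf", "application/zip": "zip", "application/msword": "ole",
    "application/vnd.ms-excel": "ole", "application/x-msdownload": "exe", "text/plain": "text",
}


def sniff_family(data: bytes) -> str:
    for signature, family in MAGIC:
        if data.startswith(signature):
            return family
    return "text" if data[:512].isascii() else "other"


def mime_family(mime: str) -> str:
    if mime.startswith("application/vnd.openxmlformats-officedocument"):
        return "zip"
    return MIME_FAMILY.get(mime, "other")


def has_vba_project(data: bytes) -> bool:
    """OOXML documents are zip archives; a macro project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Compare what the attachment claims to be with what its bytes say it is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_family(data)
    findings = []
    if ext in EXT_FAMILY and EXT_FAMILY[ext] != actual:
        findings.append(f"extension .{ext} claims {EXT_FAMILY[ext]} but content is {actual}")
    declared = mime_family(declared_mime)
    if declared != "other" and declared != actual:
        findings.append(f"declared MIME type {declared_mime} does not match content ({actual})")
    if actual == "zip" and has_vba_project(data):
        findings.append("Office document carries a VBA macro project (vbaProject.bin)")
    if actual == "exe":
        findings.append("executable content")
    return {"filename": filename, "content": actual, "findings": findings,
            "action": "block" if findings else "deliver"}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip for the example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


# Constructed sample attachments.
DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # PE header stub, sent as "report.pdf"


def demo() -> dict:
    return {
        "clean_pdf": assess_attachment("report.pdf", "application/pdf", CLEAN_PDF),
        "renamed_exe": assess_attachment("report.pdf", "application/pdf", RENAMED_EXE),
        "macro_docx": assess_attachment("invoice.docx", DOCX_MIME, build_ooxml(True)),
        "plain_docx": assess_attachment("invoice.docx", DOCX_MIME, build_ooxml(False)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["action"], result["findings"])
```

An extension-only policy passes both the renamed executable and the macro-bearing document here, since both carry an allowed extension; the sniffer catches the first and the archive inspection the second. A full implementation would also parse the legacy OLE container for VBA streams and, as the "password protected file analysis" row on the next slide describes, attempt the passwords found in the message body before giving up on an encrypted archive.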
High-level Feature Comparison 2/3
(License legend: EOP = Essentials, MDO 1 = Advantage, MDO 2 = Premier. Comments follow each feature.)
• Safe unsubscribe – Microsoft has this feature for consumer Outlook, but not for the enterprise side…
• Password protected file analysis – Cisco can parse the body of an email and find the password, which can help detect malware hiding in a password protected attachment.
• Automatic Email Remediation – Cisco has MAR, Microsoft has ZAP.
• On demand Email Remediation – Cisco has this included in Essentials.
• Data Loss Prevention – Microsoft has deprecated EOP DLP and is offering DLP from Microsoft Purview, which is part of E5.
• Envelope Encryption – Microsoft has migrated encryption functionalities to Microsoft Purview, which is part of E5.
• 3rd party threat feed – Cisco can poll up to 8 sources with STIX/TAXII protocol for malicious IP, domain, file hash, and/or URLs.
• DMARC/DKIM/SPF – Microsoft finally supports DMARC policy handling, like Cisco.
• DANE/MTA-STS – Cisco supports DANE today and MTA-STS is on the roadmap; Microsoft supports both today.
High-level Feature Comparison 3/3
(License legend: EOP = Essentials, MDO 1 = Advantage, MDO 2 = Premier. Comments follow each feature.)
• Reports – Reports vary and get better based on the license level with Microsoft. Cisco has all in Essentials.
• Message logs – Microsoft message trace tool provides only 10-day high level visibility. Deeper and older info is available via csv file. Cisco can easily hold more than 1 year worth of logs and show all deep information right from the GUI. Microsoft capability to analyze log data for threat hunting requires higher level licenses.
• Log export/SIEM integration – Cisco supports automatic export of all events via syslog, AWS S3 push and SCP push. Microsoft supports only API based integration with SIEMs: in MDO 1 for reporting, and in MDO 2 you get response abilities.
• Phishing Simulation – Only available in MDO 2.
• Awareness training – Only available in MDO 2.
• Internal traffic protection – Provided with Cisco Secure Email Threat Defense; with Microsoft only Safe-Link can be activated for internal traffic.
• Automation – Provided by Cisco XDR Orchestration workflows. You need MDO 2 with Microsoft to enable automation.
• Behavioral Analytics (AI/ML) – Microsoft does not have customer specific AI engines, only a feature called “Mailbox Intelligence”. Cisco Email Threat Defense is customer specific.
Feeling This?
• Don’t worry, deep dive comparisons are in the coming slides
• Don’t hesitate to ask questions and challenge claims

Cisco vs Microsoft
Live Demo

Conclusion
“The more threat intelligence you have, the better protection you can achieve”
-Abdalla Taha ☺
Cisco Secure Email adds value to Microsoft 365
Email Cloud Gateway
• More granular control
• Better visibility
• Faster diagnostics
• More efficient security
• More features
Use Microsoft email security in parallel to Cisco. With Microsoft Enhanced Filtering, EOP becomes aware of the gateway between it and the internet.(1) “Two eyes are better than one eye!”

(1) https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors
Do you need Control? Just with Essentials…
Not only adding features, but improving existing
Email Cloud Gateway Essentials vs. EOP
• EOP has: Antispam, Antimalware, Antiphishing
• Essentials improves: Antispam, Antimalware, Antiphishing
• Essentials adds: Sandbox, URL protection, On demand remediation, Automation, Threat Investigation

Do you need Control? Just with Essentials…
Even with Microsoft Defender for O365 plan 1, to match on features, you need plan 2 or E5!
Email Cloud Gateway Essentials vs. EOP + MDO 1
• EOP + MDO 1 has: Antispam, Antimalware, Antiphishing, Safe-Link, Safe-Attachment
• Essentials improves: Antispam, Antimalware, Antiphishing, Sandbox, URL protection
• Essentials adds: On demand remediation, Automation, Threat Investigation
Do you need boost of security & visibility?
Email Threat Defense improves or adds the following, shown on three slides against Exchange Online Protection, against EOP + MDO 1, and against EOP +  MDO 2 = E5:
• Antispam
• Antimalware
• Antiphishing
• Sandbox
• URL protection
• On demand remediation
• Automation
• Threat Investigation
• Behavioral Analytics
• Internal traffic scanning
Can Cisco add value to Microsoft 365?
#CiscoLive
Prove it to me!
Trial and test it for yourself
• Best way to see the differences is to have a Proof-of-Value
• Start the trial today:
  • Email (cloud or on-premise) Gateway: Contact your Cisco Account team!
  • Awareness Training: Contact your Cisco Account team!
  • Email Threat Defense: link
  • Domain Protection: link
Thank you

Cisco vs Microsoft – extra slides
Deeper Look
• The next slides will dive in deeper to each feature we saw in the high-level comparison
• Screenshots of dashboards and documentation
• Links and references
List of features to compare
1. Connection Control
2. Antispam
3. Antivirus (antimalware)
4. Sandbox detonation
5. Marketing/Social/Bulk management
6. VIP spoof protection
7. URL protection
8. Attachment control
9. Outbreak protection
10. Safe unsubscribe
11. Password protected file analysis
12. Automatic Email Remediation
13. On demand Email Remediation
14. Data Loss Prevention
15. Envelope Encryption
16. 3rd party threat feed
17. DMARC/DKIM/SPF
18. DANE/MTA-STS
19. Reports
20. Message logs
21. Log export
22. Phishing Simulation
23. Awareness training
24. Internal traffic protection
25. Automation

Microsoft’s Email Protection Feature Stack
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365

Email processing pipeline: Microsoft 365
https://i1.wp.com/msexperttalk.com/wp-content/uploads/2019/08/EOP-and-ATP-1.jpg (link dead, no other public references found)
Secure Email > Complete Protection
[Figure: Cisco Secure Email protection map, reconstructed from the slide text; rows are the three processing stages, entries are the engines and what each does]
Inbound (Connection and Content Filtering, Virus & Malware Filtering, Content Filtering, Anti-Phishing):
• Connection Filtering: host and IP filtering via SBRS & ETF
• SDR: domain reputation filtering
• Reputation Filtering: throttling, SPF, DKIM & DMARC
• Threat Defense Connector: metadata & behavioral analytics
• CASE: multi-verdict scanning
• Anti-Virus: block known viruses
• File Reputation: SHA-based file blocking (ETF & FED)
• File Analysis: file types, behavioral indicators, sandboxing
• Graymail Detection: control marketing, social and bulk
• Content Filtering: admin driven rules
• Outbreak Filtering: 9-12 hr lead time on zero-day outbreaks
Outbound (Content Filtering, Encryption, Virus & Malware Filtering, Data Exfiltration, Encryption, DMARC):
• CASE: multi-verdict scanning
• DANE: DNSSEC and TLSA checks
• Anti-Virus: block known viruses
• File Rep & Analysis: outbound malware scanning
• Data Loss Prevention: inspect PII & sensitive content
• Encryption Service: message encryption via Cisco Secure Email Encryption
• Domain Protection: brand protection, SPF, DKIM & DMARC management
• Cisco XDR: detection, investigation, remediation & threat management
Post Delivery Interaction, Inbound and Internal (Header Analysis, Virus & Malware Filtering, Content, Anti-Phishing & BEC, URL Defense, Clawback, Simulation, Tracking):
• IP, Domain and URL Reputation: responsive analysis using global threat intelligence
• File Reputation: SHA-based file blocking
• File Analysis: file types, behavioral indicators, sandboxing; Yara rule analysis
• Anti-Spam & Gray Mail: integration with spam & junk folders
• Natural Language Understanding: new methods to analyze the intent of the email
• URL Rewrite, Unsubscribe: link validation & unsubscribe
• Malware Defense, Retrospection & Remediation: post delivery action on verdict changes
• Secure Awareness Training: end user training + phishing simulations
• URL click tracking and reporting
1. Connection Control
• Cisco
• Granular and highly customizable; senders are categorized into groups based on IP address reputation and domain reputation
• Full control to decide when to drop a connection and when to accept (or accept with throttling)
• How good reputation must be for you to accept/throttle
• Verification of sender domain existence and resolvability
• Link to Admin guide
• Microsoft 365
• Blocks bad reputation senders based on their own intel
• Customer has no control to select the reputation level
• Only allow lists and block lists can be configured (IP and domain)
• Does not block a sender if the domain does not resolve/exist
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/connection-filter-policies-configure
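To make the difference in the two connection-control models concrete, the following added example (not Cisco's or Microsoft's code) models the decision described above: explicit IP allow and block lists first, then reputation thresholds that accept, throttle or reject, and a check that the sender domain resolves. The score range follows SBRS (-10 to +10); the thresholds, addresses, domains and the offline stand-in resolver are all constructed.

```python
"""Connection-control policy model (added illustration, not Cisco's or Microsoft's code).

Models the decision the slide describes for an inbound SMTP connection: explicit allow and
block lists by IP range first, then reputation thresholds that accept, throttle or reject,
plus a check that the sender's domain actually resolves. The reputation scale (-10 to +10)
follows SBRS; every threshold, address, domain and the stand-in resolver is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SenderGroup:
    name: str
    min_score: float                     # inclusive lower bound
    max_score: float                     # exclusive upper bound
    action: str                          # "accept", "throttle" or "reject"
    max_recipients_per_hour: Optional[int] = None   # only meaningful for "throttle"


# Constructed thresholds; an administrator tunes these per deployment. First match wins.
SENDER_GROUPS: List[SenderGroup] = [
    SenderGroup("BLOCKLIST", -10.0, -3.0, "reject"),
    SenderGroup("SUSPECTLIST", -3.0, -1.0, "throttle", max_recipients_per_hour=20),
    SenderGroup("ACCEPTLIST", -1.0, float("inf"), "accept"),
]
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]        # constructed partner range
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/25")]     # constructed known-bad range


@dataclass(frozen=True)
class Decision:
    action: str
    group: str
    reason: str
    max_recipients_per_hour: Optional[int] = None


def _in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def classify(score: Optional[float]) -> SenderGroup:
    """Map a reputation score to the first sender group whose range contains it."""
    if score is None:
        score = 0.0                      # unscored senders are treated as neutral
    for group in SENDER_GROUPS:
        if group.min_score <= score < group.max_score:
            return group
    raise ValueError(f"reputation score {score} is outside the supported range")


def decide(sender_ip: str, reputation: Optional[float], mail_from_domain: str,
           domain_resolves: Callable[[str], bool]) -> Decision:
    """Return the connection-level action for one sender."""
    ip = ipaddress.ip_address(sender_ip)
    if _in_any(ip, ALLOWLIST):
        return Decision("accept", "ALLOWLIST", "explicit allow list entry")
    if _in_any(ip, BLOCKLIST):
        return Decision("reject", "BLOCKLIST", "explicit block list entry")
    if not domain_resolves(mail_from_domain):
        return Decision("reject", "UNRESOLVABLE",
                        f"sender domain {mail_from_domain} does not resolve")
    group = classify(reputation)
    return Decision(group.action, group.name,
                    f"reputation {reputation} falls in {group.name}",
                    group.max_recipients_per_hour)


# Constructed offline stand-in for a DNS lookup (real code would query MX, then A/AAAA).
KNOWN_DOMAINS = {"partner.example", "newsletter.example", "shop.example"}


def fake_resolver(domain: str) -> bool:
    return domain.lower() in KNOWN_DOMAINS


if __name__ == "__main__":
    for ip_, score, dom in [("203.0.113.7", -6.0, "newsletter.example"),
                            ("203.0.113.7", -2.0, "newsletter.example"),
                            ("203.0.113.7", 3.0, "nonexistent.example")]:
        print(ip_, score, dom, "->", decide(ip_, score, dom, fake_resolver))
```

The Microsoft model in the slide corresponds to running only the ALLOWLIST/BLOCKLIST step with a fixed, vendor-chosen reputation cut-off; the Cisco model adds the tunable SENDER_GROUPS table and the resolvability check.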

1. Connection control: Cisco

Utilize third party feed to block bad senders

Decide the level of reputation to block

Throttle suspicious senders

1. Connection control: Cisco

Choose threshold to block a sender based on domain reputation

Block malformed senders

Prevent senders from non-existent domains

1. Connection control: Microsoft

That’s all you can configure… You can’t configure thresholds to accept or block email based on
reputation score etc. Microsoft uses their own threat intel to block bad reputation senders.

2. Antispam
• Cisco
• IronPort antispam
• With IMS license can be combined with a third party antispam to increase efficacy
• Two levels of spam verdict: positive and suspect
• Thresholds are customizable, and special spam policies for specific email senders/recipients/both are easy to configure
• False-positive SLA is 1:1M
• Link to Admin guide
• Microsoft 365
• Configurable easily for the whole organization; customization per group or user is harder
• Interesting configuration options (looks like patching security holes)
• False-positive SLA is 1:250k
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about

2. Antispam
• Cisco

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/OfferDescriptions/secure-email.pdf page 4

• Microsoft 365

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about

2. Antispam: Cisco

Decide spam detection thresholds per policy

2. Antispam: Cisco

• Configure threshold of message size to scan with antispam
• Select mode of scanning

2. Antispam: Microsoft

Microsoft offers various options to affect the antispam verdict, yet many of them are subject to higher false positives.

2. Antispam: Microsoft

Microsoft does offer the same options on actions and in addition ZAP for antispam is
configurable for spam and phishing (based on URLs).

3. Antivirus
• Cisco
• Sophos AV included in Essentials
• Possibility to add and combine with McAfee AV (licensed separately)
• Easy per policy configuration
• Link to Admin guide
• Microsoft 365
• Called Antimalware. The documentation used to state that three third-party vendors are used; this is not publicly mentioned anymore.
• Vendor(s) unknown
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure

3. Antivirus: Cisco

• Same as with Antispam, you can define for each policy its behavior:
• Have just one AV or both
• Drop, quarantine or deliver with warning
• Notify admin/recipient
• Decide what to do when an email is unscannable (for example corrupted) or encrypted.

3. Antivirus: Microsoft
• No easy way to select all file types
• No option to deliver with warning or to act on corrupted files; you need to create a message rule to accomplish it

4. Sandbox detonation
• Cisco
• Malware Defense (formerly called AMP) with Malware Analytics (formerly called TG)
• Malware Analytics detonates unknown suspicious files (possible zero-day malware)
• Detonation takes 5 to 10 minutes and maximum wait time can be configured for 15 minutes
• Link to Admin guide
• Microsoft 365
• Called Safe Attachments, included in MDO plan 1
• Customers complain a lot about the delay of scanning. Dynamic delivery is meant to help with the delay, but for some it's annoying
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about

4. Sandbox detonation: Cisco
• Easy per policy config
• Choose actions on failures and corrupted attachments
• Choose if only reputation check is done or also sandboxing
• Keep email in quarantine while waiting for results
• Customize threshold to mark an attachment malicious
• Deliver without attachment while pending result

4. Sandbox detonation: Cisco
• Configure max delay for sandbox detonation
• ~500 filetypes supported for detonation
• Detonation is done only for files with active content in the file.
• Files with low risk are not sandboxed, to provide efficiency while keeping high security
• Sandboxing supported for files up to 100MB

4. Sandbox detonation: Microsoft
• Many customers experience delays with Safe Attachments
• Microsoft solved the delay issue with the dynamic delivery function, where the email is sent with a placeholder for the attachment until the scan is complete, yet the delay still reduces efficiency
• Exclusions are done per recipient, not sender based
• No options to customize or finetune

https://jocha.se/blog/tech/exchange-atp-attachment-delay

4. Sandbox detonation: Microsoft

• Monitoring mode adds delay to email processing
• No option to choose which filetypes not to sandbox
• No option to choose threshold to mark a file malicious

5. Marketing/Social Network/Bulk management
• Cisco
• Graymail Detection included in Essentials
• Detect automatically marketing, social media, and bulk sources
• Emails detected can be “tagged” for “inbox hygiene”
• End users can create rules in Outlook to keep graymail out of their inbox and directed to a dedicated folder
• Link to Admin guide
• Microsoft 365
• Bulk emails can be tagged as spam
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about
• Focus view in Outlook tries to separate marketing emails from business-critical ones, yet customers have complained that it does not do a good job of separating the two

6. VIP protection
• Cisco
• Forged Email Detection uses a dictionary of names to compare against the friendly-from header
• Uses fuzzy matching, and the similarity score threshold is configurable
• Can rewrite the friendly-from address with the envelope sender address
• Forged Email Detection is included in Essentials
• Link to Guide
• Microsoft 365
• Impersonation protection in anti-phishing is included with MDO plan 1.
• Will check similarity of the name in the friendly-from address and act on it
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure
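The display-name check both vendors describe on this slide, written out as an added example (not Cisco's Forged Email Detection implementation, nor Microsoft's): a fuzzy score of the From display name against a VIP dictionary with a configurable threshold, an exemption for internal senders, and the rewrite of the friendly name to the envelope sender. The VIP list, the internal domain and the sample headers are constructed.

```python
"""Forged Email Detection model (added illustration, not Cisco's implementation).

Scores the From display name against a dictionary of protected (VIP) names with a fuzzy
match, flags the message when the score reaches a configurable threshold and the address
is external, and applies the mitigation the slide mentions: rewriting the display name to
the envelope sender so the real address is what the recipient sees. The VIP list, the
internal domain and the sample headers are constructed.
"""
import re
from difflib import SequenceMatcher
from email.utils import formataddr, parseaddr
from typing import Dict, List, Optional

VIP_NAMES: List[str] = ["Alice Example", "Bob Example"]   # constructed dictionary
INTERNAL_DOMAINS = {"example.com"}                          # constructed


def _normalize(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so cosmetic tricks do not hide a match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def similarity(a: str, b: str) -> float:
    """Similarity in percent; 100.0 means identical after normalisation."""
    return round(SequenceMatcher(None, _normalize(a), _normalize(b)).ratio() * 100, 1)


def check_forged(from_header: str, envelope_sender: str, threshold: float = 80.0,
                 vip_names: List[str] = VIP_NAMES) -> Optional[Dict[str, object]]:
    """Return match details when an external sender's display name resembles a VIP, else None."""
    display, addr = parseaddr(from_header)
    if not display:
        return None                     # no display name to impersonate with
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if from_domain in INTERNAL_DOMAINS:
        return None                     # assumes SPF/DKIM/DMARC already validated internal senders
    best = max(vip_names, key=lambda vip: similarity(display, vip))
    score = similarity(display, best)
    if score < threshold:
        return None
    return {"vip": best, "score": score, "from": addr, "envelope_sender": envelope_sender}


def rewrite_from(from_header: str, envelope_sender: str) -> str:
    """Replace the friendly name with the envelope sender address, keeping the address part."""
    _, addr = parseaddr(from_header)
    return formataddr((envelope_sender, addr))


if __name__ == "__main__":
    header = '"AIice Example" <ceo-office@free-mail.example>'   # constructed lookalike (capital I for l)
    hit = check_forged(header, "ceo-office@free-mail.example")
    print(hit)
    if hit:
        print("rewritten From:", rewrite_from(header, hit["envelope_sender"]))
```

The threshold is the knob the slide calls configurable: a lower value catches more variants such as "Alice Example (CEO)" but raises false positives on common names, so it is normally tuned per policy together with the VIP list size.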

7. URL protection
• Cisco
• URL filtering is part of Essentials
• Ability to scan URLs from body and attachments
• Expanding short URLs supported
• Uses Talos Web Reputation score to identify malicious and suspicious links
• Also, web category can be identified (+80 web categories available)
• If a malicious link is found the email can be dropped/quarantined
• URL rewrite will provide protection at the moment of click
• URLs that appear in outbreak emails can be detonated in sandbox
• Retrospective URL filtering will act on email at the moment of new threat intelligence
• https://docs.ces.cisco.com/docs/url-defense
• https://docs.ces.cisco.com/docs/url-retro
• Microsoft 365
• Safe Links is included with MDO plan 1.
• Will protect inbound and internal messages by rewriting the URLs; if the website is malicious upon click, a block page is shown.
• Can be configured to detonate URLs that are suspicious or point to a file (will cause delays)
• Many websites show easy methods to bypass/hack Safe Links scanning, therefore leaving the end-user unprotected (google bypass safe link)
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about

7. URL protection: Cisco

7. URL protection: Microsoft

• Internal emails can be scanned, which is important to protect from insider threats.
• No option to quarantine emails with malicious links
• No option to replace links
• No option to protect from specific URL web categories
• No threshold options to customize when to block or behave differently

8. Attachment Control
• Cisco
• Block/quarantine/warn emails with dangerous attachments based on many factors:
• File extension, file type (fingerprint), MIME type, keyword in the document, keyword in the file name, macro detection (Adobe, Microsoft, or OLE type)
• RegEx can be used in rules
• Safe print action can help as well by transforming the original document into a pdf with screenshots of the original
• Link to guide

• Microsoft 365
• Configurable in anti-malware policy:
• “The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.”
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about

8. Attachment Control: Cisco

Attachments can be stripped and/or quarantined (for admin release) or the whole email can be dropped.

8. Attachment Control: Microsoft
• There is an option here to react to corrupted files or if scanning was not successful
• No option to identify files according to MIME type
• No option to detect macro-enabled attachments
• Limited to files up to 1MB (reference)

9. Outbreak protection
• Cisco
• Based on Cisco Talos telemetry, Cisco Secure Email Gateway is able to detect zero-day viral threats such as phishing and virus outbreaks:
• Get updated outbreak info every 5 minutes from Cisco Talos.
• Detect viral outbreaks based on attachments (viruses/malware).
• Detect viral outbreaks based on email content/URLs/other threats.
• A suspicious viral outbreak that was not recognized to be malicious can be sent to the end user with warnings and URLs rewritten.
• Link to Admin Guide
• Microsoft 365
• Only virus-based outbreak protection:
• Updates every 2 hours
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about

9. Outbreak protection: Cisco
• Outbreak filter configuration per sender/recipient or group policy
• Define action if delivered to end-user
• Manage the max time to delay
• Customize the threat level threshold for temporarily quarantining an outbreak email

10. Safe Unsubscribe
• Cisco
• Graymail Safe Unsubscribe helps end-users unsubscribe from marketing emails
• Banner added on top of the email.
• Unsubscribe link is rewritten to redirect the end user to the automated unsubscribing process from Cisco.
• Feedback is provided if the unsubscribing from the email was successful. In case it was not, the original link is provided for manual unsubscribing.
• Link to Admin guide
• Microsoft 365
• Does not provide this functionality to enterprise/business customers; for consumers on outlook.com it is available.
• For consumers the behaviour is the same but without the feedback on whether the automated process was successful or not.

11. Password Protected file analysis
• Cisco
• Starting from version 14.0, Cisco Secure Email Gateway is able to analyse password protected files.
• Body is parsed for detection of the password
• Admin can provide a list of passwords to test in case the body did not contain one
• Can be enabled separately per inbound and/or outbound traffic
• Malware Defense will be able to sandbox the attachment to reveal potential threats
• Encrypted files can also be handled based on AV scanning results and content/message filters
• Actions could be removing the attachment, quarantining the email, adding disclaimers or warnings
• Link to Guide
• Microsoft 365
• Does not provide this feature
• You can only create a message rule to act on emails that have password protection

11. Password Protected file analysis: Cisco

12. Automatic Mailbox Remediation
• Cisco
• Attachment based remediation
• When a file that initially was deemed “clean” or “unknown” gets a verdict update from the Cisco Talos AMP reputation DB, a retrospective alert is raised and, utilizing the Microsoft Graph API, the delivered email can be remediated automatically.
• https://docs.ces.cisco.com/docs/office-365-configuration-guide
• URL based remediation
• Same as with attachment based but for URLs. Available for Cloud and on-premise Gateway and Email Threat Defense. Guide https://docs.ces.cisco.com/docs/url-retro

• Microsoft 365
• Feature is called ZAP, and functions for spam, phishing emails (URL based), and malicious attachments.
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge

13. On-demand Mailbox Remediation
• Cisco
• Available in Essentials license and Email Threat Defense
• Search emails with the Message tracking tool and select the emails you want to remediate
• Reporting shows the result of remediation and whether the remediated email was read by the recipient
• https://docs.ces.cisco.com/docs/office-365-configuration-guide
• Microsoft 365
• Using PowerShell, it is possible to remediate emails, but it is a slow and tedious task and requires many manual steps
• In Microsoft Defender for Office 365 plan 2, you get access to Threat Explorer where you can initiate email remediation from the GUI
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365

13. On-demand Mailbox Remediation:
Cisco Cloud Email Gateway
Easy remediation in three steps with Message tracking:
1. Find the email(s) with message tracking
2. Select the emails
3. Choose remediation action

13. On-demand Mailbox Remediation:
Cisco Cloud Email Gateway
Get clear reporting on remediation success and indication if the message was read by the recipient

13. On-demand Mailbox Remediation:
Cisco Email Threat Defense
Easy remediation in three steps:
1. Find the email(s) with message search
2. Select the emails (optional: change the verdict)
3. Choose remediation action

14. Data Loss Prevention
• Cisco
• Included in Advantage or can be bought separately
• GUI based configuration with templates and customizations
• Over 180 DLP templates available and ready to use. All of them are customizable and new templates can be created
• Link to Admin Guide
• Microsoft 365
• Used to be available in the base EOP license level but now deprecated and migrated to Microsoft Purview, which is included in E5.
• https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp

15. Envelope Encryption
• Cisco
• Included in Advantage or can be bought separately
• Cloud based decryption key storage
• Very similar to Microsoft’s OME service: email is encrypted based on conditions, the decryption key is sent to the cloud storage CRES (Cisco Registered Encryption Service), and the recipient receives an email with an HTML attachment. The HTML attachment is the encrypted email and can be opened with any modern web browser; the decryption key is fetched from the cloud (with recipient validation) and the message is decrypted and shown.
• Link to Admin guide
• Microsoft 365
• Legacy OME and IRM are available on the EOP license if these were activated. Microsoft is likely to deprecate these functions soon and force customers to use Microsoft Purview.
• https://learn.microsoft.com/en-us/microsoft-365/compliance/legacy-information-for-message-encryption
• https://learn.microsoft.com/en-us/microsoft-365/compliance/email-encryption

16. 3rd party threat feed
• Cisco
• Feature in Essentials called External Threat Feeds and DNS lists
• External Threat Feeds
• Configure up to 8 IoC threat feed sources based on STIX over the TAXII protocol
• IoC types supported: IP address, Domain, URLs, and File hash
• Link to Admin guide
• DNS list
• Get blacklisted IP addresses to block from a DNS record
• Link to Admin guide

• Microsoft 365
• Not a native Exchange Online feature, nor available as security policy.
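What an External Threat Feeds integration actually does with a STIX bundle once it has been pulled over TAXII, as an added example (not Cisco's feature code): the simple comparison patterns for the four IoC types listed above are turned into typed block lists, a message's sender IP, sender domain, body URLs and attachment hashes are checked against them, and a small helper builds the reversed-octet query name a DNS list lookup uses. The bundle, the message and the attachment bytes are constructed inline; the TAXII transport itself is out of scope, and the DNSBL zone name is a placeholder.

```python
"""IoC block list from a STIX 2.1 bundle (added illustration, not Cisco's External Threat Feeds code).

Parses the simple comparison patterns a feed typically publishes for the four IoC types the
slide lists (IP address, domain, URL, file hash) and checks one message's sender IP, sender
domain, body URLs and attachment hashes against them. The bundle is constructed inline as if
it had just been fetched from a TAXII collection (transport is out of scope here). The DNS-list
helper only builds the reversed-octet query name a DNSBL lookup uses; the zone is a placeholder.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

ATTACHMENT = b"constructed sample attachment, not real malware"
SAMPLE_HASH = hashlib.sha256(ATTACHMENT).hexdigest()

BUNDLE = {   # constructed STIX 2.1 bundle; only the fields this parser reads are present
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.9']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "pattern": "[url:value = 'http://bad.example/login']"},
        {"type": "indicator", "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
        # compound pattern: not a single comparison, so it is skipped rather than guessed
        {"type": "indicator",
         "pattern": "[ipv4-addr:value = '198.51.100.9' OR domain-name:value = 'x.example']"},
        {"type": "malware", "name": "not an indicator"},
    ],
}

_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\]$")
_TYPE_MAP = {
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip", "domain-name:value": "domain",
    "url:value": "url", "file:hashes.'SHA-256'": "sha256", "file:hashes.'MD5'": "md5",
}
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def load_iocs(bundle: dict) -> Dict[str, Set[str]]:
    """Collect IoC values by type from every single-comparison indicator pattern."""
    iocs: Dict[str, Set[str]] = {t: set() for t in set(_TYPE_MAP.values())}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match or match.group(1) not in _TYPE_MAP:
            continue
        ioc_type, value = _TYPE_MAP[match.group(1)], match.group(2)
        iocs[ioc_type].add(value if ioc_type == "url" else value.lower())
    return iocs


def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def match_message(sender_ip: str, sender_domain: str, body: str,
                  attachments: List[bytes], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) hits for one message, in the order they were checked."""
    hits: List[Tuple[str, str]] = []
    if sender_ip in iocs["ip"]:
        hits.append(("ip", sender_ip))
    if sender_domain.lower() in iocs["domain"]:
        hits.append(("domain", sender_domain.lower()))
    for url in _URL_RE.findall(body):
        if url in iocs["url"]:
            hits.append(("url", url))
        if _host(url) in iocs["domain"]:
            hits.append(("domain", _host(url)))
    for data in attachments:
        digest = hashlib.sha256(data).hexdigest()
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest))
    return hits


def dnsbl_query_name(ip: str, zone: str = "dnsbl.example") -> str:
    """Reverse the octets of an IPv4 address to form the DNS-list lookup name."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    feed = load_iocs(BUNDLE)
    print(match_message("198.51.100.9", "news.example",
                        "Log in at http://bad.example/login today", [ATTACHMENT], feed))
    print(dnsbl_query_name("198.51.100.9"))
```

Compound patterns (AND/OR, ranges) are deliberately skipped instead of partially matched, which is the safe failure mode for a block list: an indicator you cannot interpret should not silently become a broader block.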

17. DMARC/SPF/DKIM
• Cisco
• Easily configure actions based on SPF/DKIM/DMARC authentication results
• Sending DMARC aggregate reports to email senders is supported
• DKIM signing for outbound emails is supported, with options to sign with separate keys based on domains and users
• Link to Admin guide
• Microsoft 365
• Supports authentication of incoming email with DMARC, DKIM, and SPF
• Finally, Microsoft supports creating a policy for DMARC fail behaviour: honour the policy or override it. Microsoft now also supports sending DMARC aggregate reports
• Good thing is that Microsoft does support the ARC protocol, which improves DMARC authentication validation
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure
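The "honour or override" choice both products expose above is a small decision procedure on top of the SPF and DKIM results; the following added example (not Cisco's or Microsoft's code) works it through: the sender's DMARC record is parsed for its p=, adkim= and aspf= tags, identifier alignment is checked in strict or relaxed mode, and the disposition either follows the published policy or a local override action. The organizational domain is approximated as the last two labels (production code would consult the Public Suffix List); all domains and records are constructed.

```python
"""DMARC disposition evaluator (added illustration, not Cisco's or Microsoft's code).

Takes the SPF and DKIM results an MTA has already computed, checks identifier alignment
against the tags in the sender's DMARC record and returns the disposition, either honouring
the published policy (p=none/quarantine/reject) or overriding it with a local action. The
organizational domain is approximated as the last two labels; production code would consult
the Public Suffix List. All domains and records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class AuthResults:
    from_domain: str      # RFC5322.From domain, the one the user sees
    spf_result: str       # "pass", "fail", "softfail", "none", ...
    spf_domain: str       # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str      # "pass", "fail", "none"
    dkim_domain: str      # d= tag of the verified signature, "" when unsigned


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels (a PSL lookup is needed for e.g. co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(auth: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, published_policy)."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, auth.from_domain, tags["adkim"])
    return ("pass" if (spf_ok or dkim_ok) else "fail"), tags["p"]


def disposition(auth: AuthResults, record: str, honor_policy: bool = True,
                override_action: str = "quarantine") -> str:
    """Map the DMARC result to deliver/quarantine/reject, honouring or overriding p=."""
    result, policy = evaluate(auth, record)
    if result == "pass":
        return "deliver"
    if not honor_policy:
        return override_action
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    forged = AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example")
    print(evaluate(forged, "v=DMARC1; p=reject"), disposition(forged, "v=DMARC1; p=reject"))
```

The forged case in the main block is the one that matters: SPF and DKIM both pass for the attacker's own domain, yet DMARC fails because neither identifier aligns with the From domain the user sees; a gateway that looked only at the raw SPF/DKIM results would deliver it.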

17. DMARC/SPF/DKIM: Cisco
• Create easy content filters that can be applied per incoming mail policy
• These can also be combined with other conditions such as domain reputation
• Many actions are available such as quarantine and adding a warning
• Choose for different sender groups a DMARC profile which either overrides policy actions or honors them
17. DMARC/SPF/DKIM: Microsoft

• This is configured under anti-phishing policy actions
• Finally, it is possible to honor DMARC policies p=reject
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure

18. DANE/MTA-STS
• Cisco
• For outbound traffic DANE support is available
• Configuration on per domain basis to mandate DANE or have it opportunistic
• Link to guide
• MTA-STS is currently on roadmap
• Microsoft 365
• Supports today both MTA-STS and DANE for outbound traffic.
• Not configurable, enabled natively for all customers
• https://learn.microsoft.com/en-us/microsoft-365/compliance/how-smtp-dane-works
• https://learn.microsoft.com/en-us/microsoft-365/compliance/enhancing-mail-flow-with-mta-sts

19. Reports
• Cisco
• Vast range of reports which can be viewed easily based on time range
• Schedule reports to be sent as pdf periodically
• Reporting data is stored as long as there is disk space available. Most customers can easily view a year's worth of data.
• All reports are available in a single dashboard
• Many of the reports are “clickable” to make investigations of interesting events easier
• Microsoft 365
• Reports at the EOP level are limited and not as flexible to customize based on time range
• More reports are enabled according to the license level
• Reports related to email security are scattered across many different dashboards, which can make it hard to find a certain report

19. Reports: Cisco Secure Email Gateway

Easy to read reports
Select the time range

19. Reports: Cisco Secure Email Gateway
See detailed reports based on features

19. Reports: Cisco Secure Email Gateway

Click to find emails related to a report and do deeper analysis

19. Reports: Cisco Secure Email Gateway

Get a human-readable and detailed report of sandbox file analysis

19. Reports: Cisco Secure Email Threat Defense

19. Reports: Cisco Secure Email Threat Defense

19. Reports: Cisco Secure Email Threat Defense

19. Reports: Microsoft
• https://admin.exchange.microsoft.com/#/reports/mailflowreportsmain
• https://security.microsoft.com/securityreports
• Which dashboard to use and when? Takes a bit of time to get used to

20. Message logs
• Cisco
• Granular options to create a search query to find emails in the message logs
• Quick and fast analysis of the final action, message processing, and detailed log entries of various types of scanning results and verdicts
• Message tracking data is limited only by disk space
• If needed, there is a new option to configure auto-purge of data after a certain number of days

• Microsoft 365
• EOP comes with message trace, which is very limited in terms of search parameters and the details it outputs
• If data is required from an email event that occurred more than 10 days ago, the results are sent as a CSV file per email, which takes time and makes troubleshooting very slow
• Microsoft Defender for Office 365 plan 2 has Threat Explorer, which improves email analysis and threat investigations

20. Message logs: Cisco Secure Email Gateway

Granular search parameters help analyze and troubleshoot faster

20. Message logs: Cisco Secure Email Gateway

Quick view provides immediate visibility of last action and processing pipeline.

20. Message logs: Cisco Secure Email Gateway
More details shows line-by-line information about scanning results and verdicts.

20. Message logs: Cisco Secure Email Threat Defense

Use search bar to find any email based on URLs, subject, IP…

20. Message logs: Cisco Secure Email Threat Defense

Filters can be used to narrow down search results

20. Message logs: Cisco Secure Email Threat Defense

Detailed analysis on technique used

20. Message logs: Microsoft
Only fewer than 10 days and a summary report are shown on the dashboard. More days or more detailed reports are available as CSV, which usually takes time to generate.

20. Message logs: Microsoft

On the message trace summary report, very little information is given. With Microsoft Defender for Office 365 plan 2 this improves with the Real-Time detections tool and the Threat Explorer tool.

21. Log export
• Cisco
• Exporting logs for email events, connection events and many other types is easy to configure
• Logs are automatically exported via syslog push, FTP push, SCP push, and AWS S3 push (for CEF logs)
• Logs can also be pulled through the REST API
• CEF formatted logs supported
• Logs can also be kept in the gateway; data retention is according to disk space
• Link to Admin Guide
• Microsoft 365
• Supports today only SIEM-based API integration with Microsoft Defender for Office 365 plan 1
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti
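The CEF format mentioned above is what a SIEM receives from the gateway's syslog or S3 push; the added example below (not Cisco's log definition or export code) parses it correctly, including the two escapes that trip up naive split-on-pipe parsers, and shows two things a SIEM would then do with the events. The three sample lines, the vendor and product strings, the signature IDs and the verdict labels are constructed.

```python
r"""CEF log parser for exported gateway events (added illustration, not Cisco's log definition).

A CEF line has seven pipe-separated header fields followed by key=value extensions; a literal
'|' in the header is escaped as '\|' and a literal '=' in an extension value as '\='. The
parser handles both escapes, then two helpers show what a SIEM would do with the events.
The sample lines, vendor and product strings, signature IDs and verdict labels are constructed.
"""
import re
from typing import Dict, List

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample export: three message events as a gateway might push them to syslog.
SAMPLE_LINES = [
    r"CEF:0|ExampleVendor|Example Email Gateway|1.0|100|Message accepted|3|"
    r"src=203.0.113.5 suser=news@sender.example duser=bob@example.com act=DELIVERED "
    r"cs1Label=Verdict cs1=CLEAN",
    r"CEF:0|ExampleVendor|Example Email Gateway|1.0|200|Spam positive \| quarantined|7|"
    r"src=198.51.100.9 suser=promo@bulk.example duser=alice@example.com act=QUARANTINED "
    r"msg=Subject\=Final notice cs1Label=Verdict cs1=SPAM_POSITIVE",
    r"CEF:0|ExampleVendor|Example Email Gateway|1.0|300|Malware attachment dropped|9|"
    r"src=192.0.2.44 suser=hr@careers.example duser=alice@example.com act=DROPPED "
    r"fname=resume.docm cs1Label=Verdict cs1=MALWARE",
]

_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _split_header(line: str):
    """Return the seven header fields (escapes resolved) and the raw extension string."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):       # \| or \\ inside a header field
            current.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v2' pairs; a value runs until the next whitespace-preceded key."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line)
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["version"] = header[0][len("CEF:"):]
    event["severity"] = int(header[6])
    event["extension"] = _parse_extension(ext)
    return event


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [parse_cef(line) for line in lines if line.strip()]


def events_at_least(lines: List[str], min_severity: int) -> List[Dict[str, object]]:
    """Events a SIEM rule would alert on: severity at or above the threshold."""
    return [e for e in parse_lines(lines) if e["severity"] >= min_severity]


def actions_by_recipient(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count final actions per recipient, e.g. to spot who is being targeted most."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in parse_lines(lines):
        ext = e["extension"]
        rcpt, act = ext.get("duser", "?"), ext.get("act", "?")
        summary.setdefault(rcpt, {})
        summary[rcpt][act] = summary[rcpt].get(act, 0) + 1
    return summary


if __name__ == "__main__":
    for event in events_at_least(SAMPLE_LINES, 7):
        print(event["severity"], event["name"], event["extension"].get("duser"))
    print(actions_by_recipient(SAMPLE_LINES))
```

Splitting on "|" and "=" without honouring the escapes is the usual bug in home-grown CEF ingestion; it breaks exactly on the events that matter, since subjects and URLs in spam and phishing messages routinely contain both characters.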

22. Phishing Simulation
• Cisco
• Included in Premium license level or can also be bought separately – Cisco Secure Awareness Training
• Very similar to Microsoft’s phishing simulation
• https://docs.ces.cisco.com/docs/cisco-security-awareness
• Microsoft 365
• Included in Microsoft Defender for Office 365 plan 2
• On par with Cisco
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started

23. Awareness Training
• Cisco
• Included in Premium license level or can also be bought separately – Cisco Secure Awareness Training
• Very similar to Microsoft’s Awareness training
• https://docs.ces.cisco.com/docs/cisco-security-awareness
• Microsoft 365
• Included in Microsoft Defender for Office 365 plan 2
• On par with Cisco
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started

24. Internal Traffic Protection
• Cisco
• Included in Premium license level or can be bought as standalone Cisco Secure Email Threat Defense
• Full scan of emails traversing the same Microsoft 365 tenant
• Spam, Phishing, URLs, Attachments with sandboxing, BEC, etc.
• https://docs.ces.cisco.com/docs/email-threat-defense
• Microsoft 365
• Only Safe Links and anti-malware can be applied to internal traffic
• Safe Links does not prevent traffic, only rewrites URLs
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about#safe-links-settings-for-email-messages
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-faq#does-the-service-scan-internal-messages-for-malware-

25. Automation
• Cisco
• Part of Essentials license level – Cisco XDR
• Integrate all Cisco and third-party security products into one dashboard to help with threat hunting and automated workflows
• https://docs.ces.cisco.com/docs/cisco-secure-email-securex-extending-email-protection-and-integrations-beyond-the-gateway

• Microsoft 365
• Automated investigation and response is part of MDO plan 2
• No support for third-party
• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about

Licensing
• Cisco
• Licensing is based on seats (users) and subscription term.
• Trust based license
• Possibility to apply add-ons to only a subset of users
• No surprises with billing

• Microsoft 365
• License is based on mailboxes and subscription term.
• Licenses are enforced
• The Defender for O365 licenses can’t be restricted to a subset of users. If the license is bought for a subset of users, and Defender level features are used by the other users, Microsoft will bill the customer for it at the end of the subscription.
https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance

