Microsoft earns high marks for email security, but experts say it doesn't do enough

Microsoft Logo at Ignite
Microsoft Logo at Ignite (Image credit: Windows Central)

What you need to know

  • Microsoft was named a leader in 2021 enterprise email security in The Forrester Wave.
  • Security company Egress appears to disagree, as explained in a recent report about data loss related to outbound emails.
  • The report from Egress calls outbound emails "Microsoft 365's security blind spot."

Microsoft was named as a leader in enterprise email security in The Forrester Wave, a guide designed to help inform people about purchasing options in the technology marketplace. Microsoft received high scores in the strategy category, as explained in a Microsoft security post (opens in new tab). Despite earning high marks, security company Egress appear to have different thoughts. A recent report by Egress highlights a "blindspot" in Microsoft 365: Outbound emails.

In The Forrest Wave report, Microsoft Defender for Office 365 received the highest score possible in regards to incident response, threat intelligence, and endpoint detection and response solutions. It also received the highest marks possible in product strategy, customer success, and performance and operations.

"Together, Microsoft Defender for Office 365 and Microsoft 365 Defender help customers reduce gaps in coverage by trading disparate point solutions for comprehensive coverage," reads Microsoft's security blog post.

In contrast, Egress reports that "85% of organizations using Microsoft 365 have had an email data breach in the last 12 months." Egress also states that organizations with Microsoft 365 experience more incidents than those without it.

The report adds that "Organisations using Microsoft 365 have seen a 67% increase in data leaks via email since March 2020 – compared to just 32% of the businesses who don't use it."

These conflicting reports need to be placed in context. Microsoft's reputation has taken a hit when it comes to security due to the recent attack on Microsoft Exchange servers. Despite these recent issues, Microsoft is active on the security front and wants to highlight that. On the other side, Egress emphasizes security flaws related to Microsoft software and recommends purchasing its Intelligent Email Security Software.

There's room for both of these reports to be accurate, as the companies each address security from different angles.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at (opens in new tab).

  • I suspect the criticism is the ease with which you can share secure information via Exchange with people outside the organization, and if you share it as an open link, it can then be trivially shared with the rest of the world. It is possible to lock this down with care or with Microsoft add-ons that force proper security behavior too. But a key distinction is that when managing security, we tend to think differently about hacking attacks than we think about employees giving away the secrets. External attacks are ongoing and the only way to stop them is with good security systems. For internal failures, on the other hand, at least we know that they only happen if a colleague actively does something wrong. Unfortunately, internal failures are just as common a source of problems.
  • Cause and effect might be reversed, a way to skew your numbers if you need to cast shade. It might be simply that larger orgs with magnitudes higher email output use M365 for emails. Smaller companies might not. In essence, data leaks might not even correlate to which kind of mail ecosystem one uses.
  • It’s mostly due to the fact that everyone who uses M365 has a front door at You don’t have to go looking for obscure EAS URLs. It’s not that on premises Exchange is more secure, it’s just harder to find.
  • "On the other side, Egress emphasizes security flaws related to Microsoft software and recommends purchasing its Intelligent Email Security Software. " Talk of burying the lede. It's not unlike how all the breathless reports on "piracy" losses come from companies selling anti-piracy services rather than outfits that aren't selling elephant repellent. To sell a "crisis solution" you first have to create a crisis atmosphere.