Microsoft email security: important update for all broadcast email senders
In the last few years, big tech has taken an increasingly strong position on email security. In 2021, Apple launched Apple Mail Privacy Protection, which opts users in by default to a service that opens all emails through a proxy in front of the recipient’s mailbox, thereby shielding that user’s IP address and making email open statistics for those mailboxes unreliable. At the end of last year, Google and Yahoo announced sweeping changes to their email services to enhance security on their platforms, including requirements for TLS transport encryption and the SPF, DKIM and DMARC authentication standards, maximum user-reported spam rates, and compliance with web standards for List-Unsubscribe links in email headers.
While those changes in security have been made very public by the companies involved, there are other changes among the big email providers that are not being made public by their orchestrators, and are perhaps just as impactful. Most notably, Microsoft has been gradually turning up the dial on security services across its various email platforms, including its Microsoft Defender and Safe Links products. While neither service is new by any stretch of the imagination (Defender dates back to 2006 in various guises, and Safe Links to 2015), the aggressiveness with which these services are applied, and their impact on systems that encounter them, is changing dramatically.
Link Scanning
In particular, Engaging Networks has noted a significant increase in the amount of link scanning performed by the Microsoft Corporation on broadcast emails sent from our systems. We can tell when email links are being scanned by Microsoft from the IPs involved, and because the pattern of traffic matches the volume of emails sent from our servers within a given window immediately after an email is sent. Typically you’ll see an email being sent out and then an immediate response from Microsoft servers as requests are submitted for all of the links in these emails to check their authenticity (we may receive hundreds of thousands of requests from Microsoft within a matter of minutes). Obviously this pattern of traffic does not reflect the normal pattern you’d expect of human interaction with the content, which would typically be spread more gradually over time.
From the data we’ve collected, it’s unclear exactly why Microsoft scans when it does. The scanning is intermittent and doesn’t appear to be limited to specific domains that might be on a ‘watch list’. While one sender might have all of its links scanned on one occasion, they may not be scanned again for months. We’ve also noted Microsoft scanning immediately after an email is sent, and as long as 30 days after it was originally sent. It’s difficult to pinpoint a rhyme or reason to it all, and indeed it may well be that the scans are indiscriminate and taken from random samples as opposed to targeted in any way.
There are many knock-on effects of all this, most notably the impact on link tracking. For example, once a tracked link is scanned by Microsoft, a click-through may be recorded in our database that’s then reflected in reporting on email engagement that can be seen from the front-end of the Engaging Networks application. Not only is this click not legitimate, it also stops subsequent legitimate clicks by the intended recipient from being recorded. This is because click-throughs on tracked links will only ever be recorded the first time, for reasons of both accuracy in reporting and security.
From the research that we’ve done so far on security scanning, it would appear that Microsoft is deploying these scans across its full fleet of email services, so that includes the domains of paying Office 365 subscribers as well as the users of its free webmail services such as hotmail.com and outlook.com. The implications of this are far reaching, and more or less nullify the relevance of click-through reporting as a reliable engagement metric in email marketing when sending to Microsoft systems. As we’ve also seen email open pixels being scanned by Microsoft security, this casts significant doubt on email open reporting for emails sent to Microsoft mail platforms as well.
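As an added illustration (not code from Engaging Networks), the following separates the burst of requests that arrives seconds after a send from the gradual clicks a human audience produces, and then applies first-click-only attribution over the human clicks only, so a scan cannot consume the single recorded click for a link. The log lines, send time and the 203.0.113.0/24 scanner range are constructed placeholders; real scanner ranges would come from your own logs.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample click log: "timestamp link_id source_ip". Not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:04Z L1 203.0.113.10
2024-03-01T10:00:05Z L2 203.0.113.11
2024-03-01T10:00:05Z L3 203.0.113.10
2024-03-01T10:00:06Z L1 203.0.113.12
2024-03-01T10:00:07Z L2 203.0.113.13
2024-03-01T10:00:07Z L3 203.0.113.11
2024-03-01T10:23:41Z L1 198.51.100.7
2024-03-01T11:15:09Z L2 198.51.100.8
2024-03-02T09:02:30Z L1 198.51.100.9
"""

SEND_TIME = datetime.fromisoformat("2024-03-01T10:00:00+00:00")
# Placeholder range standing in for the scanner's source addresses (assumption).
SCANNER_NETS = [ip_network("203.0.113.0/24")]
BURST_WINDOW = timedelta(seconds=60)   # how soon after the send a burst lands
BURST_MIN_CLICKS = 5                   # clicks across several links in that window

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, link, ip = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), link, ip_address(ip)))
    return rows

def classify(rows, send_time=SEND_TIME):
    """Split clicks into 'scan' and 'human' using the two signals described above:
    a known scanner source range, or a burst of clicks over many different links
    right after the send, which a human audience does not produce."""
    in_window = [r for r in rows if send_time <= r[0] <= send_time + BURST_WINDOW]
    burst = len(in_window) >= BURST_MIN_CLICKS and len({r[1] for r in in_window}) > 1
    scans, humans = [], []
    for ts, link, ip in rows:
        from_scanner = any(ip in net for net in SCANNER_NETS)
        in_burst = burst and send_time <= ts <= send_time + BURST_WINDOW
        (scans if from_scanner or in_burst else humans).append((ts, link, ip))
    return scans, humans

def first_human_click(rows):
    """First-click-only attribution, counted over human clicks so a scan does not
    use up the one recorded click per link. Returns {link_id: first human IP}."""
    _, humans = classify(rows)
    first = {}
    for ts, link, ip in sorted(humans):
        first.setdefault(link, str(ip))
    return first
```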
Perhaps even more problematically, it calls into question whether One-Click Unsubscribe links in Engaging Networks emails are at risk of being submitted by these security scans, thereby illegitimately unsubscribing recipients from future communications by requesting an opted-out status. What we’ve found so far from testing is that Microsoft partially scrambles the hash of our One-Click Unsubscribe links, so where you might see a tracked One-Click Unsubscribe link like this:
https://test.engagingnetworks.app/page/unsubscribe?q=1299&p=80212&b=12659&hash=S706y%2Fh62mgXQ1qol0GvF%2FNmh%2Fomfvs4mZAK81VjEpg=
Microsoft will then scramble the hash randomly as below:
http://test.engagingnetworks.app/page/unsubscribe?q=1299&p=80212&b=12659&hash=F039l/u95ztKD4dby3TiA/Azu/bzaif7zMBX14IwFct=
This therefore stops the One-Click link from unsubscribing supporters unintentionally. However, we have seen isolated cases where this hash has not been scrambled by Microsoft and one-click unsubscribes have been submitted by its scans. We’ve also seen this with other security services such as those provided by Barracuda Networks, which are often paired with the Office 365 platform. To be absolutely sure scans from any of these platforms are not impacting your subscriber lists with unintended unsubscribes, we recommend senders only use Subscription Management Pages for the unsubscribe links in emails and remove any One-Click Unsubscribe links from their email templates.
IMPORTANT NOTE: when we refer to ‘One-Click Unsubscribe’ in this article, what’s meant is the type of unsubscribe link that’s selected from Engaging Networks tools and set in the body of an email. This is not to be confused with the similar terminology of ‘List-Unsubscribe’ headers or ‘List-Unsubscribe One-Click’, which are used more widely in the email sector and defined in RFC 2369 and RFC 8058.
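To show why a scrambled hash protects a recipient while an unscrambled one does not, here is an added example (not Engaging Networks’ code; the actual signing scheme behind the hash parameter is not described on this page and is assumed here to be a base64 HMAC-SHA256 over the q, p and b parameters, with a constructed secret). A link whose hash a scanner has altered fails verification and must not change anyone’s subscription; a link the scanner submits untouched verifies exactly as a human click would.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real key lives server-side only.
SECRET = b"example-secret-not-real"
BASE = "https://test.engagingnetworks.app/page/unsubscribe"

def sign(params):
    """Assumed scheme: HMAC-SHA256 over q, p, b in a fixed order, base64-encoded
    (44 characters, the same shape as the hash values quoted above)."""
    msg = "&".join(f"{k}={params[k]}" for k in ("q", "p", "b")).encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha256).digest()).decode()

def build_link(q, p, b):
    params = {"q": q, "p": p, "b": b}
    params["hash"] = sign(params)
    return f"{BASE}?{urlencode(params)}"   # urlencode turns '/' into %2F as in the example link

def verify_link(url):
    """Return (q, p, b) when the hash is genuine, else None. The caller must only
    act on the unsubscribe when this returns a tuple."""
    qs = parse_qs(urlsplit(url).query)
    try:
        params = {k: qs[k][0] for k in ("q", "p", "b")}
        supplied = qs["hash"][0]
    except KeyError:
        return None
    if not hmac.compare_digest(supplied, sign(params)):
        return None
    return (params["q"], params["p"], params["b"])
```

Verification only rejects scans that have scrambled the hash; a scan that submits the original link untouched is indistinguishable from the recipient, which is why a confirmation page rather than a one-click GET is the safer design.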
Safe Links and Pre-Populated Forms
In addition to link scanning, Microsoft also provides a service under its ‘Safe Links’ tools that rewrites outgoing links in emails. When an Office 365 user clicks on a link in the body of an email, Microsoft first sends that request to a ‘safe’ domain that it controls before forwarding the request on to the link originally specified in the email body. This serves as a proxy, thereby protecting the user who clicked the link from anything malicious and allowing the request to pass through Microsoft security first. There are specific policies and rules in Office 365 accounts that govern how ‘Safe Links’ is applied, so the feature is employed to varying degrees from one Office 365 controlled domain to another.
The main takeaway from this is that it compromises the pre-population features used in some Engaging Networks tools because (as noted earlier) tracked links are only accepted by our systems once, for reasons of both accuracy and security. So, for example, the Next Suggested Gift feature relies on the initial submission of a tracked link from our emails; when that submission is passed through Microsoft Safe Links first, our forms are no longer pre-populated with a next suggested gift by the time the link rewritten by Microsoft is submitted. Security scans also compromise pre-population in this way, of course. However, while Microsoft’s use of security scanning is intermittent and occasional, Safe Links is always applied for Office 365 accounts with a policy that enables the feature. This means that our pre-populated forms will never work for any Office 365 accounts using Safe Links.
Pre-population of forms is also a feature we use more widely on any tracked links that are sent within emails from our systems, so when a supporter clicks on a Safe Link to take action from an email, they will find an empty form on the destination page as opposed to a pre-populated one. This issue, then, while perhaps not as far-reaching as the pre-emptive security scanning we first outlined above, may well still be something broadcast senders should keep in mind when engaging with their supporters using the Office 365 platform.
What Next?
If you are at all unsure of the best approach for your organisation to these evolving changes in the email landscape, please don’t hesitate to reach out to our support team or your Account Services Manager for more information. Engaging Networks is continuing to investigate ways we can adjust our own systems to mitigate the measures employed by Microsoft and other providers that we’ve outlined above and, as we roll out any new measures, this page will be updated with more details on those measures, how they work, and what they mean for your emails.