Network security overview

How do Microsoft online services secure the network boundary?

Microsoft online services employ multiple strategies for securing their network boundary, including automated detection and prevention of network-based attacks, specialized firewall devices, and Exchange Online Protection (EOP) for anti-spam and anti-malware protection. In addition, Microsoft online services separate their production environments into logically isolated network segments, with only necessary communication permitted between segments. Network traffic is secured using additional network firewalls at boundary points to help detect, prevent, and mitigate network attacks.

How do Microsoft online services defend against DDoS attacks?

Microsoft's large internet presence insulates it from the negative effects of many distributed denial-of-service (DDoS) attacks. Distributed instances of each Microsoft online service and multiple routes to each service limit the impact of DDoS attacks against the system. This redundancy improves Microsoft online services' ability to absorb DDoS attacks and increases the amount of time available to detect and mitigate DDoS attacks before they impact service availability.

In addition to Microsoft's redundant system architecture, Microsoft uses sophisticated detection and mitigation tools to respond to DDoS attacks. Special-purpose firewalls monitor and drop unwanted traffic before it crosses the boundary into the network, reducing stress on systems located inside the network boundary. To further protect its cloud services, Microsoft uses a DDoS defense system deployed as part of Microsoft Azure. The Azure DDoS defense system is designed to withstand attacks from the outside and from other Azure tenants.

How does Microsoft protect users against spam and malware being uploaded or sent through online services?

Microsoft online services build antimalware protection into services that might be vectors for malicious code, such as Exchange Online and SharePoint Online. Exchange Online Protection (EOP) scans all emails and email attachments for malware as they enter and exit the system, preventing infected messages and attachments from being delivered. Advanced spam filtering is automatically applied to inbound and outbound messages to help prevent customer organizations from receiving and sending spam. This layer of protection guards against attacks that take advantage of unsolicited or unauthorized email, such as phishing attacks.

SharePoint Online uses the same virus detection engine to selectively scan uploaded files for malware. If a file is marked as infected, users are prevented from downloading or syncing the file to protect client endpoints.

Similarly, Azure compares hashes related to files uploaded to Azure Storage with the hashes of known malware. When matches are found, an alert is raised in Microsoft Defender for Cloud, where a decision is made about the legitimacy of the alert and how it should be addressed.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to network security.

Azure and Dynamics 365

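| External audits | Section | Latest report date |
|---|---|---|
| | VM-1: Security event logging | August 24, 2023 |
| | VM-3: Intrusion detection and monitoring | August 24, 2023 |
| | VM-4: Malicious events investigation | August 24, 2023 |
| | VM-6: Vulnerability scanning | August 24, 2023 |
| | VM-7: Network device configuration | August 24, 2023 |
| | VM-8: Penetration testing | August 24, 2023 |
| | VM-9: Network device security event logging | August 24, 2023 |
| | VM-13: Network device vulnerability mitigation | August 24, 2023 |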

Microsoft 365

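| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP (Office 365) | SC-5: Denial of service protection | July 31, 2023 |
| FedRAMP (Office 365) | SC-7: Boundary protection | July 31, 2023 |
| FedRAMP (Office 365) | SI-2: Flaw remediation | July 31, 2023 |
| FedRAMP (Office 365) | SI-3: Malicious code protection | July 31, 2023 |
| FedRAMP (Office 365) | SI-8: Spam protection | July 31, 2023 |
| SOC 1 | CA-27: Vulnerability Scanning | January 3, 2023 |
| SOC 2 | CA-27: Vulnerability Scanning | January 3, 2023 |
| SOC 2 | CA-45: Anti-malware | January 3, 2023 |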