Why Office 365 Cloud is a better option than using a Outlook client.
There are more or less two options for email access: Webmail and clients (Outlook, Mail, Thunderbird, etc.). Depending on use case scenarios, many people weigh which option is better suited for their needs. Some people use Microsoft Outlook as a client because of the robust features they might have. Other people use webmail because of their the expediency to which they process email and attachments since they are all in the cloud. Regardless of what your preference is I want to make a case for why the cloud option might be a faster, more secure option than any of the clients out there.
One of the main thrusts for my argument is mainly for security sake. You see, everything you do whether in the cloud on on your computer itself could be compromised someway, one would ask which would lend itself the least or lesser amount of risk. In this case, the webmail version of Office 365 seems to be a safer option because you can see attachments in the cloud before they are physically being downloaded on to your computer.
As zero-day and file-less attacks increase through their favorite mechanism (email), one mitigating factor that can help minimize risk is not downloading attachments if you do not have to. As a matter of fact, having a hygienic approach to cyber security would dictate that you analyze the entire email for characteristics that might increase its potential security risk and or liability. For example, basic common security sense would dictate that you not download an attachment coming from yourself with an urgent message that you need to open the attachment. You would immediately sense that something was fishy because you do not remember sending that email. While the same scenario could develop using an email client, the difference is that in a client you already downloaded the the attachment.
You might object that by this time you are not obligated to open the attachment! However, from a security perspective you would do better if you decrease any scenario by a mitigating factor of one. That is one less risk, one less vector of attack.
It has been my personal experience that there have been attachments that do not work well in previewing them in the cloud because something is wrong with them and they do not display well. This is a red flag that there is some mechanism that it is waiting for you to activate it (once you download it) in order to "view" it. This is when the unsuspecting user, busy multi-tasking, and just trying to clear out his vast inbox of unread emails just automatically does the necessary steps in order to "view" what was deemed so important by the purported sender. Hence the trap is sprung.
Moral of the story is that attackers do not rely on lack of common sense as much as they rely on the fact that we are technologically predictable. Best practice, remove the risk by a factor of one and let the advanced features of Office 365 webmail take care of most of the security risks before they are downloaded.
As a side bonus, it seems that the contextual email menu that pops up when you right-click on a messages is more robust on the Office 365 than the traditional Outlook from a security perspective. As you can see above, you have options such as adding emails to your Safe Senders list, marking an email as a phishing attempt, or even blocking spammers completely by right-clicking and selecting Block.
In conclusion, nothing is perfect and tomorrow maybe the client might be more conducive to being more secure (maybe a sandboxing feature for all attachments?)
Information Security Manager
Assistant Director