Why Microsoft 365 Email Security Is No Longer Enough

Email Remains The Most Consistent Route In

Despite huge advances in cyber security tooling, email remains one of the most reliable ways for attackers to gain access to organisations.

Most conversations we are currently having around email security come back to the same core issues: phishing attacks, business email compromise (BEC), spoofing and impersonation, user awareness gaps, and overreliance on default Microsoft 365 protection.

The challenge is that many organisations assume Microsoft 365’s built-in protection is “good enough” by default.

In practice, we regularly see gaps when those controls are benchmarked against more specialist email security platforms.

The Microsoft 365 Assumption

Microsoft 365 includes baseline spam and phishing protection, and for many smaller organisations that may appear sufficient initially.

However, as attack techniques evolve, many organisations are finding limitations around advanced phishing detection, impersonation protection, DMARC enforcement visibility, user-targeted attacks, malicious link analysis, and post-delivery threat response.

This is particularly relevant as attackers increasingly use AI-generated phishing content, highly targeted BEC attacks, supplier impersonation, and credential harvesting techniques.

From our perspective, organisations relying solely on Microsoft’s default controls are often leaving unnecessary exposure in place.

Why Layered Email Security Matters

One of the biggest mistakes organisations make is treating email security as a single product decision.

Modern email security works best as a layered approach, combining:

  • gateway protection
  • DMARC enforcement
  • anti-spoofing controls
  • user awareness and training
  • identity validation
  • monitoring and reporting

Each layer solves a different part of the problem.

No single control stops every attack.

DMARC And Identity Protection Are Becoming Critical

One of the biggest shifts we are seeing is increased focus on identity protection within email.

DMARC, SPF, and DKIM are no longer “nice to have” controls. They are becoming essential.

Without proper DMARC enforcement:

  • attackers can spoof domains
  • customers can receive fraudulent emails appearing legitimate
  • trust in the organisation’s brand can be damaged

Platforms such as Valimail and Check Point are helping organisations strengthen anti-spoofing controls, email authentication, sender trust, and visibility into domain abuse.
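To make "DMARC enforcement" concrete, here is a small Python checker (an example added here, not code from the original article or from any vendor named in it) that reads a domain's `_dmarc` TXT value and reports whether it is monitor-only, only partially applied, leaves subdomains unprotected, or is fully enforced. The sample records are constructed; a real check would first fetch the TXT record over DNS.

```python
from typing import Dict, Optional

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    # Split a _dmarc TXT value into tag=value pairs (RFC 7489 syntax).
    # Returns None when the string is not a usable DMARC record.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return None
    tags.setdefault("sp", tags["p"])    # sp defaults to p
    tags.setdefault("pct", "100")       # pct defaults to 100
    return tags

def is_enforced(record: str) -> bool:
    # Enforced only when domain and subdomains both get quarantine/reject
    # and the policy applies to 100% of failing messages.
    tags = parse_dmarc(record)
    return (tags is not None and tags["p"] in ENFORCING
            and tags["sp"] in ENFORCING and tags["pct"] == "100")

def describe(record: str) -> str:
    # One-line posture summary of the kind an email security review reports.
    tags = parse_dmarc(record)
    if tags is None:
        return "no usable DMARC record: receivers apply no policy"
    if tags["p"] == "none":
        return "monitor-only (p=none): spoofed mail is still delivered"
    if not tags["pct"].isdigit() or int(tags["pct"]) < 100:
        return f"partial: p={tags['p']} applied to only {tags['pct']}% of failing mail"
    if tags["sp"] not in ENFORCING:
        return f"gap: p={tags['p']} but subdomains left at sp={tags['sp']}"
    return f"enforced (p={tags['p']}, sp={tags['sp']})"

# Constructed sample records, not real domains' DNS data.
SAMPLES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "missing": "v=spf1 include:_spf.example.com -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:10} -> {describe(rec)}")
```

Only the "enforced" sample passes; a `p=none` record gives reporting visibility but does nothing to stop a spoofed message being delivered.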

User Awareness Still Matters

Technology alone is not enough.

Even with strong filtering, users remain a target.

That is why ongoing awareness training continues to play a major role in effective email security strategies.

Platforms such as KnowBe4 help organisations run phishing simulations, measure user risk, improve reporting behaviour, and deliver continuous awareness training.

The Rise Of Specialist Email Security Platforms

We are also seeing increased interest in specialist email security vendors beyond Microsoft’s native tooling.

Platforms such as Check Point, Sublime Security, Fortra, and KnowBe4 are increasingly being evaluated for advanced threat detection, behavioural analysis, post-delivery response, API-driven email security, and phishing investigation capabilities.

The broader trend is clear: organisations are moving towards layered and specialist protection models rather than relying on a single vendor stack.

What We Are Seeing In Practice

Across both the UK and New Zealand, the same patterns continue to emerge.

Many organisations have basic email protection in place, but have not fully implemented DMARC enforcement, underestimate BEC exposure, lack ongoing phishing awareness programmes, and assume Microsoft’s defaults are more comprehensive than they actually are.

At the same time, attackers continue to evolve quickly.

Email attacks are becoming more personalised, more convincing, more automated, and harder for users to spot.

That makes layered protection increasingly important.

The Bigger Picture

Email security is no longer just about spam filtering.

It is now closely tied to identity security, user behaviour, supplier trust, brand protection, and business resilience.

The organisations responding most effectively are not looking for a single product to “solve email security”.

They are building layered strategies that combine technology, identity controls, monitoring, user awareness, and operational processes.

That is where the market is clearly heading.

👉 If you are currently reviewing your email security approach, we would be happy to help assess where the biggest risks and gaps may sit across phishing protection, DMARC, and user awareness.

📞 UK +44 (0) 113 341 0123

📞 NZ +64 (0)9 802 2444

📧 hello@itogether.com
