Email remains the primary attack vector for cybercriminals, with phishing responsible for over 90% of successful breaches. This guide covers technical controls, email authentication, and human-focused defenses to protect your organization.
The email threat landscape
Attack types
| Attack | Description | Impact |
|---|---|---|
| Phishing | Mass credential harvesting | Account compromise |
| Spear phishing | Targeted attacks on individuals | Data theft, malware |
| Business Email Compromise | Impersonation for fraud | Financial loss |
| Malware delivery | Malicious attachments/links | Ransomware, backdoors |
| Account takeover | Compromised legitimate accounts | Trust exploitation |
2025-2026 trends
| Trend | Impact |
|---|---|
| AI-generated phishing | 54% click rates vs 12% traditional |
| QR code phishing (quishing) | Bypasses URL scanning |
| Callback phishing | Voice + email combined attacks |
| Thread hijacking | Replies in legitimate conversations |
| MFA fatigue attacks | Push notification bombing |
Email authentication fundamentals
SPF (Sender Policy Framework)
| Component | Purpose |
|---|---|
| DNS TXT record | Lists authorized sending IPs |
| Validation | Receiving server checks sender IP |
| Result | Pass, fail, softfail, neutral |
Example SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
DKIM (DomainKeys Identified Mail)
| Component | Purpose |
|---|---|
| Private key | Signs outgoing messages |
| Public key | Published in DNS for verification |
| Signature | Header added to each email |
DMARC (Domain-based Message Authentication, Reporting and Conformance)
| Component | Purpose |
|---|---|
| Policy | None, quarantine, or reject |
| Alignment | At least one of SPF or DKIM must pass and align with the From domain |
| Reporting | Aggregate and forensic reports |
DMARC implementation stages:
| Stage | Policy | Purpose |
|---|---|---|
| 1 | p=none | Monitor only |
| 2 | p=quarantine | Send failures to spam |
| 3 | p=reject | Block failures entirely |
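A worked check of DMARC alignment and disposition, as an added example that is not part of this guide: it takes the SPF and DKIM results a receiving server has already computed and applies the published policy. It assumes a simplified organizational-domain rule (last two labels) in place of the Public Suffix List.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into tags; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Assumption: last two labels; production code consults the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC5322.From header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass" or anything else
    dkim_domain: str   # d= tag of the verified DKIM signature ("" if none)


def dmarc_evaluate(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_pass, disposition).

    DMARC passes when SPF or DKIM passes AND that identifier aligns with the
    From domain. A passing SPF for the attacker's own envelope domain does
    not help them, which is what stops simple From-header spoofing."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Failure: apply the sender's published policy (p=none/quarantine/reject).
    return False, tags.get("p", "none")
```

The third stage of the rollout above corresponds to the `p=reject` record in the first call; moving the same domain to `aspf=s` shows how a bounce subdomain stops aligning.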
Secure Email Gateway (SEG)
Core capabilities
| Feature | Function |
|---|---|
| Spam filtering | Block unsolicited email |
| Malware scanning | Detect malicious attachments |
| URL rewriting | Inspect links at click time |
| Sandboxing | Detonate suspicious files |
| Impersonation detection | Identify spoofed senders |
Advanced features
| Feature | Function |
|---|---|
| BEC detection | Analyze communication patterns |
| Lookalike domain detection | Flag typosquatting |
| Attachment sandboxing | Execute files safely |
| URL sandboxing | Analyze link destinations |
| Post-delivery protection | Remediate after delivery |
Leading solutions
| Vendor | Key strength |
|---|---|
| Proofpoint | Threat intelligence |
| Mimecast | BEC protection |
| Microsoft Defender | M365 integration |
| Abnormal Security | AI-based detection |
| Cisco Email Security | Enterprise integration |
Phishing-resistant MFA
Why traditional MFA fails
| MFA type | Vulnerability |
|---|---|
| SMS codes | SIM swapping, SS7 attacks |
| Push notifications | Fatigue attacks |
| TOTP apps | Real-time phishing proxies |
| Email codes | Account takeover |
Phishing-resistant options
| Method | How it resists phishing |
|---|---|
| FIDO2/WebAuthn | Origin binding, no shared secrets |
| Hardware keys | Physical possession required |
| Passkeys | Device-bound, biometric |
| Certificate-based | PKI validation |
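The origin binding in the table above, shown from the relying party's side as an added example that is not from this guide: the browser, not the page, fills in the origin in clientDataJSON, the authenticator signs its hash, and the relying party rejects any origin but its own. Signature verification is left out so the block stays standard-library only; the origins and challenge are constructed.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser builds for navigator.credentials.get(): 'origin' is the
    page actually loaded, so a proxy on a lookalike host cannot claim the real one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def rp_verify_client_data(client_data: bytes, expected_challenge: bytes,
                          rp_origin: str) -> bytes:
    """Relying-party checks on clientDataJSON: ceremony type, challenge and
    origin must all match. Returns the clientDataHash that the authenticator's
    signature is verified over, so a tampered origin also breaks the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (replay or wrong session)")
    if cd.get("origin") != rp_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    return hashlib.sha256(client_data).digest()


def assertion_accepted(origin_user_visited: str, rp_origin: str) -> bool:
    """End to end: RP issues a challenge, the browser on the visited origin
    builds clientDataJSON, and the RP decides whether to accept it."""
    challenge = secrets.token_bytes(32)
    client_data = browser_client_data(origin_user_visited, challenge)
    try:
        rp_verify_client_data(client_data, challenge, rp_origin)
        return True
    except ValueError:
        return False
```

A TOTP code relayed through a phishing proxy carries no such origin, which is why the table lists it as vulnerable to real-time proxies.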
Implementation priority
| User type | Recommended MFA |
|---|---|
| Administrators | Hardware keys (mandatory) |
| Executives | Hardware keys |
| Finance/HR | Hardware keys or passkeys |
| General users | Passkeys, then push |
| Contractors | Conditional access + MFA |
Business Email Compromise (BEC) defense
BEC attack patterns
| Pattern | Scenario |
|---|---|
| CEO fraud | Fake executive requests wire transfer |
| Vendor impersonation | Attacker poses as supplier |
| Account compromise | Real account used for fraud |
| Attorney impersonation | Fake legal urgency |
| Payroll diversion | Change direct deposit info |
Technical controls
| Control | Function |
|---|---|
| External sender tags | Mark emails from outside |
| Lookalike domain alerts | Flag similar domains |
| New sender warnings | Highlight first-time contacts |
| Wire transfer verification | Out-of-band confirmation |
| Display name analysis | Detect executive impersonation |
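One way to implement the lookalike-domain alert from the table, as an added example not taken from this guide: fold punycode and common homoglyphs, then run an edit-distance and brand-substring check against the domains you protect. The protected list and the sample sender domains are constructed.

```python
import unicodedata

# Constructed: domains we own or pay, in a fixed order so results are deterministic.
PROTECTED = ("example.com", "examplepay.com")

# Single-character look-alikes commonly used in typosquats.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(domain: str) -> str:
    """Fold IDN/punycode, accents and homoglyphs so 'examp1e' and 'exämple' compare as 'example'.
    Folding 'rn'->'m' and 'vv'->'w' can flag a few legitimate names; tune per environment."""
    d = domain.lower().strip(".")
    try:
        d = d.encode("ascii").decode("idna")      # xn--exmple-cua.com -> exämple.com
    except UnicodeError:
        pass
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    return d.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(sender_domain: str, protected=PROTECTED) -> str:
    """Return 'trusted', 'lookalike:<reason>' or 'ok' for an inbound sender domain."""
    if sender_domain.lower() in protected:
        return "trusted"
    norm = normalize(sender_domain)
    registered = ".".join(norm.split(".")[:-1])   # everything but the TLD
    for p in protected:
        brand = p.split(".")[0]
        if norm == p:
            return f"lookalike:homoglyph-of-{p}"
        if levenshtein(norm, p) <= 2:
            return f"lookalike:edit-distance-to-{p}"
        if brand in registered:
            return f"lookalike:contains-brand-{brand}"
    return "ok"
```

Feed the verdict into the external-sender banner or a quarantine rule; a `lookalike:` result on a first-time sender is a strong signal for the new-sender warning in the same table.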
Process controls
| Control | Implementation |
|---|---|
| Dual authorization | Two approvers for transfers |
| Callback verification | Call known numbers to confirm |
| Payment change procedures | Multi-step vendor updates |
| Executive communication policy | No wire requests via email only |
User awareness training
Training program elements
| Element | Frequency |
|---|---|
| New hire training | Onboarding |
| Annual refresher | Yearly |
| Phishing simulations | Monthly |
| Just-in-time training | At failure point |
| Role-based training | As needed |
Effective simulation practices
| Practice | Rationale |
|---|---|
| Realistic templates | Match actual threats |
| Graduated difficulty | Build skills progressively |
| Immediate feedback | Teachable moments |
| No public shaming | Encourage reporting |
| Track improvement | Measure over time |
Key metrics
| Metric | Target |
|---|---|
| Click rate | <5% |
| Report rate | >70% |
| Time to report | <5 minutes |
| Repeat offenders | <2% |
Incident response for email
Phishing response workflow
| Step | Action |
|---|---|
| 1 | User reports suspicious email |
| 2 | SOC triages and analyzes |
| 3 | Extract indicators (URLs, hashes) |
| 4 | Search for similar messages |
| 5 | Quarantine/delete from all mailboxes |
| 6 | Block indicators |
| 7 | Notify affected users |
| 8 | Document and close |
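Step 3 of the workflow, extracting indicators from a reported message, as an added example that is not part of this guide. The message below is constructed to look like a reported phish (sender domain, URLs, attachment); the same function runs on the original .eml attached to a real ticket.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample of a user-reported message (not a real campaign).
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@examp1e-support.net>
To: user@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.net; dmarc=fail
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Renew at <a href="https://examp1e-support.net/reset?u=123">portal</a> or https://examp1e-support.net/help</p>
--B
Content-Type: application/octet-stream; name="invoice.iso"
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

SGVsbG8=
--B--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_indicators(raw: bytes) -> dict:
    """Pull what steps 4 to 6 search and block on: sender domain, URLs and their
    hosts, attachment names with SHA-256, and the gateway's Authentication-Results."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)          # decoded attachment bytes
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "sender_domain": sender.domain,
        "urls": sorted(urls),
        "url_hosts": sorted({urlparse(u).hostname for u in urls}),
        "attachments": attachments,
        "auth_results": str(msg["Authentication-Results"]),
    }
```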
Compromise response
| Step | Action |
|---|---|
| 1 | Confirm account compromise |
| 2 | Reset credentials immediately |
| 3 | Revoke active sessions |
| 4 | Review mail rules and forwarding |
| 5 | Check sent items for BEC |
| 6 | Analyze access logs |
| 7 | Notify potential victims |
| 8 | Enhanced monitoring |
Email security architecture
Defense in depth layers
| Layer | Controls |
|---|---|
| Perimeter | SEG, DMARC enforcement |
| Mailbox | Native protection, add-ons |
| Endpoint | EDR, browser isolation |
| User | Training, reporting button |
| Process | Verification procedures |
Microsoft 365 security stack
| Component | Function |
|---|---|
| Exchange Online Protection | Basic filtering |
| Defender for Office 365 P1 | Safe attachments/links |
| Defender for Office 365 P2 | Threat investigation |
| Conditional Access | Context-based access |
| Insider Risk Management | Internal threat detection |
Google Workspace security
| Component | Function |
|---|---|
| Gmail protection | Built-in filtering |
| Security sandbox | Attachment analysis |
| Advanced phishing protection | Spoofing detection |
| Security investigation tool | Threat analysis |
| Context-aware access | Conditional policies |
Metrics and reporting
Operational metrics
| Metric | Purpose |
|---|---|
| Emails blocked | Volume of threats stopped |
| Phishing reported | User engagement |
| Mean time to remediate | Response efficiency |
| False positive rate | Tuning accuracy |
Risk metrics
| Metric | Purpose |
|---|---|
| Click rate trend | Training effectiveness |
| BEC attempts | Targeted attack frequency |
| Account compromises | Breach indicator |
| DMARC compliance | Authentication coverage |
Implementation roadmap
Phase 1: Foundation (Months 1-2)
| Task | Priority |
|---|---|
| Implement DMARC monitoring | Critical |
| Deploy SEG or enhance native | Critical |
| Enable external sender tags | High |
| Create reporting process | High |
Phase 2: Enhancement (Months 3-4)
| Task | Priority |
|---|---|
| Move DMARC to quarantine | High |
| Deploy phishing simulations | High |
| Implement BEC controls | High |
| Enable URL rewriting | Medium |
Phase 3: Maturity (Months 5-6)
| Task | Priority |
|---|---|
| Move DMARC to reject | High |
| Deploy phishing-resistant MFA | High |
| Automate response playbooks | Medium |
| Implement advanced analytics | Medium |
Common mistakes to avoid
| Mistake | Impact |
|---|---|
| DMARC at p=none forever | No protection benefit |
| Punishing simulation failures | Discourages reporting |
| Relying solely on technology | Humans remain vulnerable |
| Ignoring internal email | Compromised accounts abuse trust |
| No executive buy-in | Insufficient resources |
Key takeaways
- Layer defenses - No single control stops all threats
- Implement DMARC - Progress to p=reject policy
- Deploy phishing-resistant MFA - Especially for privileged users
- Train continuously - Monthly simulations with feedback
- Enable easy reporting - One-click report button
- Verify out-of-band - Never trust email alone for sensitive requests
- Measure and improve - Track metrics, reduce click rates
Email security requires both technical controls and human awareness working together. The goal is not zero clicks—it’s building a culture where users recognize and report threats while technical controls catch what humans miss.