By the numbers

Stat                                                              Source
90%+ of cyberattacks begin with phishing as the initial vector    CISA, 2024
$4.88M average cost of a data breach globally                     IBM Cost of a Data Breach Report, 2024
3.4 billion phishing emails sent every day                        Anti-Phishing Working Group (APWG)
60% of all confirmed breaches involved the human element          Verizon DBIR, 2025
$2.77B in BEC losses reported to the FBI in 2024                  FBI IC3 Annual Report, 2024

Despite two decades of awareness campaigns, security training sessions, and ever-thicker firewall rulebooks, email remains the single most reliable weapon in a cybercriminal's arsenal. It's not because defenders aren't trying — it's because attackers keep evolving, and default protections aren't keeping pace.

If your organisation runs on Microsoft 365, you have Exchange Online Protection (EOP) and — if you're on the right plan — Microsoft Defender for Office 365 baked in. That's not nothing. But it's also not enough. This is a problem that affects organisations of every size, but it's particularly acute for small and medium-sized businesses: email security for SMBs often begins and ends with whatever Microsoft includes by default, with no additional layer in place. Here's an honest look at the threat landscape and where the gaps are.

The threats your default filters won't catch

Microsoft's built-in filtering is strong at blocking known-bad: blacklisted IPs, recognised malware signatures, obvious spam. What it consistently struggles with are attacks that look legitimate — because they are, technically speaking.

According to Egress's 2024 Phishing Threat Trends Report, 84.2% of phishing attacks passed DMARC authentication — one of the core tools that secure email gateways rely on.[1] In other words, the majority of today's phishing emails are arriving with a clean bill of health from the filters organisations trust most.

Business Email Compromise (BEC) — High risk

A CEO's email address — or one that looks identical — instructs finance to wire funds urgently. No malware. No malicious link. Just text. EOP has almost nothing to scan. In 2024, the FBI's Internet Crime Complaint Center recorded 21,442 BEC complaints with adjusted losses exceeding $2.77 billion — making it the second costliest category of cybercrime tracked by the IC3.[2] Default filters catch perhaps 20% of these attempts. For small and medium-sized businesses, BEC is especially dangerous: there's rarely a second set of eyes on payment requests, and the financial impact of a single successful attack can be existential.

Adversary-in-the-Middle (AiTM) Phishing — Escalating

Modern phishing kits sit as a proxy between the victim and a legitimate site — harvesting session tokens in real time. Multi-factor authentication doesn't stop these. The user authenticates genuinely; the attacker steals the session cookie and is in. Microsoft itself observed a 146% rise in AiTM attacks throughout 2024, indicating that cybercriminals are systematically finding ways to compromise accounts that are protected by MFA.[3] Microsoft's built-in tooling can flag the landing page, but only if it's been seen before.

QR Code Phishing ("Quishing") — Growing fast

The payload is an image — a QR code. Email scanners inspect text and URLs; they can't follow a QR code to its destination. Users scan on a personal mobile device, entirely outside corporate security controls. QR codes were used in just 0.8% of phishing attacks in 2021; that figure jumped to 12.4% in 2023 and held at 10.8% through 2024, according to Egress's Phishing Threat Trends Report.[1] In a single three-month window (mid-June to mid-September 2024), Barracuda researchers detected more than half a million phishing emails with QR codes embedded in PDF attachments alone.[4]

HTML Smuggling & File-Based Attacks — Persistent

Malicious code is assembled inside the browser after delivery — the email itself is clean when scanned. HTML smuggling bypasses gateway analysis entirely because the payload doesn't exist at scan time. It's reconstructed from encoded blobs in otherwise innocent-looking attachments. Several leading Phishing-as-a-Service platforms now offer ready-to-use HTML phishing templates, accelerating adoption of the technique across the criminal ecosystem.[5]

These attacks exploit trust signals, not technical vulnerabilities. They arrive from real domains, pass SPF/DKIM/DMARC checks, and look exactly like the emails your staff expect to receive.



What M365 default filtering actually covers

Microsoft's built-in filtering is strong at blocking known-bad. The problem is that the threats most likely to result in an actual breach are precisely the ones it handles least well:

Threat type                  EOP (all plans)   Defender Plan 2
Known spam & malware         Strong            Strong
Recognised phishing domains  Partial           Better
BEC / impersonation          Weak              Moderate
AiTM / session hijack        No                Limited
QR code phishing             No                Minimal
HTML smuggling               No                Partial

The 2025 Verizon Data Breach Investigations Report adds important context here: 60% of all confirmed breaches involved the human element — clicks, social engineering, and credential misuse — a figure that has remained consistent year over year despite increased investment in security awareness training.[6] Technology alone, including Microsoft's native tooling, cannot close a gap that is fundamentally about human behaviour.



What to do about it: a practical checklist

Layered security isn't a buzzword — it's the only realistic response to a threat landscape this varied. Here's where to focus:

  1. Enforce DMARC at p=reject. Surprisingly, many organisations still run p=none — monitoring only. Given that 84.2% of phishing emails already pass DMARC checks,[1] rejecting spoofed mail from your own domain is a baseline that every organisation should meet before anything else.

  2. Add a third-party Integrated Cloud Email Security (ICES) layer. Tools like Proofpoint Essentials, Abnormal Security, and Sublime Security use behavioural AI to detect BEC patterns and AiTM indicators that signature-based filters miss. Proofpoint Essentials is specifically designed for small and mid-sized businesses — it layers on top of Microsoft 365 without replacing it, adding the advanced threat detection that EOP and Defender leave uncovered. These sit downstream of Microsoft's filtering and catch what EOP/Defender doesn't.

  3. Deploy phishing-resistant MFA. FIDO2/passkeys or certificate-based authentication can't be bypassed by AiTM kits — unlike TOTP or push notifications. With AiTM attacks up 146% in 2024,[3] upgrading from legacy MFA is no longer optional for high-risk roles.

  4. Enable QR code URL scanning. Defender Plan 2 added limited QR scanning in late 2023; third-party tools generally do this better. Given that QR codes now feature in roughly 1 in 10 phishing emails,[1] check your current coverage and don't assume it's handled.

  5. Run simulated phishing campaigns that reflect real threats. Include BEC scenarios and AiTM-style lures, not just link-click drills. The goal is building realistic muscle memory. The Verizon DBIR notes that the primary ROI of phishing simulation is not preventing clicks, but accelerating reporting — turning your workforce into a rapid detection network.[6]

  6. Instrument your email pipeline. If you don't have visibility into what's being detonated in your sandbox, what's being quarantined, and what's slipping through, you're flying blind. Phishing accounted for 15% of initial breach vectors in the 2025 DBIR,[6] but the true number is almost certainly higher given how often phishing enables credential theft that's attributed to a different root cause.

  7. Establish an out-of-band verification process for wire transfers. A single phone call to a known number before any funds move would have prevented the majority of the $2.77 billion lost to BEC in 2024.[2] Make it mandatory, not optional, and put it in writing as a finance policy.
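As an added example (not code from the article), a small Python checker that grades a domain's DMARC TXT record against the p=reject baseline in item 1, flagging monitoring-only policies, unprotected subdomains, partial pct values and missing reporting addresses. It takes the record text as input (the TXT record published at _dmarc.<domain>, fetched however you like) and the sample records are constructed example.com placeholders.

```python
# Added example (not the article's code): grade a DMARC TXT record from _dmarc.<domain>.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DmarcAssessment:
    policy: Optional[str]            # p= tag
    subdomain_policy: Optional[str]  # sp= tag, inherits p= when absent
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= present, so spoofing is at least visible
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when spoofed mail is rejected for the domain and its subdomains."""
        return self.policy == self.subdomain_policy == "reject" and self.pct == 100

def parse_dmarc(record: str) -> Dict[str, str]:
    # 'tag=value; tag=value' -> dict; tag names are case-insensitive per RFC 7489
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("no v=DMARC1 tag: receivers will ignore the record")
    policy = tags.get("p", "").lower() or None      # p= values are case-insensitive
    sub_policy = tags.get("sp", "").lower() or policy
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0  # unparsable pct: treat as unenforced
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected (p=none only monitors)")
    if sub_policy != policy and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports of who is spoofing you")
    return DmarcAssessment(policy, sub_policy, pct, "rua" in tags, findings)

# Constructed sample records (example.com placeholders, not real DNS lookups).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=50"
ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

Run it against your own record and treat anything in `findings` as an action item; `enforcing` is only true when the domain and its subdomains both reject and pct is 100.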


Stop Assuming. Start Auditing

Microsoft 365 is a solid starting point, not a finished email security strategy. The threats most likely to actually compromise your organisation — BEC, AiTM phishing, quishing — are precisely the ones that default filters are worst at catching, because they're designed to evade exactly that kind of detection.

The data is consistent across sources: email-borne attacks are the dominant initial access vector. They're getting more sophisticated — AiTM infrastructure grew over 50% year-on-year into early 2025.[7] And the human element remains a factor in 60% of breaches regardless of how much training organisations run.[6]

The good news: the countermeasures are known, proven, and increasingly accessible. Solutions like Proofpoint Essentials bring enterprise-grade email threat detection within reach of smaller organisations — without the enterprise price tag or the complexity of a full-stack deployment. The organisations that get breached via email in 2026 are, almost without exception, the ones that assumed their built-in filtering was sufficient.

You can check how resilient your current email setup is, and more, using our free Technology Resilience Assessment.



Sources

  1. Egress, Phishing Threat Trends Report, October 2024. egress.com
  2. FBI Internet Crime Complaint Center (IC3), 2024 Internet Crime Report. ic3.gov
  3. Microsoft, Defeating Adversary-in-the-Middle Phishing Attacks, 2024. Via Microsoft Community Hub
  4. Barracuda Networks, Threat Spotlight: The Evolving Use of QR Codes in Phishing Attacks, October 2024. blog.barracuda.com
  5. Sekoia TDR Team, Global Analysis of Adversary-in-the-Middle Phishing Threats, 2025. blog.sekoia.io
  6. Verizon, 2025 Data Breach Investigations Report (DBIR). verizon.com
  7. Lab539, AiTM Trends Throughout 2024, February 2025. lab539.com
  8. CISA, guidance on phishing as a cyberattack initial vector. cisa.gov
  9. IBM, Cost of a Data Breach Report 2024. ibm.com
  10. Anti-Phishing Working Group (APWG), Phishing Activity Trends Reports. apwg.org
