Business Email Security: Protecting Your Inbox from Attack

Email is the most common entry point for cyberattacks on UK businesses. Effective email security combines technical controls — SPF, DKIM, DMARC, secure gateways — with staff awareness to block phishing, spoofing and malware before they cause harm.

Matt Cannon

Managing Director

8 min read·Mar 2026

Why email remains the primary attack surface

Despite decades of warnings, email continues to be the number one delivery mechanism for cyberattacks on UK businesses. The reason is straightforward: it is the one communication channel that every employee uses, and every message requires a human judgement call about whether to trust it. The 2024 UK Cyber Security Breaches Survey found that phishing attempts remain the most commonly identified form of attack, affecting 84% of businesses that reported a breach.

The threat landscape has shifted considerably. Opportunistic spam and bulk phishing campaigns still exist, but they are increasingly accompanied by targeted business email compromise (BEC) attacks — where criminals impersonate senior staff or trusted suppliers to authorise fraudulent payments. These attacks require no malware; they succeed through social engineering alone.

The core technical controls

SPF — Sender Policy Framework

An SPF record in your domain's DNS tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain. Without it, anyone can send email that appears to come from your address. SPF alone is not sufficient protection, but it is a foundational requirement that every business domain should have configured correctly.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outbound message. The receiving server can verify this signature against a public key published in your DNS. If an email is modified in transit — or if a criminal attempts to send forged email — the DKIM signature will fail verification. DKIM works in conjunction with SPF rather than replacing it.

DMARC — Domain-based Message Authentication, Reporting and Conformance

DMARC builds on SPF and DKIM by specifying what a receiving server should do when an email fails authentication — quarantine it, reject it, or do nothing — and provides reporting back to the domain owner. A DMARC policy set to reject (p=reject) provides the strongest protection against domain spoofing. Many UK businesses have SPF and DKIM configured but leave DMARC in "none" (monitoring-only, p=none) mode indefinitely, which provides no active protection.
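The gaps described above can be checked directly from the published TXT records. The following is an added example, not part of the original article: it audits SPF and DMARC record strings offline, and the records and the example.co.uk / example.net names in it are constructed placeholders.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
def parse_dmarc_tags(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Findings for a DMARC TXT record; None means nothing is published."""
    tags = parse_dmarc_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy for failing mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is flagged, not refused")
    elif policy != "reject":
        findings.append("p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not collected")
    return findings

def audit_spf(record):
    """Findings for an SPF TXT record; None means nothing is published."""
    terms = (record or "").lower().split()
    if terms[:1] != ["v=spf1"]:
        return ["no SPF record: authorised senders are not published"]
    findings = []
    if "all" in terms or "+all" in terms:
        findings.append("+all: every IP address is authorised to send")
    elif "?all" in terms:
        findings.append("?all: neutral result, unauthorised senders are not failed")
    elif not any(t in ("-all", "~all") or t.startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism or redirect: unlisted senders get neutral")
    return findings

# Constructed sample records (SPF, DMARC) for a placeholder domain.
SAMPLES = {
    "weak": ("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none"),
    "enforced": ("v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk"),
}
if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, audit_spf(spf) + audit_dmarc(dmarc))
```

The "weak" sample reproduces the situation the paragraph describes: records exist, but neither one causes a receiver to refuse unauthenticated mail.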

Email security gateways

Authentication protocols stop spoofing, but they do not filter malicious content arriving through legitimate sending infrastructure. An email security gateway sits between the internet and your mail server, scanning every inbound and outbound message for:

  • Known malware, matched by signature, and zero-day threats, detected using sandboxing
  • Phishing URLs checked against threat intelligence feeds
  • Suspicious attachment behaviour (macro-enabled documents, obfuscated scripts)
  • Data loss prevention rules on outbound email

Solutions such as Microsoft Defender for Office 365, Proofpoint, Mimecast and Abnormal Security operate in this space. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which provides baseline gateway capabilities. Organisations with higher risk profiles often layer a third-party gateway on top for additional filtering depth.

Business email compromise and impersonation attacks

BEC attacks are particularly difficult to block with technical controls because the email itself may be entirely legitimate — sent from a real, uncompromised account that has been set up to mimic a trusted contact. Warning signs include:

  • A request to change bank account details for a supplier payment
  • An urgent instruction from the CEO to transfer funds, sent outside normal channels
  • A reply to an ongoing email thread where the reply-to address differs from the sender
  • Requests that bypass normal approval workflows because of claimed urgency

Staff training is the primary control here. Any payment instruction or request to change financial details received by email should be verified through a separate channel — a phone call to a known number, not a number provided in the suspicious email.
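Two of these warning signs are visible in message headers and can be flagged automatically to support, not replace, the out-of-band check. The following is an added example, not part of the original article: the KNOWN_DOMAINS allow-list, the 0.85 similarity threshold and both sample messages are assumptions constructed for illustration.

```python
# Added example: flag a Reply-To mismatch and lookalike domains in headers.
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the business already trades with.
KNOWN_DOMAINS = {"example.co.uk", "supplier-example.com"}

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain, known=KNOWN_DOMAINS, threshold=0.85):
    """Return the known domain that `domain` closely resembles, if any."""
    if domain in known:
        return None
    for good in sorted(known):
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def bec_flags(raw_message):
    """List header-level BEC warning signs found in one raw message."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender {sender}")
    for dom in dict.fromkeys([sender, reply_to]):  # de-duplicate, keep order
        match = lookalike_of(dom) if dom else None
        if match:
            flags.append(f"{dom} resembles known domain {match}")
    return flags

# Constructed sample messages (headers, blank line, body).
SUSPICIOUS = ("From: Accounts <accounts@supplier-example.com>\n"
              "Reply-To: accounts@suppller-example.com\n"
              "Subject: Re: Invoice 1042\n\n"
              "Please use our new bank details for this payment.\n")
CLEAN = ("From: Accounts <accounts@supplier-example.com>\n"
         "Subject: Invoice 1042\n\nInvoice attached.\n")

if __name__ == "__main__":
    print(bec_flags(SUSPICIOUS))
    print(bec_flags(CLEAN))
```

A message with no flags can still be fraudulent, for example when it is sent from a genuinely compromised supplier mailbox, so the phone verification step still applies.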

Email encryption

Encrypting email in transit (TLS) is now standard between major mail providers. End-to-end encryption — where only the sender and recipient can read the message — is appropriate for sensitive communications such as legal advice, financial data, or personal information. Microsoft 365 Message Encryption and S/MIME are both available within the Microsoft 365 ecosystem. For ad hoc secure file sharing, a secure file transfer portal is often more practical than encrypted email.

Backup and email archiving

Email data is frequently subject to legal hold, regulatory retention requirements, and business continuity needs. Microsoft 365 includes Exchange Online archiving, but organisations should consider whether a dedicated third-party email backup solution is also required — Microsoft's native retention policies are not a substitute for an independent backup that can recover individual items deleted through administrative error or malicious action.

AMVIA helps UK businesses configure email security from the ground up — including DMARC enforcement, gateway deployment, and staff awareness training — as part of a managed security programme.

Building an email security policy

Technical controls work best when supported by a written email security policy that covers: acceptable use of business email, handling of attachments and links from unknown senders, reporting procedures for suspected phishing, and the process for verifying unusual payment requests. Policy alone achieves nothing without regular reinforcement through training and, ideally, simulated phishing exercises.
