85% of Breaches Start in Your Inbox — Is Yours Protected?
Email is the attack vector in 85% of UK breaches. AMVIA's managed email security stops phishing, BEC, and malware before they reach your team — with DMARC configuration, attachment sandboxing, and phishing simulation training. Trusted by 1,200+ UK businesses.
Business email is the attack vector in 85% of breaches (DSIT Cyber Security Breaches Survey 2025). Effective email security combines anti-phishing filters, DMARC/DKIM/SPF configuration, malware sandboxing, and business email compromise (BEC) detection. AMVIA manages Microsoft Defender for Office 365 and third-party email gateways for 1,200+ UK businesses — reducing email-borne threats by over 99%.
What Is Email Security?
Email security encompasses the technologies and processes that protect your business email from phishing attacks, malware delivery, account compromise, and email spoofing. An effective email security solution combines filtering (blocking malicious emails before they reach the inbox), authentication (verifying that emails claiming to be from your domain are genuine), and awareness training (helping your staff recognise and report suspicious emails). Microsoft 365 includes baseline email filtering, but most businesses need additional controls to protect against sophisticated attacks.
What Our Email Security Service Includes
AMVIA manages all layers of email security for UK businesses — from filtering and authentication to simulated phishing campaigns and user training.
Anti-Phishing and Spam Filtering
Advanced email filtering using machine learning and threat intelligence to block phishing emails, malware-laden attachments, and malicious URLs before they reach your users' inboxes.
DMARC, DKIM, and SPF Configuration
Email authentication protocols that verify messages are genuinely from your domain — preventing attackers from impersonating your business to suppliers, clients, or staff. We configure and monitor all three.
Business Email Compromise (BEC) Protection
AI-based detection of impersonation attacks where criminals pose as senior staff or trusted suppliers to authorise fraudulent payments. BEC is the highest-value email threat facing UK SMEs.
Attachment Sandboxing
Suspicious email attachments are detonated in an isolated sandbox environment before being delivered, preventing weaponised documents and executables from reaching your users.
Email Archiving and Continuity
Compliant email archiving for regulatory purposes (FCA, SRA, GDPR), plus email continuity services that keep your inbox accessible even if Microsoft 365 suffers an outage.
Phishing Simulation Training
Regular simulated phishing campaigns test your staff's awareness, with targeted training for users who click. This measurably reduces susceptibility to real phishing attacks over time.
Email Security Checklist
Key email security controls every UK business should have in place.
DMARC policy configured with p=quarantine or p=reject
DKIM signing enabled for your email domain
SPF record published and validated
MFA enforced on all email accounts
Attachment and URL scanning active on inbound email
Staff phishing awareness training completed in the last 12 months
Why Email Security Matters for UK Businesses
Email is the single most important attack surface for the vast majority of UK businesses. The UK Government's Cyber Security Breaches Survey 2025 found that 85% of breaches involving a cyber attack began with a phishing email. Despite this, many businesses rely solely on the default filtering included in Microsoft 365 — which, while improved significantly in recent years, is not sufficient to block sophisticated phishing campaigns, business email compromise attacks, or targeted spear-phishing.
The financial consequences of email-based attacks are severe. Business Email Compromise (BEC) — where criminals impersonate executives or suppliers to authorise fraudulent payments — costs UK businesses over £125,000 on average per successful attack. Ransomware delivered via email attachments regularly causes days or weeks of operational disruption.
Types of Email-Based Attack
Phishing
Phishing emails impersonate trusted organisations — banks, HMRC, Microsoft, delivery companies — to trick recipients into clicking malicious links or entering credentials on fake websites. Modern phishing campaigns are highly convincing and personalised, often using information scraped from LinkedIn or company websites to add credibility.
Spear-Phishing
A targeted variant of phishing where the attacker researches a specific individual before crafting an email that appears highly credible. Spear-phishing is used against high-value targets — finance directors, senior executives, IT administrators — and is significantly harder to detect than generic phishing.
Business Email Compromise (BEC)
BEC attacks involve an attacker impersonating a senior executive or trusted supplier — either by compromising their actual email account, or by registering a look-alike domain — and instructing the target to transfer funds, change payment details, or share sensitive information. BEC does not require any malware; it exploits trust rather than technology. This makes it very difficult to filter and very lucrative for attackers.
Malware Delivery via Email
Malicious attachments (PDFs, Office documents, ZIP files) and links to malware downloads are a common delivery mechanism for ransomware and remote access tools. Modern malware often uses macro-enabled documents or password-protected archives to evade basic filtering.
Email Spoofing
Spoofing involves sending emails that appear to come from a legitimate domain — either your own domain or a trusted partner's. Without DMARC, DKIM, and SPF in place, there is nothing to stop an attacker from sending emails that display your company name and email address as the sender.
DMARC, DKIM, and SPF: Email Authentication Explained
Email authentication protocols are DNS records that tell receiving mail servers how to verify whether an email claiming to be from your domain is genuine. Implementing all three is a Cyber Essentials requirement and provides foundational protection against spoofing and impersonation.
SPF (Sender Policy Framework)
An SPF record lists the mail servers that are authorised to send email on behalf of your domain. When an email arrives with your domain as the envelope sender (the Return-Path address), the receiving mail server looks up the SPF record and checks whether the connecting server's IP address is on the authorised list. If it is not, the email fails SPF authentication. SPF on its own does not check the From address your users see, which is why DMARC alignment (below) matters.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails, with the matching public key published in DNS under a selector, that allows receiving servers to verify the email was sent by an authorised source and has not been modified in transit. DKIM signing should be enabled in Microsoft 365 and any other email sending platform your business uses (marketing tools, CRM systems, etc.).
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM by defining what happens to emails that fail authentication checks, and by requiring the domain that passed SPF or DKIM to align with the From address the recipient sees. A DMARC policy with p=quarantine sends failing emails to spam; p=reject blocks them entirely. DMARC also instructs receiving servers to send aggregate reports to a designated address (the rua tag), giving you visibility of who is sending email using your domain. Many businesses discover third-party services sending on their behalf only when they set up DMARC reporting.
Configuring DMARC correctly requires expertise: setting an overly aggressive policy without first reviewing reports can accidentally block legitimate emails. AMVIA deploys DMARC in monitoring mode (p=none) first, reviews the reports, cleans up legitimate sources, and then moves to enforcement.
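The monitor-then-enforce step above relies on reading the aggregate reports. The following is an added illustration, not AMVIA's tooling: it parses a published DMARC record, checks whether it meets the checklist bar (p=quarantine or p=reject), and summarises a constructed aggregate report by sending IP so you can see how much mail an enforcing policy would have affected. The sample report, domain and IPs are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.55</source_ip><count>45</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def parse_dmarc_record(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=mailto:...') into tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_enforcing(tags):
    """True when the policy is p=quarantine or p=reject (the checklist requirement)."""
    return tags.get("p", "none").lower() in ("quarantine", "reject")

def summarise_report(xml_text):
    """Per sending IP: total messages and how many failed DMARC. A message passes if
    SPF or DKIM passed with alignment; policy_evaluated already reflects alignment."""
    summary = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = summary.setdefault(ip, {"total": 0, "failing": 0})
        entry["total"] += count
        if not passed:
            entry["failing"] += count
    return summary

def enforcement_impact(summary):
    """Messages a quarantine/reject policy would have affected; check each failing source first."""
    return sum(e["failing"] for e in summary.values())
```

A failing source is either a legitimate sender that still needs SPF or DKIM set up or someone spoofing the domain; only once every legitimate source passes is it safe to move past p=none.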
Microsoft 365 Email Security vs Third-Party Gateways
Microsoft 365 includes Microsoft Defender for Office 365 as part of certain licence tiers. For businesses on Business Premium (which includes Defender Plan 2), the built-in email security is genuinely effective — with Safe Links, Safe Attachments, anti-phishing policies, and attack simulation training all available.
However, configuring Defender for Office 365 correctly requires expertise. The default settings are not the most secure settings available. AMVIA audits and tunes the Defender configuration as part of our M365 security service.
For businesses on Business Basic or Business Standard (which includes only Defender Plan 1 or Exchange Online Protection), the built-in protection is less comprehensive. Adding a third-party secure email gateway — such as Mimecast or Proofpoint Essentials — significantly improves filtering accuracy and adds capabilities such as attachment sandboxing, email archiving, and continuity services.
Phishing Simulation Training
Technology can block most phishing attempts, but staff will always be the last line of defence against sophisticated attacks that evade filters. Phishing simulation training involves sending your staff realistic (but fake) phishing emails, measuring how many click, and providing targeted training to those who do.
Research consistently shows that regular simulation training reduces staff susceptibility to phishing by 50–80% over 12 months. AMVIA runs quarterly simulation campaigns and provides a dashboard showing click rates by department, enabling managers to identify training needs.
Email Security for Regulated Businesses
Financial services firms (FCA-regulated), law firms (SRA-regulated), and healthcare organisations have specific email retention and archiving requirements. AMVIA's email security service includes compliant archiving with tamper-proof storage, e-discovery capability, and defined retention policies aligned to regulatory requirements.
Frequently Asked Questions
What is DMARC and why do I need it?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that tells receiving mail servers what to do with emails failing authentication checks. Without DMARC, anyone can send emails appearing to come from your domain. It is a Cyber Essentials requirement. AMVIA configures DMARC in monitoring mode first to avoid disrupting legitimate email, then moves to enforcement once all legitimate senders are identified.
What is business email compromise (BEC)?
BEC is fraud where an attacker impersonates a senior executive or supplier to instruct payment transfers or share sensitive data. BEC attacks increased 33% in 2025 (FBI IC3 Report), making it one of the fastest-growing email threats. These attacks exploit trust rather than malware, making them harder to filter. AMVIA's email security includes AI-based BEC detection that identifies impersonation attempts based on sender behaviour patterns.
How does email filtering work?
Email filtering analyses inbound messages at multiple levels: IP reputation of the sending server, SPF/DKIM/DMARC authentication results, content analysis of the email body, URL checking against threat intelligence feeds, and attachment sandboxing. Modern filtering uses machine learning trained on billions of emails to identify new phishing patterns before they are widely reported.
Is the email security built into Microsoft 365 enough?
It depends on your licence. Microsoft 365 Business Premium includes Defender for Office 365 Plan 2, which provides strong protection when correctly configured. Business Basic and Standard include only basic Exchange Online Protection. For businesses not on Premium, adding a third-party gateway such as Mimecast significantly improves filtering. AMVIA assesses your current licence and recommends the most cost-effective approach.
How much does managed email security cost?
For businesses on Microsoft 365 Business Premium, AMVIA's management service costs from £5 per user per month, covering Defender tuning, DMARC implementation, and phishing simulations. Businesses needing a third-party email gateway should expect £3–£8 per user per month for the gateway licence plus AMVIA's management layer. Contact us for a quote based on your user count and current licences.
One Phishing Email Could Cost You £125,000 — Check Your Defences Now
Get a free email security assessment — we will check your DMARC configuration, review your filtering policies, and identify gaps in your protection. Takes less than 2 minutes. No commitment.