Email phishing remains the entry point for over 90% of cyberattacks against businesses. Ransomware deployments, business email compromise wire fraud, credential theft, and supply chain attacks all begin with the same vector: a malicious email that convinces someone to click a link, open an attachment, or share information they shouldn't.
The problem is not that businesses don't know phishing is dangerous. The problem is that the threat has evolved far beyond the obviously fake "Nigerian prince" emails that people learned to recognize a decade ago. Modern phishing is sophisticated, targeted, and often indistinguishable from legitimate communication without the right technical controls in place.
How Phishing Has Evolved in 2026
Bulk phishing is the spray-and-pray model: millions of identical or slightly varied emails sent to harvested address lists, hoping a small percentage of recipients will click. These messages impersonate well-known brands — Microsoft, DocuSign, FedEx, banks — with generic urgency hooks: "Your account will be suspended," "You have a package waiting." Bulk phishing is volumetric and relies on scale, not sophistication. A well-configured anti-spam filter with current threat intelligence catches the vast majority.
Spear phishing is targeted: the attacker researches a specific individual or organization, then crafts a message tailored to that target. Your CEO's name in the from field. A reference to a real project your team is working on. An invoice formatted to match your actual vendor's style. Spear phishing bypasses generic spam filters because the message contains no known malicious indicators — it is specifically designed to look legitimate. It bypasses human judgment because the recipient has no reason to be suspicious of what appears to be a normal, expected communication.
Business Email Compromise (BEC) is the highest-value phishing attack category. The attacker either compromises a real email account (often through a previous phishing attack that harvested credentials) or spoofs a trusted email address, then uses that position to impersonate executives, vendors, or clients. The payload is not a malware link — it is a request: change the bank account for this vendor payment. Wire $80,000 to this account for a pending acquisition. The FBI's 2025 Internet Crime Complaint Center report shows BEC causing over $3.1 billion in adjusted losses — more than any other cybercrime category.
AI-generated phishing is the 2025–2026 threat evolution that security teams are actively grappling with. Generative AI tools allow attackers to produce grammatically perfect, contextually plausible phishing emails at scale, eliminating the poor grammar and odd phrasing that have historically been reliable detection signals. AI also enables voice cloning for vishing (voice phishing) attacks that complement email campaigns.
Technical Controls: The Non-Negotiable Layer
Human training alone cannot stop phishing. The statistics are consistent: even well-trained employees click phishing links at meaningful rates under realistic conditions. Technical controls are not a replacement for training — they are the layer of defense that limits the blast radius when a click happens.
Anti-Phishing Policies in Microsoft 365
Microsoft 365 Defender (included in Business Premium and higher, or available as an add-on) includes anti-phishing policies that provide several critical protections:
- Impersonation protection: Defines specific users and domains whose impersonation should trigger enhanced scrutiny. If an inbound email claims to be from your CEO but doesn't originate from your mail servers, the policy detects the mismatch and can quarantine the message or add a warning banner.
- Mailbox intelligence: Machine learning analyzes each user's normal communication patterns. Emails that deviate from established patterns — unusual senders, unusual request types — are flagged with higher suspicion scores.
- Spoof intelligence: Identifies emails that fail authentication checks (SPF, DKIM, DMARC) and handles them according to policy — quarantine, reject, or delivery with warning.
- First contact safety tips: Adds a visible banner to emails from senders the recipient has never communicated with before, increasing the psychological salience of scrutiny.
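The four protections listed above map directly onto parameters of the Exchange Online PowerShell cmdlets that create an anti-phishing policy. The following is an added example, not code from the original article or from IT Center: it creates one strict policy, scopes it to a domain with a rule, and reads back the settings so the configuration can be verified. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 license, and placeholder values (`contoso.com`, the executive names and addresses, the policy name) that you would replace with your own.

```powershell
# Added example (not the article's or IT Center's code). Placeholders: contoso.com,
# the admin account, the protected users and the policy name.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder admin account

$PolicyName = 'Contoso-AntiPhish-Strict'   # placeholder policy name
$Domain     = 'contoso.com'                # placeholder tenant domain

# Users whose display name or address must not be impersonated.
# The required format for each entry is "DisplayName;EmailAddress".
$ProtectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',   # placeholder: CEO
    'John Roe;john.roe@contoso.com'    # placeholder: CFO
)

New-AntiPhishPolicy -Name $PolicyName `
    -Enabled $true `
    -EnableTargetedUserProtection $true `          # impersonation protection: users
    -TargetedUsersToProtect $ProtectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `       # impersonation protection: domains
    -TargetedDomainsToProtect @($Domain) `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `             # mailbox intelligence
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `               # spoof intelligence
    -AuthenticationFailAction Quarantine `
    -EnableFirstContactSafetyTips $true `          # first contact safety tips
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 3                         # 1 (standard) .. 4 (most aggressive)

# A policy is inert until a rule scopes it to recipients; priority 0 wins over other custom rules.
New-AntiPhishRule -Name "$PolicyName-Rule" `
    -AntiPhishPolicy $PolicyName `
    -RecipientDomainIs $Domain `
    -Priority 0

# Read the effective settings back so the change can be confirmed and recorded.
Get-AntiPhishPolicy -Identity $PolicyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUserProtectionAction,
                  EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction,
                  EnableSpoofIntelligence, AuthenticationFailAction, EnableFirstContactSafetyTips
```

The quarantine actions are deliberate: moving an impersonation hit to junk still leaves it one click from the user, whereas quarantine holds it for review. Raise the threshold level only after watching the quarantine for a few weeks, since level 4 will also catch some legitimate mail.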
Safe Links and Safe Attachments
Microsoft Defender for Office 365 Safe Links rewrites every URL in inbound email, routing clicks through Microsoft's threat intelligence infrastructure in real time. When a user clicks a link, Microsoft checks the destination against its current threat database — including newly registered domains and dynamically generated phishing pages that would not have appeared on a blocklist at the time the email was delivered. If the destination is identified as malicious at click time, the user is blocked and warned.
Safe Attachments detonates email attachments in a cloud-based sandbox environment before delivering them to the recipient's mailbox. If the attachment exhibits malicious behavior during sandbox analysis, it is blocked before the user ever sees it. The detonation adds a small delivery delay (typically 1–3 minutes) but eliminates the risk of macro-embedded malware and zero-day exploits delivered via attachment.
Configuration reality: Safe Links and Safe Attachments must be explicitly configured and enabled — they are not active by default even when you have the required license. Many businesses paying for Defender for Office 365 are not actually protected because the policies were never set up. IT Center's managed email security service includes policy configuration, validation, and ongoing tuning.
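Because the policies have to be created and scoped explicitly, the useful check is not "do we have the license" but "is there an enabled rule that actually covers our recipients". The following is an added example, not code from the original article or from IT Center: it creates a Safe Links policy and a Safe Attachments policy, binds each to the domain with a rule, and then audits coverage with a small function you can run on its own against an existing tenant. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 license, and placeholder names (`contoso.com`, the policy and rule names).

```powershell
# Added example (not the article's or IT Center's code). Placeholders: contoso.com,
# the admin account and the policy/rule names.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder admin account

$Domain = 'contoso.com'   # placeholder tenant domain

# Safe Links: rewrite URLs, scan the destination at click time, wait for the scan
# before delivery, and do not let users click through a block page.
New-SafeLinksPolicy -Name 'Contoso-SafeLinks' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `   # a compromised internal account is still a threat
    -TrackClicks $true `                # click telemetry feeds incident response
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Contoso-SafeLinks-Rule' `
    -SafeLinksPolicy 'Contoso-SafeLinks' `
    -RecipientDomainIs $Domain

# Safe Attachments: detonate in the sandbox and block the whole message if the
# attachment misbehaves; blocked mail goes to an admin-only quarantine.
New-SafeAttachmentPolicy -Name 'Contoso-SafeAttachments' `
    -Enable $true `
    -Action Block `
    -QuarantineTag 'AdminOnlyAccessPolicy'

New-SafeAttachmentRule -Name 'Contoso-SafeAttachments-Rule' `
    -SafeAttachmentPolicy 'Contoso-SafeAttachments' `
    -RecipientDomainIs $Domain

# Audit: report whether an enabled Safe Links / Safe Attachments rule covers a domain.
# This is the check that catches "licensed but never configured" tenants.
function Test-DefenderCoverage {
    param([Parameter(Mandatory)][string]$RecipientDomain)

    $safeLinks = Get-SafeLinksRule | Where-Object {
        $_.State -eq 'Enabled' -and $_.RecipientDomainIs -contains $RecipientDomain
    }
    $safeAttach = Get-SafeAttachmentRule | Where-Object {
        $_.State -eq 'Enabled' -and $_.RecipientDomainIs -contains $RecipientDomain
    }

    [pscustomobject]@{
        Domain                 = $RecipientDomain
        SafeLinksCovered       = [bool]$safeLinks
        SafeAttachmentsCovered = [bool]$safeAttach
        SafeLinksRules         = ($safeLinks  | ForEach-Object Name) -join ', '
        SafeAttachmentRules    = ($safeAttach | ForEach-Object Name) -join ', '
    }
}

Test-DefenderCoverage -RecipientDomain $Domain
```

Run `Test-DefenderCoverage` for every accepted domain in the tenant, not just the primary one; a rule scoped to `contoso.com` does nothing for mail addressed to a secondary domain.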
DMARC Enforcement
Configuring DMARC with a policy of p=reject on your domain prevents attackers from spoofing your domain in outbound phishing campaigns targeting your clients, partners, and vendors. It does not protect you from inbound phishing, but it protects your reputation and your relationships. See our full SPF, DKIM, and DMARC guide for implementation details.
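A quick way to confirm that a domain really is at enforcement, rather than at the monitoring-only `p=none` stage, is to read the published record and inspect its tags. The following is an added example, not code from the original article or from the linked guide: it resolves the `_dmarc` TXT record for a domain with the Windows DnsClient module's `Resolve-DnsName`, parses the tags, and reports whether the policy, the subdomain policy and the percentage together amount to full rejection. `contoso.com` is a placeholder.

```powershell
# Added example (not the article's code). Requires Resolve-DnsName (DnsClient module, Windows).
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # Fetch every TXT string at _dmarc.<domain> and keep the first one that is a DMARC record.
    try {
        $record = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
                  ForEach-Object { $_.Strings -join '' } |
                  Where-Object { $_ -like 'v=DMARC1*' } |
                  Select-Object -First 1
    } catch {
        $record = $null
    }

    if (-not $record) {
        return [pscustomobject]@{
            Domain = $Domain; Record = $null; Policy = 'none (no record)'
            SubdomainPolicy = 'none'; Percent = 0; Enforced = $false
        }
    }

    # Tags are "key=value" pairs separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($part in ($record -split ';')) {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }

    # p= is required; sp= defaults to p; pct= defaults to 100 and anything lower is partial enforcement.
    $policy = if ($tags.ContainsKey('p'))   { $tags['p'] }        else { 'none' }
    $sub    = if ($tags.ContainsKey('sp'))  { $tags['sp'] }       else { $policy }
    $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }

    [pscustomobject]@{
        Domain          = $Domain
        Record          = $record
        Policy          = $policy
        SubdomainPolicy = $sub
        Percent         = $pct
        Enforced        = ($policy -eq 'reject' -and $sub -eq 'reject' -and $pct -eq 100)
    }
}

Get-DmarcPolicy -Domain 'contoso.com'   # placeholder domain
```

`Enforced` is only true when all three conditions hold: a record that says `p=reject` but also carries `sp=none` still lets an attacker send as any subdomain, and `pct=50` means half of failing mail is still delivered.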
Phishing Simulation and Awareness Training
Microsoft 365 Defender includes Attack Simulation Training — a platform for sending realistic phishing simulation emails to your own employees, measuring click rates and credential submission rates, and automatically enrolling employees who click in targeted training modules.
The data from phishing simulation programs is consistent: untrained employees click phishing simulation emails at rates of 15–25%. After an initial simulation-plus-training cycle, that rate drops to 5–10%. After 12 months of regular simulation with immediate training on click, rates drop to 2–5%. The training works — but it requires consistency. A single annual training session produces a spike in awareness that fades within 60–90 days.
Effective phishing training programs run simulations monthly or quarterly, vary the simulation templates (credential harvesting, malware link, voice phishing precursors), use immediate "teachable moment" interventions when an employee clicks, and track improvement metrics over time rather than treating it as a checkbox exercise.
IT Center Managed Email Security
IT Center's managed email security service for Microsoft 365 environments includes the configuration, monitoring, and ongoing management of the full Defender for Office 365 stack: anti-phishing policies, Safe Links, Safe Attachments, DMARC enforcement, attack simulation scheduling, and monthly reporting on your organization's phishing risk posture.
For businesses on standalone email platforms, we deploy third-party email security gateways that provide equivalent protection layers independent of the Microsoft ecosystem. Our email security services page has the full scope of what managed email protection looks like under our program.
The question is not whether your business will be targeted by phishing — every business is targeted, every day, continuously. The question is whether the technical controls in place are sufficient to catch what humans will inevitably miss.
Is Your Email Security Actually Configured to Stop Phishing?
IT Center performs email security assessments for Southern California businesses — reviewing your Microsoft 365 policies, authentication records, and phishing simulation posture to identify what is protecting you and what isn't.
Get an Email Security Assessment
Or call us: (888) 221-0098 | [email protected]