CT · NY · NJ · Stamford HQ

Email remains the operating system of business relationships—and the preferred path for phishing, malware delivery, and business email compromise. This guide goes deeper than a single definition page: how attacks work, which controls actually reduce loss, and how finance and IT must work together.

Why email is still the front door

  • Everyone has an address; attackers do not need a zero-day
  • Trust and urgency are easy to forge in a thread
  • A compromised mailbox is a platform for fraud against your customers and vendors

Threat landscape

  • Phishing for credentials and MFA fatigue
  • Malware and ransomware loaders via attachments/links
  • Vendor email compromise (their tenant, your payments)
  • Lookalike domains and display-name spoofing
  • Internal lateral movement after mailbox takeover

Article: Email threat types explained.

Business email compromise deep dive

BEC often has little or no malware. Common patterns:

  • Executive impersonation (“send this wire now”)
  • Vendor bank detail changes mid-project
  • Real compromised mailbox continuing a legitimate thread
  • Payroll diversion

The highest ROI controls are frequently process: out-of-band verification for payment changes, dual control for wires, and cool-down periods.

Articles: BEC overview, How to prevent invoice fraud, Vendor email compromise.

Technical controls that matter

  • MFA on every mailbox—especially shared and privileged accounts
  • Anti-phishing policies and safe defaults for macros
  • External sender warnings
  • Disable risky automatic forwarding
  • Monitor inbox rules that forward or hide mail
  • DMARC/DKIM/SPF for domain spoofing resistance

Articles: DMARC, DKIM, and SPF explained, Defender for Office basics.

Process controls that stop wires

  • Any bank detail change requires a phone call to a known number (not the one in the email)
  • Dual approval above a dollar threshold
  • Callback scripts for finance staff
  • Vendor onboarding verification

Technology without process still loses money.

Microsoft 365 specifics

Most SMBs live in Exchange Online. Prioritize:

  • Licensing-appropriate threat protection
  • Conditional Access + MFA
  • Privileged account separation
  • Audit logging for mailbox access and forwarding rules

See M365 Security Guide.

When a mailbox is compromised

  1. Reset credentials and revoke sessions/tokens
  2. Remove malicious inbox rules and forwarding
  3. Check sent items and other mailboxes accessed
  4. Notify finance to freeze unusual payments
  5. Preserve logs; involve counsel/insurance when thresholds are met

Article: Responding to a compromised mailbox.

30-day email hardening plan

Week 1: MFA coverage audit; kill shared passwords; external tags on.

Week 2: Review forwarding rules; enable core anti-phish features; finance callback policy written.

Week 3: DMARC policy inventory (start monitoring if needed); train finance and executives.

Week 4: Tabletop a fake vendor bank-change email; fix gaps.

Want this applied to your environment?

Book a free 15-minute review. For a structured risk baseline, use ImpetraInsights™.