Email remains the operating system of business relationships—and the preferred path for phishing, malware delivery, and business email compromise. This guide goes deeper than a single definition page: how attacks work, which controls actually reduce loss, and how finance and IT must work together.
Why email is still the front door
- Everyone has an address; attackers do not need a zero-day
- Trust and urgency are easy to forge in a thread
- A compromised mailbox is a platform for fraud against your customers and vendors
Threat landscape
- Phishing for credentials and MFA fatigue
- Malware and ransomware loaders via attachments/links
- Vendor email compromise (their tenant, your payments)
- Lookalike domains and display-name spoofing
- Internal lateral movement after mailbox takeover
Article: Email threat types explained.
Business email compromise deep dive
BEC often has little or no malware. Common patterns:
- Executive impersonation (“send this wire now”)
- Vendor bank detail changes mid-project
- Real compromised mailbox continuing a legitimate thread
- Payroll diversion
The highest ROI controls are frequently process: out-of-band verification for payment changes, dual control for wires, and cool-down periods.
Articles: BEC overview, How to prevent invoice fraud, Vendor email compromise.
Technical controls that matter
- MFA on every mailbox—especially shared and privileged accounts
- Anti-phishing policies and safe defaults for macros
- External sender warnings
- Disable risky automatic forwarding
- Monitor inbox rules that forward or hide mail
- DMARC/DKIM/SPF for domain spoofing resistance
Articles: DMARC, DKIM, and SPF explained, Defender for Office basics.
Process controls that stop wires
- Any bank detail change requires a phone call to a known number (not the one in the email)
- Dual approval above a dollar threshold
- Callback scripts for finance staff
- Vendor onboarding verification
Technology without process still loses money.
Microsoft 365 specifics
Most SMBs live in Exchange Online. Prioritize:
- Licensing-appropriate threat protection
- Conditional Access + MFA
- Privileged account separation
- Audit logging for mailbox access and forwarding rules
See M365 Security Guide.
When a mailbox is compromised
- Reset credentials and revoke sessions/tokens
- Remove malicious inbox rules and forwarding
- Check sent items and other mailboxes accessed
- Notify finance to freeze unusual payments
- Preserve logs; involve counsel/insurance when thresholds are met
Article: Responding to a compromised mailbox.
30-day email hardening plan
Week 1: MFA coverage audit; kill shared passwords; external tags on.
Week 2: Review forwarding rules; enable core anti-phish features; finance callback policy written.
Week 3: DMARC policy inventory (start monitoring if needed); train finance and executives.
Week 4: Tabletop a fake vendor bank-change email; fix gaps.
Want this applied to your environment?
Book a free 15-minute review. For a structured risk baseline, use ImpetraInsights™.