We Found 979 Phishing Emails in 7 Days. Here's What Was Missing
24 March 2026
A large organisation came to us with a problem they didn't know the scale of. They were getting impersonation emails — messages spoofed to look like they came from the head of the organisation. The IT team had been creating individual mail flow rules to block each one as they spotted them. A manual game of whack-a-mole.
They knew it was happening. They didn't know how bad it was.
What We Found
We deployed a Microsoft Defender for Office 365 anti-phishing policy with spoof intelligence enabled. This is not a third-party tool or an expensive add-on — it's built into Microsoft 365 and included in most business licences. It was just never turned on.
Nearly a thousand emails in one week, all pretending to be from internal senders, all landing in people's inboxes alongside legitimate messages.
The manual mail flow rules had been catching a fraction of the actual volume. The real problem was orders of magnitude worse than anyone realised.
How the Fix Worked
The deployment was straightforward and took a single session:
- Spoof intelligence: Automatically identifies emails where the sender domain doesn't match authentication records. Instead of creating rules one by one, this catches the pattern.
- DMARC honour: Configured to respect DMARC policies — reject or quarantine emails that fail authentication. This is the standard that legitimate senders use to say "if an email fails these checks, don't deliver it."
- Unauthenticated sender indicators: Marks emails from unverified senders with a visual indicator in Outlook, so users can see at a glance whether a message is authenticated.
- Phased rollout: Started by routing suspicious emails to junk folders rather than quarantine, to monitor for false positives. After a week of clean results, moved to full quarantine enforcement.
Why This Matters for Every Business
This wasn't a sophisticated attack. There was no zero-day exploit, no advanced malware, no nation-state actor. It was basic email spoofing — one of the oldest tricks in the book — succeeding because the equally basic defences weren't in place.
And it's not unique to large organisations. Small businesses are hit by the same attacks — see our piece on why small businesses get targeted by hackers. The difference is that a 10-person office doesn't have someone monitoring the mail flow rules. The phishing emails just arrive, and people either catch them or they don't.
The tools to prevent this are already included in your Microsoft 365 subscription. Anti-phishing policies, spoof intelligence, DMARC configuration — they're all there. They just need to be turned on and configured correctly.
Key takeaway
The tools to stop email spoofing are already in your Microsoft 365 subscription. They just need to be turned on. An audit takes about an hour.
If you'd like us to run that check for you, our cybersecurity team can audit your existing Microsoft 365 setup.
Want to talk about this?
Book a free 15-minute call and we'll discuss how this applies to your business.
Book a Free CallGet IT tips in your inbox
Practical advice for small businesses. No spam.
