
Let's start with something important: Microsoft 365 email security works.
The native protections built into Microsoft 365 and Microsoft Defender for Office 365 stop an enormous volume of spam, malware, and known phishing attacks every day. For many organisations, these controls provide a strong foundation for email security.
But here's what we continue to see when working with customers: suspicious emails still reach user inboxes.
Urgent payment requests that appear to come from senior executives. Credential-harvesting emails that look identical to legitimate login pages. Supplier impersonation attacks that are almost impossible to distinguish from genuine communications.
When we ask, "How did this get through?", the answer is often simple:
The email carried nothing the filters classify as malicious, so there was nothing to block.
And that's where the challenge begins.
Most organisations operate from a reasonable assumption:
"We're paying for Microsoft 365, so our email security is covered."
It's understandable.
Microsoft provides built-in anti-spam and anti-malware filtering for every tenant, with Safe Links, Safe Attachments and a range of further threat protection capabilities available through Microsoft Defender for Office 365, depending on your licensing.
Those tools are valuable and effective.
But modern email attacks have evolved significantly.
Attackers are no longer relying solely on malicious attachments, obvious phishing attempts, or known malware signatures. Increasingly, they're targeting the human behind the keyboard.
As a Microsoft-accredited partner, Peritus works with organisations every day to understand not only what Microsoft protects against, but where additional visibility and controls may be required.
Consider a scenario we've seen repeatedly.
A finance manager receives an email appearing to come from their CFO.
The address looks legitimate.
The language sounds authentic.
The request is urgent.
A supplier payment needs approving immediately.
The email passes through Microsoft's filters and lands in the user's inbox.
Nobody in IT sees it.
By the time the organisation realises the request wasn't genuine, the funds have already been transferred.
This is Business Email Compromise (BEC) — one of the most financially damaging forms of cybercrime.
Microsoft includes anti-impersonation and anti-BEC protections, but like every security platform, no solution catches every attack. Highly targeted and carefully crafted campaigns can still succeed.
The same applies to phishing.
A user receives an email that appears to come from their bank, software provider, or a trusted supplier. The branding is accurate. The wording is professional. The links appear legitimate.
There is no malware attached.
No suspicious file.
Just a convincing request designed to manipulate a human decision.
These are not rare edge cases. According to Verizon's Data Breach Investigations Report, human interaction continues to play a significant role in successful breaches.
The challenge isn't necessarily technical anymore.
It's behavioural.
This isn't a Microsoft problem.
It's an attacker problem.
Over the last decade, organisations have become much better at securing infrastructure, patching vulnerabilities, and detecting malware.
Attackers have adapted.
Instead of asking:
"How do we break the technology?"
They're asking:
"How do we convince a person to let us in?"
And increasingly, they're using AI to help.
Generative AI allows attackers to create highly convincing phishing emails at scale, with realistic grammar, personalised messaging, and contextual information pulled from public sources such as LinkedIn, company websites, and social media.
The result is a new generation of attacks that are significantly harder for users to identify.
Even well-trained employees can be caught out.
For most mid-market organisations, email security isn't the only priority.
A typical IT manager or security lead might be responsible for:
Email security is just one part of a much larger workload.
This creates four common challenges:
Security tools generate hundreds of notifications and alerts.
When teams are stretched, genuine threats can become lost among routine noise.
Email, identity, endpoint, and cloud security data often sit in different consoles.
Understanding whether an email attack led to suspicious endpoint activity can be difficult without consolidated visibility.
When a suspicious email appears, teams often need to make quick decisions.
Is it malicious?
Is it targeted?
Has anyone interacted with it?
Without context, investigation becomes time-consuming.
Many organisations already own security capabilities within Microsoft 365 that are not fully configured, monitored, or understood.
The issue isn't necessarily a lack of security tools.
It's understanding whether those tools are delivering the protection expected.
In a recent engagement with a UK healthcare organisation, we identified significant security gaps linked to Microsoft 365 configuration and identity management.
The organisation had invested in security technologies, but several capabilities were not fully configured or actively monitored.
This is far from unusual.
Many businesses discover they already own security functionality that could reduce risk substantially — if it were correctly configured and operationalised.
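Both the impersonation protections mentioned above and the "owned but not configured" finding come down to the same check: what does the tenant's anti-phishing policy actually have switched on? The following is an added example, not code from Peritus or from Microsoft's documentation. It audits the default anti-phishing policy in Exchange Online and then hardens it; it assumes the ExchangeOnlineManagement module, an account with the Security Administrator role, and Defender for Office 365 licensing for the impersonation and mailbox-intelligence settings. The executive name and supplier domain are placeholders.

```powershell
# Added example (not Peritus's code): audit, then harden, the default anti-phishing policy.
# Assumes ExchangeOnlineManagement is installed and Defender for Office 365 is licensed;
# without that licence the impersonation parameters below are rejected.
Connect-ExchangeOnline

$policyName = "Office365 AntiPhish Default"
$policy = Get-AntiPhishPolicy -Identity $policyName

# 1. Audit: these are the settings that most often still sit at their defaults.
#    Impersonation protection off and an empty TargetedUsersToProtect list mean a
#    "CFO" message from an outside mailbox receives no impersonation verdict at all.
$policy | Select-Object `
    EnableTargetedUserProtection, TargetedUsersToProtect, TargetedUserProtectionAction, `
    EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection, TargetedDomainsToProtect, `
    EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction, `
    EnableSpoofIntelligence, AuthenticationFailAction, EnableUnauthenticatedSender, `
    EnableFirstContactSafetyTips, PhishThresholdLevel | Format-List

# 2. Harden: protect named executives, your own domains and key supplier domains, and
#    turn on mailbox intelligence so unusual senders using a known contact's name are flagged.
#    TargetedUsersToProtect entries are "Display Name;email" pairs. Values are placeholders.
$executives = @("Jane Smith;jane.smith@contoso.com")
$supplierDomains = @("trusted-supplier.example")

Set-AntiPhishPolicy -Identity $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $supplierDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true `
    -EnableFirstContactSafetyTips $true `
    -PhishThresholdLevel 2

# Re-read the policy so the change is visible in the same session.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect, EnableMailboxIntelligenceProtection, PhishThresholdLevel
```

Run the audit half first and keep the output: the gap between what is owned and what is enabled is usually the whole story. Quarantine is the safer action for executive and domain impersonation; mailbox-intelligence verdicts are noisier, so moving those to the Junk folder (MoveToJmf) is a reasonable starting point before tightening.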
Organisations that successfully reduce email risk tend to focus on three key areas.
No single platform catches everything.
Microsoft provides an excellent foundation, but many organisations choose to supplement native controls with additional detection and visibility capabilities designed to identify sophisticated phishing, impersonation, and social engineering attacks.
It's important to understand not only what has been blocked, but also what is successfully reaching user inboxes.
Visibility into delivered threats often reveals risks that traditional reporting misses.
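"What is reaching inboxes" is a question the tenant can answer directly through advanced hunting. The following is an added example, not code from Peritus; it assumes Defender for Office 365 Plan 2 (which includes advanced hunting), the Microsoft.Graph.Security PowerShell module, and an account consented to the ThreatHunting.Read.All scope. It lists inbound mail that Microsoft itself tagged as phishing or impersonation but still delivered, drops anything that zero-hour auto purge later removed, and joins on any recorded user clicks. Reading the rows from `Results[*].AdditionalProperties` reflects how the Graph SDK returns hunting output in the versions I have used; adjust if your SDK version differs.

```powershell
# Added example (not Peritus's code): hunt for phishing that was delivered, not blocked,
# and see whether anyone clicked. Requires Microsoft.Graph.Security and ThreatHunting.Read.All.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

# KQL run through the Graph runHuntingQuery endpoint.
#  - EmailEvents: DeliveryAction "Delivered" means it landed in a mailbox folder,
#    as opposed to "Blocked" or "Junked".
#  - EmailPostDeliveryEvents: successful ZAP actions mean the message was later pulled back.
#  - UrlClickEvents: Safe Links click records, joined on NetworkMessageId.
$kql = @'
let lookback = 7d;
let zapped = EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("Phish ZAP", "Malware ZAP") and ActionResult == "Success"
    | project NetworkMessageId, RecipientEmailAddress;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound" and DeliveryAction == "Delivered"
| where ThreatTypes has "Phish" or tostring(DetectionMethods) has "Impersonation"
| join kind=leftanti zapped on NetworkMessageId, RecipientEmailAddress
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, ClickTime = Timestamp, ClickAction = ActionType, Url
  ) on NetworkMessageId
| project Timestamp, RecipientEmailAddress, SenderFromAddress, SenderDisplayName, Subject,
          ThreatTypes, DeliveryLocation, ClickTime, ClickAction, Url
| order by Timestamp desc
'@

$response = Start-MgSecurityHuntingQuery -Query $kql

# Each result row carries its columns in AdditionalProperties; flatten to objects.
$rows = $response.Results | ForEach-Object { [pscustomobject]$_.AdditionalProperties }

# Delivered-and-still-present phish, with click evidence where it exists.
$rows | Format-Table Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryLocation, ClickAction, Url -AutoSize

# Anyone with a ClickAction of "ClickAllowed" reached the link; these are the users to contact first.
$clicked = $rows | Where-Object { $_.ClickAction -eq "ClickAllowed" }
"{0} delivered phishing messages in the last 7 days, {1} with an allowed click" -f $rows.Count, $clicked.Count
```

The same query pasted into the advanced hunting portal gives the same answer without the Graph step. Note what this report cannot show: mail that Microsoft delivered with no threat verdict at all, which is exactly the BEC case described earlier. For that, the next step is filtering EmailEvents on SenderDisplayName matching an executive's name with a SenderFromAddress outside your domains.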
Technology alone cannot eliminate email-based attacks.
Practical, relevant security awareness and user education remain essential components of a modern email security strategy.
The question isn't:
"Do we need more security tools?"
The better question is:
"Do we understand what is actually reaching our users?"
Most organisations don't.
Some assume Microsoft is handling everything.
Others suspect gaps exist but lack the visibility to confirm them.
Understanding your baseline is the first step towards making informed security decisions.
No sales pressure.
No obligation.
Just a clear picture of your current security posture and practical recommendations for improvement.
Find out what's actually landing in your users' inboxes.
Book your free Microsoft 365 Security & Optimisation Health Check today.