
Your Microsoft (and Google) Email Filter Is Not Enough: How to Close the Gap

Your Microsoft 365 or Google Workspace subscription includes email filtering, but it was not designed to be your only line of defense. Here is what it misses and the practical steps your office can take to close the gap.

Elevate Solutions
June 27, 2026 · 6 min read

Your Microsoft 365 or Google Workspace subscription came with email filtering turned on. It is easy to assume that takes care of your phishing problem. It does not — and the distance between what those built-in filters catch and what attackers actually send carries real consequences for a small office that handles client funds, medical records, or confidential case files.

The short answer: Microsoft 365 and Google Workspace include baseline email filtering designed to block bulk spam, not to stop sophisticated phishing, business email compromise, or novel malware. A small firm closes the gap by layering a dedicated email security tool on top, enforcing multi-factor authentication, activating link and attachment scanning, training staff regularly, and establishing a clear process for reporting suspicious messages.

What the built-in filter actually does

Both Microsoft's Exchange Online Protection and Google's built-in filtering lean on what is already known: sender and domain reputation, signatures of malware seen before, and authentication checks (SPF, DKIM, DMARC) that confirm a message really came from the domain it claims. They block most mass-mailed spam and flag many known phishing domains. For generic junk, they do their job. The problem is the category of attacks they were not built to catch: a message from a domain with no history, carrying nothing that has ever been seen before.

Where built-in filtering falls short

  • Business email compromise (BEC). An attacker impersonates your bookkeeper, a vendor, or a client contact and requests a wire transfer or a sensitive document. These messages contain no malware and no suspicious link. Signature-based filters rarely flag them.
  • Lookalike domains. Attackers register domains like vendorname-invoice.com or c1ientname.com hours before sending. The domain is brand new, so there is no bad reputation to fail on, and because the attacker owns it the message passes SPF and DKIM checks cleanly. It often sails straight through.
  • Zero-day malware in attachments. A PDF or spreadsheet carrying a newly created payload has not yet appeared on any blocklist. It arrives looking clean.
  • Links that turn malicious after delivery. Some phishing URLs point to a legitimate site at the time of filtering, then redirect to a credential-harvesting page once the message is already in your inbox.
  • Fake login pages with no payload. A convincing copy of your Microsoft or Google sign-in screen — no file, no macro, just a form that sends your password to an attacker. Many filters miss it entirely.

Any one of those scenarios can produce a reportable incident. In a regulated industry, that means notifying clients, regulators, or both.
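
The lookalike-domain problem is one a small office can check for itself, because the firm knows which vendor and client domains it actually deals with. The PowerShell below is an added example, not code from the original article or from Microsoft or Google: it folds common character substitutions (1 for l, rn for m), pulls apart hyphenated add-ons, and measures spelling distance against a trusted list. The trusted domains and the sample sender addresses are constructed for illustration; in practice the sender column of a message trace would be the input.

```powershell
# Added example (not from the original article): flag sender domains that imitate a
# firm's known vendor and client domains. The trusted list and the sample senders are
# constructed for illustration; in practice, feed it the SenderAddress values from
# Get-MessageTrace (or a mail-flow report) for the last day or two.

$TrustedDomains = @('vendorname.com', 'clientname.com', 'contoso.com')   # assumed: the firm's own list

# Characters attackers swap in for look-alikes, folded to the letters they imitate.
# Folding is applied to BOTH sides of every comparison, so it never has to be perfect.
$Homoglyphs = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's'; '7' = 't'; '8' = 'b'; 'rn' = 'm'; 'vv' = 'w' }

function ConvertTo-FoldedLabel {
    param([string]$Label)
    $out = $Label.ToLowerInvariant()
    foreach ($k in ($Homoglyphs.Keys | Sort-Object { $_.Length } -Descending)) {   # two-char keys first
        $out = $out.Replace($k, $Homoglyphs[$k])
    }
    return $out
}

function Get-EditDistance {
    # Levenshtein distance: how many single-character edits turn $A into $B.
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = @($i) + @(0) * $B.Length
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($curr[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Get-RegistrableDomain {
    # Reduce "mail.vendorname.com" to "vendorname.com". Simplification: assumes a one-label
    # public suffix (.com, .org), so "example.co.uk" would come out as "co.uk".
    param([string]$Domain)
    $parts = $Domain.ToLowerInvariant().TrimEnd('.') -split '\.'
    if ($parts.Count -le 2) { return ($parts -join '.') }
    return ($parts[-2..-1] -join '.')
}

function Test-LookalikeDomain {
    # Returns a reason string if $SenderDomain imitates a trusted domain, otherwise $null.
    param([string]$SenderDomain, [string[]]$Trusted)
    $domain = Get-RegistrableDomain $SenderDomain
    if ($Trusted -contains $domain) { return $null }                  # genuinely ours or theirs
    $label, $tld = $domain -split '\.', 2
    $folded = ConvertTo-FoldedLabel $label
    foreach ($t in $Trusted) {
        $tLabel, $tTld = $t -split '\.', 2
        $tFolded = ConvertTo-FoldedLabel $tLabel
        if ($label -eq $tLabel)   { return "same name as $t under a different TLD (.$tld)" }
        if ($folded -eq $tFolded) { return "homoglyph spelling of $t" }
        if (($folded -split '-') -contains $tFolded) { return "trusted name '$tLabel' with an add-on, imitating $t" }
        if ($tFolded.Length -ge 6 -and (Get-EditDistance $folded $tFolded) -le 1) { return "one edit away from $t" }
    }
    return $null
}

function Get-LookalikeReport {
    param([string[]]$Senders, [string[]]$Trusted)
    foreach ($s in $Senders) {
        $domain = ($s -split '@')[-1]
        $reason = Test-LookalikeDomain -SenderDomain $domain -Trusted $Trusted
        if ($reason) { [pscustomobject]@{ Sender = $s; Reason = $reason } }
    }
}

# Constructed sample, not real traffic.
$SampleSenders = @(
    'accounts@vendorname.com',          # legitimate
    'billing@vendorname-invoice.com',   # the article's hyphen add-on example
    'partner@c1ientname.com',           # the article's digit-for-letter example
    'ap@vendornarne.com',               # "rn" standing in for "m"
    'info@vendorname.net',              # right name, wrong TLD
    'ap@vendornme.com',                 # one character dropped
    'news@unrelated-company.org'        # unrelated, should not be flagged
)
Get-LookalikeReport -Senders $SampleSenders -Trusted $TrustedDomains | Format-Table -AutoSize
```

Each rule targets one trick from the list above: the TLD rule catches the same name on a different suffix, the homoglyph rule catches digit and letter-pair substitutions, the hyphen rule catches the "-invoice" and "-secure" add-ons, and the one-edit rule catches a dropped or swapped letter. Exact matches to the trusted list are never flagged, so the output is the short list of senders worth a phone call before anyone acts on the message.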

Five steps a small firm takes to close the gap

Step 1: Add a dedicated email security layer

A third-party email security platform applies a separate set of detection engines alongside your built-in filter. Microsoft offers Defender for Office 365 as a paid add-on for 365 subscribers (Plan 1 is already bundled with Microsoft 365 Business Premium; Plan 2 adds investigation and response tooling). Google Workspace users can add comparable tools through the Workspace Marketplace or a managed provider. The critical feature is attachment sandboxing: detonating a suspicious file inside a contained environment before it ever reaches your inbox. This catches many threats that have no prior reputation to flag, because it judges what the file does rather than whether it has been seen before.

Step 2: Enforce multi-factor authentication on every account

MFA stops most credential-theft phishing attacks. When an attacker captures a password through a fake login page, they still cannot complete sign-in without the second factor. Enable MFA for every user in your tenant, including administrative accounts and any shared-mailbox account that has sign-in enabled (better still, block direct sign-in to shared mailboxes; the staff who use them already authenticate with their own accounts). Use an authenticator app rather than SMS where your platform allows it; SMS codes can be intercepted through SIM-swapping attacks. Two caveats a firm should know: a prompt that only asks you to tap "Approve" can be worn down by repeated prompts, so make sure number matching is in effect; and adversary-in-the-middle phishing kits proxy the genuine login page, relay the one-time code, and steal the resulting session cookie. For the people who approve payments or administer the tenant, move toward phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the real site and cannot be relayed.

Step 3: Activate link and attachment scanning

Microsoft's Safe Links rewrites every URL in an incoming message so that each click is checked at the moment it happens, not just at the time of delivery. Safe Attachments opens files in a sandbox before releasing them. Google's advanced phishing and malware protection settings, plus the security sandbox for attachments on its Enterprise editions, provide comparable controls. Whether these are on depends on licensing and on how your tenant was set up: Safe Links and Safe Attachments exist only with a Defender for Office 365 license (Plan 1 comes with Microsoft 365 Business Premium), and even then a policy has to actually apply to each user. Confirm with your IT provider that they are active and set correctly.

Step 4: Run short, regular phishing training

A one-time onboarding session is not training. Phishing simulations — realistic but harmless test messages sent to your staff — identify who is clicking before a real attacker does. Keep modules short. A five-minute awareness video followed by a simulated phishing test is more effective than an annual all-hands presentation. A managed IT provider can run these on a recurring schedule without adding anything to your workload.

Step 5: Build a simple process for reporting suspicious email

Your staff needs to know exactly what to do when something looks wrong: do not click, do not forward, report immediately. Most email security platforms provide a one-click report button inside Outlook or Gmail. If yours does not, write the procedure in plain language and post it somewhere visible. Designate one contact point — your IT provider or a named person in the office — so there is no confusion about where to call when it happens.

A quick checklist before you move on

Confirm the following on your Microsoft 365 or Google Workspace tenant today:

  • MFA is enabled for all users, including admin and shared accounts.
  • Link scanning is configured to run at time of click, not only at message delivery.
  • Attachment sandboxing is active.
  • A second email security layer sits alongside the platform default.
  • Every person in the office can answer: "What do I do if I get a suspicious email?"
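
On a Microsoft 365 tenant, the first four items can be checked from PowerShell rather than by clicking through the admin portals. The script below is an added example, not code from the original article or from Microsoft. It is read-only and assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account can read security and policy settings. The fifth item, like Steps 4 and 5, is a people control that no script can verify, and Google Workspace has no equivalent shown here.

```powershell
# Added example, not part of the original article: a read-only audit of a Microsoft 365
# tenant against the checklist above. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the signed-in account can read security and
# policy settings (Global Reader is enough). Nothing below changes configuration.
# If the Safe Links / Safe Attachments cmdlets are "not recognized", the tenant has no
# Defender for Office 365 license at all, which is itself the first finding.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All',
    'User.Read.All', 'Policy.Read.All'

$findings = [System.Collections.Generic.List[string]]::new()

# --- Checklist item: links checked at time of click --------------------------------
# Coverage can come from classic Safe Links rules or from the Standard/Strict preset
# policies; Built-in protection also covers licensed users unless they were excluded.
$linkRules   = @(Get-SafeLinksRule           | Where-Object State -eq 'Enabled')
$presetRules = @(Get-ATPProtectionPolicyRule | Where-Object State -eq 'Enabled')
if (-not $linkRules -and -not $presetRules) {
    $findings.Add('No enabled Safe Links or preset rule: URLs are not re-checked when clicked.')
}
foreach ($p in Get-SafeLinksPolicy) {
    if (-not $p.EnableSafeLinksForEmail)  { $findings.Add("Safe Links '$($p.Name)': email is not covered.") }
    if (-not $p.ScanUrls)                 { $findings.Add("Safe Links '$($p.Name)': real-time URL scanning is off.") }
    if ($p.AllowClickThrough)             { $findings.Add("Safe Links '$($p.Name)': users can click through the warning page.") }
    if (-not $p.EnableForInternalSenders) { $findings.Add("Safe Links '$($p.Name)': internal mail is not scanned (a compromised colleague's mailbox bypasses it).") }
}

# --- Checklist item: attachment sandboxing active ----------------------------------
$attPolicies = @(Get-SafeAttachmentPolicy)
if (-not $attPolicies) { $findings.Add('No Safe Attachments policy exists; files are not detonated before delivery.') }
foreach ($p in $attPolicies) {
    if (-not $p.Enable) { $findings.Add("Safe Attachments '$($p.Name)': policy is disabled."); continue }
    if ("$($p.Action)" -in 'Allow', 'Off') {
        $findings.Add("Safe Attachments '$($p.Name)': Action is '$($p.Action)', so detected malware is still delivered.")
    }
}

# --- Checklist item: MFA for everyone, shared accounts included ----------------------
# Shared mailboxes are reached through delegated users' own sign-ins; the mailbox's own
# account should be sign-in-blocked so there is no password to phish.
foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $acct = Get-MgUser -UserId $mbx.UserPrincipalName -Property AccountEnabled
    if ($acct.AccountEnabled) {
        $findings.Add("Shared mailbox $($mbx.UserPrincipalName) allows direct sign-in; block it or enforce MFA on it.")
    }
}
# Registration report: who has no MFA method at all, and who has only SMS/voice.
foreach ($r in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    $methods = $r.MethodsRegistered -join ','
    if (-not $r.IsMfaRegistered) {
        $tag = if ($r.IsAdmin) { 'ADMIN' } else { 'User' }
        $findings.Add("$tag $($r.UserPrincipalName) has no MFA method registered.")
    }
    elseif ($methods -notmatch 'Authenticator|fido2|windowsHello|passKey|softwareOneTime') {
        $findings.Add("$($r.UserPrincipalName) relies on SMS/voice only ($methods); move to an authenticator app or security key.")
    }
}
# Registration is not enforcement: either Security Defaults or a Conditional Access
# policy must actually require MFA at sign-in.
$defaults    = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
})
if (-not $defaults.IsEnabled -and -not $mfaPolicies) {
    $findings.Add('Neither Security Defaults nor an enabled Conditional Access policy requires MFA.')
}

if ($findings.Count -eq 0) { 'No gaps found against the checklist.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The registration report covers every account, so a shared mailbox whose sign-in is correctly blocked will also show up as having no MFA method; read those lines against the shared-mailbox findings rather than treating them as gaps. The "second email security layer" item is satisfied on the Microsoft side when the Safe Links and Safe Attachments sections come back clean, since those cmdlets only exist in tenants that have Defender for Office 365.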

If any of those answers is uncertain, that is where to start. The built-in filter handles the easy attacks. These five steps handle the ones that matter to your clients, your regulators, and your firm.

Frequently asked questions

Is Microsoft Defender for Office 365 enough on its own?

Defender for Office 365 Plan 2 is substantially stronger than the base Exchange Online Protection included with standard subscriptions, but it still works best alongside enforced MFA, user training, and a documented reporting process. No single control replaces defense in depth.

How does multi-factor authentication help with email security specifically?

Most credential-theft phishing attacks fail at the MFA step: an attacker who captures your password through a fake login page still cannot access your account without the second factor. It is one of the highest-return controls a small firm can put in place with relatively little effort. The caveat is that adversary-in-the-middle phishing kits proxy the genuine sign-in page, relay the one-time code or push approval, and then steal the resulting session cookie, so for the accounts that approve payments or administer the tenant, phishing-resistant methods such as FIDO2 security keys or passkeys are the stronger choice.

What is business email compromise and why do filters miss it?

Business email compromise is when an attacker impersonates a colleague, vendor, or executive to request a wire transfer or sensitive data. These messages typically contain no malware and no suspicious links, so signature-based filters rarely flag them. Human awareness is the primary defense against BEC, backed by one fixed rule: any change to payment details, and any urgent request to move money, is confirmed by phone at a number already on file, never at a number supplied in the email itself.

How do I run phishing training without a dedicated IT person on staff?

Several security platforms automate phishing simulations and short awareness modules on a recurring schedule with minimal hands-on administration after initial setup. A managed IT provider can operate the entire training program on your behalf.

What should my employees do when they receive a suspicious email?

Do not click any link or open any attachment. Do not forward the message. Use the report button in your email client or contact your designated IT support immediately. Write this procedure down and make it visible to everyone in the office — not just in the employee handbook no one reads.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions