Publish date: 07.07.25

Phishing isn’t just a headline anymore — it’s personal. I’ve sat across from IT teams after they’ve discovered a finance director’s mailbox had been quietly taken over for weeks. I’ve worked with HR departments who unknowingly shared sensitive files because the link looks legitimate. And I’ve seen what happens when phishing attacks slip through the net: downtime, panic, reputational damage, and, all too often, significant figures when it comes to lost revenue.

Phishing attacks today are clever, targeted, and increasingly accelerated with AI. They exploit trust, fatigue, and human nature. More than 90% of breaches still start with a simple email. That’s why your defences need to go beyond the inbox and stay ahead of evolving threats. 

Here are nine practical, tested strategies — the kind I’ve seen work in real-world incidents — to help you build a stronger, smarter phishing defence posture across Microsoft 365, your endpoints, and cloud-native platforms.  

1. Use Behaviour-Based Email Threat Detection

Rather than relying solely on blocklists or static filters, organisations should deploy AI-powered threat detection. I remember a case where a single spoofed email led to the fraudulent transfer of six figures — all because it mimicked the CEO’s writing style. Traditional filters didn’t catch it. 

That’s why static blocklists and keyword rules are no longer enough. To counter today’s threats, you need AI-driven analysis that examines how your users communicate — their phrasing, timing, and patterns — and flags anomalies like urgent wire transfer requests or odd login behaviour. The system should also work natively with Microsoft 365 without rerouting mail, keeping delivery fast and reliable. This allows for swift detection of business email compromise (BEC), zero-day payloads, and polymorphic phishing attacks.

2. Train Users in a Way That Actually Works in the Real World

One client had been running the same phishing test for months. Everyone passed — on paper. But when a real phishing email hit, five employees clicked within the space of an hour. The problem? The training had become predictable, which led to increased complacency among users. 

To combat this, you need adaptive training that changes based on how users behave. If someone clicks a simulated phishing attempt, they should get more training — not just a slap on the wrist. Tie it to their role too: your finance team faces different threats than your developers. And don’t forget to automate enrolment and reporting. It should run in the background, not be a burden. 

Integration with identity platforms like LDAP or Azure AD can enable automated provisioning and role-based reporting, making the training program scalable and auditable. Adaptive training improves user confidence and ultimately helps reduce false positives. 

3. Watch for Account Takeover — Especially After Login

One of the most damaging attacks I’ve seen involved a compromised mailbox that was quietly sending internal phishing emails for weeks. On the surface, these emails looked like internal comms, so nobody questioned them — until the sender started asking for gift card purchases. 

Post-login monitoring is crucial. Look at logins from unusual locations, unexpected forwarding rules, and sudden behaviour changes. Keep an eye out for OAuth abuse too, where attackers gain mailbox access through malicious third-party app consents without ever stealing a password. Spotting that early means you can lock it down before the attacker does real harm. Early detection of compromised accounts enables rapid containment, such as quarantining accounts or blocking their ability to send further messages.
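The three post-login signals above (unusual login location, external forwarding rules, risky OAuth consents) as detection logic run over a handful of constructed audit events. This is an added example, not code from the original post; the event field names are a simplified assumption loosely modelled on Microsoft 365 audit records, and `ORG_DOMAIN` and the baseline countries are assumed inputs.

```python
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "offline_access"}

# Constructed sample events: one normal login, then three takeover indicators
# on the CFO's mailbox, plus a benign rule on a different account.
EVENTS = [
    {"op": "UserLoggedIn", "user": "cfo@example.com", "country": "GB"},
    {"op": "UserLoggedIn", "user": "cfo@example.com", "country": "NG"},
    {"op": "New-InboxRule", "user": "cfo@example.com",
     "params": {"ForwardingSmtpAddress": "drop@evil-example.net", "DeleteMessage": True}},
    {"op": "Consent to application", "user": "cfo@example.com",
     "params": {"AppDisplayName": "Mail Sync Helper", "Scopes": "Mail.Read offline_access"}},
    {"op": "New-InboxRule", "user": "hr@example.com",
     "params": {"MoveToFolder": "Archive"}},
]

def external_domain(addr):
    """True when a forwarding target lies outside the organisation's domain."""
    return bool(addr) and not addr.lower().endswith("@" + ORG_DOMAIN)

def detect_takeover_signals(events, baseline_countries):
    """Return (user, reason) findings. baseline_countries maps user -> countries
    seen in a known-good period (assumption: built from earlier sign-in logs)."""
    findings = []
    seen = defaultdict(set, {u: set(c) for u, c in baseline_countries.items()})
    for ev in events:
        user, op, params = ev["user"], ev["op"], ev.get("params", {})
        if op == "UserLoggedIn":
            if seen[user] and ev["country"] not in seen[user]:
                findings.append((user, f"login from unusual country {ev['country']}"))
            else:
                seen[user].add(ev["country"])  # only learn from non-anomalous logins
        elif op in ("New-InboxRule", "Set-InboxRule"):
            fwd = params.get("ForwardingSmtpAddress") or params.get("ForwardTo")
            if external_domain(fwd):
                findings.append((user, f"inbox rule forwards mail to external {fwd}"))
            if params.get("DeleteMessage"):
                findings.append((user, "inbox rule silently deletes messages"))
        elif op == "Consent to application":
            risky = set(params.get("Scopes", "").split()) & RISKY_SCOPES
            if risky:
                app = params.get("AppDisplayName", "?")
                findings.append((user, f"OAuth consent to {app} with {sorted(risky)}"))
    return findings

if __name__ == "__main__":
    for user, reason in detect_takeover_signals(EVENTS, {"cfo@example.com": {"GB"}}):
        print(f"{user}: {reason}")
```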

4. Lock Down Your Domain with SPF, DKIM, and DMARC

If you haven’t done this already, make it a priority. I once worked with a company whose domain was being spoofed so convincingly, customers were getting fake invoices from “[email protected].” They hadn’t implemented DMARC — so there was nothing stopping attackers from pretending to be them. 

Authenticate every email your domain sends. Implementing SPF, DKIM, and DMARC protocols is essential to prevent domain spoofing and unauthorised use of your email domains. Tools that provide visibility into email traffic sources and guide remediation of misconfigured third-party senders make it easier. The result? Only your authorised systems can send on your behalf — and fakes are blocked.  
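A small checker for the two DNS records that do most of the work here: it grades constructed SPF and DMARC TXT records and reports the weak settings (an open or neutral `all`, a monitor-only `p=none`, partial `pct`, no reporting address) that leave a domain spoofable. This is an added example rather than code from the post; a real check would fetch the records over DNS instead of taking strings.

```python
# Constructed records for the demo: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def assess_spf(record):
    """Return weaknesses found in an SPF record (empty list means acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    issues = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        issues.append("'+all' allows any host to send as the domain")
    elif final == "?all":
        issues.append("'?all' is neutral, so spoofed mail is not failed")
    elif final not in ("-all", "~all"):
        issues.append("record does not end with an 'all' mechanism")
    # RFC 7208 caps DNS-querying mechanisms at 10; beyond that SPF permerrors.
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in LOOKUP_MECHS)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10")
    return issues

def assess_dmarc(record):
    """Return weaknesses found in a DMARC record (empty list means acceptable)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or unknown p= policy")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports on who sends as you")
    return issues
```

Run `assess_spf(WEAK_SPF)` and `assess_dmarc(WEAK_DMARC)` to see the findings; the hardened pair returns empty lists.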

5. Don’t Forget Collaboration Tools — They’re the ‘New Email’

Attack vectors have also evolved. In one breach, an attacker dropped a malicious Excel macro into a Microsoft Teams conversation between a project manager and a vendor. As with many similar attacks, it was weeks before anyone realised what had happened and the breach was discovered. It’s crucial that your users know that a shared link can be just as dangerous as an email attachment and that phishing doesn’t stop at the inbox.

Attackers love Teams, OneDrive, and SharePoint for a reason — they’re trusted by companies and employees alike. Protect these platforms using immutable backup solutions that provide versioning, granular restores, and independence from native retention policies. This ensures data recovery during ransomware events or targeted attacks, and helps meet compliance obligations such as GDPR or ISO 27001. 

6. Automate Incident Response Before You Need It

When you’re staring at 2,000 inboxes and a phishing email just hit “Reply All” you don’t have time for manual clean-up. I’ve seen teams lose hours chasing down emails one by one — only to realise a second variant got through during the chaos. 

You need tooling that can search, identify, and remove malicious emails at scale. Workflow automation enables Tier 1 analysts to handle remediations typically requiring higher-level intervention, reducing response times. The faster your response, the less damage is done – rapid containment is essential after a phishing incident. Automated response tools should allow your security team to retrospectively search and remove malicious emails across user mailboxes. 

7. Protect Against Phishing Outside of Email

QR code scams. Fake browser pop-ups. SMS messages that link to credential harvesters. I’ve seen them all — and they often bypass traditional email security entirely. 

This is where web filtering comes in. You want to block malicious domains at the DNS layer before the connection even happens. Whether someone clicks from their work laptop or personal mobile on guest Wi-Fi, they should be protected by the same policies. These tools should be deployable across cloud, endpoint, and hybrid environments, ensuring consistent enforcement of access policies, including for remote or BYOD users. 

8. Adopt Zero Trust with App Access

I once worked with a team where one compromised user credential led to multiple internal systems being breached. Why? Once inside the VPN, attackers had the keys to everything. But credential compromise doesn’t have to lead to lateral movement. 

Zero Trust Network Access (ZTNA) changes that. It evaluates the user, the device, their location, and the app they’re accessing. You get per-session, conditional access — not a free-for-all once they’re in. Think of it as “just enough access”, not “all access all the time”.  

9. Monitor, Audit, and Tune Constantly

Static settings get stale fast. In one case, we found phishing emails slipping through simply because the threat patterns had evolved — but the filters hadn’t. 

Use dashboards and SIEM/XDR integrations to correlate data across email, endpoints, and identity platforms. Track how users are interacting with emails, what they’re clicking, and how often they’re being tested. Then use that data to tweak your defences — and your training — continuously. 

We’ve seen what happens when phishing gets through

I’ve also seen how much more resilient businesses become when they take a layered, adaptive approach. 

These strategies aren’t just theory. They’re pulled from real-world incidents, recovery efforts, and lessons learned the hard way. If you’re reading this and wondering where to start — start with visibility, start with training, and start now.