Aloha!
I have a confession. I used to think Gmail’s spam filter was basically unbeatable. Then I started doing security work for growing organizations and saw firsthand how many dangerous emails were sitting quietly in people’s inboxes, completely untouched by any filter.
Over 3.8 million phishing attacks were recorded in 2025 (Keepnet Labs, 2025). The FBI says phishing is still the most-reported cybercrime type, with 193,407 complaints in 2024 alone (FBI IC3 Annual Report, 2024). That is not a failure of technology. It is a blind spot in how most organizations configure the technology they already have.
This post walks you through exactly what is happening, what settings to change, and what free tools actually help.
How Does Modern Phishing Actually Work?
The “Nigerian prince” era is long gone. Today’s phishing is targeted, AI-assisted, and designed to look like the emails you get every day. Business Email Compromise (BEC) alone caused $2.77 billion in U.S. losses in 2024 (FBI IC3 Annual Report, 2024).
Here is what I see most often in the organizations I work with.
Credential Harvesting on Trusted Platforms
The attacker sends what looks like a login notification from Microsoft or Google. The link goes to a fake login page. You type your password. They have it.
What has changed is where these fake pages live. Attackers now host them on Google Cloud, Cloudflare Workers, and other trusted platforms (Malwarebytes, January 2026). Your email filter sees a link to google.com and lets it through. That is the hidden risk.
Business Email Compromise
BEC does not use malware or fake links. The attacker impersonates a CEO or vendor and asks for a wire transfer or updated payment details. These emails often come from compromised legitimate accounts, not spoofed addresses. In fact, 57.9% of phishing emails originate from compromised accounts (Cofense, 2025).
Your filter sees a real sender, valid authentication, and clean content. Nothing to flag. That is the quiet failure.
QR Code Phishing
QR code phishing surged 331% year-over-year according to Cofense. About 12% of all phishing attacks now use a QR code instead of a clickable link (Keepnet Labs, 2025). Most email filters cannot read QR code destinations. You scan it on your phone, and every desktop security tool is bypassed entirely.
Why Your Filter Misses These
Modern attackers exploit specific blind spots:
- Compromised accounts: The email comes from a real address. Authentication passes. Nothing looks wrong.
- Delayed-activation links: The link is clean when the email arrives. Hours later, the destination changes.
- OAuth exploits: A recent campaign hit over 340 Microsoft 365 organizations using device code phishing that bypasses MFA (The Hacker News, March 2026).
- Routing gaps: Attackers exploit DMARC misconfigurations to deliver spoofed messages through legitimate infrastructure (CSO Online, 2025).
What Should You Change in Google Workspace?
Google Workspace has advanced phishing protections that most administrators never turn on (Google Workspace Admin Help, 2026). I walk clients through this all the time, and the reaction is almost always the same: “I did not know these settings existed.”
Log into admin.google.com. Navigate to Apps > Google Workspace > Gmail > Safety.
Attachments
- Turn on Protect against encrypted attachments from untrusted senders
- Turn on Protect against attachments with scripts from untrusted senders
- Turn on Protect against anomalous attachment types in emails
Links and External Images
- Turn on Identify links behind shortened URLs
- Turn on Scan linked images
- Turn on Show warning prompt for any click on links to untrusted domains
Spoofing and Authentication
- Turn on Protect against domain spoofing based on similar domain names
- Turn on Protect against spoofing of employee names
- Turn on Protect against inbound emails spoofing your domain
- Turn on Protect against any unauthenticated emails
Enhanced Pre-Delivery Scanning
Navigate to Security > Advanced settings and enable Enhanced pre-delivery message scanning. This holds suspicious messages for deeper analysis before delivering them (Google Workspace Admin Help, 2026).
If you are on Enterprise or Education Plus, also enable Security Sandbox under Gmail > Safety. It opens suspicious attachments in a virtual environment before delivery.
The whole process takes about 15 minutes. That is a pretty good tradeoff for the protection it adds.
What Should You Change in Microsoft 365?
Microsoft Defender for Office 365 includes strong anti-phishing features, but most organizations run with default settings (Microsoft Learn, 2026). The defaults are conservative. Microsoft’s own documentation recommends the Standard preset as a minimum.
Enable Preset Security Policies
- Go to security.microsoft.com > Email & collaboration > Policies & rules > Threat policies
- Select Preset security policies
- Enable Standard protection for all users
- Enable Strict protection for executives and admin accounts
This single step enables Safe Links, Safe Attachments, and anti-impersonation detection.
Fine-Tune Anti-Phishing Policies
For more control, configure these settings:
- Enable mailbox intelligence: Machine learning on each user’s email patterns
- Add impersonation protection: For your CEO, CFO, and finance team
- Enable first contact safety tips: Warns when receiving email from a new sender
- Honor DMARC policy: Set action to quarantine when the sender fails DMARC
Safe Links and Safe Attachments
Under the Standard preset, these should already be on. Verify:
- Safe Links rewrites URLs at time of click, not delivery. This catches delayed-activation attacks.
- Safe Attachments opens files in a sandbox before delivering them.
Under Strict, Safe Links also scans links inside Microsoft Teams messages. That matters because phishing attempts increasingly land there.
Set Up Email Authentication (SPF, DKIM, DMARC)
This is the single most effective defense against domain spoofing. Without it, anyone can send emails that appear to come from your domain. All three protocols work together; missing any one leaves a gap.
SPF
SPF tells receiving servers which IPs can send email for your domain.
- Google Workspace: Add v=spf1 include:_spf.google.com ~all to your DNS
- Microsoft 365: Add v=spf1 include:spf.protection.outlook.com ~all to your DNS
DKIM
DKIM adds a cryptographic signature proving emails have not been tampered with.
- Google Workspace: Admin Console > Apps > Gmail > Authenticate email > Generate DKIM key
- Microsoft 365: Defender portal > Email & collaboration > Policies > DKIM > Enable
DMARC
DMARC tells receiving servers what to do when authentication fails. Use a graduated approach:
- Week 1-2: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com (monitor only)
- Week 3-4: Review reports. Fix legitimate senders that fail.
- Month 2: p=quarantine (suspicious emails go to spam)
- Month 3+: p=reject (spoofed emails blocked entirely)
I cannot tell you how many organizations I have seen that set up DMARC in monitor mode and never progressed. That is false comfort. Until you reach p=reject, spoofed emails still reach inboxes.
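As an added example (not code from the original post), here is a small Python audit that reads SPF and DMARC TXT records and flags the gaps described above: a permissive "all" term, a missing record, a policy stuck at p=none, and no reporting address. The domain and records are constructed samples, not live DNS data.

```python
# Added example, not from the original post: audit SPF and DMARC TXT records
# for the gaps the post describes. Domain and records are constructed samples.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    """Return findings for an SPF record; an empty list means no gap found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()  # the final 'all' decides what happens to unlisted senders
    if last in ("+all", "all"):
        findings.append("'+all' authorizes any sender; end with ~all or -all")
    elif last not in ("~all", "-all"):
        findings.append("record does not end with ~all or -all")
    return findings

def audit_dmarc(record):
    """Return findings for a DMARC record; empty means p=reject with reporting."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail still reaches inboxes")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not collected")
    return findings

def audit_domain(domain, records=SAMPLE_RECORDS):
    """Audit a domain's SPF and DMARC from a dict of DNS name -> TXT value."""
    return {"spf": audit_spf(records.get(domain, "")),
            "dmarc": audit_dmarc(records.get("_dmarc." + domain, ""))}
```

To run it against a real domain, replace the sample dict with the TXT values returned by your DNS resolver for the domain and for _dmarc.<domain>.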
What Free Tools Actually Help?
Even with admin settings locked down, some attacks still get through. The average click rate on simulated phishing emails is 34% before training (Keepnet Labs, 2025). Here are the free tools I recommend most.
Netcraft Browser Extension (netcraft.com): Blocks known phishing sites in real time across Chrome, Firefox, Edge, and Opera. Free for individual use.
KnowBe4 Free Phishing Security Test (knowbe4.com): Sends a simulated phishing campaign to up to 100 users. Shows you exactly who clicked. Completely free.
GoPhish (github.com/gophish/gophish): Open-source phishing simulation framework. You host it, design your own templates, and track results. More technical to set up but fully customizable.
Microsoft Standard Preset Policy: If you are on Business Premium or E3/E5, this is included at no extra cost. Many organizations just have not turned it on.
Paid Options for Growing Teams
| Tool | Starting Price | What It Adds |
|---|---|---|
| IRONSCALES | $3.49/mailbox/month | AI detection plus built-in phishing simulation |
| Proofpoint Essentials | ~$3.03/user/month | URL defense and impostor detection |
| Barracuda Email Protection | Custom quote | AI detection plus incident response |
| Mimecast | $5-15/user/month | URL rewriting and attachment sandboxing |
| Cloudflare Email Security | Custom quote | Preemptive threat detection |
These tools add behavioral AI that learns your organization’s communication patterns. They re-scan URLs at the moment of click. They extract and analyze QR code destinations. Built-in filters do none of that.
The Mistakes I See Most Often
Never moving DMARC past monitor mode. Organizations set p=none, see reports, and assume they are protected. They are not. That is risk debt accumulating quietly.
Trusting the defaults. Both Google Workspace and Microsoft 365 ship with conservative settings. The advanced protections exist but are turned off. The tradeoff of occasionally delayed legitimate email is worth it.
Ignoring mobile devices. QR code phishing specifically targets the gap between desktop security tools and mobile browsers. If your strategy only covers desktop, you are missing 12% of current attacks.
Running SPF without DKIM and DMARC. SPF alone does not prevent spoofing. All three work together. Missing any one leaves a gap.
Never testing your team. Most organizations invest in tools but never run a simulation. Free tools like KnowBe4 take 15 minutes to set up and give you a real baseline.
Frequently Asked Questions
Are Gmail and Microsoft 365 filters good enough on their own?
They catch most commodity phishing. They are not enough for BEC, QR code attacks, or emails from compromised legitimate accounts. Enabling the advanced admin settings and adding a third-party tool closes most of the gap.
What is the single most impactful thing I can do today?
Enable DMARC with at least p=quarantine on your domain, and turn on the advanced phishing protections in your admin console. Both take under 30 minutes. Both cost nothing.
Do small teams need a paid email security tool?
Not necessarily. For teams under 25, the built-in advanced settings plus SPF, DKIM, and DMARC give you strong coverage. Add a free phishing simulation to test your team. Paid tools become more valuable as headcount grows.
How do I know if my team is clicking on phishing emails?
Run a simulation. KnowBe4 offers a free test for up to 100 users. GoPhish is a free open-source alternative. The industry average click rate is around 34% before training (Keepnet Labs, 2025).
What do I do if someone clicks a phishing link?
Have them change their password immediately. Enable MFA if it is not already on. Check the account’s recent activity log. If credentials were entered on the phishing page, treat the account as compromised and notify your IT team.
If you are not sure where your organization stands on email security (or the other blind spots I see every week), I would be happy to talk it through. Reach out on LinkedIn or book a conversation.