Phishing is a type of cyberattack in which threat actors impersonate trusted people or organizations to trick victims into handing over credentials, clicking on malicious links, or transferring money. The name comes from "fishing" — attackers cast a wide net and wait for someone to bite. Email phishing scams are by far the most common delivery method, but phishing has expanded to SMS (smishing), voice calls (vishing), and even QR codes.

What makes modern phishing so dangerous isn't just the volume — it's the sophistication. AI-powered tools let attackers craft grammatically perfect messages that mirror your company's exact communication style. They study your organization's structure, timing, and branding to make their lures nearly indistinguishable from the real thing. According to CISA Around 90% of cyber incidents start with phishing emails.

Traditional spam filters work by matching known malicious senders, flagging suspicious domains, and scanning links against blocklists. That approach catches a lot — but it has a critical blind spot. Filters are designed to evaluate incoming mail from external sources and are not as effective against novel tradecraft/zero-days. When an attacker uses a compromised Microsoft 365 account to send phishing emails internally, those messages originate from a trusted, authenticated source. The filter sees a legitimate user sending mail and lets it through.

This is why phishing protection can't stop at the email gateway. You need visibility into identity behavior — what accounts are doing after authentication — not just what's arriving at the perimeter.

How can you recognize a phishing email?

Knowing what to look for is your employees' first line of defense. While modern phishing attacks are far more convincing than the typo-ridden scam emails of the past, most still share a set of recognizable warning signs:

• Sender address mismatches: The display name looks legitimate, but the actual email domain is off — a subtle misspelling like "micros0ft.com" or an unrelated domain entirely.

• Urgency and pressure tactics: Messages demanding immediate action, threatening account suspension, or claiming your security has been compromised are designed to bypass critical thinking.

• Generic greetings: "Dear Customer" or "Dear Account Holder" instead of your actual name.

• Unexpected attachments: Unsolicited files, especially executables, compressed archives, or documents asking you to enable macros, should always raise a red flag.

• Suspicious URLs: Before clicking any link, hover over it to reveal the true destination. Phishing emails routinely hide malicious URLs behind innocent-looking anchor text.

• Requests for sensitive information: Legitimate organizations never ask for passwords, Social Security numbers, or payment details via email.

• Too-good-to-be-true offers: Prize notifications, unexpected refunds, or exclusive opportunities you didn't sign up for are classic phishing bait.

For a deeper breakdown of what to watch for, see our guide onhow to spot a phishing email.

The best place to stop a phishing attack is before it ever lands in your team's inbox. A layered set of technical controls — properly configured and actively maintained — significantly reduces the volume of email phishing scams that reach your employees.

Configure email security and anti-phishing tools

Email authentication protocols are foundational to any phishing protection strategy. Without them, attackers can freely spoof your domain and send malicious messages that appear to come from your own organization.

• SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. Any message sent from an unauthorized server can be flagged or rejected.

• DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing receiving servers to verify that the message wasn't tampered with in transit.

• DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receiving mail servers what to do when a message fails authentication — quarantine it, reject it, or let it through. DMARC also provides reporting, so you can see when your domain is being spoofed.

Together, these three protocols form the backbone of email phishing protection. If you haven't configured them, or if your DMARC policy is still set to "none," your domain is vulnerable to spoofing — and so are your customers and partners.

Beyond authentication, deploy a capable email security gateway with anti-phishing capabilities. These tools apply machine learning and behavioral analysis to detect suspicious patterns that signature-based filters miss, including lookalike domains, newly registered sites, and impersonation of internal senders.

Implement multi-factor authentication (MFA) everywhere

MFA is one of the single most effective controls you can deploy against phishing. Here's why: even when a phishing attack succeeds in stealing a user's password, MFA blocks the attacker from using that credential to access your systems. Without the second factor, a push notification, authenticator code, or hardware key, stolen credentials are largely useless.

Enable MFA across every account and application in your environment, with priority on:

• Microsoft 365 and Azure AD

• Email and collaboration tools

• VPNs and remote access systems

• Admin and privileged accounts

Where possible, move beyond SMS-based MFA — SIM-swapping attacks can intercept text-based codes. App-based authenticators and hardware security keys (like FIDO2) offer significantly stronger protection against credential abuse.

Conditional access policies in Microsoft Entra ID (formerly Azure AD) can further restrict authentication by requiring MFA for specific locations, device compliance states, or risk levels — adding intelligent context to every login attempt.

Enable phishing protection in Microsoft 365

If your organization runs on Microsoft 365, you have a robust set of native anti-phishing tools available but many aren't enabled by default. Taking the time to configure Defender for Office 365 properly can significantly reduce your exposure to email phishing scams.

Key settings to enable and tune in your Microsoft 365 environment:

• Anti-phishing policies in Microsoft Defender for Office 365 let you configure impersonation protection for specific users and domains, enable mailbox intelligence to detect unusual sending patterns, and set thresholds for phishing confidence levels.

• Safe links rewrites URLs in emails and documents and checks them against Microsoft's threat intelligence at the time of click — not just at delivery. This helps catch links that were clean when the email arrived but have since been weaponized.

• Safe attachments sandboxes email attachments before delivery, detonating them in an isolated environment to detect malicious behavior that bypasses traditional signature scanning.

• Spoof intelligence in Microsoft 365 helps you identify when external senders are spoofing your domain or domains you do business with, so you can block or flag those messages before they reach users.

Together, these controls raise the bar significantly for attackers trying to reach your inboxes. Pair them with your SPF/DKIM/DMARC configuration, and you've built a much harder target.

Technical controls are essential…but they're not enough on their own. Phishing attacks are specifically engineered to manipulate human behavior. That means your employees need to be trained to recognize what filters can't catch.

Deploy Managed Security Awareness Training (SAT)

Security awareness training (SAT) gives employees the knowledge and instincts to identify phishing attempts before they cause damage. The keyword here is managed — effective SAT is handled by a team of experts, removing the burden of curating and deploying regular, up-to-date training that reflects modern threats. This saves organizations over 10 hours a month while ensuring the program is continuous and evolving.

Huntress Managed Security Awareness Training delivers engaging content built on proven adult learning frameworks that teaches employees to spot the warning signs of a phishing email, understand the tactics attackers use (urgency, impersonation, spoofing), and report suspicious activity instead of falling victim to it. Huntress Threat Researchers use real-world threat intelligence to keep training modules  current so your team is prepared for the attacks actually hitting organizations today — not the ones from two years ago.

Run phishing simulations to test real-world responses

Training tells employees what to look for. Phishing simulations show you whether they actually do.Simulated phishing campaigns send realistic but harmless phishing emails to your team and track who clicks, who reports, and who ignores them.

This data is valuable in two ways. First, it identifies employees who need additional coaching before a real attacker targets them. Second, it gives your security team a measurable baseline for how your organization performs over time — and whether your training investment is actually working.

Simulations are most effective when they reflect current threat trends. Generic "your package has shipped" tests are useful, but so are simulations that mimic Microsoft 365 login pages, DocuSign requests, or internal IT communications — the kinds of lures attackers actually use against businesses like yours.

Create clear policies for how to report a phishing email

Your employees will encounter suspicious emails. When they do, you want them to report it immediately, not hesitate, not delete it, and definitely not click anything first. Clear, organization-wide policies for how to report a phishing email are a critical part of your defense.

Establish and communicate a simple reporting process:

1. Don't click, reply, or forward. Even clicking "unsubscribe" can confirm your address is active and invite more attacks.

2. Use the built-in report button. Both Microsoft Outlook and Gmail have built-in phishing report features, and our Managed SAT service also provides a dedicated "Report Phishing" button. You have the choice to use either the built-in option or the Managed SAT button, both of which route suspicious messages to your security team and contribute to improved email filters.

3. Notify IT or security. Employees should know exactly who to contact and how — via Slack, email, a ticketing system, or a dedicated security hotline.

4. Alert your colleagues. Phishing campaigns frequently target multiple employees at once. One reported email can protect the entire team.

Even with the best email controls and a well-trained team, some phishing attacks get through. And when they do — when a credential is stolen and an attacker gains access to a legitimate Microsoft 365 account — the threat looks nothing like an email phishing scam anymore. It looks like a normal user logging in.

This is where traditional security tools go silent. And it's exactly where Huntress Managed ITDR picks up.

Why you need identity monitoring for phishing protection

Most phishing attacks aren't the end goal — they're the entry point. A credential-harvesting phishing email succeeds not when someone clicks the link, but when the attacker uses those stolen credentials to log into your Microsoft 365 environment undetected.

Once inside, they can access email, SharePoint, and Teams. They can set up forwarding rules to exfiltrate communications. They can send internal phishing emails from a trusted account — emails your gateway will never flag because they're coming from you. They can reset passwords, grant themselves admin privileges, and move laterally across your environment.

Traditional email security can't see any of this. It's looking at the perimeter. Identity monitoring watches what happens after authentication — the behavior inside your environment that signals something has gone wrong.

How Managed ITDR Detects Credential Abuse and Account Takeover

Huntress Managed ITDR monitors your Microsoft 365 environment continuously, analyzing sign-in activity, session behavior, and configuration changes for indicators of compromise that email filters were never designed to detect.

Specifically, Managed ITDR watches for identity and mailbox behaviors that commonly show up in business email compromise and account-takeover incidents, including:

• Suspicious sign-in activity that suggests credentials or sessions are being used from unexpected locations or devices.

• Malicious or unusual inbox and forwarding rules that forward mail externally or hide messages from the user—classic post-compromise “shadow workflow” behavior.

• Rogue or over-privileged OAuth applications that have been granted access to mailboxes and files and can be abused for persistence and data access.

• Other risky identity and configuration changes inside Microsoft 365 / Entra ID that indicate unwanted access and require investigation by the Huntress SOC.

When these signals appear, Huntress's 24/7 Security Operations Center (SOC) doesn't just generate an alert — analysts investigate, validate the threat, and deliver a clear remediation plan so your team can act immediately. No alert fatigue. No chasing false positives. Just the intelligence you need to shut down a phishing-driven account takeover before it becomes a breach

Phishing isn't going away — and as attackers get more sophisticated, the gap between what email filters catch and what actually reaches your team is only growing. Stopping phishing emails today means combining strong technical controls at the email gateway, continuous user training, and identity-level monitoring that detects compromise even when the phishing email itself slips through.

Huntress is built to complement your existing email security stack. Managed Security Awareness Training (SAT) turns employees into an active line of defense with story-driven episodes and realistic phishing simulations based on real-world tradecraft. Managed ITDR continuously monitors your Microsoft 365 identities and email for account takeover, business email compromise behaviors, malicious inbox rules, rogue apps, and other identity-driven threats that traditional email gateways can’t see.