Short answer: To stop phishing and business email compromise in Microsoft 365, do four things in order — authenticate your own domain with SPF, DKIM and DMARC so attackers can't spoof you; turn on Defender for Office 365's Safe Links, Safe Attachments and impersonation protection; enforce multi-factor authentication so a stolen password isn't enough; and train your people to slow down on payment and login requests. No single control is enough on its own — layering them is what works.
What BEC is — and why it beats basic filters
Phishing is any email that tries to trick a recipient into clicking a malicious link, opening a weaponised attachment, or handing over credentials. Business email compromise (BEC) is a more targeted, more expensive cousin: the attacker impersonates someone trusted — a director, a supplier, the bookkeeper — to get money moved or data sent.
The reason BEC is so effective is that it often carries no malware and no bad link. It's a plausible email that says "we've changed our bank details, please update the payment" or "can you buy some gift cards for a client, I'm in a meeting". A spam filter has nothing obvious to catch. That's why stopping it takes a mix of technical authentication, impersonation detection, account security and human process — not just a filter.
1. Authenticate your domain: SPF, DKIM and DMARC
SPF, DKIM and DMARC are the three email-authentication standards. Together they let receiving mail servers verify that a message claiming to be from your domain really came from a source you authorised — and let you instruct them to reject the ones that didn't.
Sender Policy Framework. A DNS TXT record that lists which mail servers are allowed to send email for your domain. Publish one that includes Microsoft 365 (include:spf.protection.outlook.com) plus any other legitimate senders you use (marketing platform, CRM, accounting tool). End it with -all once you're confident the list is complete.
DomainKeys Identified Mail. Adds a cryptographic signature to outgoing mail so receivers can confirm it wasn't altered and genuinely came from your domain. In Microsoft 365 you enable DKIM per domain in the Defender portal and publish the two CNAME records Microsoft gives you.
Domain-based Message Authentication, Reporting & Conformance. Ties SPF and DKIM together and tells the world what to do with mail that fails: monitor (p=none), quarantine, or reject. Start at p=none with a reporting address so you can see who's sending as you, then tighten to p=quarantine and finally p=reject once legitimate senders all pass.
The order matters. Get SPF and DKIM passing for every legitimate sender before you move DMARC past p=none. Jumping straight to p=reject can silently block your own newsletters, invoices or CRM mail. Read the DMARC reports for a couple of weeks first.
2. Turn on Microsoft Defender protections
Every mailbox includes Exchange Online Protection, which handles spam, known malware and the SPF/DKIM/DMARC checks above. To catch the cleverer attacks you want Microsoft Defender for Office 365 (included with Business Premium):
- Safe Links rewrites and re-checks URLs at the moment a user clicks, so a link that was clean on delivery but weaponised later is still scanned. It covers email, Teams and Office apps.
- Safe Attachments detonates attachments in an isolated environment before delivery, catching malicious files that signature-based scanning misses.
- Preset security policies (Standard or Strict) let you apply Microsoft's recommended anti-phishing, anti-spam and anti-malware settings to everyone at once, instead of hand-tuning dozens of toggles.
If you have Business Premium, turning on the Standard preset and assigning it to all users is the single fastest way to get a sensible baseline.
3. Impersonation and look-alike protection
This is the part that specifically targets BEC. In Defender's anti-phishing policy you can:
- Protect specific people — add your directors, finance staff and anyone who authorises payments as "protected users", so mail impersonating their display name is flagged or quarantined.
- Protect your domains — flag mail from look-alike domains (the classic swap of a lowercase L for a capital I, or
.cofor.com.au). - Enable mailbox intelligence — lets Defender learn each user's normal contacts and flag when a familiar name suddenly writes from an unfamiliar address.
- Add safety tips and first-contact warnings so recipients see a visible banner on unusual or external mail.
An external-sender banner on every inbound email from outside your organisation is cheap, non-technical and genuinely useful — it gives staff a moment's pause before acting on a "supplier" request.
4. Make a stolen password useless: MFA and account protection
A large share of email compromise starts with a phished or reused password rather than malware. Multi-factor authentication is the control that stops a stolen password from becoming a hijacked mailbox. Enforce it for every account — especially administrators — and prefer an authenticator app or passkey over SMS codes.
Alongside MFA, block legacy authentication protocols (they bypass MFA entirely) and use conditional access to limit sign-ins to expected locations and compliant devices. We cover the how-to in the MFA for business guide and the M365 security checklist.
5. Train your people — and fix the process
Technology reduces the volume that reaches inboxes; people and process handle what gets through. The highest-value habits:
- Verify payment and bank-detail changes out of band — a phone call to a known number, never a reply to the email that requested the change. Make this a written rule, not a preference.
- Slow down on urgency — "urgent", "confidential", "before you leave" and gift-card requests are BEC hallmarks.
- Report, don't just delete — give staff a one-click way to report suspicious mail (the Report button in Outlook) so you can investigate and, if needed, purge it from other inboxes.
- Run occasional simulated phishing so training is practised, not just read.
If you only do three things this week: turn on MFA for everyone, apply the Defender Standard preset (or its equivalent) to all users, and write down a rule that bank-detail changes are verified by phone. Those three cover the most common paths to a costly compromise.
Frequently asked questions
What is business email compromise (BEC)?
BEC is a scam where an attacker impersonates a trusted person — an executive, supplier or colleague — to trick someone into transferring money or sharing sensitive data. It often uses look-alike domains or a genuinely hijacked mailbox, and frequently carries no malware, which is why it slips past basic filters.
Does SPF, DKIM and DMARC stop phishing?
They stop attackers from convincingly spoofing your own domain, and DMARC lets you tell other mail systems to reject that spoofed mail. They don't stop look-alike domains or a compromised account, so they're necessary but not sufficient — pair them with impersonation protection, Safe Links and user training.
Which Microsoft 365 licence do I need for anti-phishing?
Exchange Online Protection is included with every mailbox and covers SPF, DKIM, DMARC handling and basic spam and malware filtering. Safe Links, Safe Attachments and advanced impersonation protection are part of Microsoft Defender for Office 365, included with Business Premium or available as an add-on.
Want your Microsoft 365 security checked and locked down properly?
That's what SG1 Consulting does — email authentication, Defender configuration, MFA rollout and impersonation protection, set up correctly for Australian businesses.
Talk to SG1 →