Home › Stop phishing & BEC in Microsoft 365

How to stop phishing and business email compromise (BEC) in Microsoft 365

Guide 01 · Email & M365 security for Australian SMBs

Short answer: To stop phishing and business email compromise in Microsoft 365, do four things in order — authenticate your own domain with SPF, DKIM and DMARC so attackers can't spoof you; turn on Defender for Office 365's Safe Links, Safe Attachments and impersonation protection; enforce multi-factor authentication so a stolen password isn't enough; and train your people to slow down on payment and login requests. No single control is enough on its own — layering them is what works.

What BEC is — and why it beats basic filters

Phishing is any email that tries to trick a recipient into clicking a malicious link, opening a weaponised attachment, or handing over credentials. Business email compromise (BEC) is a more targeted, more expensive cousin: the attacker impersonates someone trusted — a director, a supplier, the bookkeeper — to get money moved or data sent.

The reason BEC is so effective is that it often carries no malware and no bad link. It's a plausible email that says "we've changed our bank details, please update the payment" or "can you buy some gift cards for a client, I'm in a meeting". A spam filter has nothing obvious to catch. That's why stopping it takes a mix of technical authentication, impersonation detection, account security and human process — not just a filter.

1. Authenticate your domain: SPF, DKIM and DMARC

SPF, DKIM and DMARC are the three email-authentication standards. Together they let receiving mail servers verify that a message claiming to be from your domain really came from a source you authorised — and let you instruct them to reject the ones that didn't.

SPF

Sender Policy Framework. A DNS TXT record that lists which mail servers are allowed to send email for your domain. Publish one that includes Microsoft 365 (include:spf.protection.outlook.com) plus any other legitimate senders you use (marketing platform, CRM, accounting tool). End it with -all once you're confident the list is complete.

DKIM

DomainKeys Identified Mail. Adds a cryptographic signature to outgoing mail so receivers can confirm it wasn't altered and genuinely came from your domain. In Microsoft 365 you enable DKIM per domain in the Defender portal and publish the two CNAME records Microsoft gives you.

DMARC

Domain-based Message Authentication, Reporting & Conformance. Ties SPF and DKIM together and tells the world what to do with mail that fails: monitor (p=none), quarantine, or reject. Start at p=none with a reporting address so you can see who's sending as you, then tighten to p=quarantine and finally p=reject once legitimate senders all pass.

The order matters. Get SPF and DKIM passing for every legitimate sender before you move DMARC past p=none. Jumping straight to p=reject can silently block your own newsletters, invoices or CRM mail. Read the DMARC reports for a couple of weeks first.

2. Turn on Microsoft Defender protections

Every mailbox includes Exchange Online Protection, which handles spam, known malware and the SPF/DKIM/DMARC checks above. To catch the cleverer attacks you want Microsoft Defender for Office 365 (included with Business Premium):

If you have Business Premium, turning on the Standard preset and assigning it to all users is the single fastest way to get a sensible baseline.

3. Impersonation and look-alike protection

This is the part that specifically targets BEC. In Defender's anti-phishing policy you can:

An external-sender banner on every inbound email from outside your organisation is cheap, non-technical and genuinely useful — it gives staff a moment's pause before acting on a "supplier" request.

4. Make a stolen password useless: MFA and account protection

A large share of email compromise starts with a phished or reused password rather than malware. Multi-factor authentication is the control that stops a stolen password from becoming a hijacked mailbox. Enforce it for every account — especially administrators — and prefer an authenticator app or passkey over SMS codes.

Alongside MFA, block legacy authentication protocols (they bypass MFA entirely) and use conditional access to limit sign-ins to expected locations and compliant devices. We cover the how-to in the MFA for business guide and the M365 security checklist.

5. Train your people — and fix the process

Technology reduces the volume that reaches inboxes; people and process handle what gets through. The highest-value habits:

If you only do three things this week: turn on MFA for everyone, apply the Defender Standard preset (or its equivalent) to all users, and write down a rule that bank-detail changes are verified by phone. Those three cover the most common paths to a costly compromise.

Frequently asked questions

What is business email compromise (BEC)?

BEC is a scam where an attacker impersonates a trusted person — an executive, supplier or colleague — to trick someone into transferring money or sharing sensitive data. It often uses look-alike domains or a genuinely hijacked mailbox, and frequently carries no malware, which is why it slips past basic filters.

Does SPF, DKIM and DMARC stop phishing?

They stop attackers from convincingly spoofing your own domain, and DMARC lets you tell other mail systems to reject that spoofed mail. They don't stop look-alike domains or a compromised account, so they're necessary but not sufficient — pair them with impersonation protection, Safe Links and user training.

Which Microsoft 365 licence do I need for anti-phishing?

Exchange Online Protection is included with every mailbox and covers SPF, DKIM, DMARC handling and basic spam and malware filtering. Safe Links, Safe Attachments and advanced impersonation protection are part of Microsoft Defender for Office 365, included with Business Premium or available as an add-on.

Want your Microsoft 365 security checked and locked down properly?

That's what SG1 Consulting does — email authentication, Defender configuration, MFA rollout and impersonation protection, set up correctly for Australian businesses.

Talk to SG1 →