Strategies Against Phishing in Microsoft 365: Protect Your Inbox

The inherent vulnerability of email is evidenced in a report from last year that found that roughly 20% of all phishing emails found were marked as clean by the Microsoft 365 Exchange Online Protection (EOP) and reached the users' inboxes. This article will discuss the limitations of Microsoft 365 that have led to Microsoft 365 phishing vulnerabilities, schemes that attackers use to bypass security filters, and how you can protect your email from phishing attempts.

What Are Microsoft 365 Security Limitations?

Late in 2024, Microsoft showed up in more phishing scams than any other brand—35% of them, to be exact. And despite built-in defenses like Exchange Online Protection and Defender for Office 365, a lot of those fake messages still made it through. It’s something attackers count on. If your team is only leaning on Microsoft’s default filters, there’s a real chance a threat could land in someone’s inbox without anyone catching it. Limitations in EOP create vulnerabilities that businesses can no longer afford. These limitations include:

Protection is Subpar

EOP is static, single-layered, takes a retrospective approach to identify phishing attacks and stop malware attacks that do not safeguard against human error, and fails to anticipate emerging zero-day attacks, malicious URLs, and attachments that are not included in its static lists. These weaknesses contribute to high-confidence phishing bypass incidents.

Lack of Customization for Businesses’ Unique Needs

EOP is not customizable, resulting in a limited ability to identify suspicious emails and social engineering attacks, leaving businesses vulnerable to account takeovers and targeted spear phishing attacks that often result in credential theft. The phishing protection that Office 365 users expect doesn’t always account for these tailored attacks.

Attackers Have an Easier Time Bypassing Defenses Because of Homogeneous Architecture

The homogeneity of the Microsoft 365 security system enables cyber thieves to open any account, test their methods until they are able to bypass default filters, and reuse these methods in attacks targeting thousands of different accounts. M365 phishing campaigns take advantage of this predictable structure.

Difficult to Configure & Manage Securely 

Setting up and configuring requires expert IT, which many SMBs lack. At the same time, Microsoft also fails to assist with setup and ongoing system monitoring, maintenance, and support to prevent misconfiguration vulnerabilities and keep customers secure. Microsoft 365 also lacks support for hybrid work environments, so these businesses often find it difficult to understand how to effectively layer and combine the different Microsoft security solutions available. These complications lead some to look for alternatives to stop phishing emails that Office 365 defenses miss, especially when attackers bypass the spam filter in Office 365 and evade detection.

What Are Common Phishing Methods Used in Attacks?

A recent study found that brand impersonation, a display name deception tactic, was widely used by cybercriminals to get a victim to click on a malicious link or compromise account credentials on a fraudulent login page. The report stated that there is likely at least one phishing email in every 25 branded emails, some classified as high-confidence phishing, despite being malicious. 

The same study found that obfuscation methods are often seen in Office 365 phishing, where links are distorted just enough to bypass detection. For example, cybercriminals can obfuscate a URL to make it unrecognizable to Office 365 security, rendering its capability to block malicious content useless. This often results in an Office 365 phishing filter failure.
Abusing a rarely used file format can also be used to evade detection. Threat actors behind spam campaigns have abused rarely used file types to conceal malware attachments and employed Office 365 bypass techniques to evade spam filters. When this technique is used, the structure of file types can be compromised to evade detection methods or to bypass spam filters that Office 365 deployments rely on.

How Can I Protect Against Phishing Attacks?

Education and awareness are critical when it comes to phishing protection, especially concerning deepfake phishing, which is that much more difficult to detect. Some simple practices that you should implement to avoid taking the bait in a phishing attack include:

• Check for spelling and grammatical errors, which can indicate that an email is fraudulent or malicious.
• Keep an eye out for suspicious subject lines and signatures.
• Don’t trust the display name. Just because an email says it’s from a known and trusted sender doesn’t necessarily mean it really is. Even if the email address is legitimate, the message could be coming from a compromised account.
• Be cautious of nonspecific language. Phishers typically use vague language in their campaigns to evade spam filters.
• If an email appears strange in any way, make a phone call to the sender to confirm the legitimacy of the email. Reviewing an Office 365 phishing email example can help train staff to identify suspicious messages more effectively.
• If you receive an email from a source you know, but it seems suspicious, contact that source with a new email, rather than just hitting reply.
• Beware of urgency. Phishing emails often try to convince recipients to act quickly, without thinking things through.
• Scan all attachments for viruses or dangerous code.
• Training employees on how to spot signs of deception can help stop phishing emails that Office 365 filters overlook.

To bolster built-in email protection, especially where phishing protection in Office 365 falls short, businesses should implement a proactive, multi-layered supplementary email security solution that is specifically designed to fill the critical voids in built-in Microsoft 365 email protection. Doing so can help prevent email spoofing, which Office 365 filters sometimes miss.

Universities Targeted in Email Phishing Attacks

Back in March 2025, Brandeis University dealt with one of its more disruptive phishing attacks in recent memory.

The emails were convincing—some warned students and staff about account lockouts, while others offered bogus remote job opportunities. Since they looked like they came from real Brandeis addresses, a lot of people got caught off guard.

The attack played out in two phases. First, spoofed messages were sent from domains that weren’t tied to the university — a common tactic in a well-planned M365 phishing campaign. These emails pushed recipients to “verify” their login info. The link brought users to a convincing fake login page, where many unknowingly entered their passwords along with multi-factor authentication codes. From there, the attackers moved to phase two—using the compromised accounts to send additional phishing emails from inside the Brandeis system, aiming for targets like payroll and direct deposit information.

And it wasn’t just Brandeis. A 2024 report found that cyberattacks targeting higher education jumped by around 70% in just a year. More than 100 schools across the U.S. were hit, many dealing with stolen personal information or even ransom demands. These types of attacks often bypass native defenses, contributing to the rise in Microsoft Defender email scams targeting educational institutions. 
Universities are attractive targets—they hold a ton of sensitive data, but don’t always have the same level of protection as private companies. In some cases, the fallout included leaked names, Social Security numbers, home addresses, and even academic transcripts. As phishing schemes become increasingly sophisticated, colleges face significant pressure to enhance their security to prevent phishing emails that Office 365 tools may miss.

Keep Learning About Improving Microsoft 365 Email Security

Businesses face great risk in Microsoft 365 without the implementation of effective supplementary email security defenses and the accompanying expert ongoing system management and support necessary to ensure they remain effective in protecting against the latest, most sophisticated threats.

• Learn more about effectively protecting your business from ransomware.
• Improve your email security posture to protect against attacks by following external email warning best practices and other proven guidelines.
• Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
• Get the latest updates on how to stay safe online.