Cybersecurity // Email Security & Anti-Phishing

Email is still how attackers walk in the front door.

Today's phishing emails are written by AI, sent to your team by name, and reference real meetings from your calendar. Generic spam filters miss them. We layer better filtering on top of Microsoft or Google, lock down your domain so nobody can fake messages from your firm, and clean up fast when something slips through.

9 in 10 of all break-ins still start with someone clicking an email

Threat landscape

What 2026 phishing looks like.

If your last security awareness slide showed a Nigerian prince, this is the gap. The 2026 attacker uses your stack against you.

01

GenAI-personalized spear-phish

Public LinkedIn posts and recent press become the body copy. The voice matches your VP of Sales because the model trained on her social.

02

Deepfake vishing callbacks

Email asks finance to expect a call. A cloned voice — 30 seconds of audio is enough — wires the funds. The email looked clean because it was clean.

03

QR-code phishing ('quishing')

Malicious links rendered as QR codes inside PDFs, bypassing URL scanners. Recipient scans with personal phone and lands on the credential harvester off your defended network.

04

MFA-fatigue chain

Credentials phished today, MFA push spam fired tomorrow. The email was just the on-ramp.

05

Calendar-invite phishing

Malicious invite skips inbox triage and lands directly on the calendar with a one-tap-join link. Email filters don't read calendar events.

What you get

What's included.

  • 01

    Inbound filtering layer

    Mimecast, Proofpoint, Defender for Office 365 P2, or Abnormal Security — deployed, tuned, and tested against your real traffic.

  • 02

    DMARC / DKIM / SPF authority

    Full deployment plus the ongoing report monitoring most teams skip. The journey from p=none to p=reject without breaking newsletters is a project, not a setting.

  • 03

    Banner injection + link rewriting

    External-sender warnings on every external message; time-of-click URL analysis on every link. No surprises in fonts that look the same.

  • 04

    Attachment sandboxing

    Detonate office docs and PDFs in an isolated environment before delivery. Stops macros, embedded payloads, and most VBA tricks.

  • 05

    Monthly phishing report

    What was blocked, what was reported by users, which campaigns are targeting your domain, and what changed in your DMARC posture.

Stack & integrations

Platforms we deploy.

Microsoft 365 path

  • Defender for Office 365 (P1/P2)
  • Exchange Online Protection
  • Microsoft Sentinel for forwarding

Third-party gateways

  • Proofpoint Essentials / TAP
  • Mimecast Email Security
  • Abnormal Security (behavioral)
  • Material Security

Google Workspace path

  • Workspace Enterprise Security
  • Google Security Operations
  • Add-on: Sublime Security

How it works

The DMARC enforcement journey.

Most clients we meet have DMARC at p=none — monitoring only, reject nothing. They've been there for years. We get them to p=reject without breaking a single legitimate sender.

  1. Inventory legitimate senders

    Parse 30 days of DMARC reports to enumerate every system sending mail in your name. Marketing, billing, HR — there are always surprises.

  2. Align each sender (SPF + DKIM)

    Work with vendors to get DKIM signing on every legitimate path. SPF alone is brittle — DKIM survives forwarding.

  3. Move to p=quarantine

    Failures route to junk for 30-60 days. We watch reports daily for missed legitimate senders and fix.

  4. Move to p=reject

    Failures bounce. Your domain is no longer spoofable. We don't move on until quarantine is clean.

  5. Maintain

    Monthly DMARC posture report. New vendors get onboarded into the policy before they go live.
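
The sender inventory in step 1 can be sketched as below. This is an added example, not tooling from this page or its vendors: it reads one DMARC aggregate (RUA) report using the element names from the RFC 7489 report schema, counts aligned and unaligned mail per source IP, and lists what enforcement would bounce. The sample report, its IP addresses and its domain names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (documentation IP ranges, made-up domains).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>mailer.vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>3</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.200</source_ip><count>5</count><policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""

def inventory_senders(report_xml):
    """Return (published policy, {source_ip: stats}) for one aggregate report."""
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    senders = defaultdict(lambda: {"aligned": 0, "unaligned": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        senders[ip]["aligned" if ok else "unaligned"] += count
        # Domains that authenticated on their own hint at which vendor runs the sender.
        for res in rec.findall("auth_results/*"):
            if res.findtext("result") == "pass":
                senders[ip]["auth_domains"].add(res.findtext("domain"))
    return policy, dict(senders)

def blocked_at_enforcement(senders):
    """Sources with unaligned mail, highest volume first: what p=reject would bounce."""
    rows = [(ip, s["unaligned"], sorted(s["auth_domains"]))
            for ip, s in senders.items() if s["unaligned"]]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    policy, senders = inventory_senders(SAMPLE_REPORT)
    print(policy, blocked_at_enforcement(senders))
```

In the sample, the 40-message source passes SPF only for its own vendor domain, which marks it as a legitimate sender to align in step 2. The 5-message source fails SPF but passes aligned DKIM, the forwarding case step 2 describes.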

Response runbook

When an employee clicks.

Most credential-phish incidents are recoverable if the response is fast. This is what 'fast' looks like.

  1. T+00:00
    User reports the click — or, more often, we see the post-click event in identity logs first.
  2. T+00:02
    Identity session revoked across all active devices; MFA factors invalidated.
  3. T+00:05
    Password reset forced. New MFA enrollment required.
  4. T+00:10
    Outbound mail from the affected account pulled for the prior 30 days.
  5. T+00:15
    Inbox rules and forwarding rules audited — attackers create these in the first minute.
  6. T+00:30
    Affected external contacts notified directly if any malicious outbound went out.
  7. T+Day 1
    Written incident report with controls updated to prevent the same vector.

Who needs this.

  • Any firm where a wire transfer or credentials in email could be financially material — which is almost every firm.
  • Anyone whose DMARC is still at p=none (run a check: most firms are).
  • Firms receiving forwarded mail from spoofable suppliers and vendors.
  • Healthcare, legal, and financial firms where mail content itself is regulated data.
FAQ
Q01

Doesn't Microsoft or Google catch this already?

They catch most generic spam. The targeted 2026 attacks — AI-personalized, low-volume, well-crafted — slip through because they don't look like spam. That's where third-party gateways and behavioral filters earn their cost.

Q02

What's DMARC and why do I care?

DMARC tells receiving mail servers what to do with mail that claims to be from your domain but fails authentication. With p=reject, attackers can't spoof you. Without it, they can — and they will.

Q03

QR-code phishing — really?

Really. It's the fastest-growing 2026 phishing technique because most secure email gateways scan URLs but don't extract URLs from rendered QR codes inside PDFs.

Q04

How do you tell a deepfake voice from the real CEO?

Out-of-band verification: any wire request authenticated by voice must be re-confirmed via a known channel (Teams DM, in-person, callback to a known number). We help your AP team build the muscle.

Q05

Do you train my staff too?

Yes — that's a separate sub-service (Security Awareness). The two work together: gateway catches what it can, training and simulations handle what gets through.

Next step

Free DMARC posture scan.

We'll show you who is spoofing your domain right now and what it would take to stop them. No commitment.