
Field note

Phishing Still Pays: A Microsoft 365 Action Plan for UK SMEs

Phishing keeps working for a simple reason: the attacker only needs one believable message and one tired decision. The defence has to be calmer than that, more layered than that, and owned by someone who looks at what really lands in the inbox.

Published: 22 Jan 2026

Updated: 4 months ago

Read time: 5 min · 945 words

Author: Gyorgy Bolyki

Phishing still pays because it scales well for the attacker and badly for the target.

One campaign can hit thousands of inboxes. Most of it is junk, some of it is obvious, and one or two messages are just convincing enough to get a click, a reply or a rushed payment approval. That is usually all it takes.

For UK businesses, this is not a niche problem. The UK government's Cyber Security Breaches Survey continues to show that phishing is one of the most common forms of attack or attempted attack. Microsoft sees the same thing from the platform side: attackers lean on credential theft, malicious links, business email compromise and mailbox abuse because it is cheap and it keeps working.

The answer is not "train users harder" and hope for the best.

Training matters, but training without controls becomes blame management. You need a stack that assumes normal human behaviour: people skim, people trust familiar names, and finance teams work under time pressure.

Start with the layered controls that matter

For a Microsoft 365 tenant, I would want these layers in place before spending too much time on clever extras:

  1. Defender for Office 365 preset policies, scoped properly.
  2. Safe Links and Safe Attachments.
  3. Anti-phishing protections for executive, finance and brand impersonation.
  4. SPF, DKIM and DMARC aligned for your own domains.
  5. User reporting that feeds an actual review process.
  6. MFA enforced through Conditional Access, especially for admin and high-risk roles.
  7. External forwarding blocked by default unless there is a documented reason.
  8. A simple runbook for compromised mailboxes.

None of that is exotic. That is the point.

Most tenants that struggle with phishing do not fail because they lack some futuristic control. They fail because the basic layers are half-enabled, badly scoped or not reviewed after rollout.
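A read-only way to find out which of those layers is half-enabled or badly scoped, added here as an example rather than code from the original note. It checks SPF, DKIM and DMARC for your own domains, the two forwarding controls, who is actually named in impersonation protection, and whether Safe Links and Safe Attachments are both enabled and assigned to a rule. It does not cover Conditional Access or user reporting. It assumes the ExchangeOnlineManagement module and an admin role that can read Defender for Office 365 policies; the domain list is a placeholder.

```powershell
# Added example, not code from the original note: read-only posture check for the
# layered controls above. Assumes ExchangeOnlineManagement and an admin role that can
# read Defender for Office 365 policies. $Domains is a placeholder.
#Requires -Modules ExchangeOnlineManagement
param([string[]]$Domains = @('example.co.uk'))

Connect-ExchangeOnline -ShowBanner:$false
$findings = [System.Collections.Generic.List[string]]::new()

function Get-TxtRecord {
    # Returns the first TXT record at $Name starting with $Prefix; long SPF records
    # are published as several strings, so join them before matching.
    param([string]$Name, [string]$Prefix)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like "$Prefix*" } | Select-Object -First 1
}

# 1. SPF, DKIM and DMARC for your own domains.
foreach ($d in $Domains) {
    $spf = Get-TxtRecord -Name $d -Prefix 'v=spf1'
    if (-not $spf)                     { $findings.Add("${d}: no SPF record") }
    elseif ($spf -notmatch '-all\s*$') { $findings.Add("${d}: SPF does not end in -all ($spf)") }

    $dmarc = Get-TxtRecord -Name "_dmarc.$d" -Prefix 'v=DMARC1'
    if (-not $dmarc)                   { $findings.Add("${d}: no DMARC record") }
    elseif ($dmarc -match '\bp=none')  { $findings.Add("${d}: DMARC policy is p=none, monitoring only") }

    $dkim = Get-DkimSigningConfig -Identity $d -ErrorAction SilentlyContinue
    if (-not ($dkim -and $dkim.Enabled)) { $findings.Add("${d}: DKIM signing is not enabled in the tenant") }
}

# 2. Forwarding: the outbound spam policy is what actually blocks auto-forwarding;
#    anything other than Off should have a named owner. The remote domain flag is
#    the older control and should agree with it.
if ((Get-RemoteDomain Default).AutoForwardEnabled) { $findings.Add('Remote domain Default: AutoForwardEnabled is True') }
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if ($p.AutoForwardingMode -ne 'Off') { $findings.Add("Outbound spam policy '$($p.Name)': AutoForwardingMode is $($p.AutoForwardingMode)") }
}

# 3. Impersonation protection: print who is covered, because "nobody can say which
#    executives are covered" is exactly the gap to close.
foreach ($ap in Get-AntiPhishPolicy | Where-Object { $_.Enabled }) {
    $users = @($ap.TargetedUsersToProtect | Where-Object { $_ })
    Write-Host "Anti-phish policy '$($ap.Name)': $($users.Count) protected user(s); org domains protected = $($ap.EnableOrganizationDomainsProtection)"
    $users | ForEach-Object { Write-Host "    $_" }
    if (-not $ap.EnableTargetedUserProtection)        { $findings.Add("Anti-phish '$($ap.Name)': targeted user protection is off") }
    if (-not $ap.EnableMailboxIntelligenceProtection) { $findings.Add("Anti-phish '$($ap.Name)': mailbox intelligence protection is off") }
}

# 4. Safe Links / Safe Attachments: disabled, click-through allowed, or not assigned
#    to any rule is the "half-enabled" state.
foreach ($sl in Get-SafeLinksPolicy) {
    if (-not $sl.EnableSafeLinksForEmail) { $findings.Add("Safe Links '$($sl.Name)': not enabled for email") }
    if ($sl.AllowClickThrough)            { $findings.Add("Safe Links '$($sl.Name)': users can click through the warning page") }
}
foreach ($sa in Get-SafeAttachmentPolicy) {
    if (-not $sa.Enable) { $findings.Add("Safe Attachments '$($sa.Name)': disabled") }
}
# Scoping lives in rules: custom rules, or the Standard/Strict preset policy rules.
$scoped = @(Get-SafeLinksRule; Get-SafeAttachmentRule; Get-ATPProtectionPolicyRule) | Where-Object { $_.State -eq 'Enabled' }
if (-not $scoped) { $findings.Add('No enabled Safe Links, Safe Attachments or preset policy rule: protection is not scoped to anyone') }

# 5. Summary
if ($findings.Count -eq 0) { Write-Host 'No findings against the checked layers.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

Run it once after rollout and again after any policy change. The printed list of protected users is the part worth keeping: if the finance lead or a new director is not on it, the control exists but is not scoped to the risk.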

The small-business trap

There is a pattern I see a lot in smaller tenants:

  • the security settings are "mostly there"
  • reporting is inconsistent
  • finance still approves changes off email alone
  • mailbox forwarding is not fully locked down
  • nobody can say which executives are covered by impersonation protection

That combination is exactly why phishing keeps paying.

The technical controls reduce exposure, but the business process finishes the job. If bank detail changes, payroll changes or urgent supplier requests can be approved from a single email thread, the attacker does not need to beat Microsoft 365. They just need to look plausible for five minutes.

A 20-minute tenant check

If you want a quick reality check, take the last few suspicious messages that reached users and ask:

Question | What you want to know
Did Defender detect the message? | If not, what will be tuned?
Did a user report it? | If not, is the reporting path visible and trusted?
Was the user click behaviour checked? | Confirmed, not guessed
Were the sender and URL analysed in the tenant? | Enough visibility to decide quickly
Would a compromised account have been able to auto-forward mail? | Policy should answer this clearly

This test is useful because it exposes operational blind spots fast. If the answers are vague, the issue is not only phishing. It is ownership.

The action plan I would actually run

1. Tighten the high-value identities first

Do not treat every mailbox as equal risk. Protect the people who can approve payments, change access or move sensitive data. That means leadership, finance, payroll, admins and key supplier-facing staff.

2. Fix the mailbox escape routes

Forwarding rules, suspicious inbox rules and old transport rules can turn one compromised account into a quiet surveillance point. If you have not checked them lately, you should assume you have blind spots.
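An audit of those three escape routes across the whole tenant, added as an example and not taken from the original note. It lists mailbox-level forwarding, scores inbox rules by the actions attackers use (external forward or redirect, delete, hide in an unread folder, blank name) rather than by rule name, and flags transport rules that copy or redirect mail outside the organisation. It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session with a role that can read inbox rules, and the placeholder domain list in $InternalDomains.

```powershell
# Added example, not code from the original note: tenant-wide audit of mailbox
# forwarding, inbox rules and transport rules. Assumes an existing Connect-ExchangeOnline
# session. $InternalDomains is a placeholder for your accepted domains.
$InternalDomains = @('example.co.uk')

function Test-ExternalTarget {
    # Rule targets appear as SMTP strings for external recipients and contacts, and as
    # display names or legacy DNs (no '@') for internal mailboxes.
    param([string]$Target)
    if ($Target -match '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)') {
        return ($InternalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

$report = & {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # Route 1: forwarding set on the mailbox itself. Admin-level, so also reachable by
        # an attacker who phished an admin.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $why = if ($mbx.DeliverToMailboxAndForward) { 'copies forwarded, owner still sees mail' } else { 'redirected, owner sees nothing' }
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'; Rule = ''
                               Target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; Why = $why }
        }
        # Route 2: inbox rules created as the user. Score the actions, not the name.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            $reasons = @()
            if ($targets | Where-Object { Test-ExternalTarget $_ }) { $reasons += 'forwards or redirects externally' }
            if ($rule.DeleteMessage)                                 { $reasons += 'deletes messages' }
            if ($rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History|Deleted') { $reasons += "hides mail in '$($rule.MoveToFolder)'" }
            if ($rule.MarkAsRead -and $rule.MoveToFolder)            { $reasons += 'marks as read and moves' }
            if ($rule.Name -match '^[\s.,\-]*$')                     { $reasons += 'blank or punctuation-only name' }
            if ($reasons) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'InboxRule'; Rule = $rule.Name
                                   Target = ($targets -join '; '); Why = ($reasons -join ', ') }
            }
        }
    }
    # Route 3: transport rules that redirect, copy or BCC mail, often left from old projects.
    foreach ($tr in Get-TransportRule) {
        $targets  = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.AddToRecipients) + @($tr.CopyTo) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalTarget $_ })
        if ($external) {
            [pscustomobject]@{ Mailbox = '(tenant)'; Kind = 'TransportRule'; Rule = $tr.Name
                               Target = ($external -join '; '); Why = "rule state $($tr.State)" }
        }
    }
}

$report | Sort-Object Kind, Mailbox | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\mailbox-escape-routes-$(Get-Date -Format yyyyMMdd).csv"
```

Get-InboxRule is called once per mailbox, so on a few hundred mailboxes this takes minutes, not seconds; run it on a schedule and diff the CSV against the last run. Every row that survives review should end up with a named owner, which is the second measure in the table further down.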

3. Make reporting useful

User reporting is worth much more when someone reviews it properly. If users report messages and hear nothing back, they stop reporting. Then the organisation loses one of its best feedback loops.

4. Treat payment workflows as a control surface

NCSC guidance is clear on verifying unexpected requests and treating email with caution. In practice that means bank detail changes, new payment instructions and last-minute urgency need a second channel. Not a reply to the same thread. A separate call or known contact path.

5. Rehearse compromise response

If an account is phished, the basics should happen quickly: revoke sessions, reset credentials, confirm MFA state, remove forwarding and malicious rules, and assess who else may have been exposed. Waiting for a perfect incident process is not the same as having one.
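Those basics as a first-hour containment script for one account, added here as an example and not part of the original note. It revokes sessions, forces a credential reset, lists the registered MFA methods so a method the attacker added stands out, clears forwarding and disables inbox rules, then uses message trace and the unified audit log to see who the account emailed and what was changed. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an admin who can revoke sessions and reset passwords, a unified audit log that is switched on, and a trusted admin session; $Upn and the 7-day window are placeholders.

```powershell
# Added example, not code from the original note: first-hour containment for one
# phished account. Assumes ExchangeOnlineManagement and Microsoft.Graph, an admin who
# can revoke sessions and reset passwords, and an enabled unified audit log.
# $Upn and the 7-day lookback are placeholders.
param([Parameter(Mandatory)][string]$Upn)

Connect-ExchangeOnline -ShowBanner:$false
# Directory.AccessAsUser.All is the delegated scope Graph wants for passwordProfile updates.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','UserAuthenticationMethod.Read.All' -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,UserPrincipalName

# 1. Revoke sessions: invalidates refresh tokens so every existing sign-in must re-authenticate.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Reset credentials: random temporary password, change forced at next sign-in.
#    Hand it over by a second channel, never by mail to the mailbox you are containing.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$temp = [Convert]::ToBase64String($bytes) + '!'
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
Write-Host "Temporary password for $($user.DisplayName) generated; deliver it out of band."

# 3. Confirm MFA state: an attacker with full access may have registered their own method.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id,
        @{ n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } },
        @{ n = 'Detail'; e = { (@($_.AdditionalProperties['phoneNumber'], $_.AdditionalProperties['displayName']) | Where-Object { $_ }) -join ' ' } } |
    Format-Table -AutoSize

# 4. Close the escape routes: clear mailbox forwarding, then disable (not yet delete) every
#    inbox rule so the user can confirm which ones were genuinely theirs.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
$rules = @(Get-InboxRule -Mailbox $Upn)
$rules | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
foreach ($r in $rules) { Disable-InboxRule -Identity $r.Identity -Confirm:$false }

# 5. Scope the exposure: who received mail from this account, and what changed while the
#    attacker was signed in. Get-MessageTrace is being superseded by Get-MessageTraceV2 in
#    newer module versions; check that cmdlet's parameters before switching.
$end = Get-Date; $start = $end.AddDays(-7)
Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 5000 |
    Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object @{ n = 'Recipient'; e = { $_.Name } }, Count | Format-Table -AutoSize

Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -ResultSize 500 `
    -Operations 'UserLoggedIn','New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox','Add-MailboxPermission' |
    Select-Object CreationDate, Operations, @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate | Format-Table -AutoSize
```

The recipient list from step 5 is the start of the "who else may have been exposed" question: every internal recipient of an attacker-sent message is a candidate for the same phish, and every external one may need a warning call. The audit log rows give the client IPs to block and the timestamp from which to widen the window if the first sign-in predates the 7 days.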

A useful way to measure progress

I would rather see these indicators than a vague statement that "awareness is improving":

Measure | Why it matters
Number of high-risk users under stricter anti-phishing controls | Shows whether scope matches risk
External forwarding exceptions with named owners | Reveals hidden exposure
User-submitted phish reviewed within agreed time | Tests whether the queue is real
Payment-change process requiring second-channel verification | Reduces business email compromise risk
Repeat sender or domain patterns seen in quarantine or reports | Helps tune based on evidence

That gives you something concrete to improve month by month.

Phishing is not going away. Fair enough. The real question is whether your tenant and your business process make it expensive for the attacker to succeed. That is a much more useful goal than hoping staff simply spot every bad email forever.
