
Email Security for Australian Businesses: How to Stop Spoofing, Spam, and Business Email Compromise

Peter Nelson
6 min read

Email remains the number one attack vector for Australian businesses. Learn how to protect your organisation with DMARC, DKIM, SPF, and practical email security strategies.

Email is the primary entry point for cyber attacks against Australian businesses. The ACSC’s Annual Cyber Threat Report consistently identifies phishing, business email compromise (BEC), and email-based malware delivery as the leading attack vectors. And it is not getting better — AI-generated phishing content has made email attacks more convincing and more scalable simultaneously.

This guide covers the complete email security stack: the technical authentication standards that prevent spoofing, the Microsoft 365 features that filter malicious content, and the procedural controls that stop BEC.


Understanding the Three Types of Email Attack

Email Spoofing

Spoofing is when an attacker sends an email that appears to come from your domain or a domain you trust. A spoofed email from ceo@yourcompany.com.au (when your actual CEO never sent it) can deceive staff into taking action.

Spoofing is enabled by the fundamental design of email — nothing in the original email protocol prevents any server from claiming to be any domain. The fix is email authentication: SPF, DKIM, and DMARC.

Phishing

Phishing emails attempt to trick recipients into clicking malicious links or opening malicious attachments. The malicious link typically leads to a credential harvesting page (a fake Microsoft 365 login page) or a malware download. Malicious attachments contain executable payloads or macro-enabled Office documents.

Modern phishing is highly convincing. AI-generated phishing emails are grammatically perfect, contextually appropriate, and personalised to the recipient. Technical filtering catches a high percentage, but some inevitably reach users.

Business Email Compromise (BEC)

BEC is the most financially damaging form of email attack. It involves either compromising a legitimate email account (via phishing or credential theft) or spoofing a trusted sender to authorise fraudulent financial transactions.

Common BEC scenarios:

  • CEO fraud: Email appearing to be from the CEO instructing finance to make an urgent wire transfer
  • Supplier invoice fraud: Email appearing to be from a real supplier with changed bank account details
  • Payroll fraud: Email requesting a change to an employee’s bank account for payroll

BEC losses in Australia run to hundreds of millions of dollars annually. The ACCC’s Scamwatch reports BEC as one of the highest-value categories of business fraud.


Technical Defence Layer 1: Email Authentication (SPF, DKIM, DMARC)

Email authentication prevents your domain from being spoofed. It does not prevent all phishing, but it eliminates a significant category of attack.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the mail servers (by IP address or by reference to another domain's SPF record) authorised to send email for your domain. Receiving mail servers check whether the IP address of the connecting server is on that list.

For Microsoft 365: Add this TXT record to your domain DNS:

v=spf1 include:spf.protection.outlook.com -all

If you send email from third-party services (Mailchimp, Xero, HubSpot), include their sending infrastructure in your SPF record.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outbound emails, verified against a public key published in your DNS. A valid signature proves the message was signed by a server holding your domain's private key and that the signed headers and body were not modified in transit.

For Microsoft 365: Enable DKIM in Microsoft 365 Defender → Email & Collaboration → Policies → Email authentication → DKIM. This requires publishing two CNAME records in your DNS.

DMARC (Domain-based Message Authentication Reporting & Conformance)

DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks (or whose passing result does not align with the From address), and asks participating receivers to send you aggregate reports about all email claiming to come from your domain.

Recommended DMARC record (start here):

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.au

Run at p=none for 4-6 weeks while reviewing reports, then move to p=quarantine and eventually p=reject.

DMARC at enforcement (p=reject) is now required by many cyber insurance policies and is increasingly expected by clients in regulated industries.
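The following is an added example, not code from the original article, that shows how a receiving server combines the SPF and DKIM results with the DMARC record to reach a verdict. It assumes relaxed alignment (the DMARC default), treats names ending in .com.au as three-label organisational domains, and uses constructed sender domains alongside the article's own example records.

```python
"""Evaluate a DMARC verdict for one message (added example, constructed inputs)."""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain (assumption: three labels for *.com.au, else two)."""
    labels = domain.lower().rstrip(".").split(".")
    depth = 3 if labels[-2:] == ["com", "au"] else 2
    return ".".join(labels[-depth:])


def aligned(header_from_domain, auth_domain):
    """Relaxed alignment: organisational domains must match."""
    return org_domain(header_from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action). action is the record's p= tag when DMARC fails.

    spf_domain is the envelope sender (MAIL FROM) domain; dkim_domain is the d= tag
    of the signature. Either mechanism passing AND aligning is enough for DMARC.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain)
    passed = spf_ok or dkim_ok
    action = "none" if passed else tags.get("p", "none")
    return passed, action


if __name__ == "__main__":
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.au"
    enforce = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com.au"
    # Constructed spoof: attacker's own envelope domain and DKIM key, your From address.
    spoof = ("yourdomain.com.au", "pass", "attacker.example", "pass", "attacker.example")
    print("p=none  :", dmarc_verdict(monitor, *spoof))   # fails, but delivered as-is
    print("p=reject:", dmarc_verdict(enforce, *spoof))   # fails, receiver rejects
```

The spoof case shows why p=none is only a monitoring stage: the message fails DMARC either way, but nothing is blocked until the policy moves to quarantine or reject.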


Technical Defence Layer 2: Microsoft 365 Email Security

Microsoft Defender for Office 365 (MDO)

MDO Plan 1 (included in M365 Business Premium) provides significantly better protection than the baseline Exchange Online Protection:

Safe Links: Rewrites all URLs in emails and checks them at click time. If a link was safe when delivered but became malicious later (a compromised website, or a domain that was only weaponised after the email arrived), Safe Links blocks it when clicked.

Safe Attachments: Detonates email attachments in an isolated sandbox before delivery. Attachments that contain malware or exhibit malicious behaviour are blocked before reaching the recipient.

Anti-phishing: Provides impersonation protection — detecting attempts to impersonate your senior staff or trusted external domains. Configure protected users (CEO, CFO, board members) and protected domains.

Outbound Spam Filtering

Configure outbound spam policies to alert you if an account in your organisation starts sending unusual volumes of email — a strong indicator of account compromise.

Where: Microsoft 365 Defender → Email & Collaboration → Policies → Anti-spam → Outbound spam filter policy.


Procedural Defence: Stopping BEC

Technical controls catch most spoofed and phishing emails. BEC is harder to stop technically because it often uses legitimate email accounts or domains that pass authentication. Procedural controls are the primary defence.

Dual Authorisation for All Payments

No single person should be able to authorise a payment above a defined threshold. Two people must independently approve.

This single control stops CEO fraud and most supplier fraud — the attacker would need to compromise two separate people simultaneously.

Call-Back Verification for Payment Changes

Any request to change supplier bank account details requires a verification call to the supplier using a phone number from your existing records — not a number provided in the email requesting the change.

This is the non-negotiable defence against supplier invoice fraud.

Train Staff on Common BEC Scenarios

Staff who understand how BEC works are significantly less likely to be deceived. Training should cover:

  • The CEO fraud pattern (urgent payment request from senior staff via email)
  • Supplier bank account change fraud
  • Payroll redirect fraud
  • What to do when a request creates urgency or pressure to bypass normal processes (stop, verify independently, do not comply without verification)

Checking Your Current Email Security Posture

Use these free tools:

  • MXToolbox (mxtoolbox.com): Check SPF, DKIM, DMARC, and blacklist status
  • Microsoft Secure Score: Review email-specific security recommendations for your M365 tenant
  • mail-tester.com: Send a test email and receive a deliverability and authentication score

CX IT Services configures the complete email security stack for Melbourne businesses — SPF, DKIM, DMARC, Microsoft Defender for Office 365, and staff awareness training. Book a Right Fit Call to assess your current email security posture.
