Email Security Guide | De4sec Technology

Contents

Why Email Is the Top Attack Vector
Email Authentication: SPF, DKIM, DMARC
Microsoft Defender for Office 365
Mailbox Security Configuration
Business Email Compromise Prevention
De4sec Email Security Service

Why Email Is the Top Attack Vector

Email remains the primary entry point for cyber attacks — phishing, malware delivery, business email compromise, and domain spoofing all begin with email. Securing email is not optional; it is the foundation of any business security posture.

The ACSC reports that over 60% of cyber incidents reported by Australian businesses involve email as the initial attack vector.

Email Authentication: SPF, DKIM, DMARC

Standard	Function	Without it
SPF	Authorises which servers can send on your behalf	Domain spoofing is trivial
DKIM	Cryptographic signature on outbound email	Email can be forged or modified in transit
DMARC	Enforcement policy for failed authentication	Even with SPF+DKIM, no action taken on spoofed email

Target: DMARC p=reject. This eliminates domain spoofing — attackers cannot send email appearing to come from your domain. Configuration takes 2–4 hours; the impact is immediate and permanent.

Microsoft Defender for Office 365

Safe Links

Rewrites all URLs in emails. At click-time, the URL is scanned in real-time — even if the destination becomes malicious after delivery. This is critical because attackers often send clean links and weaponise them later.

Safe Attachments

Detonates attachments in an isolated sandbox before delivery. Malicious attachments are blocked before the user sees them — even unknown malware types with no signature.

Anti-Phishing Policies

Protects specific users (CEO, CFO, IT admin) from impersonation. Alerts when email appears to be from a protected user but originates externally.

Mailbox Security Configuration

✓Disable email forwarding rules by default — attackers set up auto-forward rules after compromising an account

✓Audit logging enabled on all mailboxes — detect suspicious access, forwarding rule creation, mass deletion

✓External sender warning banners — visually mark external email so staff can identify unexpected senders

✓Shared mailbox access via Entra ID groups — not individual account assignment

✓Mail transport rules — block certain attachment types (exe, bat, vbs) from external senders

Business Email Compromise Prevention

BEC involves impersonating executives, suppliers, or IT staff to redirect payments or obtain sensitive information. Technical controls reduce risk but cannot eliminate it — process controls are essential.

✓Payment verification procedure: any payment request received by email requires phone confirmation to a pre-known number

✓Supplier change verification: any request to update bank details triggers a call to the existing supplier contact

✓Executive travel alerts: when the CEO is travelling, finance is alerted that payment request emails may increase

✓Dual approval for large transactions: any payment above a threshold requires two approvers

De4sec Email Security Service

Email Authentication

SPF, DKIM, DMARC configuration, testing, and ongoing monitoring. DMARC reporting reviewed monthly.

Defender for Office 365

Safe Links, Safe Attachments, anti-phishing policy configuration. Tailored to reduce false positives.

Security Awareness

Staff training on identifying phishing and BEC. Simulated phishing exercises. Click-rate tracking.

Incident Response

When a phishing email is clicked or account compromised: containment, credential reset, investigation, post-incident report.

// NEXT STEP

Ready to implement this?

De4sec provides hands-on implementation. Book a free discovery call — we assess your environment at no cost.

Book a Free Discovery Call →de4sec.technology

© 2026 DE4SEC TECHNOLOGY.