How to Stop Phishing Emails Your Filter Missed (2026)
Your Email Filter Isn’t Catching Everything
Over 3.8 million phishing attacks were recorded in 2025, and 82.6% of phishing emails now use AI-generated content (Keepnet Labs, 2025). Gmail and Microsoft 365 have solid built-in protections, but attackers have learned exactly how to slip past them. The result: phishing remains the most-reported cybercrime type, accounting for 193,407 complaints to the FBI in 2024 alone (FBI IC3 Annual Report, 2024).
This guide walks you through what to do about it. You’ll learn how modern phishing works and which admin settings to lock down. You’ll also find free and paid tools that fill the gaps your built-in filters leave open.
Key Takeaways
- AI-crafted phishing emails hit 54% click rates vs 12% for human-written (Keepnet Labs, 2025)
- 58% of phishing emails come from compromised accounts, not spoofed addresses
- Google Workspace and M365 have anti-phishing settings most admins never enable
- Free tools like KnowBe4 and Netcraft add real protection at zero cost
- SPF, DKIM, and DMARC together are the most effective defense against domain spoofing
If you’ve already locked down your passwords, great. If you haven’t, start with our guide on why every growing organization needs a password manager and then check whether your credentials have been exposed. Both are critical foundations for what follows here.
How Do Modern Phishing Emails Actually Work?
Phishing has evolved well beyond the “Nigerian prince” era. Business Email Compromise (BEC) alone caused $2.77 billion in U.S. losses in 2024 (FBI IC3 Annual Report, 2024). Today’s attacks are targeted, AI-assisted, and designed to bypass the exact filters protecting your inbox.
Here’s what a modern phishing attack looks like:
Credential Harvesting
The attacker sends an email that looks like a login page notification from Microsoft, Google, or a service your team uses. The link leads to a pixel-perfect fake login page. You enter your credentials. The attacker now has them.
What’s changed: attackers now host these fake pages on trusted cloud platforms like Google Cloud and Cloudflare Workers. Your email filter sees the link points to google.com or cloudflare.com and lets it through (Malwarebytes, January 2026).
Business Email Compromise (BEC)
BEC doesn’t use malware or fake links. The attacker impersonates a CEO, vendor, or colleague and asks for a wire transfer, updated payment details, or sensitive data. These emails often come from compromised legitimate accounts, not spoofed addresses. In fact, 57.9% of phishing emails originate from compromised accounts (Cofense, 2025).
QR Code Phishing (Quishing)
QR code phishing surged 331% year-over-year according to Cofense. About 12% of all phishing attacks now embed a QR code instead of a clickable link (Keepnet Labs, 2025). Most email filters can’t read or analyze QR code destinations. The user scans the code on their phone, bypassing every desktop-based security tool entirely.
Why Filters Miss These
Modern attackers exploit specific blind spots:
- Compromised accounts: The email comes from a real, trusted address. SPF and DKIM pass. The filter sees nothing wrong.
- Delayed-activation links: The link is clean when the email arrives. Hours later, the attacker swaps the destination to a phishing page.
- OAuth device code exploits: A recent campaign hit over 340 Microsoft 365 organizations using OAuth device code phishing, which bypasses MFA entirely (The Hacker News, March 2026).
- Email routing gaps: Attackers exploit DMARC misconfigurations and routing inconsistencies to deliver spoofed messages through legitimate mail infrastructure (CSO Online, 2025).
How Do You Lock Down Google Workspace Admin Settings?
Organizations that enable all available Gmail safety toggles block up to 99.9% of spam and malicious email (Google Workspace Admin Help, 2026). Yet most Google Workspace administrators never turn on the advanced settings. The full configuration takes about 15 minutes and significantly reduces the attack surface your team faces.
Log into your Google Admin Console at admin.google.com and navigate to Apps > Google Workspace > Gmail > Safety.
Attachments
- Turn on Protect against encrypted attachments from untrusted senders
- Turn on Protect against attachments with scripts from untrusted senders
- Turn on Protect against anomalous attachment types in emails
Links and External Images
- Turn on Identify links behind shortened URLs
- Turn on Scan linked images
- Turn on Show warning prompt for any click on links to untrusted domains
Spoofing and Authentication
- Turn on Protect against domain spoofing based on similar domain names
- Turn on Protect against spoofing of employee names
- Turn on Protect against inbound emails spoofing your domain
- Turn on Protect against any unauthenticated emails (emails that fail SPF or DKIM)
Enhanced Pre-Delivery Message Scanning
Navigate to Security > Advanced settings and enable Enhanced pre-delivery message scanning. This holds suspicious messages briefly for deeper analysis before delivering them, catching threats that basic filtering misses (Google Workspace Admin Help, 2026).
Pro tip: If you’re on Google Workspace Enterprise or Education Plus, also enable Security Sandbox under Gmail > Safety. It opens suspicious attachments in a virtual environment to detect zero-day malware before delivery.
How Do You Lock Down Microsoft 365 Admin Settings?
Microsoft Defender for Office 365 includes strong anti-phishing features, but most organizations run with default settings that are far less aggressive than they should be (Microsoft Learn, 2026). Microsoft’s own documentation recommends the Standard preset as a minimum baseline, yet the majority of tenants have never enabled it.
Microsoft recommends a tiered approach: Standard preset security policy for all users, and Strict for high-value targets (executives, finance, IT admins).
Enable Preset Security Policies
- Go to security.microsoft.com > Email & collaboration > Policies & rules > Threat policies
- Select Preset security policies
- Enable Standard protection for all users
- Enable Strict protection for executives and admin accounts
This single step enables Safe Links, Safe Attachments, and anti-phishing impersonation detection in one move.
Key Settings Within Anti-Phishing Policies
If you want finer control, configure these under Anti-phishing policies:
- Enable mailbox intelligence: Uses machine learning on each user’s email patterns to detect impersonation
- Add impersonation protection for specific users: Add your CEO, CFO, and finance team
- Add impersonation protection for your domains: Protect your primary and any custom domains
- Enable first contact safety tips: Shows a warning when someone receives email from a sender for the first time
- Honor DMARC policy: Set action to quarantine when the sender fails DMARC
Safe Links and Safe Attachments
Under the Standard or Strict preset, these are already on. Verify:
- Safe Links: Rewrites URLs at time of click, not just time of delivery. This catches delayed-activation attacks.
- Safe Attachments: Opens attachments in a sandbox before delivering them. Set unknown malware response to Block.
Pro tip: Safe Links in Standard mode only scans links in email. Under Strict, it also scans links in Microsoft Teams messages, which is increasingly where phishing attempts land.
How Do You Set Up Email Authentication (SPF, DKIM, DMARC)?
About 70% of organizations with DMARC records still run in monitor-only mode, which means spoofed emails are reported but never blocked (BrightDefense, 2025). Email authentication is the single most effective defense against domain spoofing. Without it, anyone can send emails that appear to come from your domain. All three protocols work together, and missing any one of them leaves a gap.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. It is configured as a single DNS TXT record on your domain.
- Google Workspace: Add `v=spf1 include:_spf.google.com ~all` to your domain’s DNS
- Microsoft 365: Add `v=spf1 include:spf.protection.outlook.com ~all`
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails, proving they haven’t been tampered with.
- Google Workspace: Admin Console > Apps > Gmail > Authenticate email > Generate DKIM key > Add the DNS record
- Microsoft 365: Defender portal > Email & collaboration > Policies > DKIM > Select domain > Enable
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC tells receiving servers what to do when SPF or DKIM fails. Start with monitoring, then tighten.
Use a graduated approach:
- Week 1-2: `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` (monitor only)
- Week 3-4: Review DMARC reports. Fix legitimate senders that fail.
- Month 2: `p=quarantine` (suspicious emails go to spam)
- Month 3+: `p=reject` (spoofed emails are blocked entirely)
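To check where a domain actually sits on the SPF and DMARC ladder described above, the following added example (not part of the original guide) parses published TXT records and reports the gaps the article warns about: a permissive or missing `all` mechanism, a `p=none` policy that only monitors, and a DMARC record with no `rua=` address. The sample records are constructed; in practice you would paste in the output of `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`.

```python
import re

# Constructed sample records matching the ones shown in this guide.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC_WEEK1 = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
SAMPLE_DMARC_MONTH3 = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"


def parse_spf(record: str) -> dict:
    """Return the include: hosts and the qualifier on the 'all' mechanism.
    Qualifiers: '-' hard fail, '~' soft fail (what the guide uses),
    '?' neutral, '+' pass; a bare 'all' defaults to '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes = [t.split(":", 1)[1] for t in terms[1:] if t.lower().startswith("include:")]
    qualifier = None
    for t in terms[1:]:
        if t.lstrip("+-~?").lower() == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
    return {"includes": includes, "all": qualifier}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase tag dict."""
    pairs = re.findall(r"\s*([a-z]+)\s*=\s*([^;]+)", record, flags=re.I)
    tags = {k.lower(): v.strip() for k, v in pairs}
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return findings a defender should fix; an empty list means enforcement is on."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+"):
        findings.append("SPF: no restrictive 'all' mechanism, so any host may send as this domain")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised or missing policy {policy!r}")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for label, rec in (("week 1", SAMPLE_DMARC_WEEK1), ("month 3+", SAMPLE_DMARC_MONTH3)):
        print(label, assess(SAMPLE_SPF, rec) or ["enforcement in place"])
```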
If your organization also sends marketing emails or cold outreach, this ties directly to domain warmup and email deliverability.
What Free and Paid Tools Fill the Gaps?
The average click rate on simulated phishing emails is 34% before training (Keepnet Labs, 2025). Even with admin settings locked down and email authentication configured, sophisticated attacks still get through. Third-party tools add behavioral AI, time-of-click URL scanning, and QR code analysis that built-in filters don’t offer.
Free Tools
Netcraft Browser Extension (netcraft.com): Blocks known phishing sites in real time across Chrome, Firefox, Edge, and Opera. It draws on Netcraft’s phishing site database, one of the largest in the industry. Free for individual use.
KnowBe4 Free Phishing Security Test (knowbe4.com): Sends a simulated phishing campaign to up to 100 users in your organization. Shows you exactly who clicked, giving you a baseline for training. Completely free, no purchase required.
GoPhish (github.com/gophish/gophish): Open-source phishing simulation framework. You host it yourself, design your own phishing templates, and track who clicks. More technical to set up but fully customizable and free.
Microsoft Standard Preset Policy: If you’re on Microsoft 365 Business Premium or E3/E5, the Standard preset security policy is included at no extra cost and covers Safe Links, Safe Attachments, and anti-impersonation. Many organizations just haven’t turned it on.
Paid Tools for SMBs
| Tool | Starting Price | Key Differentiator |
|---|---|---|
| IRONSCALES | $3.49/mailbox/month | AI-powered detection + built-in phishing simulation and training |
| Proofpoint Essentials | ~$3.03/user/month | Targeted attack protection with URL defense and impostor detection |
| Barracuda Email Protection | Custom quote | AI detection + incident response + security awareness training |
| Mimecast | $5-15/user/month | URL rewriting, attachment sandboxing, and impersonation protection |
| Cloudflare Email Security | Custom quote | Preemptive threat detection, integrates with existing Cloudflare setup |
These tools catch what Gmail and Microsoft 365 miss because they add a second layer of analysis. They use behavioral AI that learns your organization’s communication patterns. They re-scan URLs at the moment of click, not just delivery. And they extract and analyze QR code links that built-in filters skip entirely.
Common Mistakes That Leave You Exposed
The most common mistake is enabling DMARC in monitoring mode and never progressing to enforcement. Organizations set up p=none, see reports coming in, and assume they’re protected. They’re not. Until you move to p=quarantine or p=reject, spoofed emails still reach inboxes.
Trusting the defaults. Both Google Workspace and Microsoft 365 ship with conservative default settings. The advanced protections exist, but they’re turned off because they can occasionally delay legitimate email. The tradeoff is worth it.
Ignoring mobile devices. QR code phishing specifically targets the gap between desktop security tools and mobile browsers. If your security strategy only covers desktop email, you’re missing 12% of current attacks.
Skipping phishing simulation. Most organizations invest in email security tools but never test whether employees actually recognize phishing. Free tools like KnowBe4’s phish test take 15 minutes to set up and give you a real baseline.
Setting up SPF without DKIM and DMARC. SPF alone doesn’t prevent spoofing. All three protocols are required for proper email authentication. Missing any one of them leaves a gap attackers can exploit.
Frequently Asked Questions
Are Gmail and Microsoft 365 filters good enough on their own?
Gmail and Microsoft 365 catch the vast majority of commodity phishing, bulk spam, and known malicious domains. They are not enough for targeted attacks, BEC, QR code phishing, or attacks that use compromised legitimate accounts. Adding a third-party tool and enabling the advanced admin settings described above closes most of the gap.
What is the single most impactful thing I can do today?
Enable DMARC with at least p=quarantine on your domain, and turn on the advanced phishing protections in your Google or Microsoft admin console. These two changes take under 30 minutes and block the majority of spoofed emails. They cost nothing.
Do I need a paid email security tool if I’m a small team?
Not necessarily. For teams under 25 people, enabling the built-in advanced settings and configuring SPF, DKIM, and DMARC gives you strong coverage. Add a free phishing simulation to test your team. Paid tools become more valuable as headcount grows and targeted attacks increase.
How do I know if my team is actually clicking on phishing emails?
Run a phishing simulation. KnowBe4 offers a free test for up to 100 users that sends a realistic phishing email and reports who clicked. GoPhish is a free open-source alternative if you prefer to host it yourself. The industry average click rate on simulated phishing is around 34% before training (Keepnet Labs, 2025).
What should I do if someone on my team clicks a phishing link?
Have them change their password immediately using a password manager. Enable MFA on the affected account if it isn’t already. Check the account’s recent activity log for unauthorized access. If credentials were entered, treat the account as compromised, check for breach exposure, and report it to your IT team.
Want a full picture of where your organization stands? Our Security Assessment covers email security, credential exposure, MFA status, and more, all in 10 business days. Let’s talk.