
For years, email filtering has been right at the centre of enterprise security. It is automated, scalable and can be extremely effective at blocking known threats. But email filtering alone is not enough. Phishing campaigns, business email compromise (BEC) and zero-day exploits are all able to bypass traditional defences.
According to the UK government’s Cyber Security Breaches Survey 2025, of the organisations that experienced a cyber-attack in the past year, 85% of businesses and 86% of charities were hit by phishing attempts. Email is the most exploited attack vector in cyber-security because it is a gateway to credentials, financial data, intellectual property and even operational control.
Attackers have evolved from carrying out scattergun campaigns to highly targeted social engineering attacks that more accurately mimic trusted senders and exploit behavioural psychology.
These threats can slip past filters and land directly in users’ inboxes.
Email filtering solutions are rule-based: they scan incoming messages for known indicators of compromise such as malicious attachments, flagged domains and suspicious links, then block anything that matches. However, they struggle with nuance: for example, a well-crafted phishing email using a legitimate-looking domain, or a link that only redirects after delivery. The email may impersonate a colleague, reference a recent meeting, or exploit urgency to trigger a click by leaving the recipient less time to think.
These tactics are designed to evade static email filtering defences and will often succeed. Once an email has made it past the filtering, it is left up to the user to spot something that is malicious, and this is getting harder and harder to do.
Cyber-criminals are getting smarter, so their tricks are harder to spot. A recent phishing campaign targeting Microsoft users showed how subtle these attacks can be. The threat actor registered a domain that looked almost identical to the real thing. Instead of “microsoft.com”, they used “@rnicrosoft.com,” replacing the letter m with r and n. At a glance, most people wouldn’t notice the difference, making this a highly effective tactic for stealing credentials.
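The look-alike domain described above is something a mail pipeline or SOC rule can check for mechanically. The following is an added example, not code from the article or from any vendor it mentions: it flags sender domains that collapse to a protected domain once look-alike sequences are normalised, and generalises beyond the "rn" case to a few other common swaps and single-character typos. The protected-domain list, the confusables table and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains this organisation wants to protect. "microsoft.com" is
# from the article; "example.org" is a constructed placeholder.
PROTECTED = {"microsoft.com", "example.org"}

# Sequences that read as another letter at a glance. "rn" -> "m" is the swap
# described in the article; the others are common look-alikes added here.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    d = domain.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d

def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return (verdict, sender_domain, protected_domain_or_None)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", "", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for good in sorted(PROTECTED):
        # Genuine domain or one of its subdomains.
        if domain == good or domain.endswith("." + good):
            return ("exact", domain, good)
    for good in sorted(PROTECTED):
        if skeleton(domain) == skeleton(good):
            return ("lookalike", domain, good)
        if edit_distance(skeleton(domain), skeleton(good)) == 1:
            return ("near-miss", domain, good)
    return ("unrelated", domain, None)

if __name__ == "__main__":
    # Constructed From: headers for illustration.
    for h in ["Microsoft Account Team <security@rnicrosoft.com>",
              "Microsoft <no-reply@microsoft.com>", "IT <it@micros0ft.com>"]:
        print(classify_sender(h), h)
```

A "lookalike" or "near-miss" verdict is a signal for quarantine or analyst review rather than proof of malice, since unrelated legitimate domains can sit one character away from a protected name.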
Phishing remains one of the top causes of breaches globally, with BEC alone costing organisations billions each year. The issue isn’t that email filters don’t work; it is that they weren’t built to adapt in real time, so they cannot keep up with new and emerging threats.
Managed Detection and Response (MDR) has emerged to provide more dynamic, real-time defence. MDR does not replace email filtering; it is an evolution of your email defence. Instead of relying only on static rules, MDR uses real-time monitoring and behavioural analytics, combined with expert threat hunting, to spot anything that could be an attack.
MDR also looks further than the inbox to spot any suspicious activity across endpoints, networks and user behaviour, which creates a broader and more dynamic view of potential compromise. This enables organisations to detect threats earlier, contain them faster and learn from incidents.
When it comes to email-driven attacks, speed is essential. A compromised account can be used to launch internal phishing campaigns, exfiltrate sensitive data, or move across systems. The longer the detection and response take, the greater the risk of escalation.
MDR services, such as Obrela’s, deliver the 24/7 monitoring and incident response capabilities needed to act quickly and more decisively. Whether isolating a compromised account, blocking a malicious domain, or ensuring a coordinated response across the enterprise, the goal is to respond before any damage is done.
Of course, technology alone isn’t the whole answer. The most effective defences will seamlessly combine automation with human expertise. Skilled analysts have a vital role to play in validating alerts, understanding context and tailoring the organisation’s responses to fit its unique environment. Having expert human insight remains one of an organisation’s strongest safeguards.
Integration is another crucial element. Email does not exist in isolation; it sits in a wider security ecosystem of identity platforms, endpoint detection, SIEMs and cloud applications. MDR needs to connect all of this, gathering information across multiple layers to build a more accurate and complete picture of what’s happening.
Threat intelligence also has an essential role. By using data from global attack patterns, MDR platforms can identify and anticipate emerging tactics before they strike locally. This intelligence-led approach makes defence more proactive.
Email filtering is, and will remain, an essential cyber-security tool, but it is important that you understand its limits. Email gateways cannot be used as your final line of defence. The organisations that rely solely on email filtering will be at risk from the email-based attacks that have been designed to slip through the cracks.
To stay ahead, organisations have to evolve their email security posture. Adopting MDR monitoring of their environment, brand and domains will provide more adaptive resilience, where detection, response and human insight are combined to reduce the risk of attack.
Email will be at the frontline of cyber-attacks for the foreseeable future, but with the right combination of visibility, speed and expertise it needn’t be the weakest link.
Andy Winters is EVP of MDR at Obrela - real-time, risk-aligned cyber-security
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543