Pre-delivery AI · DMARC enforcement · 24/7 SOC

Email security for M365 and Google Workspace — phishing, BEC, and DMARC, closed out to "reject"

Layered protection that sits in front of (or alongside) Microsoft 365 Defender and Google Workspace. AI behavioral analysis, impersonation protection, attachment detonation, DMARC enforcement, and a user-training loop that actually moves the phish-prone needle.

96.4% BEC block rate · 24 hrs onboarding, no MX swap · 4.1M messages scanned daily · <4% client phish-prone rate at 9 mo

Read-only audit of your tenant. 24-hour turnaround. 1-page executive report back.

24/7 US-based analyst coverage · Tampa · Orlando · Chicago

Service tiers

Three email protection lanes. Per-mailbox pricing. No MX swap required.

All tiers deploy via Microsoft Graph or Gmail API — 24-hour setup, zero mail flow disruption. Upgrades happen in-place. No licenses wasted if your inbox count changes mid-term.

Email Essentials
The minimum baseline on top of Defender or Gmail native filtering.
$4/mailbox/mo
Annual agreement · 25-mailbox minimum
  • Signature-based spam/malware + known-bad URL rewriting
  • Attachment sandboxing for Office docs, PDFs, archives
  • SPF + DKIM configuration & monitoring (reporting only)
  • Monthly threat summary + top-targeted-users report
  • KnowBe4 starter phishing simulations (4/year)
  • 24-hour onboarding, deployed via API
Enterprise Email + DLP
For regulated industries, public companies, or 1,000+ mailbox estates.
Custom
Scoped by mailbox count & compliance framework
  • Everything in Advanced Threat Protection
  • Outbound DLP: PHI, PCI, PII, source code pattern policies
  • Journaling + legal hold to Proofpoint or archive of choice
  • Custom brand-impersonation monitoring for look-alike domains
  • Dedicated email security engineer + named IR lead
  • Quarterly tabletop BEC exercise with your finance team
The email stack we actually run · no white-label mystery boxes
  • Microsoft Defender: O365 P2
  • Abnormal Security: Behavioral AI
  • Vade Secure: BEC & spear-phish
  • Proofpoint: Enterprise gateway
  • Mimecast: Archive & continuity
  • KnowBe4 PhishER: Training loop
  • Valimail: DMARC enforcement
  • Area 1: Pre-delivery detection
  • Duo: MFA
Threat → layer mapping

Which layer stops which threat. Because "we block phishing" doesn't mean anything.

Email attacks aren't one thing. They're seven different things, and they need seven different detection approaches. Here is what each layer in our stack catches, and where a single-vendor approach falls down.

| Threat type | What it looks like | Primary layer | What gets blocked |
|---|---|---|---|
| Commodity phishing | Fake login links, bulk-sent, malicious domains in URL | Defender / Gmail + Area 1 | ~99%+ pre-delivery, signature + URL reputation |
| Tailored BEC | "Your CEO" asking for a wire, no links, clean sender domain | Abnormal + Vade (behavioral AI) | Sender-graph anomaly, language pattern deviation, timing |
| Vendor Email Compromise | Real vendor contact whose mailbox was hijacked, sends fake invoice | Abnormal VEC + Defender | Banking-detail change detection, anomalous thread behavior |
| Malicious attachments | Office docs with macros, archives, HTML smuggling, PDFs | Sandboxing (Defender, Area 1) | Pre-delivery detonation in VM, behavior-based verdict |
| Domain spoofing | Mail from forged-sender @yourcompany.com to customers | Valimail DMARC enforcement | DMARC policy reject — receiving servers drop forgeries |
| Look-alike domains | yourc0mpany.com, yourcompany-payments.com typo-squat sends | Brand protection monitoring | Daily domain-registration sweep, takedown workflow (Enterprise) |
| Account takeover | Attacker logs in with valid creds and sends internal phish | Defender + SOC triage + MFA (Duo) | Anomalous login + internal send pattern → auto-disable + SOC page |

A full threat-coverage matrix with per-vendor control mapping is in every proposal. Ask for the sample packet.

Case file · anonymized

One Friday afternoon. One forged CEO email. $184,000 stopped before the wire cleared.

A 140-person manufacturing client almost wired $184k to an attacker on a Friday at 4:51pm. This is how the layered email stack caught it. Names changed, timing and tools real.

P1 · BEC / wire fraud · Prevented

"Northridge Castings" · M365, 140 mailboxes · Cleveland, OH

Friday, 16:47 EDT · initial vector: spoofed CEO display name + look-alike reply-to domain · target: $184,200 wire to "new vendor banking details"
  1. 16:47:03 Email arrives at controller@northridge... from "Tom Ritter, CEO" (display name spoofed). Reply-to tom.ritter@northr1dge-castings.com — numeric "1" for "i" in look-alike domain.
  2. 16:47:04 Defender for Office 365 anti-phishing scores it medium: spoof intelligence flags display-name mismatch but lets it through to inbox. First layer alone: not blocked.
  3. 16:47:06 Abnormal Security catches it. Behavioral analysis flags: "CEO has never used the phrase 'kindly process', never sent payment requests on a Friday after 4pm, never used a different reply-to domain." Auto-quarantined pre-delivery.
  4. 16:47:11 Slack alert fires to dedicated client channel. Priya Venkatesh (Tampa SOC) picks up. Confirms not-the-CEO via reverse-direction Teams DM to actual Tom.
  5. 16:48:39 Headers analyzed: SPF pass (look-alike domain owns its SPF), DKIM signed by attacker domain, DMARC not enforced on northr1dge-castings.com (it's the attacker's, of course). Look-alike domain registered 11 days ago.
  6. 16:51:20 Tenant-wide rule deployed: any mail from *northr1dge* or registered-within-30-days look-alikes → auto-quarantine + SOC review. Two more attempts caught over the weekend.
  7. 16:54:08 Contained. 7 minutes from delivery to tenant-wide rule. Phishing report submitted to APWG and Microsoft. Look-alike domain takedown request filed with registrar.
  8. Monday Post-incident: Northridge's CFO formalized a verbal-callback rule for any wire over $25k. DMARC enforcement project scoped for own domain. Finance team enrolled in BEC-focused training module. Wire would have been unrecoverable — FBI IC3 stats put recovery rate on BEC at under 18%.
Outcome: $184,200 not wired. No mailbox compromise (the attacker never actually accessed the CEO's account). No customer data exposed. Total client-side time on the incident: one Teams reply at 16:48 confirming "not me."
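
The header signals from this timeline (executive display name on an outside sender, reply-to mismatch, look-alike domain) can be checked mechanically. The following is an added example, not the vendor tooling named in the case file; the protected domain and the sample message are constructed, because the page truncates the client's real address.

```python
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "northridge-castings.com"   # assumed: the page truncates the real domain
EXECUTIVES = {"tom ritter"}                    # display names to protect (name from the case file)
CONFUSABLES = str.maketrans("01l35", "oiies")  # digit/letter swaps common in look-alike domains

# Constructed sample message modelled on the case file; not a real capture.
SAMPLE = """\
From: "Tom Ritter, CEO" <tom.ritter@northr1dge-castings.com>
Reply-To: tom.ritter@northr1dge-castings.com
To: controller@northridge-castings.com
Subject: Wire today

Kindly process the new vendor banking details before 5pm.
"""


def skeleton(domain):
    """Collapse visually confusable characters so look-alikes compare equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def is_lookalike(domain):
    """True when a foreign domain has the same skeleton as the protected one."""
    return domain != PROTECTED_DOMAIN and skeleton(domain) == skeleton(PROTECTED_DOMAIN)


def triage(raw_message):
    """Return the list of impersonation findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if any(name in display.lower() for name in EXECUTIVES) and from_dom != PROTECTED_DOMAIN:
        findings.append("executive display name on external sender")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from sender domain")
    for dom in sorted({from_dom, reply_dom} - {""}):
        if is_lookalike(dom):
            findings.append(f"look-alike of protected domain: {dom}")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

SPF and DKIM both pass for a domain the attacker owns, as step 5 notes, which is why these checks look at who the message claims to be rather than at authentication results.
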
Compliance evidence, done for you

We don't sell "compliance." We deliver the packet your auditor actually wants.

Every quarter we drop a ready-made evidence package into your portal: control mapping, log samples, policy attestations, tested backups, and user-access reviews. Your staff stops fighting spreadsheets. Your assessor finishes in days, not weeks.

SOC 2 Type II
Security, availability, and confidentiality trust criteria. Most-requested by your B2B customers during procurement.
HIPAA
Healthcare PHI safeguards, BAA-ready stack, annual risk analysis and workforce training records.
PCI-DSS v4.0
Cardholder data environment scoping, quarterly ASV scans, segmentation validation.
CMMC Level 2
110 NIST 800-171 controls for DoD subcontractors. We're a registered RPO.
CJIS
Criminal Justice Information Services for agencies handling FBI-sourced data.
NIST CSF 2.0
The framework your cyber-insurance carrier is actually scoring you against.
ISO 27001
ISMS controls for clients doing business in the EU or with multinationals.
GLBA / FTC Safeguards
For financial services, including the 2023 FTC Safeguards Rule for tax preparers and auto dealers.
The humans on call

When the phish lands at 4:51pm on a Friday, these are the people who pick up.

Our SOC is staffed in-house across Tampa, Orlando, and Chicago. No overseas tier-1 wall. Every analyst holds at least one current certification and has email IR experience before they take a shift.

  • Miguel Santos · Lead SOC Analyst · Orlando · CISSP, GCIH, GCFA
  • Priya Venkatesh · Incident Response Lead · Tampa · OSCP, GCIH, CRTO
  • Deandre Williams · Compliance Engineer · Chicago · CISA, CISM, ISO 27001 LA
FAQ · the ones that actually block the sale

Five questions. Honest answers.

We already have Microsoft 365 Defender. Why do we need another email security layer?

Defender for Office 365 catches the bulk volume but misses the tailored BEC and impersonation attacks that use clean-origin domains and have no payload. Our layered stack adds AI behavioral analysis (looks at sender-recipient history, language, and timing anomalies) and catches the 2-8% of threats that slip past native signature-based filtering — which happens to be the 2-8% that costs money. Most clients keep Defender and add our layer on top. No MX swap required.

Do you enforce DMARC? Will it break our legitimate email?

Yes, DMARC enforcement is included in Advanced Threat Protection and Enterprise tiers. We roll it out in three phases: monitor (p=none) for 30 days to discover every legitimate sender, then quarantine for 30 days with daily exception review, then reject. By the time we flip to p=reject your SaaS-sent email, CRM blasts, and HR payroll notifications are all authenticated. We have a 100% track record of zero legitimate email loss on enforced rollouts.
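
To see where a domain sits in that three-phase rollout, read its published `_dmarc` TXT record. This is an added example, not the provider's tooling; the sample records and addresses in the usage lines are constructed, and the gap checks are ones an auditor would commonly make rather than steps stated on this page.

```python
ORDER = ["none", "quarantine", "reject"]
PHASES = {
    "none": "phase 1: monitor",
    "quarantine": "phase 2: quarantine",
    "reject": "phase 3: reject",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ORDER:
        raise ValueError("not a valid DMARC policy record")
    return tags


def rollout_status(txt):
    """Return (phase, gaps) for one record, where gaps weaken the stated policy."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    gaps = []
    if "rua" not in tags:
        gaps.append("no rua= address, so no aggregate reports to discover senders")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        gaps.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub in ORDER and ORDER.index(sub) < ORDER.index(policy):
        gaps.append(f"sp={sub} leaves subdomains weaker than p={policy}")
    return PHASES[policy], gaps


if __name__ == "__main__":
    # Constructed records, one per phase.
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; sp=none",
    ):
        print(rollout_status(record))
```
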

How do you stop Business Email Compromise when there's no malicious link or attachment?

BEC attacks look clean to signature-based filters because there is no payload. Our behavioral AI (Abnormal + Vade) learns each user's normal communication graph: who your CFO talks to, how they phrase wire requests, when they usually reply. When a new email arrives from "your CEO" asking for a $184k wire to a first-time vendor at 5:47pm on a Friday, the system flags the anomaly and quarantines it pre-delivery. Detection rate on tailored BEC in our client base: 96.4% blocked, remainder caught in user-report workflow within minutes.

How long does onboarding take and do we have to switch MX records?

No MX swap. Our stack integrates via Microsoft Graph API (M365) or Gmail API (Google Workspace) — takes 24 hours to deploy, zero mail flow disruption. First 7 days run in observe-only mode to tune false positives against your real traffic. Day 8 we flip to active blocking on high-confidence threats. DMARC and user-training loop roll out over weeks 2-4. No downtime, no cutover weekend.

Do you cover the user training side, or just the inbox side?

Both. Advanced and Enterprise tiers include KnowBe4 PhishER-powered simulations (12 campaigns per year), a library of 500+ training modules mapped to role and risk, and monthly reporting tied to individual phish-prone scores. When a user clicks a simulated phish, they're enrolled in a 90-second remediation module before they can continue. Most clients see phish-prone rate drop from ~27% baseline to under 4% within 9 months.

See what's reaching your inbox today — and what you'd want stopped.

Our free email threat assessment runs read-only against your tenant. We look at the last 30 days of mail flow for evidence of phishing that bypassed your filters, BEC patterns targeting finance and HR, DMARC posture on your sending domains, and impersonation attempts using look-alike domains. 24-hour turnaround, 1-page executive report.

Run my free email threat assessment, or call (888) 574-5120