Most Australian SMBs we onboard arrive with a Microsoft 365 Business Premium licence and a quiet assumption that their email is protected. It is not, at least not in the way they think. Defender for Office 365 catches the obvious stuff, but the attacks landing in Australian inboxes in 2026 are not obvious. They are paid-up SaaS tools, AI-written, and aimed straight at finance teams.
Email is still the front door. In FY 2024-25 the Australian Cyber Security Centre logged a cybercrime report every six minutes, and the OAIC’s most recent Notifiable Data Breaches data shows phishing and compromised credentials as the leading initial-access methods for breaches affecting Australian organisations. The technology controls inside a default Microsoft 365 tenant do not close that gap on their own. Here is what does.
The case for spending real money on email security got harder to argue against in 2025. Three reports landed in quick succession, and they all say the same thing.
The ASD Annual Cyber Threat Report 2024-25 recorded 84,700 cybercrime reports in the financial year and 1,200 incidents the ACSC responded to directly, up 11% year on year. The average loss per cybercrime hit $80,850 for businesses and $202,691 for larger organisations. Social engineering, almost all of it email-borne, accounted for 38% of reported incidents as the initial access technique.
The OAIC Notifiable Data Breaches dashboard for January to June 2025 logged 532 breach notifications, with malicious or criminal attacks driving 59% of them. Compromised credentials were the root cause in roughly a quarter of all breaches. The average cyber incident exposed the personal data of more than 10,000 people.
And the Australian Federal Police reported that business email compromise alone stole $152.6 million from Australians in 2024, a 66% jump on 2023. BEC is now in the top three self-reported cybercrimes for Australian businesses.
That last number is the one that should keep you up at night. BEC is the attack a Microsoft 365 default tenant is worst at stopping, because the email itself often does not contain malware. There is nothing for a virus scanner to find.
The phishing email of 2019 is dead. The threats hitting Perth businesses now fall into four buckets, and only one of them is what most people picture when they hear the word “phishing”.
Adversary-in-the-middle phishing (AiTM). The attacker sends a link to a fake Microsoft 365 login page that proxies your real session to Microsoft in the background. You type your password, you approve the MFA prompt on your phone, and you authenticate the attacker at the same time. They walk away with a valid session token and can read your mailbox without ever needing your password again. SMS and app-push MFA do not stop this. Only phishing-resistant MFA does.
Supplier compromise and invoice fraud. Your bookkeeper gets a real email from your real supplier, sent from their real mailbox, because the supplier has been compromised. The only thing the attacker has changed is the bank account on the invoice. There is no malicious link, no malware, no spelling errors. The construction sector has been hit hardest in 2024 and 2025, but we have seen the same playbook against legal, finance, and not-for-profit clients in WA.
AI-generated spear phishing. Generative AI has wiped out the bad grammar tell. The ACSC notes that attackers are using AI to scale personalised phishing, deepfaked voice messages, and fraudulent KYC documents at a rate that was not possible two years ago. The cost-per-attack has collapsed, which is why volume keeps climbing.
QR-code and image-based phishing (quishing). The malicious link is embedded in a QR code inside a PDF, or rendered as text inside an image. Traditional content scanners see a picture, not a URL, and let it through.
These attacks share one feature: they slip past signature-based filtering because there is no signature to match.
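The AiTM pattern described above does leave a trace on the identity side: MFA is satisfied, then the stolen session is used from somewhere else. The following is an added example, not code from the original article or from Epic IT, showing a simple heuristic over sign-in records. The field names (User, Time, Ip, Mfa, App) and the sample events are constructed for the demo; map them onto your own Entra ID sign-in log export before using it. Because the proxy relays the login, the MFA sign-in itself usually originates from infrastructure the user has never used, so the function also compares the MFA sign-in address against an optional per-user list of familiar addresses.

```powershell
# Added example (not from the original article). Flags two signs of an
# adversary-in-the-middle session on constructed sign-in records:
#  1. an MFA-satisfied sign-in from an address the user has never used, and
#  2. activity from a different address within a short window of that sign-in.
function Find-SuspectedAitmSession {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # records with User, Time, Ip, Mfa, App
        [hashtable] $KnownIps = @{},                  # user -> array of familiar addresses (optional)
        [int] $WindowMinutes = 60
    )
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($group in ($SignIns | Group-Object -Property User)) {
        $user   = $group.Name
        $known  = if ($KnownIps.ContainsKey($user)) { @($KnownIps[$user]) } else { @() }
        $events = $group.Group | Sort-Object -Property { [datetime]$_.Time }

        foreach ($anchor in ($events | Where-Object { $_.Mfa })) {
            $anchorTime = [datetime]$anchor.Time

            if ($known.Count -gt 0 -and $anchor.Ip -notin $known) {
                $findings.Add([pscustomobject]@{
                    User = $user; When = $anchor.Time; Ip = $anchor.Ip; App = $anchor.App
                    Reason = 'MFA satisfied from an address this user has never used'
                })
            }

            foreach ($later in $events) {
                $t = [datetime]$later.Time
                if ($t -gt $anchorTime -and $t -le $anchorTime.AddMinutes($WindowMinutes) -and $later.Ip -ne $anchor.Ip) {
                    $findings.Add([pscustomobject]@{
                        User = $user; When = $later.Time; Ip = $later.Ip; App = $later.App
                        Reason = "Activity from a different address within $WindowMinutes min of MFA sign-in from $($anchor.Ip)"
                    })
                }
            }
        }
    }
    return $findings
}

# Constructed sample data. Alice approves MFA from an unfamiliar address, and
# twelve minutes later the same account reads mail from a third address. Bob is normal.
$sample = @(
    [pscustomobject]@{ User = 'alice@example.com.au'; Time = '2025-11-03T09:02:00Z'; Ip = '198.51.100.20'; Mfa = $true;  App = 'Office 365 Exchange Online' }
    [pscustomobject]@{ User = 'alice@example.com.au'; Time = '2025-11-03T09:14:00Z'; Ip = '198.51.100.77'; Mfa = $false; App = 'Office 365 Exchange Online' }
    [pscustomobject]@{ User = 'bob@example.com.au';   Time = '2025-11-03T09:05:00Z'; Ip = '203.0.113.10';  Mfa = $true;  App = 'Microsoft Teams' }
    [pscustomobject]@{ User = 'bob@example.com.au';   Time = '2025-11-03T10:30:00Z'; Ip = '203.0.113.10';  Mfa = $false; App = 'Microsoft Teams' }
)
$familiar = @{ 'alice@example.com.au' = @('203.0.113.10'); 'bob@example.com.au' = @('203.0.113.10') }

Find-SuspectedAitmSession -SignIns $sample -KnownIps $familiar | Format-Table -AutoSize
```

On the sample data this produces two findings for Alice and none for Bob. Treat the output as a triage queue rather than a verdict: VPNs and mobile carriers change addresses legitimately, which is why the window and the familiar-address list are parameters you tune per tenant.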
Microsoft 365 Business Premium includes Defender for Office 365 Plan 1. It does real work, and we are not here to talk anyone out of running it. But it is worth being honest about what it covers.
| Capability | Defender P1 (Business Premium) | Defender P2 (E5 / add-on) | Third-party gateway |
|---|---|---|---|
| Safe Links (URL rewriting) | Yes | Yes | Yes |
| Safe Attachments (sandboxing) | Yes | Yes | Yes |
| Anti-phishing impersonation protection | Basic | Advanced | Advanced |
| AiTM session-token detection | Limited | Yes, with linked Identity signals | Varies |
| Post-delivery clawback (ZAP) | Yes | Yes | Some |
| Threat Explorer and hunting | No | Yes | Vendor-dependent |
| Automated investigation and response (AIR) | No | Yes | Vendor-dependent |
| Attack simulation training | No | Yes | Separate platform (KnowBe4, etc.) |
If you are on Business Premium, you are running Plan 1. That is enough to catch the bulk noise. It is not enough to see an AiTM session being hijacked in real time, hunt back through 30 days of mail flow when you suspect a compromise, or simulate realistic attacks against your team. To get those capabilities from Microsoft, you need Defender for Office 365 Plan 2 (around $4.10 AUD per user per month as an add-on, or included in E5).
This is the conversation we have with every new managed security client. Stay on P1 and accept the visibility gap, upgrade to P2, or layer a specialist email security platform on top. Each path has trade-offs. None of them is “do nothing”.
Our default stack for managed clients is built around the assumption that the email gateway is one control in a chain, not the chain itself. Five layers, each doing a specific job.
First, the gateway. Defender for Office 365 (P1 or P2) handles the bulk filtering, plus a third-party layer (we use specialist platforms that integrate via API rather than MX-record changes) for impersonation, supplier-thread analysis, and QR-code inspection.
Second, identity. Phishing-resistant MFA on every administrative account, conditional access policies that block legacy authentication outright, and continuous access evaluation so a hijacked session can be revoked in minutes. This is the work covered by our access management service.
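The two identity-layer controls named above, blocking legacy authentication and requiring phishing-resistant MFA for administrators, are both Conditional Access policies. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original article or from Epic IT's own tooling. It assumes the Microsoft.Graph module is installed, that the connecting account can manage Conditional Access, and that the built-in authentication strength is named 'Phishing-resistant MFA' in your tenant. Both policies are created in report-only mode so you can review the sign-in impact before enforcing.

```powershell
# Added example (not from the original article). Creates two Conditional Access
# policies in report-only mode via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Directory.Read.All'

# 1. Block legacy authentication outright. These client types cannot carry an
#    MFA claim, so password spraying and replay against them bypasses MFA entirely.
$blockLegacy = @{
    displayName = 'Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 2. Require phishing-resistant MFA for directory administrators.
#    Look the IDs up rather than hard-coding GUIDs.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @('Global Administrator', 'Exchange Administrator', 'Security Administrator') }

$requirePhishingResistant = @{
    displayName = 'Admins: require phishing-resistant MFA (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeRoles = @($adminRoles.Id) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requirePhishingResistant
```

Before switching either policy from report-only to enabled, add an excluded break-glass account to the users condition and confirm that every administrator has actually registered a FIDO2 key, Windows Hello for Business, or a certificate; enforcing the second policy first locks out anyone who has not.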
Third, the endpoint. Endpoint detection and response catches the things that get past mail filtering, because some always will. If a user opens a malicious attachment, EDR sees the process behaviour and isolates the device before anything spreads.
Fourth, the people. Every successful email attack ends with a human clicking, replying, or paying. Ongoing security awareness training with realistic simulations is not a tick-box exercise; it is the cheapest mitigation in the entire stack.
Fifth, the process. Out-of-band verification for any payment change, supplier bank-detail updates confirmed by phone to a known number, and a written incident response plan that finance staff have actually read. This is where most BEC losses get prevented or recovered.
None of these layers is exotic. The reason businesses still get caught is that they implement two of the five and call it done.
If you are working towards a recognised security standard, email controls show up in both Australian frameworks we deploy most. Knowing where they land helps you justify the spend and sequence the work.
Under the SMB1001 cybersecurity framework, multi-factor authentication and patching sit at the Bronze tier, with email filtering and awareness training added at Silver and Gold. Most of our SMB clients targeting compliance with the Cyber Wardens or Cyber Security Strategy expectations are working to at least Silver, which forces a real email security conversation.
Under the Essential Eight, the relevant controls are application control (blocks payloads that slip through), configure Microsoft Office macro settings (blocks one of the oldest delivery methods that is somehow still alive), user application hardening (blocks Flash, ads, and Java content that phishing pages still abuse), and multi-factor authentication (now required to be phishing-resistant at Maturity Level 2). Maturity Level 1 is the floor. We push most clients towards ML2, because ML1 still allows the AiTM attacks we described above.
For clients past the Essential Eight, our Further Five controls (data classification, third-party risk, vulnerability management, incident response, and security culture) cover the supplier-compromise and BEC scenarios that the Essential Eight does not explicitly address. This is where the work actually gets interesting for businesses that have already done the basics.
One change that has shifted board-level conversations in the last twelve months: the federal mandatory ransomware payment reporting regime commenced in May 2025 for businesses with annual turnover above $3 million. If you pay a ransom (or a related extortion demand), you have 72 hours to report it to the Department of Home Affairs.
Most ransomware in Australia still arrives via email, either as a direct attachment or as a credential-harvesting precursor that gives the attacker the foothold to deploy ransomware later. The reporting obligation does not change your security posture, but it does change the cost of a successful email-driven breach. You are now reporting to the government, the OAIC (if personal data is involved), and your insurer. That is three sets of paperwork and a lot of legal hours that better email security would have avoided.
Audit what you actually have. Most businesses do not know whether they are on Defender Plan 1 or Plan 2, whether Safe Links is turned on, or whether their MFA is phishing-resistant. Pull the Microsoft 365 secure score, check the email security policies in the Defender portal, and write down what is missing. If that takes more than an hour, you have your answer.
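A read-only audit of the points just listed takes a few minutes at the console. The following is an added example, not code from the original article or from Epic IT's own tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you connect with a read-only role such as Global Reader; the service plan names ATP_ENTERPRISE (Plan 1) and THREAT_INTELLIGENCE (Plan 2) are the ones Microsoft's licensing reference uses for Defender for Office 365.

```powershell
# Added example (not from the original article). Read-only audit of Defender
# licensing, Safe Links / Safe Attachments, impersonation protection and FIDO2.
Connect-MgGraph -Scopes 'Organization.Read.All', 'Policy.Read.All'
Connect-ExchangeOnline

$report = [ordered]@{}

# 1. Which Defender for Office 365 plan is actually licensed in the tenant?
$plans = Get-MgSubscribedSku | ForEach-Object { $_.ServicePlans.ServicePlanName }
$report['Defender for Office 365 P1 licensed'] = ($plans -contains 'ATP_ENTERPRISE')
$report['Defender for Office 365 P2 licensed'] = ($plans -contains 'THREAT_INTELLIGENCE')

# 2. Are Safe Links and Safe Attachments applied by any enabled rule?
#    Custom policies are scoped through rules; preset policies (Standard/Strict)
#    are listed separately, so both are counted.
$report['Enabled Safe Links rules']        = @(Get-SafeLinksRule       | Where-Object State -eq 'Enabled').Count
$report['Enabled Safe Attachments rules']  = @(Get-SafeAttachmentRule  | Where-Object State -eq 'Enabled').Count
$report['Enabled preset security policies'] = @(Get-ATPProtectionPolicyRule | Where-Object State -eq 'Enabled').Count

# 3. Does any anti-phishing policy enable user or domain impersonation protection?
$antiPhish = Get-AntiPhishPolicy
$report['Impersonation protection on'] = [bool]($antiPhish |
    Where-Object { $_.EnableTargetedUserProtection -or $_.EnableTargetedDomainsProtection })

# 4. Is a phishing-resistant method (FIDO2 security keys) enabled for users?
$fido2 = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'Fido2'
$report['FIDO2 security keys enabled'] = ($fido2.State -eq 'enabled')

[pscustomobject]$report | Format-List
```

A tenant on Business Premium should show P1 licensed and P2 not; a zero in both rule counts means the policies exist but apply to nobody, which is the most common finding. A FIDO2 method that is enabled but has no registered keys is still not phishing-resistant MFA in practice, so follow the last line up with a registration report.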
Pressure-test your finance process. Run a tabletop exercise this month: a supplier emails your AP team with a new bank account. What is your verification process? Who approves it? Is the change logged? If the answer is “we just email the supplier back to confirm”, that is the exact same channel the attacker controls. Phone verification to a number you already had is the only safe option.
Book a free assessment. Our Perth-based team will review your Microsoft 365 tenant, your email security policies, and your alignment to SMB1001 or the Essential Eight, then give you a written gap list and a prioritised remediation plan. No obligation, no upsell pressure. Contact us on 1300 EPIC IT or use the form on our contact page.
Business Premium includes Defender for Office 365 Plan 1, which covers Safe Links, Safe Attachments, and basic impersonation protection. That is enough to stop most bulk phishing, but it does not include the advanced hunting, automated investigation, and attack simulation features in Plan 2, and it will not reliably detect adversary-in-the-middle attacks on its own. For most Australian SMBs, layering a specialist email security platform or upgrading to Plan 2 is the practical path.
There is no single product answer. The best email security for an Australian small business is a layered setup: Defender for Office 365 on the gateway, phishing-resistant multi-factor authentication on identities, endpoint detection and response on devices, security awareness training for staff, and verified out-of-band processes for any payment change. We tune this stack to the client’s industry, size, and compliance requirements (SMB1001, Essential Eight, or sector-specific obligations).
The Microsoft component depends on your licence. Business Premium already includes Defender Plan 1, and Plan 2 is roughly $4.10 AUD per user per month as an add-on. A specialist third-party platform typically adds $4 to $10 per user per month depending on features. Awareness training platforms are around $2 to $5 per user per month. A fully layered email security setup for an Australian SMB usually lands between $10 and $20 per user per month all-in. Compare that to the $55,000 average loss per BEC incident reported by the ACSC.
Standard MFA (SMS code or app push) stops password-only phishing. It does not stop adversary-in-the-middle phishing, which proxies your live session to Microsoft and captures the post-MFA session token. Only phishing-resistant MFA, meaning FIDO2 hardware keys, Windows Hello for Business, or certificate-based authentication, blocks AiTM. The Essential Eight Maturity Level 2 now requires phishing-resistant MFA for privileged users.
Stop the payment if it has not cleared, contact your bank’s fraud team immediately, change passwords and revoke active sessions on the affected mailbox, and preserve the original email and headers for investigation. Report the incident to ReportCyber and, if personal data is involved, assess your obligations under the Notifiable Data Breaches scheme within 30 days. If you are an Epic IT managed client, call us first on 1300 EPIC IT and we will run the response in parallel.
Email is the delivery mechanism for most attacks the Essential Eight is designed to stop. Four of the eight controls relate directly to email-borne threats: application control, configure Microsoft Office macro settings, user application hardening, and multi-factor authentication. Getting to Essential Eight Maturity Level 1 forces a hard look at your email security posture, and Maturity Level 2 raises the bar further by requiring phishing-resistant MFA for privileged users.