Most modern cyberattacks do not start with sophisticated technical hacking; they start with a single email. The reason is simple: the mailbox is a direct door, open to the outside world, that every employee uses every day. For an attacker, convincing one person to trust a fake message is far easier than getting past a firewall. In this article we explain the main threats to business email security and the layered defence ONYX applies when it builds corporate mail systems.
Why email is the first target
Email combines technical and human weaknesses in one place. It is reachable by anyone on the internet, the underlying SMTP protocol does not verify who a message is from by default, and at the other end there is always a busy, distracted human. That is why a single layer of security is never enough.
The main threats
Phishing
Messages that lure an employee to a fake page and trick them into entering a password or other details. They usually imitate the look of a familiar service — a bank, a Microsoft 365 sign-in, a courier.
Business email compromise (BEC) and CEO fraud
The attacker writes in the name of an executive or partner, sometimes from a genuinely compromised partner mailbox, and demands an urgent payment or a change of bank account details. There is no malicious file or link here, only convincing text, which is exactly why attachment scanning and traditional antivirus do not catch it.
Spoofing
Forging the sender address so the message appears to come from your own domain. Without SPF, DKIM and DMARC on the domain, an attacker can write to your customers or staff as if they were "you".
Malicious attachments and links
Files disguised as invoices or documents (often Office files with macros, or archives hiding an executable) that install malware when opened. Links, in turn, start that download or open a fake sign-in page in the browser.
Layered defence: there is no single fix
Reliable protection is built from several complementary layers. None of them is perfect on its own, but together they make the attacker's job significantly harder.
Spam and malware filtering
The first layer works before messages ever reach the mailbox. The filter screens out suspicious senders, known malicious links and attachments, and bulk spam waves. In Microsoft 365 this is Exchange Online Protection, which is on by default; with the correct policies (anti-phishing, plus Safe Links and Safe Attachments where licensed) it is strengthened further.
SPF, DKIM and DMARC — anti-spoofing for your domain
These three DNS records can be explained in plain language: they tell the internet "only these servers are allowed to send email from my domain" and give the receiving side a way to check it. SPF lists the servers that may send on your behalf; the receiver checks the connecting server against that list. DKIM adds a digital signature to each message, made with a private key on your mail server; the receiver fetches the matching public key from DNS and confirms the message was signed by your domain and not altered in transit. DMARC ties the two together: it requires that the domain SPF or DKIM validated actually matches the domain in the visible From: header (this is called alignment), because SPF alone only checks the hidden envelope sender and DKIM alone only proves that some domain signed the message. DMARC also defines what the receiver should do with messages that fail: none (monitor only), quarantine or reject, and where to send aggregate reports. Start with p=none and reporting to find legitimate senders you had forgotten (billing systems, marketing tools, scanners), then move to quarantine and finally reject. Two caveats: enforcement depends on the receiving server honouring your policy, and these records protect only your own domain, so lookalike domains (your-company.example instead of yourcompany.example) still get through and remain a job for filtering and staff awareness.
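The alignment rule above is the part most often misunderstood, so here is a small DMARC evaluator, written for this article as an added example (it is not ONYX's code and not a production validator). The domains, the authentication results and the policy record are constructed; the only real value is the include: host that Microsoft 365 tenants use in SPF. Organizational-domain lookup is simplified to the last two labels, where a real implementation uses the Public Suffix List.

```python
"""DMARC alignment check on constructed inputs (added example, not ONYX's code).

Domains (yourcompany.example, attacker.example) and the SPF/DKIM results
are constructed. Organizational domain = last two labels, a simplification;
real validators use the Public Suffix List.
"""

# Records a domain owner would publish (constructed values).
# The include: host is the real one used by Microsoft 365 tenants.
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com -all"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                "rua=mailto:dmarc@yourcompany.example")


def parse_tags(record):
    """Parse a 'k=v; k=v' record (DMARC syntax) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_policy_rejects(spf_record):
    """True if the SPF record ends in '-all' (hard fail), not '~all' or '?all'."""
    terms = spf_record.split()
    return terms[0].lower() == "v=spf1" and terms[-1] == "-all"


def organizational_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').

    from_domain  - domain of the visible From: header (what the user sees)
    spf_domain   - domain SPF was evaluated against (envelope MAIL FROM)
    dkim_domain  - d= tag of a DKIM signature that verified, or None
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # no usable DMARC record: the receiver applies no policy
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A failing message from a subdomain uses sp= when published, otherwise p=.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


# Constructed scenarios: (label, From: domain, SPF result, SPF domain, DKIM result, DKIM domain)
SCENARIOS = [
    ("legitimate M365 mail",   "yourcompany.example",    "pass", "yourcompany.example",      "pass", "yourcompany.example"),
    ("spoof via attacker MTA", "yourcompany.example",    "pass", "attacker.example",         "pass", "attacker.example"),
    ("relay host, relaxed",    "yourcompany.example",    "pass", "mail.yourcompany.example", "fail", None),
    ("unsigned, subdomain",    "hr.yourcompany.example", "fail", "other.example",            "fail", None),
]


def evaluate_all():
    """Run every scenario against DMARC_RECORD and return {label: disposition}."""
    return {label: dmarc_disposition(DMARC_RECORD, *rest) for label, *rest in SCENARIOS}


if __name__ == "__main__":
    print("SPF hard-fails unlisted servers:", spf_policy_rejects(SPF_RECORD))
    for label, disposition in evaluate_all().items():
        print(f"{label:24} -> {disposition}")
```

The second scenario is the one that matters: the attacker's server passes SPF and DKIM for attacker.example, but neither identifier aligns with the yourcompany.example shown in From:, so the message is rejected. Without DMARC that same message would look "authenticated" to a naive SPF check.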
Multi-factor authentication (MFA) on mailboxes
Even if a password is stolen, MFA stops the attacker at a second confirmation step. It is a relatively easy yet highly effective measure that sharply reduces the value of a captured password, and for corporate mail it should be mandatory for every account, administrators first. Two caveats belong with it: legacy protocols that accept only a username and password (basic authentication for IMAP, POP or SMTP) bypass MFA entirely and must be disabled, and modern phishing kits relay the whole sign-in, including a one-time code or push approval, so phishing-resistant methods such as FIDO2 security keys or passkeys are the stronger choice for exposed accounts.
Staff awareness
Technology does not catch everything, especially attacks with no file or link, like BEC. Employees who verify urgent payment requests or bank-detail changes through a known phone number rather than by replying to the message, treat unexpected links with suspicion, and check the actual sender address rather than just the display name are the cheapest yet most important layer of defence.
How ONYX builds this
We build corporate mail systems end-to-end, on a project basis. This covers domain setup, Microsoft 365 or your own mail server, anti-spam filtering, correct configuration of SPF/DKIM/DMARC records, and MFA where available.
- For MobilGroup we built a central mail system covering 5 branches and 120 users, together with the domain.
- For Aselsan Azerbaijan we implemented Active Directory and a mail server.
- Deploying Microsoft 365 and corporate mail with the protections above is part of our general capability.
A mail system built this way becomes not just functional, but managed and protected infrastructure. For more, see our services and business solutions.
Want your mail system built securely?
ONYX builds and protects your corporate email end-to-end — including domain, Microsoft 365, anti-spam, SPF/DKIM/DMARC and MFA. Contact us and let's discuss your needs.