If you’ve noticed phishing emails getting harder to spot, you’re not imagining it. A growing share of real-world attacks are disguising themselves as the everyday platforms your team relies on – think Microsoft 365, DocuSign, Google services, and calendar invites.
Recent research from StrongestLayer analysed 2,042 advanced email attacks that bypassed Microsoft Defender E3/E5 and market-leading secure email gateways before being detected elsewhere. The headline is uncomfortable reading: 77% of the successful attacks impersonated business-critical brands (including DocuSign, Microsoft, and Google) – the exact services most organisations can’t just block without breaking the way they work.
But the more important takeaway isn’t “email security is doomed”. It’s this: Attacks are winning by exploiting trust and workflow dependency, not just poor passwords or “obvious” malicious links.
Let’s break down what’s changing – and how SMEs in Greater Manchester can harden email without making day-to-day work difficult.
Traditionally, phishing often looks like… well, phishing: weird domains, poor grammar, generic “urgent invoice” bait, and obvious malware attachments.
Now, the most effective attacks blend in by piggybacking on tools we expect to see:
StrongestLayer’s dataset found DocuSign alone accounted for more than one-fifth of the attacks analysed, particularly impacting industries where signing workflows are routine (legal, finance, healthcare).
Even more concerning: Google Calendar-style attacks can bypass secure email gateways entirely because invites may be delivered via calendar APIs rather than standard email processing.
So if your security approach assumes “we’ll just block suspicious attachments and links”, you’re fighting yesterday’s war.
Email authentication (SPF, DKIM, DMARC) is still essential. But it’s not a mind-reader.
In StrongestLayer’s research:
Why does this happen in real businesses?
It’s common to set DMARC to ‘p=none’ (monitoring), because moving to ‘quarantine’ or ‘reject’ can feel risky – especially if you have third-party systems sending on your behalf (CRMs, marketing platforms, ticketing systems).
Attackers bank on this. They know lots of organisations won’t enforce blocking because it might interrupt legitimate mail.
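To make the ‘p=none’ trap concrete, here is a small checker (an added example for this post, not Apex’s or StrongestLayer’s code) that reads a DMARC TXT record, explains what it actually enforces, and proposes the next step on the usual none → quarantine → reject path. The records and domains are constructed placeholders; the only real inputs it expects are the published record text and a reporting address.

```python
"""Check a DMARC TXT record for the monitoring-only trap described above.

Added example for this post, not Apex's or StrongestLayer's code. The
records and domains below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed sample records (placeholder domains, not real ones).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "enforced.example": ("v=DMARC1; p=reject; sp=reject; "
                         "rua=mailto:dmarc@enforced.example; adkim=s; aspf=s"),
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",
}

ROLLOUT = ["none", "quarantine", "reject"]  # the usual staged enforcement path


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Assessment:
    policy: str                 # effective p= value, or "invalid"
    pct: int                    # share of failing mail the policy applies to
    findings: list = field(default_factory=list)
    next_step: str = ""


def assess_dmarc(record: str) -> Assessment:
    """Explain what the record actually enforces and what to change next."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("v=DMARC1 missing or malformed: receivers ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in ROLLOUT:
        findings.append("p= tag missing or invalid: the record is unusable")
        policy = "invalid"

    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 100
        findings.append("pct= is not a number: receivers fall back to 100")
    pct = max(0, min(pct, 100))

    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: you cannot see who is sending as your domain")
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are weaker than the parent domain")

    if policy == "invalid":
        next_step = "publish v=DMARC1; p=none; rua=mailto:<your address> to start monitoring"
    elif policy == "none":
        next_step = ("move to p=quarantine; pct=10 once the rua reports show every "
                     "legitimate sender (CRM, marketing, ticketing) passing aligned SPF or DKIM")
    elif pct < 100:
        next_step = f"keep p={policy} and raise pct to 100"
    elif policy == "quarantine":
        next_step = "move to p=reject"
    else:
        next_step = "enforced: keep reviewing aggregate reports for new third-party senders"

    return Assessment(policy, pct, findings, next_step)


def next_record(record: str) -> str:
    """Return the record rewritten for the next rollout stage (other tags kept)."""
    tags = parse_dmarc(record)
    result = assess_dmarc(record)
    if result.policy == "invalid":
        tags["p"] = "none"
    elif result.policy == "none":
        tags["p"], tags["pct"] = "quarantine", "10"
    elif result.pct < 100:
        tags["pct"] = "100"
    elif result.policy == "quarantine":
        tags["p"] = "reject"
    tags.pop("v", None)   # v= must be the first tag, so emit it explicitly
    return "; ".join(["v=DMARC1"] + [f"{k}={v}" for k, v in tags.items()])


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{domain}: p={a.policy} pct={a.pct}")
        for f in a.findings:
            print("  -", f)
        print("  next:", a.next_step)
        print("  record:", next_record(record))
```

The point of the staged path is the third-party sender problem mentioned above: you only tighten the policy after the aggregate (rua) reports confirm your CRM, marketing and ticketing platforms pass aligned SPF or DKIM, and pct lets you apply quarantine to a slice of failing mail first so a missed sender costs a few messages rather than a day of lost email.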
If an attacker gets into a real mailbox (yours or a supplier’s), the email can look 100% legitimate – because, technically, it is.
KnowBe4 reported that in one six-month window, 57.9% of phishing emails were sent from compromised accounts, and 11.4% of those compromised-account attacks came from within the organisation’s supply chain.
That matches what we see in the real world: supplier compromise + “please review this document” is a painfully effective combo.
This isn’t just a big-enterprise issue.
The UK Government’s Cyber Security Breaches Survey 2025 found:
In other words: even if you’re “only” a 30-150 person organisation, phishing isn’t a rare event. It’s background noise – until the one message that slips through becomes a breach.
Even when attacks aren’t using your exact brand, they’re borrowing brands your staff already trust.
Check Point’s Brand Phishing Report for Q3 2025 found:
That’s not surprising: most UK SMEs run Microsoft 365, use SharePoint/OneDrive, and regularly receive DocuSign/Adobe/Dropbox links. These brands are perfect camouflage.
One reason these emails are so convincing now: they’re no longer written like obvious scams.
StrongestLayer reported that approximately 45% of the attacks showed indicators of AI assistance, and projected this could rise to 75-95% within the next 18 months.
This lines up with what many security teams are seeing: better wording, better context, and fewer “tells” for employees to catch.
KnowBe4 also noted that polymorphic phishing variation is now common at scale, with polymorphic features present in a large proportion of the phishing they observed – making pattern-based blocking harder.
Phishing isn’t only about someone clicking a link. Many of the costliest incidents start with email:
The FBI’s IC3 has tracked 305,033 BEC (Business Email Compromise) incidents between October 2013 and December 2023, with $55.5bn in exposed losses. And the FBI’s latest Internet Crime Report (for 2024 reporting) noted total reported losses exceeding $16bn (a 33% increase from 2023).
Even if you never spend a penny, BEC attempts consume time, trigger downtime, and create real operational risk – especially for finance teams.
If you’re an SME in Greater Manchester and you’re thinking, “Right… but are we vulnerable to this?”, we can help you answer that quickly.
A typical Apex email security health check looks at:
Because the real goal isn’t perfect security. It’s reducing the chance that one believable ‘trusted platform’ email becomes a costly incident – while keeping your business running smoothly.