Phishing succeeds because it exploits normal business behavior: receiving messages, trusting recognizable brands, and acting quickly. Modern attackers combine social engineering with technical tricks—spoofed domains, look‑alike senders, credential-harvest pages, and “safe-looking” attachments—to slip past users and traditional filters. If you administer Microsoft 365, Google Workspace, on-prem Exchange, or a hybrid mail environment, protecting against phishing requires a layered approach where each layer covers the gaps of the others.
This article explains how to build that layered approach using email security solutions: domain authentication (SPF, DKIM, DMARC), transport security (TLS, MTA-STS), inbound filtering and detonation, impersonation and BEC controls, configuration hardening in the mail platform, user-facing signals, and monitoring/response. The emphasis is practical implementation—what to configure, why it matters, and how to validate that it’s working.
The guiding idea throughout is containment: reduce the chance a phish reaches a mailbox, reduce the chance a user trusts it if it does, and reduce the blast radius if credentials are entered anyway.
Phishing threat models IT teams must plan for
Before choosing controls, it helps to categorize phishing into patterns you can measure and mitigate. Many email security products claim broad protection, but their effectiveness varies depending on which pattern dominates in your environment.
Credential phishing is the most common pattern: an email links to a page that captures usernames, passwords, and sometimes MFA (multi-factor authentication) prompts. Attackers frequently host pages on reputable infrastructure (cloud storage, compromised WordPress sites, or free site builders) and use URL redirectors to obscure the final destination.
Business Email Compromise (BEC) is a different problem. It often uses minimal malware and focuses on conversation hijacking or executive/vendor impersonation to redirect payments. Filters that excel at attachment malware may not flag a plain-text “urgent wire transfer” message. BEC defenses therefore require identity signals, anomaly detection, and workflow controls outside email.
Malware delivery via attachments or links still matters, especially when phishing is used as initial access for ransomware. Here, sandboxing/detonation, file-type controls, and disabling risky attachment workflows become high-value.
Finally, internal phishing—where a compromised mailbox sends phishing to coworkers—requires internal mail scanning and strong account takeover detection. Many organizations mistakenly treat internal mail as inherently trustworthy and apply looser filtering.
These categories map directly to layers you’ll build. Authentication controls reduce spoofing; secure email gateway and cloud filtering reduce malicious content; platform hardening and user signals reduce trust; and monitoring plus response reduce dwell time.
Build a layered architecture for email security solutions
An effective design uses overlapping controls at different points in mail flow and user interaction. The layers typically include: domain authentication, inbound filtering/detonation, impersonation/BEC protection, platform configuration hardening, user experience controls (banners, reporting), and telemetry/response.
This layered architecture matters because every control has failure modes. SPF can pass for a spoof if an attacker uses a permitted sender infrastructure; DKIM can pass if an attacker compromises a legitimate sender; DMARC can be absent for a partner domain; link scanning can miss newly registered domains or “clean” first-stage pages; and users can still approve MFA prompts in fatigue attacks. By stacking controls, you make attackers work harder and increase the chance of detection.
From an implementation perspective, map your environment first: mail ingress/egress points, third-party senders (marketing platforms, ticketing systems), forwarding paths, and the authoritative DNS for your domains. You’ll reference this inventory repeatedly when configuring SPF/DKIM/DMARC and when tuning gateways.
Establish domain identity with SPF, DKIM, and DMARC
Email authentication is foundational because it gives receiving systems a way to verify whether a sender is allowed to use a domain. It doesn’t stop all phishing (attackers can use other domains), but it dramatically reduces direct spoofing of your domain and improves filtering accuracy for inbound mail claiming to be from domains with DMARC enforcement.
SPF: control who may send on behalf of your domain
SPF (Sender Policy Framework) is a DNS TXT record that lists the IPs or sending services authorized to send mail for your domain. Receivers evaluate SPF against the SMTP envelope sender (the return-path/MAIL FROM), not the visible “From:” header.
SPF is often misunderstood as a complete solution. Two key limitations matter operationally. First, SPF can fail because of forwarding: when a message is forwarded, the forwarder’s IP becomes the apparent sender to the final receiver, and unless the forwarder rewrites the envelope sender (SRS), SPF fails. Second, SPF does not directly protect the human-visible From domain. That’s why DMARC alignment (discussed below) is critical.
Keep SPF records under the 10-DNS-lookup limit. Excess “include:” statements and nested includes can cause “permerror,” which some receivers treat harshly. As you add vendors (CRM, marketing automation, ticketing, printers), revisit SPF to consolidate.
A typical SPF record looks like:
example.com. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.vendor1.com ip4:203.0.113.10 -all"
Operationally, treat SPF as an allowlist of senders. If you’re not sure a system sends as your domain, don’t include it until you validate.
DKIM: protect message integrity and the signing domain
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to messages. The signature covers selected headers and parts of the body. Receivers validate that the content wasn’t altered and that the signing domain controls the private key.
DKIM is a strong signal for phishing defense because it survives most forwarding (signatures can break if intermediaries modify the body/headers, but it’s often more resilient than SPF). It also enables DMARC alignment using the DKIM “d=” domain.
In Microsoft 365, DKIM is enabled per domain. If you have multiple accepted domains, enable DKIM for each one. Validate that outbound services that send as your domain (marketing platforms, invoicing systems) support DKIM signing with your domain, ideally using dedicated selectors.
Although exact steps vary by tenant and tooling, the core pattern is consistent: publish CNAME or TXT records for DKIM selectors in DNS, then enable DKIM signing in the sending platform.
DMARC: enforce alignment and tell receivers what to do
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM to the visible From domain using alignment rules. It also provides a policy (none/quarantine/reject) that tells receivers how to handle unauthenticated mail that claims to be from your domain.
A DMARC record in DNS might look like:
txt
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s; fo=1; pct=100"
Key fields to understand:
p=is the policy. Start withnonefor monitoring, then move toquarantine, thenrejectas you gain confidence.rua=specifies where aggregate reports (XML summaries) are sent. These are essential for understanding who is sending on behalf of your domain.- Alignment:
adkimandaspfset DKIM and SPF alignment (relaxed vs strict). Strict alignment (s) is more protective but can break legitimate third-party senders using subdomains or differing envelope domains. pct=allows gradual rollout. If you’re nervous, you can apply the policy to a portion of mail, but note that partial enforcement can be confusing to interpret.
DMARC is not a one-and-done change. Treat it as a project. Your goal is to reach p=reject for your primary organizational domains and to ensure that all legitimate senders are aligned via SPF and/or DKIM.
Real-world example: DMARC reveals shadow IT senders
A mid-sized manufacturer enabled DMARC with p=none and started receiving aggregate reports. They discovered that a legacy ERP system and a small regional office’s SMTP relay were sending invoices using the corporate domain without centralized oversight. Those systems weren’t in SPF and didn’t DKIM-sign, so they would have been rejected once enforcement began.
Instead of abandoning DMARC, the IT team used the reports to inventory senders, migrate the ERP to a supported relay that could DKIM-sign, and lock down the regional relay to authenticated submission only. After two months of cleanup, they moved to p=quarantine, then p=reject. The measurable outcome wasn’t just spoofing prevention—it was improved control over outbound mail infrastructure.
Add transport-layer protections: TLS, MTA-STS, and TLS-RPT
Authentication protects identity; transport security protects confidentiality and reduces opportunistic interception. For phishing defense, TLS (Transport Layer Security) also reduces attacker opportunities to tamper with messages in transit and supports regulatory requirements.
Most email between major providers already uses opportunistic TLS, but opportunistic TLS can downgrade to plaintext if the receiver doesn’t offer TLS. MTA-STS (Mail Transfer Agent Strict Transport Security) allows a domain to publish a policy that tells senders to require TLS and validate the receiving MX hostnames.
MTA-STS is implemented with:
- A DNS TXT record
_mta-sts.example.compointing to policy mode and an ID. - A hosted policy file at
https://mta-sts.example.com/.well-known/mta-sts.txt.
TLS-RPT provides reporting about TLS failures to help you detect misconfigurations or downgrade attempts.
While MTA-STS and TLS-RPT won’t stop phishing on their own, they contribute to a hardened email posture and reduce the chance that security headers or body content are altered en route.
Choose where filtering happens: cloud-native vs secure email gateway
Email security solutions generally fall into two deployment models: cloud-native filtering built into your mail platform (for example, Microsoft Defender for Office 365 alongside Exchange Online Protection) and third-party secure email gateways (SEGs) that sit in front of the platform via MX routing or API integration.
Cloud-native filtering has the advantage of tight integration with mailbox telemetry, user identity, and post-delivery actions (like retroactive removal). SEGs often provide strong attachment detonation, detailed policy controls, and additional vendor-specific detection engines, sometimes with more mature support for hybrid and multi-tenant complex routing.
In practice, many enterprises run both: a gateway at the perimeter and platform-native controls inside, especially to cover internal mail and post-delivery remediation. If you stack tools, be careful about mail loops, duplicated scanning that introduces latency, and conflicting actions (gateway rewrites URLs, then platform rewrites again, confusing users and breaking allowlisting).
Your decision should be driven by requirements: regulatory needs, existing investments, mail flow complexity, and how much you rely on post-delivery response.
Configure inbound anti-phishing and impersonation controls
Once identity signals are in place, your next layer is detection of impersonation and BEC patterns. These controls look at display name spoofing, domain similarity, reply-to mismatches, and unusual sending behavior.
Even without a specific vendor, the policy design principles are consistent:
- Protect high-value targets: executives, finance, HR, payroll, and IT help desk.
- Protect high-risk brands and partners: banks, key suppliers, and your own organization’s brands.
- Flag suspicious combinations: new sender + urgent language + payment instructions + external origin.
Impersonation controls work best when your directory is accurate. If your CEO’s name appears in the directory with a known primary SMTP address, the system can detect “CEO Name random@gmail.com” display-name attacks more reliably.
Guard against display name and look-alike domain attacks
Display name spoofing is common because it avoids the need to spoof domains. Attackers set the display name to “Jane Smith, CFO” while sending from a free email account.
Look-alike domains are the next escalation. Attackers register domains like exampIe.com (capital “I” vs lowercase “l”) or example-payments.com and craft From addresses that look plausible.
Controls to address this include:
- Similar-domain detection and domain-age heuristics.
- Banner warnings for external senders.
- Blocking or quarantining messages that use protected display names from external domains.
- Blocking newly registered domains for high-risk recipients, where supported.
Be cautious with broad look-alike blocking; it can create false positives for legitimate small vendors. A more sustainable approach is targeted protection for key names and domains, combined with strong user reporting and rapid response.
Protect the help desk and IT workflows
Phishing frequently targets the help desk to reset passwords or enroll new MFA devices. If attackers compromise a help desk workflow, email filtering alone won’t save you.
In addition to mail controls, enforce verification steps: call-back to a known number, ticketing system validation, and conditional access requirements for enrollment changes. Still, email security can reduce initial contact by flagging external messages that request credential changes or include “MFA reset” language.
Real-world example: BEC attempt against accounts payable
An attacker registered a look-alike domain for a construction company’s concrete supplier and emailed accounts payable with updated bank details. The message had no malicious link and no attachment—just a request to “use the new account starting today.”
Because the organization had implemented impersonation protection for key vendors and configured a rule to flag messages where the reply-to domain differed from the From domain, the email was quarantined. More importantly, the team had an out-of-band payment change procedure: AP verified bank changes via a known phone number from the master vendor record. The attacker failed even if the email had been delivered.
This scenario illustrates a key point: BEC defenses require both email security solutions and business process controls.
Control links and attachments without breaking business workflows
Most phishing still relies on links; many campaigns still deliver malware via attachments. Your control strategy should be explicit about what you allow and what you detonate or block.
Safe link rewriting and time-of-click protection
Modern email security solutions often rewrite URLs and check destinations at click time. This addresses a common attacker technique: send a “clean” link that later redirects to a malicious site after initial scanning.
When implementing URL rewriting, validate the user experience and app compatibility. Some systems break links to internal apps or signed URLs that are time-sensitive. You’ll need allowlists for well-known internal domains, and you should test critical business systems (expense tools, HR portals, ticketing, CRM) with rewritten links.
Also decide how you want to handle warning pages. For high-risk categories (newly registered domains, credential harvesting), block outright for most users and allow override only for a small security group, if at all.
Attachment filtering and detonation
Attachment defenses typically include:
- File-type blocking (for example, executable formats).
- Macro controls (Office macros in documents from the internet).
- Detonation/sandboxing to execute content in an isolated environment.
- Content disarm and reconstruction (CDR), which removes active content.
Your policy should reflect how your organization actually works. Blocking all Office documents from external senders may be feasible in some sectors but disruptive in others. A pragmatic baseline is to block known high-risk types (like .exe, .js, .vbs, .scr, and password-protected archives where inspection isn’t possible) and detonate Office/PDF files that originate externally.
If you have developers or IT teams that legitimately exchange scripts, avoid making email the channel. Use controlled repositories or file transfer systems, and enforce that through policy.
Prevent credential harvesting by reducing HTML trust
Attackers often embed convincing login forms, buttons, and branding. While you can’t disable HTML email in most modern environments without significant impact, you can reduce trust signals.
External sender banners are one example. Another is disabling automatic loading of external images in mail clients where possible; tracking pixels and image-based lures are common. The trade-off is user experience and marketing email rendering, so scope changes carefully.
Harden Microsoft 365 (or your mail platform) to support the email security stack
Even the best gateway can be undermined by weak platform defaults or misconfiguration. The mail platform is where identities live, where internal mail flows, and where post-delivery actions occur.
This section focuses on Microsoft 365 patterns because of its prevalence, but the underlying principles apply to other platforms.
Lock down mailbox authentication and legacy protocols
Many account takeovers happen because legacy authentication is still enabled somewhere. Protocols like IMAP/POP and older Office clients can bypass modern authentication controls if not managed.
If you’re in Microsoft 365, prioritize disabling basic authentication and restricting legacy protocols. Also control SMTP AUTH (authenticated SMTP submission) because it’s frequently abused after credential theft to send spam and internal phishing.
Use conditional access to require MFA for all users and to limit risky sign-ins (impossible travel, unfamiliar locations, and risky devices). MFA reduces the impact of credential phishing, but it isn’t a silver bullet—attackers can still use token theft, adversary-in-the-middle kits, or MFA fatigue.
Configure anti-phishing and anti-spam policies coherently
The most common operational failure is policy sprawl: multiple overlapping rules with unclear precedence. Your baseline should define what happens for high-confidence phish, bulk spam, and suspected impersonation, and it should be consistent.
Make quarantine behavior predictable. If end users can release high-confidence phish from quarantine, you’ve undone the filtering. Reserve self-release for low-confidence spam at most, and require admin review for phishing categories.
Also ensure policies apply to internal mail. Internal phishing becomes common once attackers compromise a mailbox and send to coworkers, often bypassing perimeter tools if they only scan inbound from the internet.
Use mail flow rules sparingly and document exceptions
Mail flow rules (transport rules) are powerful but risky. Overuse leads to bypasses, especially when admins add “allow” rules to fix false positives. Every allow rule is a potential attacker path.
If you must create exceptions, scope them narrowly: specific sender, specific recipient, and ideally a condition that cannot be spoofed easily. Avoid whitelisting based on display name, subject, or From domain alone. Prefer allowlisting by authenticated connector, DKIM signing domain with alignment, or specific sending IP ranges validated with the vendor.
For example, if you receive a legitimate system email from a vendor with stable sending IPs and DKIM, allowlisting should be tied to those signals rather than just “from vendor.com.”
Integrate user reporting into detection and response
Even with strong filtering, some phishing will land in mailboxes. Users are a detection sensor if you make reporting easy and if reports flow into your security operations process.
Deploy a “report phishing” button in the mail client where possible, route reports into a monitored queue, and automate enrichment: extract URLs, check whether similar messages exist in other mailboxes, and correlate with sign-in logs.
The goal is speed. If a user reports a phish within minutes, you can remove it from other mailboxes and block the URLs/domains before additional clicks.
Real-world example: user report triggers tenant-wide purge
A regional healthcare provider had strong inbound filtering but still saw occasional credential phish from newly compromised domains. A nurse reported a suspicious “shared document” email via the reporting add-in.
Because reporting was integrated with the SOC workflow, the security team quickly identified identical messages delivered to 86 mailboxes. They performed a tenant-wide search and purge, blocked the sender domain, and added the landing domain to their URL block list. They also checked Azure AD sign-in logs for users who clicked and initiated password resets for the handful who did.
The key improvement wasn’t just detection—it was the operational ability to act across all mailboxes quickly.
Instrument monitoring: what to log and what to alert on
Email security is only as effective as your ability to validate it. Monitoring also helps you identify configuration drift, new vendors, and changes in attacker techniques.
At minimum, ensure you have:
- DMARC aggregate reporting visibility.
- Message trace/search capabilities for inbound and outbound.
- Quarantine metrics (volume, categories, top senders, top recipients).
- Click telemetry (where supported) for unsafe links.
- Authentication logs (sign-ins, risky sign-ins, MFA changes).
- Admin activity logs for mail flow and policy changes.
Parse DMARC reports to drive enforcement
DMARC aggregate reports are XML and can be difficult to interpret manually. Many organizations use a DMARC analytics service, but you can also parse reports internally if you prefer.
A lightweight approach is to ingest DMARC XML attachments into a mailbox, extract them, and parse key fields (source IP, SPF/DKIM pass/fail, aligned identifiers) into a log store.
Here is an illustrative PowerShell snippet showing how you might parse a DMARC aggregate XML file once you’ve saved it locally (the exact ingestion method varies):
powershell
[xml]$dmarc = Get-Content .\dmarc-report.xml
$org = $dmarc.feedback.report_metadata.org_name
$rangeBegin = $dmarc.feedback.report_metadata.date_range.begin
$rangeEnd = $dmarc.feedback.report_metadata.date_range.end
$dmarc.feedback.record | ForEach-Object {
[pscustomobject]@{
OrgName = $org
Begin = [DateTimeOffset]::FromUnixTimeSeconds([int64]$rangeBegin).UtcDateTime
End = [DateTimeOffset]::FromUnixTimeSeconds([int64]$rangeEnd).UtcDateTime
SourceIP = $_.row.source_ip
Count = $_.row.count
SPFResult = $_.row.policy_evaluated.spf
DKIMResult = $_.row.policy_evaluated.dkim
Disposition = $_.row.policy_evaluated.disposition
HeaderFrom = $_.identifiers.header_from
}
} | Export-Csv .\dmarc-flat.csv -NoTypeInformation
Use this data to answer operational questions: Which legitimate sources still fail alignment? Are there unexpected sources attempting to spoof you? Is your p= policy being honored by major receivers?
Alert on outbound anomalies that suggest compromise
Outbound mail is part of phishing defense because compromised accounts are used to phish others. Alerting on outbound anomalies can catch account takeover early.
Useful detection patterns include:
- Sudden spikes in outbound volume.
- Outbound mail to many unique recipients, especially external.
- Creation of suspicious inbox rules (auto-forward, delete, move to RSS feeds).
- Newly created OAuth app consents or suspicious token activity (where you have visibility).
If your email security solution or SIEM can correlate message trace with identity events, you can detect “sign-in from unusual country + mass outbound mail” as a high-confidence incident.
Reduce attack surface: external forwarding, auto-replies, and mailbox rules
A common post-compromise step is setting up external forwarding to exfiltrate messages and maintain access. Attackers also create rules to hide security alerts or replies from victims.
Disable or strictly control external forwarding at the tenant level. If you must allow it for business reasons, require an approved list of forward destinations and monitor for changes.
Monitor mailbox rules creation and modification. In Microsoft 365 environments, you can audit mailbox rule changes and alert when rules include suspicious actions like deleting messages with keywords such as “invoice,” “wire,” “payment,” or “MFA.”
Also consider restricting automatic external replies (out-of-office) that disclose internal details. While not the core of phishing defense, information disclosure can help attackers craft convincing lures.
Improve user-facing trust signals without blaming users
Security awareness is necessary, but it works best when paired with technical signals that are easy for users to interpret. Your goal is to reduce ambiguous situations.
External sender banners are effective when they are consistent and not overly noisy. If everything is labeled “external,” users ignore it. Tune banner scope so it highlights truly relevant external messages—especially those that look internal (same display name as an employee, similar domain, or executive name).
Consider adding warnings when a message fails DMARC or has a From/Reply-To mismatch. Some platforms can insert headers or banners when authentication fails or when a message is detected as impersonation.
Be explicit in training about workflows that attackers target: payment changes, gift card requests, payroll updates, and MFA resets. Tie the training to the technical controls you’ve implemented so users understand what will happen when they report a phish (for example, “Security can remove the message from everyone’s mailbox”).
Handle third-party senders and partners without creating bypasses
A major reason organizations fail to enforce DMARC or tighten filtering is fear of breaking legitimate third-party mail. You can avoid this by treating third-party sender onboarding as an operational process.
For every third-party sender that uses your domain in the From header (marketing platform, HR system, ticketing tool), require one of:
- The vendor sends through your approved relay (so SPF aligns and you DKIM-sign), or
- The vendor supports DKIM signing with your domain (with alignment), plus stable SPF if needed.
Avoid blanket allowlisting for vendors. If a vendor is frequently quarantined, fix the root cause: alignment, sending reputation, content patterns, or incorrect authentication.
For inbound partner domains, encourage them to implement DMARC and enforce at least p=quarantine. While you can’t force external organizations, critical partners may cooperate when you frame it as anti-fraud.
Plan for phishing that bypasses email controls
Even with mature email security solutions, you must assume some phishing will succeed. This is where identity and endpoint security reduce the impact.
Phishing defenses should connect to:
- Conditional access policies that reduce risky sign-ins.
- Strong MFA (phishing-resistant methods where feasible, such as FIDO2 or certificate-based authentication).
- Endpoint protection that can block malicious downloads or command-and-control.
- Browser isolation or secure web gateway controls for high-risk browsing.
When an attacker captures credentials, the race is between them using those credentials and you detecting and revoking access. If you have good sign-in risk detection and tight session controls, you can shorten that window.
Validate effectiveness with repeatable tests and metrics
Email security improvements should be measurable. Without metrics, you’ll drift back into permissive allowlists and noisy quarantines.
Start with a baseline:
- Volume of phishing detections and user reports.
- Click rate on phishing simulations (if you run them) and on real phish where telemetry exists.
- Time from first report to tenant-wide purge.
- DMARC alignment rate for outbound mail.
- Percentage of inbound mail failing DMARC from high-risk domains.
Then validate with controlled tests. For example, send test messages from authorized and unauthorized sources to verify SPF/DKIM/DMARC behavior. Many mail platforms provide built-in message header analysis. The goal is not to “beat” your filters, but to confirm that policy changes do what you expect.
If you operate your own sending infrastructure, you can use command-line tools to check DNS and SMTP posture:
bash
dig +short TXT example.com
dig +short TXT _dmarc.example.com
dig +short TXT selector1._domainkey.example.com
For DMARC specifically, ensure that enforcement doesn’t inadvertently block legitimate subdomain mail. You may need separate DMARC records for subdomains or an explicit sp= subdomain policy.
Align incident response to email realities
Phishing response is distinct from generic malware response because email is both an initial vector and a communications channel. Your incident response plan should include email-specific actions: tracing messages, removing them from mailboxes, blocking senders/domains/URLs, and investigating account compromise.
Define who can perform tenant-wide message actions (search and purge), who can approve domain blocks, and how quickly. Also define what triggers password resets, token revocation, and MFA re-enrollment.
Because BEC incidents often revolve around financial transactions, coordinate with finance and legal on rapid containment steps: freezing payments, contacting banks, preserving evidence, and notifying impacted partners.
Bringing it together: an implementation roadmap that scales
If you’re building from a minimal baseline, the safest path is to start with visibility and then increase enforcement in phases.
Begin by getting your outbound domain identity under control: SPF that accurately reflects your senders, DKIM enabled for each domain, DMARC at p=none with reporting. In parallel, ensure inbound filtering is enabled with sane quarantine policies and that users have an easy way to report suspicious mail.
Next, reduce the most common compromise paths: disable or limit legacy authentication, control external forwarding, and tighten impersonation protections for executives and finance. This is where you typically see the largest reduction in successful phishing events.
Then mature into continuous validation: DMARC enforcement to quarantine then reject, monitored exceptions for third-party senders, transport hardening with MTA-STS/TLS-RPT where appropriate, and SIEM/SOAR integration for fast remediation.
As you iterate, keep returning to the same principle: phishing is an adversary adaptation game. The most resilient programs don’t rely on a single detection engine; they combine identity, content inspection, user experience, and response automation into a cohesive system.