Cloud Email Security for Microsoft 365 and Google Workspace: What Built-In Protection Misses
Microsoft 365 has over 400 million paid seats. Google Workspace serves more than 9 million paying organizations. Together, they host the majority of business email worldwide. Both platforms include built-in email security - Microsoft Defender for Office 365 and Google’s threat protection suite - and both have invested heavily in improving those capabilities.
Here is the problem: attackers know this. Every phishing campaign, BEC attack, and malware payload is tested against Microsoft and Google defenses before it is launched. When you rely solely on built-in platform security, you are depending on the same detection logic that protects hundreds of millions of other accounts - and that every attacker in the world is actively working to bypass.
This guide examines the specific gaps in Microsoft 365 and Google Workspace email security, explains why supplemental protection is necessary, and covers how to architect a cloud email security stack that actually defends against the 2026 threat landscape.
The State of Built-In Cloud Email Security
What Microsoft 365 Includes
Microsoft’s email security stack has several tiers:
Exchange Online Protection (EOP) - included with all Microsoft 365 plans:
- Anti-spam filtering
- Basic anti-malware scanning
- Connection filtering
- Outbound spam filtering
- SPF, DKIM, and DMARC enforcement for inbound email
Microsoft Defender for Office 365 Plan 1 - available with E5 or as an add-on:
- Safe Attachments (sandboxing for email attachments)
- Safe Links (time-of-click URL protection)
- Anti-phishing policies with impersonation detection
- Real-time reports
Microsoft Defender for Office 365 Plan 2 - E5 only:
- Threat Explorer
- Automated Investigation and Response (AIR)
- Attack simulation training
- Campaign views
For a detailed look at Microsoft’s anti-phishing capabilities, see our pages on Anti-Phishing for Office 365, Office 365 Advanced Threat Protection, and Exchange Online Advanced Threat Protection.
What Google Workspace Includes
Google’s email security for Workspace includes:
- Machine learning-based spam and phishing filtering
- Attachment scanning for malware
- Link protection with real-time URL checking
- Spoofing and authentication enforcement
- Admin-configurable compliance rules
- Security sandbox for attachments (Enterprise tier)
The Fundamental Limitation
Both platforms are effective at blocking known threats and high-volume spam campaigns. The problem lies in their architectural position:
They are the target environment. Attackers design campaigns specifically to bypass Microsoft and Google defenses. When a phishing kit advertises “Office 365 bypass” or “Gmail inbox delivery,” the claim is meant literally - the kit has been tested and refined until it successfully delivers through these specific platforms.
This is not a criticism of Microsoft or Google engineering. It is a structural reality of defending the majority of global email with a shared detection platform.
The Five Critical Gaps
Gap 1: Single-Platform Detection
Microsoft 365 and Google Workspace each use their own proprietary detection systems. When an email passes through one detection engine, there is a single point of failure. If that engine does not flag a threat, the email reaches the inbox.
Multi-engine detection - where every email is analyzed by multiple independent detection engines in parallel - eliminates single points of failure. An email that evades one engine gets caught by another.
“No single threat intelligence database catches everything. That’s why Phish Protection cross-references every email against Vade Secure, Sophos, Halon Classify, Webroot BCTI, and proprietary weighting algorithms simultaneously.” - Adam Lundrigan, CTO, DuoCircle
The gap: Both Microsoft and Google rely primarily on their own detection engines and threat intelligence. Adding independent third-party detection provides defense in depth that the platforms cannot offer alone.
Gap 2: BEC Detection at the SMB Tier
Microsoft’s anti-phishing impersonation detection is available in Defender for Office 365 - but the most advanced features (mailbox intelligence, campaign views, automated investigation) are limited to E5 licenses, which most small and midsize businesses do not have.
Google Workspace includes phishing detection, but its impersonation protection capabilities are less configurable than what dedicated anti-phishing solutions offer, particularly for custom impersonation lists tailored to a specific organization’s executive team and key contacts.
For small businesses running Microsoft 365 Business Basic or Standard, or Google Workspace Business Starter, BEC protection is minimal. Yet these are precisely the organizations that are most vulnerable to business email compromise - they process fewer wire transfers, making each one a higher-value target, and they typically have fewer verification controls.
The gap: Enterprise-grade BEC detection - including custom impersonation lists, behavioral analysis, and display name spoofing protection - is either unavailable or prohibitively expensive through the platform alone.
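The display-name check against a custom impersonation list described above, as an added example (not code from Phish Protection, Microsoft or Google). The protected names, domains and sample headers are constructed, and `check_from` is a hypothetical helper name.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed impersonation list: protected display names mapped to the
# domains those people legitimately send from (all values are assumptions).
PROTECTED = {
    "dana whitfield": {"example.com"},
    "omar reyes": {"example.com", "corp.example.com"},
}

def _name_tokens(display):
    """Decode RFC 2047 encoded-words, fold case and compatibility forms
    (full-width letters etc.), and split on anything non-alphanumeric."""
    text = str(make_header(decode_header(display)))
    text = unicodedata.normalize("NFKC", text).casefold()
    return set("".join(c if c.isalnum() else " " for c in text).split())

def check_from(header_value):
    """Return (verdict, matched_person, sender_domain) for one From header."""
    display, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower()
    tokens = _name_tokens(display)
    for person, allowed in PROTECTED.items():
        # Token-subset match catches reordering ("Whitfield, Dana") and
        # added titles ("Dana Whitfield (CEO)").
        if set(person.split()) <= tokens and domain not in allowed:
            return ("impersonation", person, domain)
    return ("ok", None, domain)

# Constructed sample headers.
SAMPLES = [
    '"Dana Whitfield" <dana.whitfield@example.com>',
    '"Whitfield, Dana (CEO)" <dana.ceo@mail-example.test>',
    '=?UTF-8?B?RGFuYSBXaGl0ZmllbGQ=?= <office@pay-example.test>',
    '"Newsletter" <news@vendor.example>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(check_from(h), h)
```

NFKC folding does not map look-alike letters from other scripts (for example Cyrillic "а") onto Latin ones, so a production check would add a confusables table on top of this.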
For more on BEC defense, see our CEO Fraud Protection and Email Fraud Protection pages.
Gap 3: Time-of-Click URL Protection Limitations
Microsoft Safe Links and Google’s link protection both offer some degree of time-of-click URL scanning. However:
Microsoft Safe Links:
- Only available with Defender for Office 365 (not included in basic plans)
- Does not rewrite all URLs by default - requires policy configuration
- Has known bypass techniques documented in security research
- URL detonation is reactive rather than predictive for some URL categories
Google link protection:
- Less transparent about implementation details
- Protection levels vary by Workspace tier
- Limited administrator control over URL rewriting behavior
The gap: Delayed weaponization - where attackers send clean URLs that are redirected to malicious destinations hours after delivery - requires comprehensive URL rewriting and real-time scanning at click time across all URLs, not just those flagged as suspicious. See How to Stop Phishing Emails in Outlook for Outlook-specific considerations.
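Why rewriting every URL matters for delayed weaponization, as an added example (not any vendor's implementation): each link is wrapped at delivery and the verdict is looked up again at click time. The gateway hostname, signing key and `verdict_now` callback are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://click.gateway.example/c"  # hypothetical click-time endpoint
KEY = b"constructed-demo-key"                # assumption: a per-tenant secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sig(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_url(url):
    return f"{GATEWAY}?u={quote(url, safe='')}&s={_sig(url)}"

def rewrite_body(body):
    """Rewrite every URL at delivery, not only the ones that look suspicious."""
    def wrap(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")          # keep sentence punctuation outside
        if url.startswith(GATEWAY):          # already rewritten: leave as is
            return raw
        return rewrite_url(url) + raw[len(url):]
    return URL_RE.sub(wrap, body)

def handle_click(link, verdict_now):
    """Click-time decision. verdict_now(url) must return a *current* verdict,
    not the one cached when the message was delivered."""
    query = parse_qs(urlsplit(link).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sig(url).encode()):
        return ("reject", None)   # unsigned target: do not act as open redirector
    if verdict_now(url) != "clean":
        return ("block", url)
    return ("redirect", url)
```

A URL that was clean at delivery and is flagged later is blocked on the next click because the decision is taken in `handle_click`, and an unknown verdict fails closed.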
“Time-of-click protection is the single most important advancement in email security in the last five years. Attackers weaponize links hours after delivery - and most defenses have already moved on.” - Brad Slavin, General Manager, DuoCircle
Gap 4: Shared Threat Intelligence
When 400 million Microsoft 365 seats share the same threat intelligence database, attackers have a clear target to test against. Criminal phishing-as-a-service platforms routinely advertise Microsoft 365 and Gmail delivery testing as a feature.
The detection logic that protects a Fortune 500 company’s Microsoft 365 tenant is substantially the same logic protecting a 15-person accounting firm. The Fortune 500 company has dedicated security teams monitoring and supplementing that baseline. The accounting firm typically does not.
The gap: Adding independent threat intelligence from sources that attackers are not specifically testing against improves detection rates for targeted and novel attacks.
Gap 5: Configuration Complexity
Both Microsoft and Google provide extensive security configuration options. The problem is that most small businesses never configure them properly.
Microsoft 365 configuration challenges:
- Anti-phishing policies, Safe Links policies, and Safe Attachments policies must each be configured separately
- Default policies are permissive - they must be tuned for meaningful protection
- Preset security policies (Standard and Strict) help but require understanding of their limitations
- Quarantine policies, user submission settings, and alert configurations add further complexity
Google Workspace configuration challenges:
- Advanced phishing and malware protection settings are not always enabled by default
- Security sandbox requires Enterprise tier
- Content compliance rules require careful configuration to avoid blocking legitimate email
- Admin interface does not always surface the most security-critical settings prominently
For guidance on Office 365 configuration, see our pages on Office 365 Phishing Protection and Office 365 ATP Anti-Phishing.
The gap: A supplemental email security solution that works out of the box with sensible defaults reduces the configuration burden and eliminates the risk of misconfiguration.
Cloud Email Security Architecture
How Supplemental Protection Works
Supplemental email security for cloud platforms operates at the mail transport layer. For Microsoft 365 and Google Workspace, this typically means routing inbound email through the supplemental security gateway before it reaches the platform:
- Your MX records point to the supplemental security provider
- Every inbound email is scanned by the supplemental provider’s detection engines
- Clean email is forwarded to Microsoft 365 or Google Workspace for normal delivery
- Threats are quarantined and never reach the platform
This architecture provides several advantages:
- Independent detection layers run before the platform’s own scanning
- The supplemental provider’s threat intelligence is separate from the platform’s
- Configuration is managed in a single administrative console
- The platform’s built-in security still runs as a second layer, providing defense in depth
Deployment Considerations
MX record routing (gateway mode):
- Most common deployment for supplemental email security
- All inbound email routes through the security gateway first
- Simple to set up - typically requires only MX record changes
- Phish Protection operates in this mode with setup in under 5 minutes
API-based integration (inline mode):
- Connects directly to Microsoft 365 or Google Workspace via API
- Analyzes email within the platform rather than routing through a gateway
- Does not require MX record changes
- May have latency implications depending on implementation
Hybrid mode:
- Combines MX routing for pre-delivery scanning with API integration for post-delivery remediation
- Provides the broadest coverage but adds complexity
What to Look for in a Cloud Email Security Solution
When evaluating supplemental security for Microsoft 365 or Google Workspace:
- Pre-delivery scanning - Threats must be blocked before reaching the inbox, not remediated afterward
- Multi-engine detection - Multiple independent detection engines running in parallel
- Time-of-click URL protection - Every URL rewritten and scanned at click time
- BEC and impersonation detection - Custom to your organization, not generic
- Sub-second latency - No noticeable delay in email delivery
- Simple deployment - MX record change, not months of professional services
- Self-service administration - Your team controls policies and reviews quarantine without vendor involvement
- Platform-agnostic - Works with both Microsoft 365 and Google Workspace (and hybrid or migration scenarios)
For a broader evaluation framework, see our Anti-Phishing Software buyer’s guide and Anti-Phishing Solutions overview.
Microsoft 365 Phishing: The Current Threat Landscape
Microsoft 365 is the single most-targeted email platform for phishing attacks. This is not surprising given its market share, but the volume and sophistication of M365-specific attacks in 2026 warrant specific attention.
Common Microsoft 365 Attack Vectors
Credential harvesting via fake login pages: The most common M365 phishing attack directs users to a convincing replica of the Microsoft login page. The attacker captures credentials in real time and uses them to access the victim’s account. Multi-factor authentication helps but is not foolproof - attackers use adversary-in-the-middle (AiTM) proxies to capture session tokens.
For real-world examples, see our page on Office 365 Phishing Email Examples.
OAuth consent phishing: Rather than stealing passwords, attackers trick users into granting OAuth permissions to a malicious application. This gives the attacker persistent access to the user’s mailbox and files without needing credentials.
Tenant compromise: Once an attacker gains access to one M365 account, they use it to send phishing emails internally - which are trusted by default because they come from within the organization’s own tenant.
Teams and SharePoint phishing: Phishing has expanded beyond email to Microsoft Teams messages and SharePoint sharing notifications, which many security tools do not scan.
For Microsoft-specific protection strategies, see:
- How to Stop Phishing Emails in Office 365
- Microsoft Advanced Threat Protection
- Advanced Threat Defense
- Office 365 Antivirus
- Do I Need Third-Party Phishing Protection for Office 365? (blog)
- O365 Phishing Protection: 2026 Guide (blog)
Google Workspace Phishing Considerations
Google Workspace faces similar attack patterns:
- Fake Google login pages for credential harvesting
- Google Docs and Drive sharing notifications used as phishing lures
- OAuth consent phishing for Gmail access
- Calendar invitation phishing with malicious links
Google’s machine learning-based filtering is effective against high-volume campaigns but faces the same structural limitation as Microsoft - attackers test against it specifically because it is the target environment.
Migration Security: Protecting Email During Platform Transitions
Organizations migrating from on-premises Exchange to Microsoft 365, or switching between cloud platforms, face elevated phishing risk during the transition:
- MX record changes create temporary gaps in email routing
- Coexistence periods where email flows through multiple systems complicate security policy enforcement
- User confusion during migration provides cover for social engineering attacks
- Legacy security controls may be decommissioned before new controls are fully operational
A platform-agnostic supplemental security solution like Phish Protection eliminates this risk by providing consistent protection regardless of which email platform is receiving email at any given point in the migration.
Office 365 Ransomware Risk
Microsoft 365 is also a significant ransomware attack surface:
- Email-delivered ransomware uses Office 365 as the initial delivery mechanism
- OneDrive and SharePoint ransomware encrypts files synced to cloud storage
- Account compromise leading to ransomware deployment - attackers use stolen M365 credentials as an entry point for broader network compromise
For ransomware-specific guidance, see:
- Office 365 Ransomware
- Office 365 Ransomware Recovery
- Microsoft ATP Ransomware
- Malware and Ransomware Protection
How Phish Protection Supplements Microsoft 365 and Google Workspace
Phish Protection is designed specifically to close the gaps that built-in cloud email security leaves open:
- 5 concurrent detection engines provide independent threat detection that attackers cannot pre-test against
- Pre-delivery gateway scanning blocks threats before they reach Microsoft 365 or Google Workspace
- Time-of-click URL protection rewrites and scans every URL at the moment of click
- Custom BEC and impersonation detection tuned to your organization’s executives and key contacts
- Sub-second latency with no noticeable delivery delay
- Simple deployment via MX record change - setup in under 5 minutes
- Platform-agnostic - works with Microsoft 365, Google Workspace, and hybrid environments
The built-in security in your cloud email platform provides one layer of defense. Phish Protection adds five more.