Business Email Under Attack: Securing M365 & Workspace from BEC
One hyphen nearly cost a firm ₹28 lakh. Learn how BEC targets Indian SMBs and the exact steps to harden email security for Microsoft 365 and Google Workspace.

Last month a manufacturing firm in Ludhiana almost wired ₹28 lakh to a supplier's "new" bank account. The email looked perfect. Right signature, right logo, right conversational tone, even referenced an ongoing purchase order the accounts team knew about. The only reason the transfer didn't go through was that the accountant called the supplier to confirm the IFSC code and learned the real vendor had never changed banks. The email had come from a domain that read @suppliername-invoices.com instead of @suppliername.com. One hyphen. Twenty-eight lakh rupees.
This is Business Email Compromise, or BEC, and it is now the most expensive cybercrime category on the planet. The FBI's Internet Crime Complaint Center has tracked BEC losses running into billions of dollars globally, and India consistently ranks among the top countries reporting these attacks. What makes BEC dangerous isn't malware. It's psychology. There's often no attachment to scan, no malicious link to block. Just a well-worded email asking someone in accounts to change a payment detail, or someone in HR to share salary data.
If your business runs on Microsoft 365 or Google Workspace, you already have decent baseline defenses. But baseline is not the same as adequate. In this piece I'll walk through how BEC actually plays out against Indian SMBs, what the built-in tools do and don't cover, and the specific layers of email security for Microsoft 365 and Google Workspace that separate a hardened setup from a sitting duck. This is drawn from real deployments, not vendor brochures.
Key Takeaways
- BEC is a social engineering attack, not malware — your antivirus won't catch it, and most attacks come from lookalike domains or compromised legitimate accounts.
- Turn on MFA for every user, without exception. This single step blocks the majority of account takeover attempts and costs nothing extra on your existing licence.
- Correctly configured SPF, DKIM and DMARC records stop attackers from spoofing your own domain — most Indian SMBs have these half-configured or missing entirely.
- The default M365 Business Basic and Workspace Business Starter plans lack advanced anti-phishing; upgrading tiers or adding Defender for Office 365 is often worth the ₹150–400 per user per month.
- Technology alone won't save you — a written payment-verification policy (call-back on any bank detail change) prevents the losses that filters miss.
- Enable audit logging and mailbox forwarding alerts so you can detect a compromise in hours, not weeks.
What is Business Email Compromise and why are Indian SMBs prime targets?
BEC is a category of fraud where an attacker uses email to trick an employee into transferring money or handing over sensitive data. Unlike a phishing spray that goes to thousands of random inboxes, BEC is targeted. The attacker researches your business, understands who pays vendors, who signs off on transfers, and how your invoices look. Then they strike at the right moment with the right words.
There are a few common flavors:
- CEO fraud: An email that appears to come from the founder or director, asking finance to make an urgent payment "before the board call" and to keep it confidential.
- Vendor invoice fraud: The Ludhiana example above. A real or fake supplier "updates" their bank details.
- Account takeover: The attacker actually breaks into a real mailbox (often via a stolen password and no MFA) and sends fraud from inside your own organisation. These are the hardest to catch.
- Payroll diversion: An email pretending to be an employee asking HR to redirect their salary to a new account.
Indian SMBs are attractive targets for specific reasons. Many run lean finance teams where one person handles vendor payments with limited oversight. A lot of business happens over informal WhatsApp and email exchanges, so a slightly-off request doesn't raise alarms. And a large share of GST-registered MSMEs deal with recurring vendor payments, exactly the pattern attackers exploit. When you're processing dozens of invoices a week, one carefully forged request slips through easily.
Why won't the default M365 or Google Workspace settings protect me?
Here's the uncomfortable truth many businesses discover after an incident. Both Microsoft 365 and Google Workspace ship with genuinely good spam and malware filtering out of the box. Exchange Online Protection and Google's threat filters block millions of junk and malicious emails daily. But BEC frequently contains neither spam signatures nor malware. A plain-text email from [email protected] saying "are you at your desk? need a quick favour" sails right through.
The gaps in default configurations usually look like this:
- MFA is off or optional. I still walk into businesses in 2024 where directors have no second factor because "it's annoying." That one account is a jackpot for attackers.
- DMARC is not enforced. Anyone can spoof your
@yourcompany.comfrom address because you never told the world's mail servers to reject unauthenticated mail. - No lookalike-domain detection. The base plans don't warn users when an external email tries to impersonate your CFO's name.
- Audit logging disabled or unwatched. When a breach happens, you can't see what the attacker did, or you find out weeks later.
- Auto-forwarding to external addresses allowed. A classic attacker trick: set a hidden rule that forwards all invoice emails to an external inbox.
Choosing and configuring the right plan matters here. If you're still deciding between platforms, our breakdown of Google Workspace vs Microsoft 365 for Indian small businesses is a good starting point, and the Zoho vs Google Workspace vs M365 comparison covers the Swadeshi angle if data residency matters to you.
How do I set up SPF, DKIM and DMARC correctly?
These three DNS records are the foundation of email authentication, and getting them right is the highest-leverage thing you can do. Together they tell the internet: "only these servers are allowed to send email as my domain, here's how to verify it, and here's what to do with anything that fails."
The three records explained plainly
- SPF (Sender Policy Framework): A list of servers permitted to send email for your domain. Published as a TXT record.
- DKIM (DomainKeys Identified Mail): A cryptographic signature added to your outgoing mail so receivers can confirm it wasn't tampered with and genuinely came from you.
- DMARC: The policy that ties SPF and DKIM together and tells receiving servers what to do when mail fails: do nothing, quarantine it, or reject it outright. It also sends you reports.
Step-by-step for a typical M365 or Workspace domain
- Log into your DNS provider (GoDaddy, BigRock, Cloudflare, or wherever your domain is registered).
- Publish your SPF record. For M365 it's typically
v=spf1 include:spf.protection.outlook.com -all. For Google Workspace it'sv=spf1 include:_spf.google.com ~all. Use-all(hard fail) once you're confident all legitimate senders are listed. - Enable and publish DKIM. In the Microsoft 365 Defender portal or Google Admin console, turn on DKIM signing, then add the two CNAME records (M365) or one TXT record (Workspace) it generates.
- Start DMARC in monitoring mode. Add a TXT record for
_dmarc.yourcompany.comwithv=DMARC1; p=none; rua=mailto:[email protected]. This collects reports without blocking anything. - Read the DMARC reports for two to four weeks. You'll discover legitimate services sending as your domain that you forgot about — your CRM, your bulk mailer, your accounting tool. Add them to SPF.
- Move to enforcement. Once reports are clean, change the policy to
p=quarantineand eventuallyp=reject. Now nobody can spoof your domain.
Common Mistake: Jumping straight to p=reject without a monitoring period. I've seen a Pune trading company go straight to reject and silently kill their own GST invoice emails sent through a third-party portal for three days before anyone noticed customers weren't receiving documents. Always monitor first. DMARC done wrong breaks legitimate mail; DMARC done right is invisible to everyone except attackers.
Which M365 and Workspace plans give the best BEC protection for the money?
Plan choice is where budget meets security. Here's how the common tiers stack up on BEC-relevant features and realistic per-user monthly pricing in rupees (list prices vary; always confirm current rates).
| Plan | Approx ₹/user/month | MFA | Advanced anti-phishing | Safe Links / Attachments | Impersonation protection |
|---|---|---|---|---|---|
| M365 Business Basic | ₹145 | Yes | No | No | No |
| M365 Business Standard | ₹770 | Yes | Basic | No | No |
| M365 Business Premium | ₹1,320 | Yes | Yes (Defender P1) | Yes | Yes |
| Workspace Business Starter | ₹136 | Yes | Basic | Limited | No |
| Workspace Business Standard | ₹736 | Yes | Yes | Yes | Partial |
The practical takeaway: if your business handles significant vendor payments, M365 Business Premium is often the sweet spot because it bundles Defender for Office 365 Plan 1 (which adds Safe Links, Safe Attachments, and mailbox impersonation protection) with device management and identity protection. On the Google side, Business Standard is a solid baseline, though you'd typically add third-party tooling for the strongest impersonation defense.
You don't have to figure out the licensing maze alone. eDarpan handles Microsoft 365 licensing and Google Workspace licensing for Indian businesses and can right-size your tier so you're not overpaying for features you won't use, or underpaying and leaving finance exposed.
How a 40-person exporter in Coimbatore hardened their setup: a worked example
Let me make this concrete. A textile exporter in Coimbatore, roughly 40 staff, came to us after a near-miss. An email impersonating their MD had asked the accounts head to release ₹6.2 lakh to a "new logistics partner." The accountant got suspicious only because the MD never uses the word "kindly." Pure luck.
Their setup at the time: everyone on M365 Business Basic at ₹145/user, MFA optional (most had ignored it), no DMARC, and no impersonation protection. Total spend around ₹5,800/month for email.
Here's what we did over three weeks:
- Week 1 — Identity lockdown. Enforced MFA for all 40 users via Conditional Access, using the Microsoft Authenticator app. Disabled legacy authentication protocols that bypass MFA. Blocked auto-forwarding to external domains org-wide.
- Week 1 — Email authentication. Published proper SPF, enabled DKIM, set DMARC to
p=nonefor monitoring. - Week 2 — Plan upgrade for high-risk users. Moved the 8 people in finance, procurement, and leadership to Business Premium (₹1,320 each) for Defender impersonation protection and Safe Links. Kept the other 32 on Basic. This targeted approach kept costs sane.
- Week 2 — Anti-phishing policies. Configured Defender to flag any external email impersonating the MD, CFO, or the company domain, adding a visible warning banner.
- Week 3 — DMARC enforcement + policy. Moved DMARC to
p=quarantine. Rolled out a written rule: any change to vendor bank details requires a phone call-back to a known number, never a number from the email itself. - Week 3 — Monitoring. Enabled unified audit logging and set alerts for suspicious inbox rules and impossible-travel sign-ins.
New monthly cost: 32 users at ₹145 plus 8 at ₹1,320 = roughly ₹15,200/month. An increase of about ₹9,400 over their old bill. Against a single averted ₹6.2 lakh fraud, that's a rounding error. Three months in, their Defender reports show it has flagged and quarantined 14 impersonation attempts. This kind of pragmatic, tiered rollout is exactly what our IT consulting and managed services teams design for SMBs.
What internal policies stop the frauds that filters can't?
The most important lesson from every BEC case I've handled: the final defence is human, not technical. The Ludhiana firm at the start of this article was saved by a phone call, not a spam filter. Build these policies and enforce them in writing.
- Payment call-back rule. Any change to a vendor's bank account, or any first-time payment above a threshold (say ₹1 lakh), requires verbal confirmation on a previously-known phone number. Not a number in the email.
- Dual authorisation for large transfers. Payments above a defined limit need two approvers. Attackers count on one panicked person acting alone.
- Slow down "urgent and confidential" requests. Genuine urgency plus secrecy is the exact signature of CEO fraud. Train staff that this combination should raise suspicion, not compliance.
- External sender banners. Configure your platform to tag every email from outside the organisation. It's a constant visual reminder that a "colleague's" mail is actually external.
- Report-and-reward culture. Make it easy and blameless to report a suspicious email. The employee who forwards a fake invoice to IT is a hero, not a nuisance.
Pro Tip: Run a controlled internal phishing simulation once a quarter. Send your own staff a harmless fake "MD urgent payment" email and measure who clicks or replies. The first round is always sobering — 20-30% response rates are common. By the third round, with feedback and short training, that usually drops below 5%. This measurable improvement is far more convincing to management than any awareness poster.
How do I detect and respond if an account is already compromised?
Assume it will happen eventually and build for detection. Speed matters: the difference between catching a compromise in an hour and a week is often the difference between an inconvenience and a wire transfer gone.
- Enable unified audit logging (M365) or the equivalent Workspace security investigation logs. Without this, forensics after an incident is guesswork.
- Alert on suspicious inbox rules. Attackers create rules that auto-delete or forward emails to hide their tracks. Set an alert for new forwarding rules.
- Watch for impossible-travel sign-ins. A login from Chennai at 10am and Nigeria at 10:20am is physically impossible. Both platforms can flag this.
- Have an incident playbook. When compromise is suspected: reset the password immediately, revoke all active sessions, force re-authentication with MFA, remove malicious inbox rules, and check sent items for fraudulent emails to notify recipients.
- Notify affected parties fast. If the attacker emailed your customers or vendors from the compromised account, warn them before they act on it.
For businesses without a dedicated security person, this is precisely where a managed partner earns its keep. Our services team can monitor these signals and respond, so you're not discovering a breach from an angry vendor.
Frequently Asked Questions
Does Microsoft 365 Business Premium include anti-phishing protection?
Yes. Business Premium bundles Microsoft Defender for Office 365 Plan 1, which adds Safe Links, Safe Attachments, and mailbox impersonation protection that the lower Business Basic and Standard tiers lack. For businesses handling regular vendor payments, this upgrade is usually worth the higher per-user cost.
Is MFA enough to stop Business Email Compromise?
MFA dramatically reduces account takeover, which is one major BEC vector, but it does not stop lookalike-domain fraud or CEO impersonation sent from external addresses. You need MFA plus email authentication (DMARC), impersonation filtering, and a payment verification policy for full coverage.
How much does it cost to secure email for a small Indian business?
For a 20-40 person firm, expect ₹150-350 per user per month depending on whether you put everyone or just high-risk staff on premium tiers. A common approach is keeping general staff on basic plans while moving finance and leadership to Business Premium, which balances security and budget.
What is the difference between spam filtering and BEC protection?
Spam filtering blocks bulk junk and known malicious content based on signatures. BEC protection targets the socially engineered emails that contain no malware or spam markers — like impersonation detection, domain spoofing checks, and behavioural anomaly alerts. Standard spam filters miss most BEC because there's nothing technically "bad" in the message.
Do I need DMARC if I use Google Workspace or Microsoft 365?
Yes. SPF, DKIM, and DMARC are DNS-level records you must configure yourself regardless of your email platform. Google and Microsoft handle DKIM signing, but publishing the records and setting an enforcement policy is your responsibility, and most SMBs leave DMARC unconfigured, allowing attackers to spoof their domain.
Can attackers spoof my company domain even if I have good passwords?
Absolutely. Domain spoofing has nothing to do with your passwords. Without an enforced DMARC policy, any server on the internet can send email claiming to be from your address. Publishing SPF, DKIM, and a p=reject DMARC policy is the only reliable way to prevent this.
How long does it take to fully secure a company's email?
A focused rollout for a 20-50 person business typically takes two to four weeks: identity and MFA lockdown in week one, email authentication and monitoring, plan upgrades for high-risk users, then moving DMARC to enforcement once monitoring reports are clean. Rushing DMARC enforcement is the main thing that causes delays and broken mail.
Bringing it together
BEC succeeds because it exploits trust and urgency, not software vulnerabilities. That's also why the defense has to be layered. No single toggle saves you. Strong email security for Microsoft 365 and Google Workspace comes from stacking identity protection (MFA everywhere), email authentication (SPF, DKIM, and an enforced DMARC policy), the right licence tier for your risk profile, active monitoring, and above all a hard-wired human policy that treats payment changes with suspicion. Each layer covers the gaps the others leave.
The Coimbatore exporter spent an extra ₹9,400 a month and blocked 14 attacks in the first quarter. The Ludhiana firm nearly lost ₹28 lakh and now runs a mandatory call-back rule. You don't need to learn these lessons the expensive way.
If you'd like help auditing your current setup, right-sizing your Microsoft 365 or Google Workspace licences, and putting proper protection in place, get in touch with the eDarpan team. We work with GST-registered MSMEs across India and can go from audit to hardened setup in a matter of weeks. And if you're rethinking your broader IT stack — cloud migration, custom software, or reaching customers via WhatsApp Business API — we can help there too. Security is a habit, not a purchase; the sooner you start building it, the cheaper it stays.
Image credit: Sad Cartoon versus Technology by Sean Loyless via flickr (BY 2.0), sourced through Openverse.
Written by
Amit Verma
Cloud architect specializing in AWS, Azure, and GCP infrastructure. Amit has designed multi-region deployments for Indian enterprises and writes about cloud migration, cost optimization, and DevOps best practices.
Looking for a technology partner?
From IT consulting to virtual office to custom software — eDarpan can help.
Continue reading

Egress Fees Explained: The Hidden Cost of Leaving Your Cloud
Cloud egress fees can quietly eat 10-20% of your bill and hit hard when you exit. Here's how AWS, Azure & GCP charge in India, plus how to cut costs 40-70%.

Zoho vs Google Workspace vs M365: The Swadeshi Math for SMBs
For a 25-person team, the wrong productivity suite can cost ₹1.6 lakh extra a year. Here's the real Zoho vs Google Workspace vs M365 math for Indian SMBs.

What Does It Really Cost to Build a Mobile App in India in 2026?
A real breakdown of mobile app development cost in India for 2026: line items, rupee figures, hidden post-launch costs, and how to read any dev contract.