Email Security Beyond the Spam Filter: What Irish SMEs Actually Need
For Irish SMEs across Donegal, Sligo, Dublin, and the wider island of Ireland.
Email is the most dangerous door into your business. Not because email itself is insecure, but because attackers have spent 20 years perfecting the art of social engineering through it. A phishing email that looks like it came from your bank. A business email compromise (BEC) that looks like it came from your CEO. A ransomware attachment disguised as an invoice.
The built-in Microsoft 365 spam filter catches some of this. But "some" is not enough. For Irish SMEs, email is the primary attack vector — and the primary vector for financial loss.
Why the Built-In Filter Is Not Enough
Microsoft 365 includes a spam filter. It is decent. It blocks obvious threats. But it is designed to be permissive — to avoid blocking legitimate emails — which means it lets through a lot of things it should not.
Here is what the built-in filter does well:
- Blocks emails from known malicious domains
- Detects obvious phishing attempts (emails claiming to be from your bank asking for passwords)
- Filters out mass spam
Here is what it does not do:
- Detect sophisticated phishing. Modern phishing emails are AI-generated and nearly indistinguishable from legitimate communications. They do not come from obviously malicious domains. They come from compromised legitimate accounts or spoofed addresses that look almost identical to real ones.
- Block business email compromise (BEC). A BEC attack is an email that appears to come from your CEO asking the finance team to transfer €50,000 to a supplier account. The email address is spoofed or the CEO's account is compromised. The built-in filter has no way to know this is not legitimate.
- Scan URLs in real-time. An attacker sends an email with a legitimate-looking link. The link is safe when the email is sent. 30 minutes later, the attacker updates the URL to point to a malicious site. The built-in filter does not re-scan it.
- Detect ransomware delivered as an attachment. Some ransomware is polymorphic — it changes its signature constantly to evade antivirus detection. The built-in filter does not have the capability to detonate suspicious attachments in a sandbox and observe their behaviour.
The Irish SME Email Threat Landscape
Email attacks against Irish businesses have become increasingly sophisticated. The NCSC Ireland and An Garda Síochána have both highlighted email-based attacks as the primary vector for ransomware, data theft, and financial fraud targeting Irish SMEs.
Business Email Compromise (BEC) is the most costly. An attacker compromises an executive's email account or spoofs their address, then sends an email to the finance team requesting an urgent wire transfer. The email looks legitimate. It comes from the right person. It is urgent. Finance processes it. By the time anyone realises it is fraudulent, the money is gone.
A 2023 Garda cybercrime report documented cases where Irish SMEs lost between €10,000 and €500,000 to single BEC attacks. The average was €65,000 — enough to hurt a small business.
Phishing is the second vector. An employee receives an email that looks like it came from Microsoft, their bank, or a trusted vendor. The email asks them to click a link and enter their password. The employee does. The attacker now has their credentials and can access email, cloud storage, and any system that uses those credentials.
Ransomware delivery via email is the third. An attachment that looks like an invoice or a document is actually ransomware. The employee opens it. The ransomware encrypts the business's files. The attacker demands payment.
All three attacks start with email. All three can be significantly mitigated with the right email security controls.
What Dedicated Email Security Actually Does
A dedicated email security solution sits in front of your mailbox and does things the built-in filter cannot:
| Control | What It Does | Why It Matters |
|---|---|---|
| Advanced phishing detection | Uses AI and behaviour analysis to detect sophisticated phishing even if the sender looks legitimate | Catches attacks that bypass signature-based filters |
| URL rewriting and sandboxing | Rewrites URLs to point through a security gateway; detonates suspicious attachments in a sandbox to detect ransomware | Blocks zero-day attacks and polymorphic malware |
| DMARC, DKIM, SPF enforcement | Prevents attackers from spoofing your domain or your trusted partners' domains | Stops BEC attacks that rely on domain spoofing |
| User behaviour analytics | Learns what normal email behaviour looks like for each user; flags anomalies (sudden mass forwarding, unusual recipients) | Detects compromised accounts before they cause damage |
| Attachment sandboxing | Detonates suspicious files in an isolated environment to see if they execute malicious code | Catches ransomware variants that antivirus misses |
The Human Layer: Security Awareness Training
Here is the uncomfortable truth: no email filter is 100% effective. Some sophisticated attacks will get through. When they do, the last line of defence is your employees.
A well-trained employee who recognises a phishing email is more valuable than any technical control. They will not click the link. They will report it. And you will have early warning of an attack before it causes damage.
But training only works if it is practical and repeated. Generic "click here to take a security quiz" training does not work. Employees need to understand:
- Why they are a target (attackers see SMEs as easier targets than large enterprises)
- How attacks actually work (with real examples, not hypothetical scenarios)
- What to do when they suspect something is wrong (report it without fear of blame)
At Pragmatic Security, we combine technical email security controls with practical security awareness training. The training is not a compliance checkbox — it is woven into the business context so employees understand why it matters.
DMARC, DKIM, and SPF: The Technical Foundation
If you have heard these acronyms and tuned out, here is what you need to know:
- SPF (Sender Policy Framework) tells email servers: "Emails claiming to come from my domain should only come from these specific servers." It prevents basic domain spoofing.
- DKIM (DomainKeys Identified Mail) digitally signs emails from your domain so recipients can verify they actually came from you, not from someone spoofing your address.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells email servers what to do if an email fails authentication (quarantine it, reject it, or report it).
Together, these three prevent attackers from spoofing your domain or your trusted partners' domains. DMARC is the single most important control for preventing BEC attacks. If your domain is not protected by DMARC, attackers can send emails that appear to come from you — and your employees will believe them. One caveat: DMARC protects only the exact domains whose DNS you control. A lookalike domain registered by the attacker, or a genuine account that has been compromised (both described above), passes authentication, which is why the phishing detection and user behaviour analytics in the table above still matter.
The NCSC Ireland recommends DMARC enforcement as a foundational control for all organisations. For Irish SMEs, it is non-negotiable.
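To make the DMARC rule concrete, here is an added example in Python (not code from the original article or from Pragmatic Security). It evaluates a message against a domain's DMARC record the way a receiving mail server does, taking the SPF and DKIM results as inputs; the domains, TXT records and `DNS_TXT` lookup table are constructed for the demo and stand in for real DNS.

```python
# Added example (not from the original article): a minimal DMARC evaluator.
# DMARC adds one rule on top of SPF and DKIM: the message passes only if SPF
# or DKIM passed AND the authenticated domain aligns with the visible From:
# domain. DNS lookups are replaced by a constructed in-memory table of records.

# Constructed sample records for hypothetical domains (not real DNS data).
DNS_TXT = {
    "_dmarc.example.ie": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.ie",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
}

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {tag: value}, filling in the
    RFC 7489 defaults: relaxed alignment for both DKIM and SPF."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels). Real checkers
    use the Public Suffix List; two labels are enough for this demo."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the owner's requested action on failure ('none' =
    deliver and report only, 'quarantine', 'reject'), or 'no-policy'."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}", "")
    if not record.startswith("v=DMARC1"):
        return "no-policy"          # unprotected domain: spoofs are delivered
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    # A BEC-style spoof: From: ceo@example.ie, but SPF only passes for the
    # sender's own infrastructure, so nothing aligns and p=reject applies.
    print(dmarc_disposition("example.ie", True, "attacker.example", False, ""))
```

The same spoof aimed at `partner.example`, whose record is still at `p=none`, comes back as "none": the receiving server delivers the message and merely reports it, which is why moving from monitoring to enforcement is the step that actually stops the attack.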
What This Means for NIS2 and Cyber Insurance
NIS2 compliance requires "appropriate technical and organisational measures" to protect against email-borne attacks. Dedicated email security and DMARC enforcement are now baseline expectations.
Cyber insurers are asking specific questions: "Do you have email filtering beyond the built-in filter? Is DMARC enforced on your domain? Do you provide security awareness training?" If the answer to any of these is "no," insurers will either decline coverage or impose exclusions that render the policy worthless if you suffer an email-based attack.
Book a free 20-minute strategy call with our vCISO team. We will assess your email security, explain what is missing, and tell you exactly what to do — no jargon, no obligation.
Related Reading
- Email Security for Irish Businesses: SPF, DKIM and DMARC Explained
- A Donegal Business Lost €47,000 in 48 Hours: Here Is Exactly What Happened
- Deepfake Threats to Irish Businesses: CEO Fraud Gets a Voice
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.