Is Your Built-In Email Security Enough?
Almost every organisation now runs email on Microsoft 365 or Google Workspace, and the security built into both is genuinely good and quietly improving. So the honest question is not whether those controls work but where they stop. Here is what the built-in tier really protects you against, where the gaps are, and how to tell whether you need a dedicated layer or are already well covered.
If your email runs on Microsoft 365 or Google Workspace, you already have a serious amount of security working for you. Depending on your plan or edition, both platforms filter spam, block known malware, sandbox attachments, rewrite and check links, and flag messages that look like impersonation. They process a vast amount of global mail, so they see new attack patterns early. For a lot of organisations that is a strong baseline, and the first honest thing to say is that the built-in tier is not a token effort. It stops the overwhelming majority of what arrives.
So the real question is not whether the built-in controls work. It is where they stop, and whether the things they miss are the things that would actually hurt you. That depends on who you are, what an attacker stands to gain, and how your estate is set up. This guide is about telling those situations apart, so you neither overspend on a layer you do not need nor leave a gap that a single convincing message can walk through. For how the layers of email defence and human awareness fit together more broadly, see our guide on email security and human risk. This piece is narrower: the built-in baseline versus adding a dedicated layer.
What the built-in tier actually gives you
It helps to be precise about what is already there, because most teams underestimate it. In Microsoft 365, the baseline is Exchange Online Protection, which every mailbox gets: anti-spam, anti-malware and basic spoof checks. Defender for Office 365 then adds more in two plans. Plan 1 brings Safe Links and Safe Attachments plus anti-phishing and impersonation protection, and is bundled with Microsoft 365 Business Premium. Plan 2 adds automated investigation and response, Threat Explorer for hunting and purging messages, and attack simulation training, and is bundled with Microsoft 365 E5. Google Workspace has its own equivalents: advanced phishing and malware protection, attachment sandboxing, and suspicious link warnings, with more in the higher editions.
The important and often missed point is that stepping up the included tier closes more than people expect. An organisation on an entry-level mailbox that has never licensed the higher protection plan is not really testing whether built-in security is enough; it is running it with the strongest features switched off. Licensing is only the first step, though. The Safe Links, Safe Attachments and anti-phishing policies still have to be created and scoped to every user, or applied through the Standard or Strict preset security policies, and the impersonation lists need your real executives and suppliers in them. Before anyone reaches for a third-party product, the first question is whether the platform you already pay for is fully turned on and tuned.
A surprising number of estates we look at are running the basic mail filter with the advanced protection plan unlicensed or unconfigured. Closing that gap is often the highest-value, lowest-cost move available, and it has to happen before any conversation about a dedicated layer is honest.
Where the gaps still are
Once the built-in tier is fully enabled, there are still categories of threat that baseline filtering struggles with by their nature, not because the platform is weak. These are the ones worth understanding.
Business email compromise with no payload. The most expensive email attacks often contain no link and no attachment at all. A message that simply impersonates a director and asks finance to change bank details has nothing for a malware engine to detonate. It is pure social engineering, and it relies on context and tone. It also tends to authenticate cleanly, because it is sent from a freshly registered lookalike domain or a free webmail account with a borrowed display name rather than by spoofing your own domain. Built-in impersonation protection catches some of this, and works best when the people and domains you most need to protect are actually listed in the policy, but the carefully targeted version, written to your people about a real supplier or a real invoice, is the hardest class to stop with filtering alone.
The post-delivery problem. A message can be clean at the moment it is delivered and dangerous later. A link that scans as harmless can be switched to a malicious page after delivery, and an account that looks legitimate today can be compromised tomorrow and used to send internal mail your filters trust. Defending against this needs two things: re-checking links at the time of click rather than only at delivery, which Safe Links does in Microsoft 365, and the ability to reach back into mailboxes and remove a message after the fact, across everyone who received it. Microsoft's zero-hour auto purge and the Plan 2 Threat Explorer purge cover part of that, but using them well is an operational capability as much as a filtering one: someone has to notice, find every copy and act quickly.
Lookalike domains and supply chain. Attacks that come through a compromised supplier, or from a domain one character different from a trusted one, exploit your trust in a relationship rather than a technical flaw. Neither is caught by sender authentication alone: mail from a compromised supplier is genuinely sent from their domain, so SPF, DKIM and DMARC all pass, and a newly registered lookalike domain can be set up to pass them too. These need consistent policy and good visibility across inbound mail, and they are where a lot of real incidents originate.
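The two classes above that the text calls hardest, a borrowed display name with no payload and a sender domain one character off a trusted one, come down to a handful of checks on the envelope and the wording. The following is an added example written for this page to show those checks; it is not Mimecast's, Microsoft's or Google's detection logic, and the organisation domains, protected names, confusable-character table, payment cues and sample messages are all constructed assumptions. It also shows why the compromised-supplier case can only be sent for review rather than quarantined: the domain is genuine, so nothing but the diverted reply-to and the wording gives it away.

```python
from __future__ import annotations
import unicodedata
from typing import NamedTuple

# Assumed organisation context (hypothetical): our own mail domain, two trusted
# supplier domains, and the person whose name attackers borrow most.
OUR_DOMAINS = {"example.co.uk"}
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind.co.uk"}
PROTECTED_NAMES = {"jane doe": "jane.doe@example.co.uk"}  # finance director
# Character pairs that read alike; folded before comparing so "examp1e" and
# "exarnple" both collapse onto "example". Payment cues are not malicious alone.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
PAYMENT_CUES = ("bank details", "new account", "change of bank", "wire transfer", "payment run")


class Message(NamedTuple):
    from_name: str; from_addr: str; subject: str; body: str; reply_to: str = ""


def normalise(text: str) -> str:
    """Lower-case, NFKC-fold and collapse confusable characters."""
    text = unicodedata.normalize("NFKC", text).lower()
    for lookalike, plain in CONFUSABLES:
        text = text.replace(lookalike, plain)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Known domain that `domain` imitates (embedded, equal after folding, or one edit away), else None."""
    domain = domain.lower()
    known = sorted(OUR_DOMAINS | TRUSTED_DOMAINS)
    if any(domain == k or domain.endswith("." + k) for k in known):
        return None  # the real domain or a subdomain of it
    folded = normalise(domain)
    for k in known:
        kf = normalise(k)
        if kf in folded or levenshtein(folded, kf) <= 1:
            return k
    return None


def impersonated_person(display_name: str, from_addr: str) -> str | None:
    """Real address of a protected person whose name another sender is using, else None."""
    name = normalise(display_name)
    for protected, real_addr in PROTECTED_NAMES.items():
        if protected in name and from_addr.lower() != real_addr:
            return real_addr
    return None


def assess(msg: Message) -> tuple[str, list[str]]:
    """Classify one message as quarantine, review or deliver, with the reasons."""
    findings: list[str] = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")
    real = impersonated_person(msg.from_name, msg.from_addr)
    if real:
        findings.append(f"display name {msg.from_name!r} belongs to {real}, not {msg.from_addr}")
    reply_domain = msg.reply_to.rsplit("@", 1)[-1].lower() if msg.reply_to else sender_domain
    if reply_domain != sender_domain:
        findings.append(f"replies diverted to {msg.reply_to}")
    cues = [c for c in PAYMENT_CUES if c in f"{msg.subject} {msg.body}".lower()]
    if cues:
        findings.append("payment-change language: " + ", ".join(cues))
    if target or real:
        return "quarantine", findings  # forged identity: finance must not see it
    if cues or reply_domain != sender_domain:
        return "review", findings  # possibly genuine: verify out of band first
    return "deliver", findings


# Constructed sample traffic (hypothetical). The compromised supplier writes from
# the genuine domain, so only the diverted reply-to and the wording give it away.
SAMPLES = {
    "exec_lookalike": Message("Jane Doe", "jane.doe@examp1e.co.uk",
        "Urgent: change of bank details", "Please update Acme's account before today's payment run."),
    "supplier_lookalike": Message("Acme Accounts", "accounts@acmesupplies.com",
        "Remittance advice", "Our bank details have changed; use the new account below."),
    "real_exec": Message("Jane Doe", "jane.doe@example.co.uk",
        "Quick question", "Do you have five minutes this afternoon?"),
    "compromised_supplier": Message("Acme Accounts", "accounts@acme-supplies.com",
        "Updated remittance details", "Our bank details have changed, see attached.",
        reply_to="acme.accounts@gmail.com"),
    "genuine_supplier": Message("Northwind Billing", "billing@mail.northwind.co.uk",
        "Invoice 1043", "Please find attached invoice 1043."),
}


def run_samples() -> dict[str, str]:
    return {label: assess(msg)[0] for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, *assess(msg))
```

Running it as a script prints one line per sample with the verdict and the findings. Note the deliberate asymmetry: a forged identity is quarantined outright, but payment-change wording from a genuine domain is only sent for review, because the right control there is a call-back to a known number, not a filter rule. A production version would load the protected names and supplier list from the directory and vendor master rather than hard-coding them.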
The operational gap. Tooling is only half of it. A control that is never tuned, whose alerts no one has time to triage, and where no one can quickly answer "who else got this", will underperform regardless of the logo on it. For many organisations the real gap is not a missing feature, it is the time and skill to run what they have.
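The operational question that keeps coming up, "who else got this", is answerable from a message-trace export as long as someone actually runs the query. As an added example, not code from the page or from any product, here is that query over a constructed trace in the column layout of a Microsoft 365 message trace. The 24-hour window and the decision to widen the search to everything from the same sender (because campaign variants rarely share a Message-ID) are assumptions of the example, and every address, subject and Message-ID in it is made up.

```python
from __future__ import annotations
import csv
import io
from datetime import datetime, timedelta

# Constructed message-trace export (hypothetical data laid out like a Microsoft 365
# message trace); every address, subject and Message-ID is made up for this example.
TRACE_CSV = """received,sender,recipient,subject,message_id,status
2024-05-02T09:12:01Z,jane.doe@examp1e.co.uk,a.patel@example.co.uk,Urgent: change of bank details,<c1@examp1e.co.uk>,Delivered
2024-05-02T09:12:01Z,jane.doe@examp1e.co.uk,b.khan@example.co.uk,Urgent: change of bank details,<c1@examp1e.co.uk>,Delivered
2024-05-02T09:40:17Z,jane.doe@examp1e.co.uk,c.lee@example.co.uk,Re: change of bank details,<c2@examp1e.co.uk>,Delivered
2024-05-02T09:41:05Z,jane.doe@examp1e.co.uk,d.ng@example.co.uk,Re: change of bank details,<c2@examp1e.co.uk>,Quarantined
2024-05-02T10:02:44Z,billing@northwind.co.uk,a.patel@example.co.uk,Invoice 1043,<inv1043@northwind.co.uk>,Delivered
2024-05-03T14:00:00Z,jane.doe@examp1e.co.uk,e.ross@example.co.uk,Quick question,<c3@examp1e.co.uk>,Delivered
"""


def parse_trace(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _when(row: dict[str, str]) -> datetime:
    return datetime.strptime(row["received"], "%Y-%m-%dT%H:%M:%SZ")


def blast_radius(rows: list[dict[str, str]], reported_message_id: str,
                 window: timedelta = timedelta(hours=24)) -> dict[str, object]:
    """From one reported Message-ID, list everyone who still holds a copy of the campaign.

    Variants of the same campaign usually carry different Message-IDs, so the search
    widens to everything the same sender sent within `window` of the seed message
    (an assumption of this example, tune it to the incident).
    """
    seed = [r for r in rows if r["message_id"] == reported_message_id]
    if not seed:
        raise ValueError(f"{reported_message_id} not found in trace")
    sender = seed[0]["sender"]
    t0 = min(_when(r) for r in seed)
    related = [r for r in rows if r["sender"] == sender and abs(_when(r) - t0) <= window]
    return {
        "sender": sender,
        "message_ids": sorted({r["message_id"] for r in related}),
        # Still sitting in a mailbox: these are the copies to purge.
        "purge": sorted({r["recipient"] for r in related if r["status"] == "Delivered"}),
        # The filter already stopped these; no mailbox action needed.
        "already_blocked": sorted({r["recipient"] for r in related if r["status"] != "Delivered"}),
    }


def demo() -> dict[str, object]:
    """Worked case: one recipient reports the exec-lookalike message."""
    return blast_radius(parse_trace(TRACE_CSV), "<c1@examp1e.co.uk>")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The seed message went to two people, but the same sender's follow-up variant reached a third, and the filter caught a fourth copy; a purge list built only from the reported Message-ID would have missed the third recipient. The unrelated supplier invoice that one of them received in the same hour stays out of scope because the grouping is by sender, not by recipient.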
When the built-in tier is genuinely enough
Here is where we will point away from spending more, because it is often the right call. If you are a smaller organisation, not a high-value target, heavily Microsoft-native, and willing to license and properly run Defender for Office 365 at its higher plan, the built-in tier can be entirely sufficient. The marginal threats a dedicated layer adds protection against may simply not be threats you realistically face, and a second product you do not have the time to tune can add cost and complexity without adding real protection. We have told plenty of clients exactly this. A well-configured platform you actually operate beats an extra layer you bolt on and ignore.
Ask two questions. Is the protection I already pay for fully enabled and tuned? And do the threats I realistically face fall into the gaps that remain? If the answer to the first is no, fix that before buying anything. If the answer to the second is also no, you may already be well covered.
When a dedicated layer earns its place
For other organisations the gaps above map directly onto the threats that would do real damage, and a dedicated email security layer is a sound investment. That is most clearly the case when you are a high-value or regulated target; when you carry heavy financial exposure to business email compromise, as finance and payments-heavy operations do; when you have a complex supplier base and lots of lookalike risk; when you run a mixed estate and need consistent policy across it; or when your in-house team does not have the time to tune and respond to email threats at the depth required. In those situations the question is which layer, and why.
Where Mimecast Email fits, and where it does not
We should be straight about our position. C4C is a Mimecast partner, among other relationships, and Mimecast is a solution we know well and often recommend. We also tell clients when the built in tier is the right answer, which is part of why the recommendation means something when we do make it. With that disclosed, here is the honest case.
Where we do recommend Mimecast Email, it is for specific reasons rather than as a default. It sits independently of the mailbox platform, so a compromised Microsoft or Google tenant does not also compromise the security layer in front of it, which matters when resilience and separation of control are part of the requirement. That independence only holds if the deployment is enforced: MX records point at the gateway and the tenant is configured to accept inbound mail only from it, otherwise an attacker who finds the tenant's direct address simply delivers past the layer. It is strong on the impersonation and business email compromise classes that baseline filtering finds hardest. It can remove a delivered message from every affected mailbox after the fact, which addresses the post-delivery problem directly. And it applies one consistent policy and one view across inbound mail, which is valuable in a mixed or complex estate. Those are the reasons. Where they match your problem, it is a strong fit.
Where they do not, we say so. If you are all in on Microsoft, willing to license Defender for Office 365 at its higher plan, and able to run it well, the incremental case for a third-party gateway is weaker, and we will tell you that rather than sell past it. A layer is only worth adding where it closes a gap you actually have.
How C4C helps
We start with the problem, not the product. We look at what you already have, whether it is fully enabled and tuned, the threats you realistically face given who you are, and where the genuine gaps sit. From there we give you a straight recommendation: enable and tune what you own, or add a dedicated layer, and if the latter, which one and why. We are a Mimecast partner and recommend it where it fits, and we are equally willing to tell you that your built-in security, properly run, is already enough. The free human risk assessment is a no-signup way to get an initial read on where your exposure sits.
Not sure if your email security has a gap?
Send us your setup and we will give you an honest read: whether what you already have is fully switched on, where the real gaps are for an organisation like yours, and whether a dedicated layer is worth it. We will tell you if it is not.
Prefer email? Reach us directly at hello@c4cgroup.co.uk.
Frequently asked questions
Is Microsoft 365 email security good enough on its own?
Often yes, especially once the higher Defender for Office 365 plan is licensed and properly tuned. For smaller, lower-risk, heavily Microsoft-native organisations it can be entirely sufficient. The case for adding a dedicated layer gets stronger when you are a high-value or regulated target, carry heavy business email compromise exposure, or lack the time to run the platform controls well.
What is the difference between Exchange Online Protection and Defender for Office 365?
Exchange Online Protection is the baseline that every Microsoft 365 mailbox gets: spam, known malware and basic filtering. Defender for Office 365 adds the stronger features in two plans: Plan 1 brings Safe Links, Safe Attachments, and anti-phishing and impersonation protection; Plan 2 adds automated investigation and response, threat hunting and attack simulation. A lot of estates run the baseline without the advanced plan enabled, which understates how much built-in protection is available.
What stops business email compromise when there is no malicious link or attachment?
That is the hardest class, because there is no payload to detonate. It relies on impersonation and social engineering, so defence comes from several places: strong impersonation detection; domain authentication such as DMARC, enforced at quarantine or reject so nobody can spoof your own domain at your own staff; process controls on things like bank detail changes, such as a call-back to a known number before any account is changed; and aware people. Filtering alone will not catch the most targeted versions, which is exactly why this category drives a lot of real loss.
Does a third party email gateway replace Microsoft or Google security?
It usually layers on top rather than replacing it. The value is independence from the mailbox platform, strength on the threats baseline filtering finds hardest, and the ability to remove a delivered message after the fact. If your built-in tier is fully enabled and fits your risk, a third-party layer may add little. Where it closes a gap you genuinely have, it earns its place.
Do I need Mimecast if I already have Microsoft 365?
Not automatically. We are a Mimecast partner and recommend it where it fits, for specific reasons: independence from the mailbox tenant, strength on impersonation and business email compromise, and after-delivery removal across affected mailboxes. If you are all in on Microsoft and willing to run Defender for Office 365 at its higher plan well, the incremental case is weaker, and we will tell you so. It depends on your risk and your estate, not on a default answer.
Can you give independent advice if you partner with Mimecast?
Yes, and the test is whether we will point you away from it. We will. For plenty of organisations the right answer is to enable and tune the security they already own, and we say that plainly. Mimecast is a frequent recommendation because it fits a common set of problems well, not because it is the answer to every question. The partnership is disclosed precisely so the recommendation can be judged on its reasons.