Why Good Email Security Still Lets Some Phishing Emails Through
A real-world phishing investigation and what small business owners should know about how modern phishing slips past Microsoft 365, Proofpoint, Mimecast, and other filters.
Most business owners assume that if they're paying for Microsoft 365, AppRiver, Proofpoint, Mimecast, or another email security service, phishing emails should never make it into their inbox.
Unfortunately, modern phishing attacks don't work the way they used to.
Recently, while investigating a suspicious email campaign, we analyzed a domain that had been registered only the day before the emails were sent. That alone raised immediate concerns: new domains are frequently used by cybercriminals because they have little or no reputation history.
What we found highlights a growing challenge for every email security provider.
The Old Days of Phishing
Years ago, phishing emails often came from obviously suspicious sources:
- Domains with random names
- Compromised servers already known for spam
- Missing email authentication records
- Poorly configured infrastructure
Security systems could easily identify and block many of these threats because they had already developed a bad reputation.
The New Reality
Today's attackers are much more sophisticated.
Instead of using old infrastructure, they can:
- Register a brand-new domain
- Configure SPF records
- Configure DKIM signatures
- Configure DMARC policies
- Set up a mail server
- Launch a phishing campaign within hours
To an email filtering system, the messages can appear technically legitimate: SPF, DKIM, and DMARC all pass, because the attacker controls both the domain and the server sending the mail.
In other words, the emails are not spoofed.
They really do come from the domain they claim to come from; the problem is who registered that domain.
What We Found
During our investigation, we discovered several warning signs:
- The domain had been registered within the previous 24 hours
- The mail server was self-hosted rather than using Microsoft 365 or Google Workspace
- The server used a generic virtual private server (VPS) hostname
- The infrastructure was hosted overseas
- The domain had little to no reputation history
Individually, none of these indicators prove malicious intent.
Taken together, however, they create a pattern commonly associated with phishing infrastructure.
Why Email Security Doesn't Always Block These Messages
Many business owners assume email security products simply maintain a list of "good" and "bad" domains.
In reality, modern filtering systems rely heavily on reputation, behavior, authentication, and threat intelligence.
The challenge is that a domain that is only one day old has very little history.
If an attacker configures everything correctly, there may not yet be enough evidence for automated systems to confidently classify the domain as malicious.
This creates a window of opportunity that cybercriminals actively exploit.
What Businesses Can Do
Technology is only one layer of protection.
Organizations should also:
- Enable multifactor authentication (MFA)
- Use advanced email security tools
- Conduct regular phishing awareness training
- Report suspicious emails immediately
- Review newly observed sender domains carefully
- Maintain strong incident response procedures
Most successful phishing attacks are stopped when employees recognize something unusual and ask questions before clicking.
The Importance of Investigation
When suspicious emails appear, it is important to investigate the infrastructure behind them rather than focusing only on the message itself.
Questions we ask include:
- How old is the domain?
- Where is it hosted?
- Who is providing email services?
- Does the infrastructure look legitimate?
- Is the sender impersonating a trusted organization?
These details often reveal patterns that aren't immediately visible from the email alone.
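The warning signs listed under "What We Found" and the questions above can be turned into a repeatable triage check. The following is an added example written for this article, not a tool from Realm Defense or any vendor named here; the hosted-provider MX suffixes, the generic-VPS hostname pattern, the 30-day age threshold, and the sample sender data are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumption: mail relayed through these MX suffixes is treated as a hosted
# provider (Microsoft 365 / Google Workspace); anything else counts as self-hosted.
HOSTED_MX_SUFFIXES = ("protection.outlook.com", "google.com", "googlemail.com")
# Assumption: a reverse-DNS first label like "vps41872" or "srv-7" is a generic VPS name.
GENERIC_HOST = re.compile(r"^(vps|srv|server|host|node)-?\d+$", re.IGNORECASE)

@dataclass
class SenderInfra:
    """Facts an analyst gathers about a sender domain (constructed for this example)."""
    domain: str
    registered: date        # creation date from WHOIS/RDAP
    mx_host: str            # lowest-preference MX record
    sending_ptr: str        # reverse DNS of the connecting IP
    hosting_country: str    # from IP geolocation / RIR data
    auth_passed: bool       # SPF, DKIM and DMARC all pass; recorded, never used to lower risk

def triage(info: SenderInfra, today: date, home_country: str = "US") -> list[str]:
    """Return the article's warning signs that this sender exhibits."""
    findings = []
    age = (today - info.registered).days
    if age <= 1:
        findings.append(f"domain registered {age} day(s) ago")
    elif age < 30:
        findings.append(f"domain only {age} days old")
    if not info.mx_host.lower().endswith(HOSTED_MX_SUFFIXES):
        findings.append(f"self-hosted mail (MX {info.mx_host})")
    if GENERIC_HOST.match(info.sending_ptr.split(".")[0]):
        findings.append(f"generic VPS hostname {info.sending_ptr}")
    if info.hosting_country.upper() != home_country.upper():
        findings.append(f"hosted in {info.hosting_country}, outside {home_country}")
    return findings

def risk_level(findings: list[str]) -> str:
    """Each signal is weak on its own; escalate when several appear together."""
    return "high" if len(findings) >= 3 else "medium" if findings else "low"

# Constructed samples: a day-old self-hosted domain (as in the investigation) and a long-established tenant.
TODAY = date(2024, 3, 11)
SAMPLE = SenderInfra("example-invoices.test", date(2024, 3, 10), "mail.example-invoices.test",
                     "vps41872.hosting.example", "NL", auth_passed=True)
CLEAN_SAMPLE = SenderInfra("established.test", date(2015, 1, 1), "established-test.mail.protection.outlook.com",
                           "mail-eopbgr123.outbound.protection.outlook.com", "US", auth_passed=True)

if __name__ == "__main__":
    for sender in (SAMPLE, CLEAN_SAMPLE):
        hits = triage(sender, TODAY)
        print(sender.domain, risk_level(hits), hits)
```

Note that `auth_passed` is reported but never scored: a one-day-old domain that passes SPF, DKIM, and DMARC is exactly the case the article describes, so passing authentication is not evidence of legitimacy here.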
Final Thoughts
No email security platform is perfect.
Microsoft, Google, AppRiver, Proofpoint, Mimecast, and other providers all face the same challenge: attackers can build convincing infrastructure faster than reputation systems can react.
The goal is not to rely on a single layer of protection.
The goal is to combine technology, user awareness, and ongoing monitoring to reduce risk and quickly identify suspicious activity when it occurs.
At Realm Defense, we routinely investigate suspicious domains, phishing attempts, and email threats to help businesses understand what they're facing and respond appropriately before damage occurs.
Because in cybersecurity, asking questions before clicking is often the difference between a minor inconvenience and a major incident.