Email Security Assessment

It is easy to think of email as simply messages arriving in an inbox. In security terms it is something stranger and more dangerous: simultaneously a target, a weapon, and a control. It remains a core method by which attackers can target your organisation. Your email infrastructure determines whether your own domain can be turned against you, and hence affects the viability of many other attacker strategies, including the social engineering strategies our Social Engineering Assessment tests. The Email Security Assessment examines all three dimensions - whether your domain can be abused to impersonate you, whether malicious mail reaches your people, and whether your mail platform itself resists compromise.

Can An Attacker Send Mail As You?

It may seem obvious that only you can send emails from your address, but in fact, email is shockingly insecure by default. Just as nothing stops you from mailing a letter with a false return address, without appropriate configuration it may be entirely possible for an attacker to impersonate your email. We check for SPF, DKIM, and DMARC records that determine whether an attacker can convincingly spoof your domain to your own staff, your customers, and your suppliers. Misconfiguration here is endemic. Where your authentication is incomplete, we set out a practical path to enforcement rather than simply flagging the gap - such as addressing overly permissive SPF records, or moving DMARC from monitoring to quarantine to reject without breaking legitimate mail, and using aggregate reporting to find the sending services you had forgotten along the way.

Does Malicious Mail Reach A Human?

Inbound, we assess the gateway and filtering that should stop malicious mail before it reaches anyone - how your platform handles dangerous attachments, malicious and lookalike links, and the spoofing of trusted internal and external senders. This requires testing more than just configuration - it also intersects with your processes and policies about what mail clients members of your organisation use, and what instructions you give them about content in emails. Where it is in scope, we test these defences with controlled, benign payloads so you see the result rather than infer it. We also look outward, for the lookalike and cousin domains an attacker can register to impersonate you convincingly even when your own domain is locked down.

The Platform Itself

For many organisations the mail platform now means Microsoft 365 or Google Workspace, and we examine the post-compromise risks that follow a single stolen mailbox: malicious inbox and forwarding rules used to maintain covert access, OAuth application consents that let an attacker retain access even after a password change, and the auditing and alerting that determine whether any of it would be noticed. Business email compromise - the patient hijacking of a real conversation to redirect a payment - depends on exactly these weaknesses, and remains one of the most financially damaging attacks an organisation can suffer. Furthermore, we can investigate the extent to which a compromised email account could be used as a stepping stone to access to your other services - for example, if email is your sole form of multi-factor authentication, or if access to your email is sufficient for an attacker to reset passwords. This naturally overlaps with, and complements, our Cloud and Identity Assessment.

What You Receive

You receive your full email risk picture: spoofing exposure, inbound filtering effectiveness, and platform configuration. For each of these topics, we provide prioritised, specific remediation. Because the most damaging email attacks end in a fraudulent payment rather than a malware infection, our recommendations extend beyond the technical into the procedural, such as processes for external verification of payment changes and approval control policies that stop a perfectly authentic-looking instruction from costing you real money. This makes our Email Security Assessment relevant to your finance team as well as your IT team. If appropriate to your organisation, we also can recommend safer email workflows that while simple may simply not have occurred to many organisations, such as the use of local email clients like Thunderbird that enable tighter control policies and even encryption integration.