The Email Threat Landscape in 2025: AI-Powered Phishing and How to Fight Back

Email Is Still the Frontline — And the Attackers Know It

In 2025, despite every innovation in cybersecurity, email remains the dominant attack vector for threat actors targeting organizations of every size. Industry research consistently shows that more than 91 percent of successful cyberattacks begin with an email. Ransomware, credential theft, corporate espionage, financial fraud — almost all of it lands first in someone's inbox. The channel is universal, trusted, and impossible to turn off. That makes it uniquely valuable to attackers and uniquely challenging to defend.

What has changed in 2025 is not that email became more dangerous — it has always been dangerous — but that the sophistication of email-based attacks has increased dramatically, outpacing the traditional defensive tools that most organizations rely on. AI-generated spear phishing. Business Email Compromise that is indistinguishable from legitimate executive communication. QR code attacks that bypass URL scanning. Adversary-in-the-middle proxies that defeat multi-factor authentication. The threat landscape has evolved, and organizations still relying on gateway filtering and user awareness training as their primary defenses are increasingly exposed.

This guide surveys the email threat landscape as it stands in 2025, examines the technical controls that constitute a modern email security posture, and addresses the specific considerations facing Norwegian and Nordic organizations operating in an environment shaped by GDPR, NSM security frameworks, and a threat actor community that specifically targets Scandinavian organizations for financial and geopolitical reasons.

The 2025 Threat Landscape: What Has Changed

AI-generated phishing at scale is the most significant shift in the threat landscape over the past two years. Large language models have made it trivially easy to produce grammatically correct, contextually appropriate, personalized phishing emails at volume. The era of catching phishing by its poor grammar and generic salutations is over. Modern AI-generated phishing emails incorporate accurate sender context, reference real organizational relationships, and adopt communication styles that match the person they are impersonating. Campaigns that previously required skilled social engineers to produce a handful of targeted messages can now generate thousands of contextually appropriate variants automatically.

Business Email Compromise (BEC) has matured from a relatively simple fraud technique into a sophisticated operational practice. Modern BEC attacks involve extended reconnaissance phases — monitoring email chains for weeks or months to understand organizational relationships, financial processes, and communication patterns — followed by precisely timed interventions at moments of genuine financial activity. The typical BEC attack today involves an actor who has been reading organizational email for an extended period, who knows the names of real finance team members, real vendors, and real transaction amounts, and who times their impersonation to align with an expected payment or transfer.

Adversary-in-the-middle (AiTM) phishing has emerged as the dominant technique for defeating multi-factor authentication. AiTM attacks use a reverse proxy positioned between the user and the legitimate authentication service. When a user falls for the phishing link, they authenticate to the real service through the attacker's proxy — completing MFA successfully — while the attacker captures the resulting session token. The attacker can then use the session token directly, bypassing MFA entirely, because authentication has already completed. This technique has been used in large-scale campaigns targeting Microsoft 365 and Google Workspace, making MFA a necessary but no longer sufficient defense.

QR code phishing (quishing) exploits a specific gap in email security tooling. Most email security gateways scan URLs embedded in messages. QR codes in email images contain URLs that most gateway scanners do not analyze — the QR code is an image, not a link, and image analysis for QR content is not standard in most products. Attackers use QR codes to deliver phishing URLs that bypass gateway scanning, directing victims to credential harvesting pages or AiTM proxies.

Callback phishing directs victims to phone rather than click. A phishing email claims there is a problem requiring urgent resolution and provides a phone number to call. The victim calls and is socially engineered into installing remote access software, providing credentials, or authorizing financial transfers. Because the malicious action happens over the phone, email security tools that analyze URLs and attachments have limited visibility into the attack.

Supply chain compromise via email — targeting organizations through their suppliers and partners rather than directly — has become increasingly prevalent. An attacker who compromises a supplier email infrastructure can send emails that arrive from legitimate domains with valid DMARC authentication. These attacks are extremely difficult to detect with technical controls alone because the authentication signals are genuine.

Authentication Protocols: The Foundation

Email authentication is the technical foundation of any modern email security posture. Three protocols — SPF, DKIM, and DMARC — work together to verify that email messages claiming to come from your domain actually originate from infrastructure you authorize, and to specify what should happen to messages that fail this verification.

SPF (Sender Policy Framework) specifies which IP addresses and mail servers are authorized to send email on behalf of your domain. A DNS TXT record lists authorized sending sources; receiving mail servers check this record when they receive mail claiming to be from your domain. SPF alone has significant limitations: it only checks the envelope sender (not the From header that users see), it breaks with legitimate email forwarding, and it does not prevent spoofing of the display name. Despite these limitations, SPF is a necessary baseline that must be correctly configured.

DKIM (DomainKeys Identified Mail) uses asymmetric cryptography to add a digital signature to email messages. The signing key is published in DNS; receiving servers verify that the message content matches the signature. DKIM survives forwarding (because it signs content rather than checking sending IP), provides non-repudiation, and is required by DMARC. DKIM failures are a common source of email deliverability problems when organizations migrate mail infrastructure and neglect to update signing key configuration.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and adds policy enforcement. A DMARC record specifies what to do with messages that fail SPF and DKIM alignment: nothing (p=none, monitor mode), quarantine them, or reject them. DMARC reporting — aggregate and forensic reports sent to addresses you specify — provides visibility into who is sending email on behalf of your domain, including attackers attempting to send phishing email from your domain name.

The critical point about DMARC is the policy enforcement level. Many organizations have configured DMARC at p=none — monitor mode — and left it there indefinitely. Monitor mode collects reports but does not prevent spoofed messages from reaching recipients. For DMARC to actually protect against domain spoofing, the policy must be at p=quarantine or p=reject. Moving to reject is a non-trivial project for organizations with complex email sending infrastructure, but it is the only configuration that provides real protection.
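To make the reporting side concrete, here is an added Python example (not code from the original post or from ZeroSubnet) that parses a constructed DMARC aggregate report in the RFC 7489 XML format, sorts each sending source into authorized, needs-remediation (a real sender authenticating as some other domain) or likely spoof, and counts how many failing messages were still delivered because the published policy is p=none. The domain, IP addresses and counts are made up for the example.

```python
"""Triage a DMARC aggregate (RUA) report: who sends as our domain, and did it pass?"""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate XML format (not real receiver data).
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.no</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record><!-- our own mail server: SPF and DKIM both pass and align -->
    <row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.no</header_from></identifiers>
    <auth_results><dkim><domain>example.no</domain><result>pass</result></dkim>
      <spf><domain>example.no</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- a SaaS sender authenticating as its own domain: real, but not aligned -->
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.no</header_from></identifiers>
    <auth_results><dkim><domain>saas-mailer.example</domain><result>pass</result></dkim>
      <spf><domain>saas-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- unknown source, nothing authenticates: likely spoofing -->
    <row><source_ip>203.0.113.55</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.no</header_from></identifiers>
    <auth_results><spf><domain>example.no</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def _text(el, path, default=""):
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else default

def classify(record):
    """Label one <record>: aligned pass -> authorized; raw pass for another domain ->
    a legitimate sender needing SPF include / DKIM alignment; no pass at all -> spoof."""
    pe = record.find("row/policy_evaluated")
    if "pass" in (_text(pe, "dkim"), _text(pe, "spf")):
        return "authorized"
    raw = record.findall("auth_results/dkim") + record.findall("auth_results/spf")
    return "remediate" if any(_text(r, "result") == "pass" for r in raw) else "spoof"

def triage(xml_text):
    """Summarize a report: published policy, verdict and count per source IP, and how
    many failing messages were still delivered (disposition none under p=none)."""
    root = ET.fromstring(xml_text)
    sources, unprotected = {}, 0
    for rec in root.findall("record"):
        verdict, count = classify(rec), int(_text(rec, "row/count", "0"))
        sources[_text(rec, "row/source_ip")] = (verdict, count)
        if verdict != "authorized" and _text(rec, "row/policy_evaluated/disposition") == "none":
            unprotected += count
    return {"policy": _text(root, "policy_published/p", "none"),
            "sources": sources, "unprotected": unprotected}

if __name__ == "__main__":
    result = triage(SAMPLE_RUA)
    print(f"published policy: p={result['policy']}")
    for ip, (verdict, count) in result["sources"].items():
        print(f"{ip:>15}  {count:>5} msgs  {verdict}")
    print(f"{result['unprotected']} failing messages delivered anyway; move to p=quarantine/reject")
```

Real reports arrive gzipped or zipped at the rua= address and often contain hundreds of records, so the same per-record logic is normally run over an unpacked batch rather than a single file.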

Secure Email Gateways: What They Do and Do Not Do

Secure email gateways (SEGs) — products like Proofpoint, Mimecast, Cisco Secure Email, and others — sit in the email flow path and apply filtering to inbound and outbound messages. They provide meaningful protection against commodity threats: known-bad IP reputation, signature-based malware detection, URL reputation filtering, and attachment sandboxing.

The limitation of gateway-based filtering is its reliance on known-bad indicators. Malware signatures catch known malware; zero-day malware bypasses them. URL reputation databases catch known phishing URLs; newly registered domains used in fresh campaigns are not in the database yet. Attachment sandboxing catches known evasion techniques; sophisticated sandbox-aware malware avoids triggering sandbox analysis.

For targeted attacks — spear phishing campaigns specifically constructed to target your organization — gateway filtering provides limited protection precisely because the attacks are designed to avoid the signatures, reputation lists, and behavioral rules that gateways rely on. A spear phishing email with no malicious attachments, containing only a link to a newly registered phishing domain, with content indistinguishable from legitimate business email, will often pass gateway filtering without issue.

This does not mean gateways are not worthwhile — they are essential for the volume of commodity threats that would otherwise reach inboxes. But organizations that rely on gateway filtering as their primary defense against sophisticated threats are accepting a gap that attackers are actively exploiting.

Post-Delivery Controls and Detection

Given that sophisticated attacks increasingly bypass pre-delivery filtering, post-delivery controls have become an important layer of email security architecture. Microsoft 365 Defender and Google Workspace Security Center both offer retroactive message remediation: when a URL or attachment is identified as malicious after delivery, messages containing that indicator can be automatically quarantined from user mailboxes — even if they were delivered hours or days earlier.

Automated attack disruption has become a differentiating capability of enterprise email security platforms. When a compromised account begins sending internal phishing email, or when a credential phishing attack is detected in progress, automated response can revoke sessions, disable the account, and remove delivered messages within seconds of detection rather than the minutes or hours of a manual response.

Email threat intelligence integration gives security operations teams the context needed to triage and respond to email-based threats efficiently. Knowing that a phishing campaign targeting your industry is using a specific set of domains, or that a specific threat actor group is conducting BEC campaigns against Norwegian financial organizations, provides the context needed to prioritize investigation and hunt proactively.

The Human Layer: Awareness, Simulation, and Culture

Technical controls are necessary but not sufficient. The endpoint of every email security control is a human who decides what to do with a message. User awareness training has been a staple of security programs for years, but its limitations are increasingly well-documented: point-in-time training produces modest and temporary improvements in phishing simulation click rates, and there is limited evidence that it prevents real-world phishing compromise in sophisticated targeted attacks.

This does not mean abandoning user education — it means being realistic about what it accomplishes and using it in combination with technical controls rather than as a substitute for them. The most valuable function of user education in the current threat landscape is not teaching users to spot phishing (they will miss sophisticated attacks) but training them to report suspicious email quickly through a frictionless process. Every reported suspicious email is an opportunity for security operations to investigate a potential attack.

Phishing simulations are most valuable when used to identify users who repeatedly fail to report or who repeatedly click, enabling targeted training or process changes for high-risk individuals. Used as a metric to demonstrate program effectiveness, they are of limited value. Used as a diagnostic to improve controls and identify behavioral patterns, they have meaningful application.

Norwegian and Nordic Threat Context

Norwegian organizations face a threat environment that reflects both their position in a high-income economy and their proximity to geopolitical tensions. NSM (Nasjonal sikkerhetsmyndighet) annual threat assessments have consistently documented significant threat actor interest in Norwegian targets across critical sectors: energy (particularly the petroleum sector), maritime, financial services, public administration, and defense-related industries.

State-sponsored threat actors targeting Norwegian organizations use email as a primary initial access vector. Spear phishing campaigns attributed to Russian and Chinese state actors have targeted Norwegian government ministries, energy sector organizations, and defense industry entities with significant frequency. These campaigns are characterized by extended reconnaissance, highly personalized social engineering, and the use of infrastructure specifically designed to evade Norwegian email security products.

The financial fraud vector is also significant. Norwegian businesses are targeted by BEC campaigns that leverage the country's high per-capita transaction values — the average BEC fraud in high-income European markets is substantially higher than global averages, making Norwegian organizations particularly attractive targets. Attackers conducting Norwegian-language BEC use accurate business terminology, reference real organizational details sourced from public records and LinkedIn, and time interventions to align with Norwegian business patterns including specific public holidays and fiscal periods.

GDPR compliance adds a regulatory dimension to email security in Norway that shapes both technical requirements and incident response obligations. A successful phishing attack resulting in unauthorized access to personal data is a potential GDPR breach requiring assessment and, if criteria are met, notification to Datatilsynet within 72 hours. Organizations must be able to assess rapidly what data was accessible to a compromised account, which requires both technical access controls limiting what individual accounts can access and audit logging that makes access reconstruction possible.

Email security decisions in Norway must also account for data processing location. Email security services that route message content through US-based infrastructure — attachment sandboxing, URL detonation, AI-based content analysis — create potential GDPR compliance questions. Providers offering EU-based data processing for Norwegian customers should be prioritized where compliance requirements are stringent.

Microsoft 365 and Google Workspace: Platform-Native Security

The consolidation of enterprise email onto Microsoft 365 and Google Workspace has created a new architecture context for email security. Both platforms include substantial native security capabilities that are often underutilized: Microsoft Defender for Office 365 Plan 2, when fully configured, provides anti-phishing policies, safe links, safe attachments, attack simulation training, automated investigation and response, and threat explorer.

The case for native platform security versus third-party SEG overlays is more nuanced than vendors on either side acknowledge. Native security offers deep integration with the platform identity and access controls, zero-delay access to platform threat intelligence, and tighter coupling with automated response capabilities. Third-party SEGs offer vendor diversity, often more granular policy controls, and in some cases superior sandbox or URL analysis capabilities.

For most organizations, the most effective approach combines platform-native advanced security with additional controls at specific high-risk points: enhanced protection for executive accounts, additional authentication requirements for finance team email workflows, and specific technical controls around high-value data that email provides access to.

Hardening the Microsoft 365 Email Environment

Microsoft 365 is the dominant email platform in Norwegian enterprise, and its default configuration is materially less secure than it should be. A prioritized hardening checklist:

DMARC at reject: The absolute baseline. Ensure your domain has a DMARC record at p=reject with aggregate reporting configured. Review DMARC aggregate reports regularly to identify unauthorized sending sources and legitimate senders needing SPF/DKIM remediation.

Anti-phishing policies: Enable impersonation protection for executive and high-value accounts. Configure mailbox intelligence-based impersonation detection. Enable spoof intelligence and review the spoof intelligence report.

Safe Links and Safe Attachments: Enable Safe Links with URL detonation for all email and Office documents. Enable Safe Attachments with dynamic delivery to avoid message delivery delays while attachments are analyzed. Ensure these policies apply to all users.

Attack Surface Reduction: Disable SMTP AUTH for mailboxes that do not require it. Disable basic authentication. Review external email forwarding rules — automatic external forwarding is a common exfiltration path that should be disabled or limited to specific authorized domains.

Conditional Access for email access: Require compliant device enrollment for email access from mobile. Enforce phishing-resistant MFA (FIDO2 or certificate-based) for administrative accounts. Configure sign-in risk policies that trigger step-up authentication when unusual behavior is detected.
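The last checklist item, phishing-resistant MFA, is the direct answer to the adversary-in-the-middle technique described earlier. The following added Python example (not code from the original post, and a deliberately simplified model rather than a real WebAuthn library) shows why: the browser binds each FIDO2 assertion to the origin it actually loaded, so an assertion produced on a proxy's lookalike domain fails the relying party's origin check even though the proxy relayed the genuine challenge. The relying party id, origins and credential secret are constructed, and an HMAC stands in for the authenticator's real signature.

```python
"""Why FIDO2/WebAuthn resists AiTM: an assertion is bound to the origin the browser loaded."""
import base64, hashlib, hmac, json

RP_ID = "example.no"                          # assumed relying party id of the real login service
EXPECTED_ORIGIN = "https://login.example.no"  # the only origin the relying party accepts
CRED_KEY = b"constructed-credential-secret"   # stand-in for the authenticator's private key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_assert(origin, rp_id, challenge):
    """Toy authenticator. The *browser* fills in origin and rp_id from the page it is
    actually showing; page script cannot override them. HMAC stands in for the ECDSA
    signature a real authenticator makes over authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"  # rpIdHash|flags|counter
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def relying_party_verify(assertion, challenge):
    """The relying party's checks, in WebAuthn order: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "type/challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"   # an AiTM proxy fails here
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, assertion["authenticatorData"]
                        + hashlib.sha256(assertion["clientDataJSON"]).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    """Legitimate sign-in versus the same challenge relayed through a proxy on a lookalike origin."""
    challenge = b64url(b"constructed-random-challenge")
    ok_legit, _ = relying_party_verify(
        authenticator_assert(EXPECTED_ORIGIN, RP_ID, challenge), challenge)
    # AiTM: the proxy relays the real challenge, but the victim's browser is on the proxy's
    # domain, so the assertion (if the browser produces one at all) names that origin, and a
    # credential registered for example.no is not even offered from an unrelated domain.
    proxied = authenticator_assert("https://login.example.org", "example.org", challenge)
    ok_proxy, reason = relying_party_verify(proxied, challenge)
    return ok_legit, ok_proxy, reason

if __name__ == "__main__":
    print(demo())   # (True, False, 'origin mismatch: https://login.example.org')
```

Contrast this with an OTP or push approval, which carries no origin at all and is therefore relayed by the proxy unchanged.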

ZeroSubnet Email Security Support

ZeroSubnet's security operations team supports Norwegian and Nordic organizations through email security assessments, DMARC implementation projects, and incident response for email compromise events — drawing on current threat intelligence specific to the Nordic region and experience with the compliance requirements that shape how email security must be implemented in Norwegian regulatory contexts.

For organizations working through DMARC enforcement, M365 hardening, or post-incident remediation, ZeroSubnet brings both the technical implementation capability and the regional context needed to build defenses that are appropriate for the actual threat actors targeting Norwegian and Nordic organizations.

Incident Response for Email Compromise

When email compromise occurs — through credential phishing, AiTM attack, or direct account compromise — the response sequence matters enormously for limiting damage. Documented runbooks for email compromise incidents ensure that the right actions happen in the right order, even under the pressure of a live incident.

The immediate containment steps: revoke all active sessions for the compromised account, reset the account password, temporarily disable the account if business impact allows. In Microsoft 365, this is accomplished through the Revoke-AzureADUserAllRefreshToken cmdlet and admin center account controls.

The investigation steps: review sign-in logs for the compromised account to identify the attack timeline and any access from unusual locations or devices. Review mailbox audit logs for email reads, forwards, and rule changes during the compromise period. Check for auto-forward rules or inbox rules created by the attacker. Review OAuth application consents — phishing attacks often request OAuth permission grants that persist after password reset.

The scope assessment: determine what data the compromised account had access to. Review emails sent from the account during the compromise period for evidence of BEC attempts. Check whether the account was used to phish internal colleagues. Assess GDPR notification obligations based on what personal data was accessible.
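The investigation and scope steps above are mostly log review, and the patterns they look for can be encoded. The following added Python example (not code from the original post or from ZeroSubnet) runs that triage over a small set of constructed audit events for one mailbox: sign-ins from outside the user's known networks, inbox rules that forward externally or delete mail, and OAuth consent grants, all within a stated compromise window. The record layout is loosely modelled on unified audit log entries but the field names, domains, IPs and application name are assumptions for the example.

```python
"""Triage constructed M365-style audit events for one compromised mailbox."""
from datetime import datetime

ORG_DOMAINS = {"example.no"}        # assumed: mail domains the organization owns
BASELINE_IPS = {"192.0.2.44"}       # assumed: the user's known office/VPN egress
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed events loosely modelled on unified audit log AuditData records.
# The field names are assumptions for this example, not a guaranteed export format.
EVENTS = [
    {"CreationTime": "2025-03-02T16:00:00", "Operation": "UserLoggedIn",
     "UserId": "kari@example.no", "ClientIP": "192.0.2.44"},              # before the window
    {"CreationTime": "2025-03-03T07:41:12", "Operation": "UserLoggedIn",
     "UserId": "kari@example.no", "ClientIP": "203.0.113.9"},             # unknown network
    {"CreationTime": "2025-03-03T07:44:03", "Operation": "New-InboxRule",
     "UserId": "kari@example.no", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "kari.backup@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T07:45:30", "Operation": "Consent to application.",
     "UserId": "kari@example.no", "ClientIP": "203.0.113.9",
     "ObjectId": "Mail Sync Helper"},                                     # OAuth grant
    {"CreationTime": "2025-03-03T09:02:11", "Operation": "New-InboxRule",
     "UserId": "kari@example.no", "ClientIP": "192.0.2.44",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},      # benign rule
]

def is_external(address):
    """True when a recipient address lies outside the organization's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def rule_findings(event):
    """Flag inbox rules that exfiltrate (external forward/redirect) or hide (delete) mail."""
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    found = [f"rule forwards externally: {k}={params[k]}"
             for k in FORWARD_PARAMS if k in params and is_external(params[k])]
    if params.get("DeleteMessage", "").lower() == "true":
        found.append("rule deletes incoming mail (hides attacker traffic from the user)")
    return found

def triage(events, user, start, end):
    """Return (timestamp, client_ip, finding) tuples for suspicious activity by `user`
    between the ISO-8601 timestamps `start` and `end` (the suspected compromise window)."""
    t_start, t_end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    findings = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        ts = datetime.fromisoformat(ev["CreationTime"])
        if ev["UserId"] != user or not (t_start <= ts <= t_end):
            continue
        ip, op = ev.get("ClientIP", "?"), ev["Operation"]
        if op == "UserLoggedIn" and ip not in BASELINE_IPS:
            findings.append((ts, ip, "sign-in from an IP outside the user's baseline"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            findings += [(ts, ip, f) for f in rule_findings(ev)]
        elif op == "Consent to application.":
            findings.append((ts, ip, f"OAuth consent to '{ev.get('ObjectId')}' (survives a password reset)"))
    return findings

if __name__ == "__main__":
    for ts, ip, what in triage(EVENTS, "kari@example.no", "2025-03-03T07:00:00", "2025-03-04T18:00:00"):
        print(f"{ts:%Y-%m-%d %H:%M}  {ip:<13} {what}")
```

Every finding here comes from the same unknown IP, which is the kind of correlation that turns a list of log lines into an attack timeline for the GDPR assessment.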

Building a Defensible Email Security Program

Email security is not a product purchase — it is a program that requires sustained attention as the threat landscape evolves and as organizational email infrastructure changes. The organizations most effective at defending against email-based threats share several characteristics.

They treat email security as a risk management discipline, not a compliance checkbox. They maintain current awareness of the specific threats targeting their industry and geography. They regularly test their defenses — through attack simulations, red team exercises, and external assessments — rather than assuming that configured controls remain effective. They have documented, practiced incident response procedures for email compromise events. And they review and update their controls when the threat landscape changes or when new attack techniques emerge that bypass existing defenses.

The threat landscape in 2025 is sophisticated, targeted, and evolving rapidly. Organizations that approach email security with the same rigor they apply to other critical infrastructure risks — with continuous investment, regular testing, and adaptation to emerging threats — are significantly better positioned than those treating email security as a solved problem. Given that email is the initial access vector for the overwhelming majority of significant cyber incidents, this distinction in security posture is likely to be the deciding factor in whether the next attack succeeds or is contained before damage is done.

©2026 ZeroSubnet AS  ·  Org. nr. 923 669 442
Leif Tronstads plass 6, 1337 Sandvika