The "Just Looks Real Enough" Email: Why Your Inbox Filter Isn't Catching Modern Threats

Your accountant opens an invoice that looks exactly like one she's paid 40 times before. Same vendor name, same logo, same payment portal. She forwards it for approval. Three days later the real vendor calls asking why the wire never landed. The email cleared every spam filter on the way in — because today's attackers don't bother with bad grammar and weird links. They send email that looks completely normal.

Why the built-in filter is no longer enough

Microsoft 365 and Google Workspace include spam filters, and they're good at the easy stuff: bulk junk, obvious scams, malware attachments. The problem is everything between "obvious scam" and "legitimate email" — the gray zone where modern attacks live.

What advanced email filtering actually catches

• Look-alike domains that swap one letter (microsft.com, yourvend0r.com)

• Display-name spoofing where the sender's name says "Your CEO" but the address is a Gmail account

• Conversation-thread hijacking where attackers reply inside a real email chain they stole

• Brand-new domains registered hours ago specifically to send one phishing wave

• Payment-redirect requests and vendor-banking-change emails that ride on social engineering, not malware

• Malicious links that look clean at delivery but flip to a phishing page minutes later

Signs your current filter is leaving gaps

• Staff regularly get emails "from" leadership asking for gift cards or wire transfers

• You've seen at least one near-miss invoice fraud in the last year

• You can't tell who in your company has reported a suspicious email this month

• There's no quarantine review — anything not blocked just lands in inboxes

What you can do this week

• Run a search of the last 30 days for messages from look-alike versions of your top 5 vendor domains

• Turn on external-sender warning banners in Microsoft 365 or Google Workspace if they aren't on

• Pick one finance process — like banking changes — and require a phone callback to a known number, not a reply

The goal isn't to block every email. It's to make sure the one designed to fool your team never reaches them in the first place. A good filter does the hard work before anyone has to make a judgment call at 4:55 on a Friday.