The Inbox Is Not Safe: Why AI Phishing Bypasses Everything You Trust

There is a common belief among organisations using Microsoft 365 or Google Workspace that email security is largely taken care of. The platform is enterprise-grade. The filters are enabled. Compliance boxes are ticked. What more is needed?

The answer is: far more than most teams realise.

The phishing attacks that cause the greatest damage today, from business email compromise and credential theft to fraudulent payment redirection, are designed to look exactly like the emails that are supposed to get through.

The Threat Has Evolved. The Defences Have Not

Email remains the most exploited entry point for cyber attacks.

According to Cloudflare, 91% of cyber attacks begin with a phishing email. That figure has remained consistently high for years. What has changed dramatically is the sophistication of the attack itself.

The phishing emails that do the most damage are no longer the obvious ones: poorly written password reset messages, suspicious attachments, or emails from clearly untrustworthy senders. Those are often caught.

What gets through now are highly convincing attacks that use AI to:

  • replicate writing patterns
  • mimic supplier or partner communication styles
  • impersonate executives
  • deploy links that appear safe at the time of delivery, but become malicious later

This final category, often called deferred or post-delivery phishing, is especially dangerous. The email arrives looking legitimate. The link resolves cleanly. The filter marks it as safe. Then, hours or days later, the destination changes. The user clicks, and the damage is done.
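One way a defender can look for this deferred pattern is to re-resolve the links in mail that has already been delivered and compare each result with the destination recorded at delivery. The following is an added example, not code from the original post or from Cloudflare; the record fields, the sample data and the 14-day lookback default are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: final redirect destination recorded for each link at delivery.
DELIVERED = [
    {"msg_id": "m1", "rcpt": "ap@example.com", "delivered": "2024-05-10T09:00:00",
     "url": "https://files.example.net/inv/881",
     "final_at_delivery": "https://files.example.net/inv/881"},
    {"msg_id": "m2", "rcpt": "ap@example.com", "delivered": "2024-05-12T15:30:00",
     "url": "https://files.example.net/po/17",
     "final_at_delivery": "https://files.example.net/po/17"},
    {"msg_id": "m3", "rcpt": "hr@example.com", "delivered": "2024-05-13T08:00:00",
     "url": "https://docs.example.com/policy",
     "final_at_delivery": "https://docs.example.com/policy"},
    {"msg_id": "m4", "rcpt": "it@example.com", "delivered": "2024-04-20T08:00:00",
     "url": "https://files.example.net/old",
     "final_at_delivery": "https://files.example.net/old"},
]
# Constructed sample: where the same links resolve when re-checked later.
RECHECK = {
    "https://files.example.net/inv/881": "https://login.example.org/signin",
    "https://files.example.net/po/17": "https://login.example.org/signin",
    "https://docs.example.com/policy": "https://docs.example.com/policy/v2",
    "https://files.example.net/old": "https://login.example.org/signin",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def find_deferred(delivered, recheck, now, lookback_days=14):
    """Messages in the lookback window whose link now lands on a different host."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for m in delivered:
        when = datetime.fromisoformat(m["delivered"])
        current = recheck.get(m["url"])
        if when < cutoff or current is None:
            continue  # too old, or the link was never re-checked
        if host(m["final_at_delivery"]) != host(current):
            # A host change is a triage signal, not proof of malice.
            age_h = int((now - when).total_seconds() // 3600)
            hits.append({**m, "final_now": current, "hours_after_delivery": age_h})
    return hits

def most_targeted(hits):
    return Counter(h["rcpt"] for h in hits).most_common()
```

Messages flagged this way still need review, since legitimate links also move between hosts; the value of the check is that it looks again after the delivery-time verdict was issued.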

Native Controls Were Not Built For This

Microsoft 365 and Google Workspace both include native email security features such as authentication controls, spam filtering, and basic malware detection. For large volumes of unwanted email, spam campaigns, known malware, and generic phishing attempts, these controls can be effective.

But they were not built to stop the attacks that matter most.

Targeted, low-volume business email compromise campaigns do not trigger volume-based heuristics. Supplier impersonation attacks can pass authentication checks because they come from legitimate domains. AI-generated phishing content can evade signature-based detection because it does not match known patterns.

Cloudflare positions its email security platform as an added layer for Microsoft 365 and Google Workspace, combining native email controls with AI-driven phishing and BEC protection to improve coverage against advanced attacks.

What Would The Last 14 Days Reveal?

This is the question the Cloudflare Phishing Retro Scan is designed to answer.

The Retro Scan reviews Microsoft 365 inboxes in minutes, identifying malicious and unwanted emails that have already been delivered in the past 14 days. This includes active phishing attacks that have bypassed existing controls and may still be sitting in users’ inboxes right now.

The scan identifies five categories of threat:

  • malicious emails containing harmful links or payloads
  • suspicious emails with indicators of malicious intent
  • spoofed emails impersonating trusted senders
  • bulk marketing noise
  • spam

It also generates a detailed report showing:

  • the most targeted users
  • the attack types detected
  • the threat actors involved

For many organisations, the results are revealing. The assumption that native controls are catching everything is replaced by evidence showing what is actually reaching users, and what action should be taken next.

Start With Evidence, Not Assumptions

One of the most valuable things about the Cloudflare Phishing Retro Scan is what it does not require.

There is:

  • no hardware
  • no software installation
  • no disruption to mail flow
  • no long deployment cycle

It runs in minutes and gives security and IT teams a factual basis for evaluating their email security posture.

If the scan finds nothing, that is useful reassurance. If it finds active threats, which Cloudflare’s data suggests is likely, that insight is even more valuable.

Either way, assumptions are replaced with evidence.

And that is where every serious conversation about AI phishing protection should begin.

See The Phishing Threats Already in Your Inbox

Run a free Cloudflare Phishing Retro Scan.

Scan your Microsoft 365 inboxes in minutes, with no hardware, no software, and no impact to mail flow.
