4UIT / OPS · OTTAWA

The 90% of attacks that arrive by inbox.

Email is still the front door for almost every breach. Our managed email security gateway sits in front of M365 and Google Workspace — blocking phishing, BEC and payloads before they land.

Microsoft 365 catches the obvious stuff. The interesting stuff is what gets through.

Verizon's 2024 DBIR puts email at the entry point of more than 70% of confirmed business breaches. Microsoft 365's built-in filters (EOP / Defender) are competent for known-bad attachments, but lag noticeably on social-engineering attacks: invoice fraud, vendor impersonation, OAuth consent phishing, AI-generated CEO requests with no payload at all.

An email security gateway sits between the public internet and your tenant. It applies a second layer of detection — sandboxing, URL rewriting, behavioural impersonation checks, sender reputation, time-of-click rescanning — before the message ever reaches a user's inbox.

What 4UIT deploys

For most Ottawa SMBs we deploy Sophos Email or Mimecast in front of Microsoft 365 or Google Workspace, depending on the size and compliance posture of the business. Both integrate cleanly, and both rewrite URLs at click time, so a link that goes bad ten minutes after delivery is still caught.

Where email matters more (legal, healthcare, financial), we layer in DMARC enforcement (so attackers can't spoof your domain to your customers), inbound impersonation rules (so a "ceo@4uit.co" lookalike never reaches your accounts payable team), and outbound DLP (so a misdirected client list doesn't leave your tenant).

What gets caught

Phishing. Business Email Compromise (BEC) — the fake-CEO wire-transfer requests that don't carry malware. Vendor invoice fraud. Ransomware loaders disguised as resumes or shipping notices. OAuth consent phishing, where the attacker doesn't need a password, just your click. AI-generated spear phishing in fluent French, English, or your native language.

What it looks like day-to-day

For the user: nothing changes. Mail still arrives in Outlook. Quarantined messages appear in a daily digest the user can self-release for false positives. For you: a monthly report from 4UIT showing what was blocked, what was let through, what we tuned, and a recommendation queue for users who keep clicking what they shouldn't.

Common questions.

Doesn't Microsoft 365 already filter spam and phishing?

It does — and it does it well for the obvious cases. The gap shows up on social-engineering attacks that don't carry payloads, on lookalike domains, and on payloads that activate after delivery. A dedicated gateway closes those gaps; the two layers don't conflict.

Will it slow down email delivery?

The gateway typically adds 1–3 seconds to inbound delivery, which is below the threshold any human notices. Outbound is unchanged.

What about false positives on legitimate marketing or vendor mail?

Users get a daily digest of quarantined messages and can self-release. We tune sender lists weekly during the first month, then monthly thereafter. Most customers see false-positive rates under 0.5% within 60 days.

Can it work with Google Workspace, not just Microsoft?

Yes — both Sophos and Mimecast can sit in front of a Google Workspace tenant. Most of our deployments are M365 because that's most of Ottawa's business stack, but Google is fully supported.

How does DMARC fit in?

DMARC stops attackers from sending mail that looks like it came from your domain to your customers. We deploy DMARC in monitor mode first, watch for legitimate senders we don't know about, then move to enforcement. It's a 60–90 day project that meaningfully reduces brand-impersonation risk.

Ready to make your IT boring?

20-minute call. No deck, no pressure. We listen, then propose.
