Unlocking Positive Business Results Through Technology

Enhancing Microsoft 365 Security: Combating Business Email Compromise

Written by Network Solutions | June 23, 2026 2:08:04 PM Z

There's a peculiar irony at the heart of modern email security: the most damaging attacks no longer look like attacks at all. No malware. No suspicious link. No exploit kit prying open a forgotten vulnerability. Just a well-timed message, written in a tone your CFO might actually use, asking for something that sounds completely reasonable. By the time anyone questions it, the money is gone.

That’s Business Email Compromise (BEC), and it has quietly become one of the most expensive categories of cybercrime in the world. According to the FBI’s Internet Crime Complaint Center (IC3), BEC accounted for roughly $3 billion in reported losses in 2025, with an average loss per incident exceeding $120,000 — and 86% of that money moved out the door via wire transfer or ACH, often before anyone realized something was wrong. The number is striking not because it’s an outlier, but because it isn’t. BEC has hovered near the top of IC3’s loss categories for years, a stubborn reminder that the weakest point in any security architecture is rarely the firewall. It’s the moment a person decides to trust something.

Microsoft 365 has done a remarkable job hardening that moment. Defender for Office 365, Entra ID Conditional Access, and built-in anti-phishing heuristics represent some of the most sophisticated native protections available in any productivity platform. And yet BEC losses keep climbing. That’s not a contradiction — it’s a clue. It suggests that the problem was never really about which vendor builds better filters. It’s about the nature of trust itself, and whether any single platform, however capable, can fully police the space where trust gets exploited.

What Business Email Compromise Actually Is

BEC is less a single attack technique than a philosophy of deception. It doesn’t try to break through your defenses; it tries to become indistinguishable from the things your defenses are designed to let through. CEO fraud convinces an employee that an urgent request from leadership is exactly what it appears to be. Vendor payment scams hijack the quiet routine of accounts payable, redirecting a wire transfer that looks identical to dozens that came before it. Account takeover doesn’t knock down the door — it walks in wearing the legitimate user’s credentials. MFA fatigue attacks exploit the very control designed to stop them, flooding a user with push approval requests until habit overrides judgment. OAuth application abuse (consent phishing) goes a step further: the user is tricked into granting a malicious app delegated permissions to their mailbox and files, and from then on the app holds tokens that let it read and send mail without ever having to pass the login screen or MFA again.

What unites these techniques is that they target judgment, not infrastructure. And judgment, unlike a network port, can’t simply be closed. This is why BEC is generating ongoing search interest around questions like “Is Microsoft 365 secure?” and “Do I need additional security beyond Microsoft 365?” — these aren’t expressions of distrust in Microsoft so much as a recognition that no single layer of defense, including a very good one, was ever designed to be the last line standing.

Why Microsoft 365 Security Alone May Not Be Enough

This isn’t a knock against Microsoft’s investment in security — it’s an acknowledgment of how attacks have evolved past the boundaries any single platform was built to defend. Consider where the gaps tend to appear:

Credential theft is where Entra ID Conditional Access does meaningful work, evaluating risk signals and enforcing policy at the point of sign-in. But policy enforcement and identity assurance are different problems. Conditional Access can tell you whether a sign-in satisfies a policy; if that policy accepts a push approval or a one-time code, a valid but stolen password plus a fatigued or phished user still satisfies it. Entra ID can require phishing-resistant methods through its authentication strengths, but only where a tenant has actually enrolled users in them and enforced them. That is the space where Cisco Duo’s MFA, particularly phishing-resistant methods such as FIDO2 security keys and passkeys together with device trust, adds a second, independent judgment that doesn’t depend on the same signals already compromised.

Account takeover detection inside Defender for Office 365 is strong within the boundaries of the Microsoft ecosystem. But attackers rarely confine themselves to one ecosystem, and correlation across platforms — tying a suspicious login to unusual activity in a SaaS app three steps removed from email — is where Cisco XDR’s cross-platform visibility becomes less of a convenience and more of a necessity.

Lateral movement is perhaps the clearest illustration of the problem. Defender XDR is excellent at watching what happens within Microsoft’s walls. But once an attacker pivots toward infrastructure Microsoft doesn’t natively see — a third-party SaaS application, an unmanaged device, a cloud service outside the tenant — visibility thins out. Cisco Secure Access exists precisely in that blind spot, applying Zero Trust principles to the parts of the environment that were never going to be visible from inside Microsoft 365 alone.

Phishing is the area where the arms race is most visible in real time. Defender for Office 365 catches an enormous volume of malicious email. But sophisticated, AI-generated phishing — campaigns crafted to mimic an executive’s actual writing style, free of the grammatical tells that once gave phishing away — increasingly slips past detection built on historical patterns. Cisco Email Threat Defense is built to catch what doesn’t look like an attack at all, evaluating relationship and behavioral context rather than known-bad signatures.

And third-party SaaS risk is the quiet gap nobody budgets for. Most organizations’ security stacks were architected around the assumption that the perimeter was the inbox. It isn’t anymore. Cisco XDR’s integrations extend visibility into the dozens of SaaS tools that have crept into daily work, many of which were never evaluated as security surface area at all.

None of this is a criticism of Microsoft 365 — it’s a description of what happens when a productivity platform, however well-defended, exists inside a threat landscape that was never going to respect any one company’s boundaries.

How Cisco and Microsoft Security Work Together

The more interesting question isn’t whether Microsoft 365 needs additional security. It’s what kind of additional security actually compounds the value of what’s already there, rather than duplicating it or creating friction. That’s where the relationship between Cisco and Microsoft becomes less about stacking tools and more about designing layers that reinforce each other.

Identity Protection: Microsoft Entra ID + Cisco Duo

Identity is the foundation everything else is built on, and it’s worth treating it that way philosophically, not just architecturally. Phishing-resistant MFA closes the gap that ordinary push notifications leave open — the gap MFA fatigue attacks exploit. Device trust adds context: not just who is logging in, but from what, and whether that device meets a baseline of health. Risk-based authentication ties it together, adjusting the bar for trust dynamically rather than treating every login as equally suspicious or equally safe. Entra ID provides the policy framework; Duo provides the assurance that the policy is being enforced against a real, verified human rather than a stolen credential wearing a human’s name.
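To make the phishing-resistant distinction concrete, here is an added example (not Microsoft's, Cisco's, or this page's own code) that simulates a credential-phishing proxy against two kinds of second factor. The origins, the user "alice", the constructed sign-in flow, and the HMAC-based stand-in for a WebAuthn signature are all assumptions for the example; a real authenticator signs with a per-site private key, but the property that matters is the same: the browser binds the signed data to the origin the user actually visited, so a challenge relayed through a look-alike page never verifies, whereas a push approval carries no such binding.

```python
"""Added example (not Microsoft's or Cisco's code): why an origin-bound second
factor survives a credential-phishing proxy while a push approval does not."""
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Constructed origins for the example: the tenant's real sign-in page and the
# attacker's look-alike proxy that relays everything the victim types.
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com"


class OriginBoundAuthenticator:
    """Stand-in for a FIDO2/WebAuthn authenticator (passkey or security key).

    A real authenticator signs with a per-relying-party private key; this
    example keeps an HMAC key per relying-party ID instead (a simplification,
    not the WebAuthn signature scheme) so it runs on the standard library only.
    """

    def __init__(self):
        self._keys = {}  # rp_id -> key minted at registration

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # the service stores this, like a public key

    def sign(self, origin, challenge):
        # The browser, not the page, writes clientData.origin, and the key is
        # selected by RP ID, which must match the host the user is really on.
        rp_id = urlparse(origin).hostname
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this host: nothing to sign
        client_data = f"{origin}|{challenge}"
        return {"client_data": client_data,
                "sig": hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()}


class RelyingParty:
    """The real sign-in service, which accepts either factor type."""

    def __init__(self):
        self.rp_id = urlparse(REAL_ORIGIN).hostname
        self.credential_keys = {}  # user -> key returned by register()

    def begin_login(self):
        return os.urandom(16).hex()  # fresh per-attempt challenge

    def verify_assertion(self, user, challenge, assertion):
        if assertion is None:
            return False
        origin, signed_challenge = assertion["client_data"].split("|", 1)
        if origin != REAL_ORIGIN or signed_challenge != challenge:
            return False  # wrong origin, or a replayed/forwarded challenge
        expected = hmac.new(self.credential_keys[user],
                            assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


def login_with_push(password_ok, user_taps_approve):
    """Push/OTP second factor. The approval says nothing about which page the
    victim typed into, so a relayed password plus one tired tap is enough."""
    return "session" if password_ok and user_taps_approve else "denied"


def login_through_proxy_with_fido(rp, user, authenticator):
    """Adversary-in-the-middle: the proxy relays the real challenge, but the
    victim's browser stamps the assertion with the proxy's origin."""
    challenge = rp.begin_login()
    assertion = authenticator.sign(PROXY_ORIGIN, challenge)
    return "session" if rp.verify_assertion(user, challenge, assertion) else "denied"


def login_direct_with_fido(rp, user, authenticator):
    challenge = rp.begin_login()
    assertion = authenticator.sign(REAL_ORIGIN, challenge)
    return "session" if rp.verify_assertion(user, challenge, assertion) else "denied"


def replay_is_rejected(rp, user, authenticator):
    """A captured assertion is bound to its challenge, so replaying it against
    a fresh login attempt fails as well."""
    captured = authenticator.sign(REAL_ORIGIN, rp.begin_login())
    return not rp.verify_assertion(user, rp.begin_login(), captured)


def demo():
    rp = RelyingParty()
    auth = OriginBoundAuthenticator()
    rp.credential_keys["alice"] = auth.register(rp.rp_id)  # enrolled on the real site
    return {
        "push_relayed_by_proxy": login_with_push(password_ok=True, user_taps_approve=True),
        "fido_relayed_by_proxy": login_through_proxy_with_fido(rp, "alice", auth),
        "fido_direct": login_direct_with_fido(rp, "alice", auth),
        "fido_replay_rejected": replay_is_rejected(rp, "alice", auth),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The push path succeeds for the attacker because nothing in the approval ties it to the page the victim was looking at. The origin-bound path fails twice over: the authenticator has no credential for the proxy's host, and even a credential presented on the wrong origin or against a stale challenge would not verify. Device trust layers on top of this by refusing the session when the requesting device carries no enrollment, which is the check the walkthrough later in the page relies on.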

Email Protection: Microsoft Defender for Office 365 + Cisco Email Threat Defense

Layering email defense isn’t about catching the same phishing email twice — it’s about widening the definition of what counts as suspicious. Defender excels at known-bad detection and broad-spectrum filtering. Cisco Email Threat Defense focuses on the attacks that look clean: executive impersonation that mimics tone and cadence, AI-generated phishing campaigns built specifically to defeat pattern-based detection. Together, they cover both ends of the spectrum — the obviously malicious and the deceptively ordinary.
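The following is an added example (not Cisco Email Threat Defense's, Defender's, or this page's code) of the kind of message-level check that works from relationship and behavioral context rather than known-bad signatures: executive display-name impersonation, reply-to redirection, look-alike vendor domains, first-contact payment requests, and bank-detail changes. The directory, the vendor list, the correspondence history, and the three sample messages are all constructed for the example.

```python
"""Added example (not Cisco's or Microsoft's detection code): message-level
impersonation and relationship checks for BEC-style mail."""
import re
from email.utils import parseaddr

# Constructed directory and history standing in for what a mail-security
# product learns about an organization over time (all values assumed).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield": "dana.whitfield@example.com"}  # display name -> real address
KNOWN_VENDOR_DOMAINS = {"acme-supply.com"}
PRIOR_CORRESPONDENTS = {"billing@acme-supply.com", "dana.whitfield@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|today|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|ACH|invoice|payment|remittance|bank (?:details|account))\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed) (?:bank|banking|account|remittance)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as acme-supp1y.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(msg):
    """Return (verdict, findings) for a message dict with from, reply_to, subject, body."""
    findings = []
    name, addr = parseaddr(msg["from"])
    addr, domain = addr.lower(), domain_of(addr)
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    text = f"{msg['subject']}\n{msg['body']}"

    # 1. Executive display name on an address that is not the executive's.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display name '{name}' used from {addr}, not {real}")

    # 2. Replies routed somewhere other than the sending domain.
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"reply-to {reply_to} does not match sender domain {domain}")

    # 3. Domain within two edits of a trusted domain but not actually it.
    for trusted in KNOWN_VENDOR_DOMAINS | {INTERNAL_DOMAIN}:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            findings.append(f"look-alike domain {domain} resembles {trusted}")

    # 4. Payment language from someone the recipient has never corresponded with.
    if addr not in PRIOR_CORRESPONDENTS and PAYMENT.search(text):
        findings.append("payment request from first-contact sender")

    # 5. Bank-detail changes always need out-of-band confirmation.
    if BANK_CHANGE.search(text):
        findings.append("bank/remittance detail change requested")

    # 6. Urgency combined with money is the classic CEO-fraud pairing.
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgency language combined with payment request")

    return ("hold_for_review" if findings else "deliver"), findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_fraud": {
        "from": "Dana Whitfield <dana.whitfield@gmail.com>",
        "subject": "Quick favor - urgent",
        "body": "I'm in meetings all day. Need a wire sent today, will explain later. Keep this confidential.",
    },
    "vendor_bank_change": {
        "from": "Acme Billing <billing@acme-supp1y.com>",
        "reply_to": "acme.billing.update@outlook.com",
        "subject": "Invoice 4471 - updated bank details",
        "body": "Please note our updated bank account for all future remittance.",
    },
    "routine_invoice": {
        "from": "Acme Billing <billing@acme-supply.com>",
        "subject": "Invoice 4471",
        "body": "Invoice 4471 is attached, net 30 as usual.",
    },
}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        verdict, findings = assess(msg)
        print(label, verdict, *findings, sep="\n  ")
```

None of these rules depends on a URL, an attachment, or a known-bad indicator; the routine invoice from an established correspondent passes untouched, while the two fraud attempts are held on relationship signals alone. A production implementation would learn the directory, vendor list, and correspondence history from the tenant rather than hard-code them.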

Threat Detection and Response: Microsoft Defender + Cisco XDR

This is where the relationship moves from prevention to comprehension. Alerts generated inside Microsoft’s ecosystem flow into Cisco XDR, where they’re correlated against signals from identity, network, and SaaS activity that Microsoft never had visibility into in the first place. A login anomaly that looks minor in isolation becomes significant when it’s paired with unusual file access in a third-party app an hour later. That correlation is the difference between a security team drowning in disconnected alerts and one investigating a coherent story — and it’s the difference between detecting an incident in minutes versus discovering it in an audit three months later.

Secure Access: Microsoft 365 + Cisco Secure Access

The modern workforce doesn’t operate from inside a defined perimeter, and pretending otherwise is how gaps form. Cisco Secure Access extends Zero Trust principles to remote work, to the SaaS sprawl that’s grown around Microsoft 365, and to the access patterns that exist whether or not anyone explicitly approved them. It’s less a wall around Microsoft 365 than connective tissue between everything Microsoft 365 touches.

How It Plays Out: A BEC Attack, Step by Step

Architecture is easier to appreciate in motion. Picture a fairly ordinary attack. A finance team employee receives a phishing email — well-written, contextually plausible, timed to coincide with a real vendor relationship. It slips past initial filtering because nothing about it trips a known signature. The employee, acting in good faith, enters their credentials on a page that looks exactly like the real thing.

This is the moment most security postmortems treat as the failure point — and it is a failure, but not a fatal one if the next layers hold. Cisco Duo recognizes that the authentication attempt doesn’t carry the markers of a verified, trusted device, and blocks the unauthorized access even though the credentials themselves were technically valid. Meanwhile, Cisco XDR has been quietly correlating signals: the suspicious login attempt, an unusual access pattern, the timing relative to the original phishing email. None of these signals alone would justify an alert. Together, they tell a story specific enough to act on. The security team receives not a flood of disconnected warnings but a single, actionable narrative — and the account compromise that would have, in an earlier security generation, gone undetected for days, is stopped before it becomes a wire transfer.

The point of walking through this isn’t to suggest the attack would have failed at the email filter. It almost certainly wouldn’t have. The point is that the architecture doesn’t depend on any single control being perfect. It depends on each layer doing one thing well and passing the baton to the next.
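The correlation that the Threat Detection and Response section and this walkthrough both describe, written out as an added example (not Cisco XDR's, Defender's, or this page's code). The four telemetry sources, the event timeline for "alice" and "bob", the signal weights, the time window, and the thresholds are all constructed assumptions; the point is the mechanism, in which no single event is heavy enough to page anyone but a cluster of weak signals across several sources, tied together by one user and one pivot IP, becomes a single incident with a readable story.

```python
"""Added example (not Cisco XDR's or Microsoft's code): correlating weak signals
from several telemetry sources into one incident."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # how close events must be to belong to one story
MIN_SOURCES = 3                  # the story must span several telemetry sources
SCORE_THRESHOLD = 4              # sum of weights needed before anyone is paged

# Constructed telemetry (not real logs). Weights express how alarming each
# signal is on its own; none reaches the threshold by itself.
EVENTS = [
    {"ts": "2025-03-04T09:02:10", "source": "email", "user": "alice", "ip": None,
     "signal": "delivered: first-contact sender on look-alike vendor domain", "weight": 1},
    {"ts": "2025-03-04T09:15:41", "source": "idp", "user": "alice", "ip": "203.0.113.7",
     "signal": "password accepted from IP never seen for this user", "weight": 1},
    {"ts": "2025-03-04T09:15:44", "source": "mfa", "user": "alice", "ip": "203.0.113.7",
     "signal": "second factor denied: device not trusted", "weight": 2},
    {"ts": "2025-03-04T09:38:02", "source": "saas", "user": "alice", "ip": "203.0.113.7",
     "signal": "third-party app token used from the same unfamiliar IP", "weight": 2},
    # Background noise for another user: two weak signals, hours apart.
    {"ts": "2025-03-04T08:50:00", "source": "email", "user": "bob", "ip": None,
     "signal": "delivered: first-contact sender", "weight": 1},
    {"ts": "2025-03-04T11:05:00", "source": "idp", "user": "bob", "ip": "198.51.100.20",
     "signal": "password accepted from IP never seen for this user", "weight": 1},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def cluster_by_user(events, window=WINDOW):
    """Group each user's events into runs where consecutive events fall within `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_user[ev["user"]].append(ev)
    clusters = []
    for evs in per_user.values():
        run = [evs[0]]
        for ev in evs[1:]:
            if parse_ts(ev["ts"]) - parse_ts(run[-1]["ts"]) <= window:
                run.append(ev)
            else:
                clusters.append(run)
                run = [ev]
        clusters.append(run)
    return clusters


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES, threshold=SCORE_THRESHOLD):
    """Promote a cluster to an incident only when it is both broad and heavy."""
    incidents = []
    for run in cluster_by_user(events, window):
        sources = {ev["source"] for ev in run}
        score = sum(ev["weight"] for ev in run)
        # One IP shared across sources ties the events to a single actor,
        # which no single-product alert could show on its own.
        ips = {ev["ip"] for ev in run if ev["ip"]}
        if len(ips) == 1:
            score += 1
        if len(sources) >= min_sources and score >= threshold:
            incidents.append({"user": run[0]["user"], "score": score,
                              "sources": sorted(sources),
                              "pivot_ip": next(iter(ips)) if ips else None,
                              "timeline": run})
    return incidents


def narrative(incident):
    """One actionable story instead of four disconnected alerts."""
    lines = [f"{incident['user']}: score {incident['score']} across "
             f"{', '.join(incident['sources'])} (pivot IP {incident['pivot_ip']})"]
    lines += [f"  {ev['ts'][11:19]} [{ev['source']}] {ev['signal']}" for ev in incident["timeline"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(narrative(inc))
```

Run as written, it produces exactly one incident, for alice, whose timeline reads as the sequence in the walkthrough: the phishing delivery, the password accepted from a new IP, the second factor refused, and the third-party app touched from the same address. Bob's two weak signals stay separate because they are hours apart and never span enough sources. The thresholds are deliberately simple; the design point is that breadth across sources and a shared pivot are what turn noise into a story.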

What This Actually Asks of Organizations

It’s tempting to treat BEC defense as a shopping list — enable phishing-resistant MFA, monitor privileged accounts, implement Zero Trust access, train users regularly, integrate Microsoft and Cisco telemetry. All of that is true and worth doing. But underneath the checklist is a harder question: are you building a security program that assumes attackers will eventually get something right, or one that assumes your first line of defense is infallible?

BEC keeps growing not because organizations are careless, but because the attacks are specifically engineered to exploit the assumption of infallibility — the assumption that if an email passed the filter, it’s safe; if the credentials were correct, the user is legitimate; if the request came from inside the company, it’s trustworthy. Layered defense isn’t really about adding more tools. It’s about designing a system that doesn’t collapse the moment one assumption turns out to be wrong.

Conclusion

Microsoft 365 gives organizations a strong, well-engineered foundation — and the instinct to treat additional security as a verdict on that foundation’s adequacy misses the more useful framing. The question was never whether Microsoft 365 is secure enough. It’s whether any single platform, regardless of how it’s built, should be asked to carry the entire weight of defending against attacks specifically designed to exploit human trust. By combining Microsoft’s native protections with Cisco’s identity, email, access, and detection capabilities, organizations aren’t admitting a weakness in Microsoft 365. They’re acknowledging something more fundamental: that resilience against Business Email Compromise was never going to come from one company’s product roadmap, no matter how strong. It comes from architecture that assumes failure is possible, and plans for what happens next.

If you're ready to discuss your business technology strategy with Network Solutions, fill out the form below to book a conversation!