Cybersecurity 24 June 2026 8 min read

Phishing Protection for Australian Small Businesses: What Works in 2026

MFA, DMARC, conditional access and staff training — the four-layer phishing defence every Australian SMB should have running.

Phishing is still the way most Australian small businesses get compromised. Not zero-days. Not ransomware-as-a-service. A finance manager clicking a fake invoice. Here's the four-layer defence we run for every NOX Cloud managed client — every layer matters, and a gap in any one of them is where breaches happen.

Layer 1: Email authentication (SPF, DKIM, DMARC)

If your domain doesn't have all three records published correctly, anyone can send mail that claims to come from your domain to your own customers and suppliers, and receiving mail systems have no policy telling them to reject it. Most Australian SMBs we audit have SPF, about half have DKIM, and very few have a DMARC policy stronger than p=none (which only monitors and blocks nothing).

Target: SPF ending in -all and staying under the 10-DNS-lookup limit (one lookup per include, a, mx, ptr, exists or redirect term; exceed it and SPF fails permanently); DKIM signing for every service that sends as your domain (Microsoft 365, Mailchimp, Xero, etc.), each with its own selector; DMARC at minimum p=quarantine; pct=100, because a lower pct lets that share of spoofed mail straight through. Publish p=none with a rua= reporting address first and use a DMARC reporting service (Valimail, Dmarcian, EasyDMARC) for the first 90 days so you can see who's sending on your behalf, fix the senders that fail alignment, and only then move to p=quarantine and finally p=reject.
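The checks above are mechanical enough to script. The block below is an added example written for this article (not NOX Cloud's audit tooling) that grades an SPF and a DMARC record against that target; the record strings are constructed samples, and in practice you would fetch them with a TXT lookup on the domain (SPF) and on _dmarc.<domain> (DMARC). DKIM can't be judged from a single record, so the script deliberately leaves it out: confirm each sending service has its own selector published and that its signatures align in the DMARC reports.

```python
"""Offline sanity checks for SPF and DMARC records.

Added example for this article, not NOX Cloud's audit tooling. Record
strings are constructed samples; fetch real ones with a TXT lookup on the
domain (SPF) and on _dmarc.<domain> (DMARC).
"""
import re

# SPF terms that each consume one of the 10 DNS lookups allowed by RFC 7208.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def _term_name(term: str) -> str:
    """'include:spf.protection.outlook.com' -> 'include', '-all' -> 'all', 'mx/24' -> 'mx'."""
    term = re.sub(r"^[+\-~?]", "", term)
    return re.split(r"[:=/]", term, maxsplit=1)[0].lower()


def check_spf(record: str) -> list[str]:
    """Return findings for one SPF record; an empty list means it meets the target."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = sum(1 for t in terms[1:] if _term_name(t) in SPF_LOOKUP_TERMS)
    findings = []
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms; receivers return permerror above {SPF_LOOKUP_LIMIT}")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: anyone on the internet passes SPF for your domain")
    elif last == "~all":
        findings.append("~all softfail: spoofed mail is delivered; move to -all")
    elif last != "-all" and _term_name(last) != "redirect":
        findings.append("no terminal -all: unlisted senders get a neutral result")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for one DMARC record; empty means quarantine/reject at 100% with reporting."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: {100 - pct}% of failing mail bypasses the policy")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains of your domain can still be spoofed")
    if not tags.get("rua"):
        findings.append("no rua= address: you will never see aggregate reports")
    return findings


# Constructed samples: the state we usually find, and the target state.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
TARGET_SPF = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all"
TARGET_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com.au"

if __name__ == "__main__":
    for label, record, check in [
        ("weak SPF", WEAK_SPF, check_spf), ("weak DMARC", WEAK_DMARC, check_dmarc),
        ("target SPF", TARGET_SPF, check_spf), ("target DMARC", TARGET_DMARC, check_dmarc),
    ]:
        print(f"{label}: {check(record) or 'OK'}")
```

The lookup count only covers terms in the record itself; nested includes (Microsoft 365's own include pulls in more) also count toward the ten, so a live check needs to recurse through each included domain.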

Layer 2: MFA and Conditional Access

Standard MFA via Microsoft Authenticator blocks the large majority of password-based attacks (Microsoft's own figure is over 99%). But attackers in 2026 routinely use adversary-in-the-middle (AiTM) phishing kits (Evilginx, Tycoon 2FA) that proxy the real Microsoft login page: the victim types their password and approves the MFA prompt as normal, and the kit captures the resulting session cookie, so the attacker is signed in without ever needing a second factor of their own.

To beat AiTM phishing you need:

  • Conditional Access policies that require a compliant (Intune-managed) or hybrid-joined device, not just MFA, because Conditional Access is re-evaluated when the attacker tries to use the captured session from their own unmanaged machine
  • Phishing-resistant MFA (Windows Hello for Business, FIDO2 security keys, or Microsoft Authenticator passkeys), enforced through a Conditional Access authentication strength rather than the plain "require MFA" control; these credentials are bound to the real login origin, so a proxied fake page cannot complete them
  • Sign-in risk policies that block high-risk sign-ins automatically (these need Entra ID P2 for Identity Protection, which is not included in Business Premium)

Roll each policy out in report-only mode first, review the sign-in logs, and keep a break-glass account excluded from all of them.
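The three policies above are easier to reason about as the Microsoft Graph request bodies you would POST to /identity/conditionalAccess/policies. The block below is an added example for this article, not NOX Cloud's deployment code and not a Microsoft sample: it builds the three policies with a shared scope, plus a small linter for the mistakes that lock a tenant out or quietly weaken the control. BREAK_GLASS_GROUP is a placeholder object ID; the authentication strength ID is Microsoft's built-in "Phishing-resistant MFA" policy, which you should confirm in your tenant with GET /policies/authenticationStrengthPolicies before relying on it.

```python
"""Conditional Access policies for the AiTM-resistant baseline, as Graph request
bodies (POST /identity/conditionalAccess/policies), plus a linter.

Added example for this article; not NOX Cloud's deployment code and not a
Microsoft sample. BREAK_GLASS_GROUP is a placeholder object ID. The
authentication strength ID is the built-in "Phishing-resistant MFA" policy;
confirm it in your tenant with GET /policies/authenticationStrengthPolicies.
"""

PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
REPORT_ONLY = "enabledForReportingButNotEnforced"
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000beef"  # placeholder


def _all_users_except(break_glass_group: str) -> dict:
    """Scope: all users, all cloud apps, all client app types, minus the break-glass group."""
    return {
        "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    }


def require_compliant_device(break_glass_group: str = BREAK_GLASS_GROUP) -> dict:
    """Bullet 1: a captured session replayed from an unmanaged attacker machine fails this."""
    return {
        "displayName": "CA001 Require compliant or hybrid-joined device",
        "state": REPORT_ONLY,
        "conditions": _all_users_except(break_glass_group),
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }


def require_phishing_resistant_mfa(break_glass_group: str = BREAK_GLASS_GROUP) -> dict:
    """Bullet 2: FIDO2 / Windows Hello / passkeys via an authentication strength, not the plain 'mfa' control."""
    return {
        "displayName": "CA002 Require phishing-resistant MFA",
        "state": REPORT_ONLY,
        "conditions": _all_users_except(break_glass_group),
        "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }


def block_high_risk_signins(break_glass_group: str = BREAK_GLASS_GROUP) -> dict:
    """Bullet 3: the signInRiskLevels condition needs Entra ID P2 (Identity Protection)."""
    policy = {
        "displayName": "CA003 Block high-risk sign-ins",
        "state": REPORT_ONLY,
        "conditions": _all_users_except(break_glass_group),
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    policy["conditions"]["signInRiskLevels"] = ["high"]
    return policy


def lint(policy: dict) -> list[str]:
    """Return the lockout and weakening mistakes found in one policy body (empty = OK)."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    if "All" in users.get("includeUsers", []) and not (users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("targets all users with no break-glass exclusion")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if controls == ["mfa"]:
        findings.append("plain 'mfa' control alone: an AiTM proxy satisfies it; use a phishing-resistant authentication strength")
    if grant.get("operator") == "OR" and "mfa" in controls and len(controls) > 1:
        findings.append("mfa OR device: the attacker simply takes the weaker leg")
    if policy.get("state") == "enabled":
        findings.append("created as enabled: start in report-only and review sign-in logs first")
    return findings


# Constructed example of the weak policy we often inherit, for comparison.
WEAK_POLICY = {
    "displayName": "Legacy: MFA or compliant device",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

if __name__ == "__main__":
    for p in (require_compliant_device(), require_phishing_resistant_mfa(), block_high_risk_signins(), WEAK_POLICY):
        print(p["displayName"], "->", lint(p) or "OK")
```

Keeping the policies as plain dictionaries means the same bodies can be diffed against what GET /identity/conditionalAccess/policies returns, which is a cheap drift check to run monthly.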

Layer 3: Defender for Office 365

Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which gives you:

  • Safe Links — every URL in email is rewritten and scanned at click time
  • Safe Attachments — attachments detonated in a sandbox before delivery
  • Anti-phishing policies — impersonation protection for your executives
  • Quarantine with end-user release workflow

If you're on Business Standard (no Defender), the upgrade to Business Premium is $9/seat/month and it's the single highest-ROI security spend most SMBs can make in 2026.

Layer 4: Staff training and simulation

Technical controls catch most phishing. Trained staff catch the rest, and more importantly they report it, which lets you pull the same message out of every other mailbox it landed in. Run a phishing simulation quarterly (KnowBe4, Hoxhunt, or Microsoft Attack Simulation Training) and make sure everyone has the Report Message button in Outlook. The first run will be ugly. After three rounds, click rates in our experience drop from 25–35% to under 5%; track the report rate as well, because a rising report rate is the better signal that training is working.

What to do when someone clicks anyway

  1. Disable the user account in Entra ID immediately and revoke all sessions (sign-in sessions and refresh tokens), so the captured session cookie stops working
  2. Reset the password, then review the user's registered authentication methods and remove anything the attacker added before re-registering MFA
  3. Check the Microsoft 365 unified audit log (New-InboxRule, Set-InboxRule, UpdateInboxRules and Set-Mailbox operations) for inbox rules and mailbox forwarding created in the last 30 days, and check OAuth app consents granted by the user; an inbox rule that forwards, deletes or hides mail is the #1 persistence trick
  4. Review the user's activity in the Defender portal and audit log for the window the attacker had access: mailbox searches, bulk downloads, sharing links and mail sent from the account
  5. Assess whether personal information was accessed; if the breach is likely to result in serious harm, notify the OAIC and the affected individuals as soon as practicable under the Notifiable Data Breaches scheme (the Privacy Act allows up to 30 days to complete the assessment, not 30 days to notify)
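Steps 1 to 3 are the ones that have to happen in minutes, so they are worth scripting in advance. The block below is an added example for this article, not NOX Cloud's runbook code: it lists the containment calls as (method, Graph path, body) so they can be reviewed before they are sent, and triages inbox rules for the forward/delete/hide pattern. The rules are constructed samples shaped like the messageRule objects that GET /users/{id}/mailFolders/inbox/messageRules returns, and INTERNAL_DOMAINS is a placeholder for your own accepted domains.

```python
"""Post-click triage helpers for steps 1 to 3 above.

Added example for this article, not NOX Cloud's runbook code. Containment
actions are returned as (method, Graph path, body) for review before sending;
the inbox rules are constructed samples shaped like Microsoft Graph
messageRule objects. INTERNAL_DOMAINS is a placeholder.
"""
from typing import Optional

INTERNAL_DOMAINS = {"example.com.au"}  # placeholder: your accepted domains

# Unified audit log operations that record rule and forwarding changes
# (Search-UnifiedAuditLog -Operations ... -StartDate (Get-Date).AddDays(-30)).
AUDIT_OPERATIONS = ["New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"]

# Words attackers filter on to intercept payment and password-reset mail.
SENSITIVE_WORDS = {"invoice", "payment", "remittance", "bank", "password", "verification", "mfa"}


def containment_plan(user_id: str) -> list[tuple[str, str, Optional[dict]]]:
    """Graph calls for steps 1 to 3, in execution order. user_id may be the UPN."""
    base = f"/users/{user_id}"
    return [
        ("PATCH", base, {"accountEnabled": False}),               # step 1: disable the account
        ("POST", f"{base}/revokeSignInSessions", None),           # step 1: invalidate sessions and refresh tokens
        ("GET", f"{base}/authentication/methods", None),          # step 2: look for attacker-registered MFA methods
        ("GET", f"{base}/mailFolders/inbox/messageRules", None),  # step 3: feed the result to suspicious_rules
        # Mailbox-level SMTP forwarding is not a messageRule; check it in Exchange Online PowerShell:
        # Get-Mailbox -Identity <user> | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
    ]


def _external_recipients(recipients) -> list[str]:
    """Addresses outside INTERNAL_DOMAINS from a messageRule recipient list."""
    out = []
    for r in recipients or []:
        addr = r.get("emailAddress", {}).get("address", "")
        if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def suspicious_rules(rules: list[dict]) -> list[dict]:
    """Flag rules that exfiltrate, delete or hide mail; returns [{'rule': name, 'reasons': [...]}]."""
    hits = []
    for rule in rules:
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}
        reasons = []
        external = []
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            external += _external_recipients(actions.get(key))
        if external:
            reasons.append("forwards or redirects externally to " + ", ".join(external))
        if actions.get("delete") or actions.get("permanentDelete"):
            reasons.append("deletes matching mail")
        if actions.get("markAsRead"):
            reasons.append("marks mail as read so the user never notices it")
        if actions.get("moveToFolder") and actions.get("markAsRead"):
            reasons.append("moves mail out of the inbox (check RSS Feeds, Archive, Conversation History)")
        words = set()
        for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
            words.update(w.lower() for w in conditions.get(key) or [])
        if words & SENSITIVE_WORDS:
            reasons.append("filters on finance/credential keywords: " + ", ".join(sorted(words & SENSITIVE_WORDS)))
        if not rule.get("displayName", "").strip(" ."):
            reasons.append("blank or dot-only rule name")
        if reasons:
            hits.append({"rule": rule.get("displayName", ""), "reasons": reasons})
    return hits


# Constructed samples: a classic BEC persistence rule, a benign rule, and a
# "copy to my personal address" rule that still leaks company mail.
SAMPLE_RULES = [
    {"displayName": "..",
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@example.net"}}],
                 "markAsRead": True, "delete": True}},
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "placeholder-folder-id", "stopProcessingRules": True}},
    {"displayName": "Copy to personal",
     "conditions": {},
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "owner@example.org"}}]}},
]

if __name__ == "__main__":
    for method, path, body in containment_plan("jane.doe@example.com.au"):
        print(method, path, body or "")
    for hit in suspicious_rules(SAMPLE_RULES):
        print(hit["rule"] or "(unnamed)", "->", "; ".join(hit["reasons"]))
```

Run the rule triage against every mailbox, not just the victim's: the same kit is usually used against several staff in one campaign, and the rule is often created days after the click.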

The whole point of a four-layer defence is that even when one layer fails — and one will, eventually — the others catch the attack before it becomes an incident.
