The Inbox Is a Battlefield: What Every SMB Should Know About the New Wave of Phishing
Phishing attacks are getting worse — and they're targeting SMBs specifically because they're easier to hit. Here's what the new wave looks like and the six-layer defense stack that actually works.
Last year, I wrote about a client who got hit by a Business Email Compromise. A real inbox, taken over. Real emails, sent to real contacts — with a fake login page waiting at the other end.
I wrote that article because it was fresh. A lesson I'd just lived through. The takeaway was simple: Always Verify.
But here's the thing I didn't say then — and it's become impossible to ignore now.
It's getting worse.
Over the past month, I've seen more phishing and spam tickets come through Marcoby's support queue than I can remember in any comparable stretch. Not one-offs. Not "hey, is this suspicious?" — actual attempts that landed in inboxes, sometimes opened, sometimes clicked. The volume is up. The tactics are sharper. And the attackers aren't just casting wide nets anymore. They're studying how your business works and dressing their attacks to look like a Tuesday.
If your defense strategy is "don't click suspicious links," you're already behind.
The Attack That Looks Like Work
A few weeks ago, one of our clients forwarded us an email that stopped me mid-scroll.
It looked like a Microsoft Teams meeting invite. Clean formatting. Familiar layout. The display text in the email body read:
https://teams.microsoft.com/l/meeting/...
Completely normal. Exactly what you'd expect when someone sends you a meeting link.
Except the actual URL — the one hidden behind the display text — pointed to a credential-harvesting page hosted on a domain that had nothing to do with Microsoft.
Let that sink in. The words on the screen said "teams.microsoft.com." The link underneath said something entirely different. And the only way to spot it was to hover over the link before clicking — a habit that almost nobody in a busy workday actually practices.
Here's why this particular attack is so effective: context hijacking. The email lands in an inbox that expects meeting invites. Teams, Zoom, Google Meet — these are daily tools. Nobody second-guesses a calendar link. The visual trust is baked in before you even open the message.
And that's the pattern I'm seeing across the board. Attackers are embedding themselves in legitimate business workflows:
- Fake Zoom links disguised as last-minute meeting adds
- DocuSign requests that lead to credential theft pages
- Invoice reminders with "view your bill" buttons
- Shared OneDrive files prompting you to "log in to view"
None of this feels like an attack in the moment. It feels like a normal Tuesday. That's the point.
The Display Text Lie (And What Safe Links Actually Do)
There's a fundamental gap in how most people understand email links — and attackers have learned to exploit it ruthlessly.
Every hyperlink has two parts: the display text (what your eyes see) and the target URL (where the click actually takes you). They do not have to match. You can make blue, underlined text say anything — https://login.microsoftonline.com — while the link quietly routes to steal-your-password.net.
The Teams invite attack worked exactly this way. Trustworthy text. Treacherous destination.
This is where Safe Links comes in. If you're on Microsoft 365, Safe Links is part of Microsoft Defender for Office 365, and it's likely already included in your plan. Here's how it works:
- When an email arrives, Safe Links rewrites every URL to route through Microsoft's verification service.
- When someone clicks, Microsoft checks the destination at the moment of click — not just when the email arrived.
- If the site is malicious, the user sees a warning page instead of the attacker's site.
- Time-of-click verification means even links that were clean when the email was delivered but later weaponized get caught.
This matters more than most SMBs realize. Attackers will often send emails with legitimate links, wait a few days, and then redirect the destination to a phishing page — specifically to slip past scanning tools that only check at delivery time. Safe Links neutralizes that gap.
Beyond email, Safe Links extends to Teams messages, SharePoint files, and Office documents. The attack surface in a typical SMB is wider than most owners think — and every single channel deserves the same protection.
The practical habit, though, doesn't require any tool at all: hover before you click, every single time. Make it muscle memory. If the destination doesn't match the display text, stop. If it's a shortened link you can't inspect, stop. If the domain looks off by even one character — micr0soft.com instead of microsoft.com — stop.
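As an added example (not Marcoby's tooling and not code from the original post), the Python below automates the hover check on an inbound HTML body: it pulls out every anchor and flags the three cases named above, a visible URL whose domain differs from the real destination, a shortener that hides where the click goes, and a digit-for-letter lookalike such as micr0soft.com. The sample message, the shortener list and the brand list are constructed for the illustration.

```python
# Added example (not from the original post): flag anchors whose visible text
# and real destination disagree, the "display text lie" described above.
# The sample HTML, the shortener list and the brand list are constructed.
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}    # assumption: illustrative list
BRANDS = {"microsoft.com", "microsoftonline.com"}  # assumption: brands to protect
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(text):
    """Hostname named by the display text, if it looks like a URL or domain."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None

def looks_like_brand(host):
    """True when swapping 0->o and 1->l turns the domain into a protected brand."""
    dom = registrable(host)
    return dom not in BRANDS and dom.translate(str.maketrans("01", "ol")) in BRANDS

def audit_links(html):
    """Return (href, display_text, reason) for each suspicious anchor.
    A regex is enough for this illustration; real mail bodies want an HTML parser."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        target, shown = urlparse(href).hostname or "", host_of(text)
        if registrable(target) in SHORTENERS:
            findings.append((href, text, "shortened link hides its destination"))
        elif shown and registrable(shown) != registrable(target):
            findings.append((href, text, "display text names a different domain"))
        elif looks_like_brand(target):
            findings.append((href, text, "lookalike of a protected brand domain"))
    return findings

# Constructed sample mimicking the Teams-invite lure; domains are placeholders.
SAMPLE = """<p><a href="https://login-verify.example.net/teams">https://teams.microsoft.com/l/meeting/19:abc</a></p>
<p><a href="https://teams.microsoft.com/l/meeting/19:abc">Join on Teams</a></p>
<p><a href="https://bit.ly/3xample">View your bill</a></p>
<p><a href="https://micr0soft.com/login">Sign in to view the shared file</a></p>"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, three of the four links are reported and the genuine Teams link passes; the same function can be pointed at the HTML part of any message pulled from quarantine.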
Why SMBs Are the Soft Target
Enterprises have layers. Dedicated security teams. Phishing simulations. SIEM dashboards. Incident response plans that get tested quarterly.
Most SMBs have… hope.
And attackers know this. They understand that a 25-person insurance agency in Fontana doesn't have a CISO. That the owner is also the IT person, the HR person, and the person who approves invoices — all while running the actual business. One click from the right person, and the entire operation is compromised.
Here's the uncomfortable math: small businesses are targeted because they're small. Less security. Fewer controls. Higher success rate per attack. And the downstream damage — financial loss, data exposure, reputation hit — hits disproportionately harder when there's no cushion to absorb it.
The worst part? Most SMBs don't realize they're a target until they've already been hit.
The Defense Stack: What Actually Works
You don't need a six-figure security budget. You need a few layers of defense that work together and don't require a dedicated IT team to manage. Here's the practical stack I recommend to every Marcoby client:
1. Hover-to-inspect reflex. Before any click, hover. If the destination doesn't match the display text, or if anything looks off, don't click. Call the sender. Verify through a different channel. This single habit stops the vast majority of phishing attacks.
2. Enable Safe Links (Microsoft 365). If you're on a Microsoft 365 Business Premium or E3/E5 plan, Safe Links is included. Turn it on. If you're on a lower tier, upgrade. The cost difference is negligible compared to the cost of a breach.
3. DMARC, SPF, and DKIM. These three protocols stop attackers from spoofing your domain in the first place. If your emails can be impersonated, your clients are at risk too — and you might not know it's happening until someone calls to ask about the "weird invoice" they received from you.
4. "Call before you click" policy. Any unexpected link, attachment, or login prompt — especially if it involves money, data, or credentials — gets verified by phone, text, or a separate messaging channel before anyone clicks. Make this an actual written policy, not a suggestion.
5. Phishing simulations. You can't fix what you don't measure. Run simulated phishing tests against your own team. See who clicks. Train those people. Repeat quarterly. Tools like KnowBe4 or Microsoft Attack Simulation Training make this straightforward.
6. Password manager + MFA everywhere. Credential harvesting fails if every account has a unique password and a second factor. A password manager removes the friction that makes people reuse passwords. MFA makes stolen credentials useless.
Six things. Most of them are free or already included in tools you're paying for. The gap isn't cost — it's awareness and implementation.
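The SPF and DMARC half of step 3 can be checked offline once you have your TXT records in hand. This Python script is an added example, not from the original post: it grades a record for the settings that still leave a domain spoofable (a soft-fail ~all, a monitor-only p=none, a partial pct, too many DNS lookups) and shows a weak pair of records beside the corrected pair. The records are constructed; spf.protection.outlook.com is the include Microsoft 365 uses, and DKIM, which is verified per message rather than per domain record, is not modelled.

```python
# Added example (not from the original post): grade SPF and DMARC TXT records for
# the settings that leave a domain spoofable. Records here are constructed strings;
# a real check fetches TXT for yourdomain and _dmarc.yourdomain. DKIM is per-message.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record):
    """Return findings for an SPF TXT record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any server can claim to send for this domain"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every sender, so spoofed mail passes SPF")
    elif last == "?all":
        findings.append("'?all' is neutral; unknown senders are neither passed nor failed")
    elif last == "~all":
        findings.append("'~all' only softfails; pair it with DMARC p=quarantine or p=reject")
    elif last != "-all":
        findings.append("no trailing 'all' mechanism; unlisted senders are not rejected")
    # RFC 7208 allows at most ten DNS-querying terms; more yields permerror at receivers.
    lookups = sum(1 for t in terms[1:]
                  if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; SPF evaluates to permerror")
    return findings

def assess_dmarc(record):
    """Return findings for a DMARC TXT record; an empty list means it looks sound."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers get no instruction for mail failing SPF/DKIM"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unrecognised policy p={policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves part of the spoofed mail unpoliced")
    if "rua" not in tags:
        findings.append("no rua= address, so you never see who is spoofing your domain")
    return findings

# Constructed records: a weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

Calling assess_spf and assess_dmarc on the weak pair returns one finding each for the ~all and p=none settings plus the missing rua address; the strong pair returns nothing.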
From Victim to Hardened
When I wrote "Always Verify" last year, I was processing a single incident. A compromise that happened, got caught, got cleaned up, and became a lesson.
That lesson hasn't changed. But the threat landscape has.
The Teams invite scam, the fake DocuSign links, the display-text deception — these aren't edge cases anymore. They're the new normal. And the businesses that survive them aren't the ones with the biggest budgets. They're the ones that built the right habits, turned on the right tools, and stopped treating security as someone else's problem.
The goal isn't to make your team paranoid. It's to make them harder to fool than the next business down the street.
Because right now, there's always a next business. Don't let it be yours.
👉 At Marcoby, we help SMBs build practical, layered security that doesn't require a dedicated IT team. If phishing is hitting your inbox harder than it used to, let's talk.
At Marcoby, You're Technically Family.