TL;DR: A U.S. mental health provider saw QR-code phishing, lookalike domains, and social engineering evade Microsoft 365 native defenses for 12 months, forcing manual investigation and remediation until a layered email security approach reduced inbox exposure, according to Proofpoint. The core lesson is that human-targeted threats now require automated detection and operational visibility, not just baseline productivity controls.
NHIMG editorial — based on content published by Proofpoint: healthcare phishing, QR-code lures, and layered email defence with Microsoft 365
By the numbers:
- 12-month period, period, they saw a sharp increase in email-borne threats.
Questions worth separating out
Q: What breaks when email phishing bypasses native Microsoft 365 controls?
A: When phishing evades native controls, the security team loses early containment and is forced into manual investigation after the user has already seen the lure.
Q: Why do lookalike domains still work against trained users?
A: Lookalike domains succeed because users often rely on visual familiarity and operational context, not perfect domain inspection.
Q: How can teams tell whether phishing controls are actually working?
A: Look for fewer successful credential submissions on lookalike domains, lower password reuse, and faster reporting of suspicious messages.
Practitioner guidance
- Harden defences against QR-code phishing Inspect image-based lures, block credential-harvesting destinations, and add policy controls that detect QR workflows before they reach users.
- Detect lookalike-domain abuse earlier Monitor newly registered and visually similar domains that impersonate partners, agencies, or internal services, then quarantine messages that route users toward those destinations.
- Reduce manual mail triage Measure analyst hours spent on malicious message review, then automate classification, quarantine, and prioritisation so routine phishing does not consume the SOC.
What's in the full article
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- How the provider evaluated detection efficacy, deployment flexibility, and healthcare support before rollout
- What the phased 20% mailbox deployment looked like and why it mattered to budget and staffing constraints
- How the reporting and automation workflows reduced manual investigation time during the proof of concept
- What changed after deployment in terms of inbox containment, response workflow, and user risk visibility
👉 Read Proofpoint's analysis of healthcare phishing, QR-code lures, and Microsoft 365 gaps →
Healthcare phishing gaps: what native Microsoft 365 controls miss?
Explore further
Native productivity controls are not a sufficient trust boundary for credential theft. The article shows that Microsoft 365 baseline defenses were not stopping QR-code phishing and lookalike-domain lures. That is a governance failure as much as a filtering gap, because organisations often assume the collaboration suite also provides enough protection against human-targeted identity attacks. The practitioner takeaway is to treat email security as an identity defence layer, not a mailbox add-on.
A question worth separating out:
Q: Who is accountable when phishing leads to credential theft in healthcare?
A: Accountability usually spans security, IT, and business owners because phishing is both a technical and operational risk. Security teams own detection and containment, IT owns account recovery and access changes, and healthcare leaders own the protection of sensitive records and work processes. Frameworks such as NIST-CSF and NIST-800-53 push that shared responsibility toward continuous monitoring and access control.
👉 Read our full editorial: Email-borne phishing still outpaces native controls in healthcare