Email Filtering and Security for Schools: Blocking Phishing, Malware and BEC Before They Reach Staff
Email is the primary attack vector for cyberattacks on UK schools. JISC identifies phishing emails — carrying malicious links, credential-harvesting pages, or malware attachments — as the most common initial access method in education sector attacks. A single staff member clicking a malicious link can begin a chain of events that ends with the school's systems encrypted by ransomware. Yet many schools rely on basic email filtering that was not designed to detect the sophisticated, targeted phishing attacks that modern threat actors deploy against education institutions.
JISC threat reports: phishing email is the most common initial access vector for cyberattacks on UK schools and universities — one click can be the start of a ransomware incident.
What Effective Email Security for Schools Covers
A complete email security solution for schools should include:
- Anti-phishing detection: identify and quarantine emails designed to steal credentials
- Malware and attachment scanning: scan all attachments for malware before delivery
- URL rewriting and Safe Links: scan links at time of click, not just at delivery
- Sender authentication checks: verify DMARC, DKIM, and SPF records to detect spoofed senders
- Impersonation protection: detect emails attempting to impersonate the headteacher or trusted staff
- External email banners: warn staff when an email originates from outside the school
- Quarantine management: hold suspected phishing for review rather than deleting silently
Email Authentication: DMARC, DKIM, and SPF
DMARC, DKIM, and SPF are email authentication standards that prevent attackers from spoofing your school's email domain. If your school does not have DMARC configured at enforcement (p=reject or p=quarantine), attackers can send emails that appear to come from headteacher@yourschool.sch.uk — and many email clients will display this as a legitimate sender. Configuring DMARC is free and does not require additional software — it is a DNS record change. Yet a significant proportion of UK school domains have not implemented DMARC enforcement, leaving them exposed to domain spoofing. The DfE standards implicitly require email authentication as part of secure configuration.
Microsoft 365 and Google Workspace Email Security
Most UK schools use either Microsoft 365 Education or Google Workspace for Education. Both platforms include email security features — Microsoft Defender for Office 365 (Safe Links, Safe Attachments) and Google's spam and phishing filters. However, the default configuration of these platforms is not sufficient for an effective security posture. Microsoft Defender for Office 365 Plan 1 (included in some M365 Education licences) should be configured with appropriate anti-phishing, Safe Links, and Safe Attachments policies. Google Workspace's advanced phishing and malware settings should be enabled and configured.
Staff Training as a Complement to Technical Controls
Even the best email filtering will not catch every phishing email — sophisticated, targeted attacks are designed to bypass automated detection. Staff training to recognise phishing attempts, verify unexpected requests, and report suspicious emails is an essential complement to technical controls. The NCSC's free eLearning resources and simulated phishing tools provide accessible training for school staff. Simulated phishing exercises measure training effectiveness and identify staff who need additional support.
Frequently Asked Questions
Is Microsoft 365 email security sufficient for schools?
Microsoft 365 Education includes basic email security, but the default configuration provides a minimal level of protection against sophisticated phishing. Schools should enable and configure Microsoft Defender for Office 365 — specifically Safe Links, Safe Attachments, anti-phishing policies, and impersonation protection. The level of M365 licence held affects what features are available. Coro integrates with M365 to provide enhanced email security beyond what the native M365 configuration offers.
How should schools handle suspected phishing emails that reach staff?
Staff should be trained to report suspicious emails using the "Report Phishing" button (available in Outlook and Gmail) rather than deleting them. This sends the email to Microsoft or Google for analysis and helps improve future filtering. The IT team should investigate reported phishing to determine whether other staff received the same email and whether any accounts may have been compromised. A consistent reporting culture requires regular reminders and acknowledgement from IT when reports are received.
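The answer above says the IT team should work out whether other staff received the same email once one report comes in. The following is an added example, not code from the original article, showing one way to do that triage over a message-trace export: given the sender and subject of the reported message, it finds sibling messages by sender or by normalised subject (ignoring Re:/FW: prefixes and case) and separates recipients who actually received the mail from those whose copy was quarantined. SAMPLE_TRACE is a constructed CSV that stands in for a Microsoft 365 or Google Workspace trace export; the column names and every address in it are illustrative only.

```python
"""Triage a reported phishing email against a message-trace export (added example).

SAMPLE_TRACE is constructed for illustration and is not the export format of
any particular product; map your tenant's trace columns onto these five.
"""
import csv
import io
import re

SAMPLE_TRACE = """\
received,sender,recipient,subject,status
2024-03-04T08:01:12Z,payroll@yourschoo1-sch.uk,j.smith@yourschool.sch.uk,Urgent: updated bank details,Delivered
2024-03-04T08:01:13Z,payroll@yourschoo1-sch.uk,a.jones@yourschool.sch.uk,URGENT: Updated bank details,Delivered
2024-03-04T08:01:15Z,payroll@yourschoo1-sch.uk,office@yourschool.sch.uk,Re: updated bank details,Quarantined
2024-03-04T08:05:40Z,hr@yourschoo1-sch.uk,c.lee@yourschool.sch.uk,RE: Urgent: updated bank details,Delivered
2024-03-04T09:30:00Z,newsletter@example.org,j.smith@yourschool.sch.uk,Weekly digest,Delivered
2024-03-04T10:02:44Z,head@yourschool-sch.uk.example.net,b.khan@yourschool.sch.uk,Quick favour,Delivered
"""

SCHOOL_DOMAIN = "yourschool.sch.uk"   # constructed placeholder for the school's own domain


def normalise_subject(subject):
    """Strip reply/forward prefixes and collapse whitespace so variants of one lure compare equal."""
    stripped = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def parse_trace(text):
    """Load the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_external(address, school_domain=SCHOOL_DOMAIN):
    """True when the sender domain is not exactly the school's domain (lookalikes count as external)."""
    return address.rsplit("@", 1)[-1].lower() != school_domain.lower()


def find_campaign(rows, reported_sender, reported_subject):
    """Return every trace row that shares the reported sender or the reported (normalised) subject."""
    key = normalise_subject(reported_subject)
    return [row for row in rows
            if row["sender"].lower() == reported_sender.lower()
            or normalise_subject(row["subject"]) == key]


def triage(rows, reported_sender, reported_subject):
    """Summarise who else received the lure, whose copy was stopped, and which senders were involved."""
    matches = find_campaign(rows, reported_sender, reported_subject)
    delivered = sorted({r["recipient"] for r in matches if r["status"] == "Delivered"})
    stopped = sorted({r["recipient"] for r in matches if r["status"] != "Delivered"})
    senders = sorted({r["sender"] for r in matches})
    return {
        "matches": len(matches),
        "delivered_to": delivered,      # these users need a follow-up (did they click or reply?)
        "quarantined_for": stopped,     # filtering worked here; no user action needed
        "senders": senders,
        "external_senders": [s for s in senders if is_external(s)],
    }


if __name__ == "__main__":
    rows = parse_trace(SAMPLE_TRACE)
    summary = triage(rows, "payroll@yourschoo1-sch.uk", "Urgent: updated bank details")
    for field, value in summary.items():
        print(f"{field}: {value}")
```

The recipients in delivered_to are the ones to contact and, if the lure asked for credentials or a payment, the accounts to review for sign-in anomalies or mailbox rule changes; the quarantined_for list shows where the filter already did its job, which is useful feedback to give the staff member who reported the message.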
What is DMARC and does my school need it?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving email servers how to handle emails that fail sender authentication checks. Without DMARC enforcement, attackers can spoof your school's domain — sending emails that appear to come from your school to staff, parents, or suppliers. Every UK school should configure DMARC at minimum at the reporting level (p=none) and work towards enforcement (p=quarantine or p=reject). This is a free configuration change that significantly reduces domain spoofing risk.
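The two DMARC passages above (the authentication section and this FAQ answer) describe what a school's SPF and DMARC records should look like but do not show how to check them. The following is an added example, not code from the original article: it parses SPF and DMARC TXT records of the kind described and reports whether the domain is at enforcement (p=quarantine or p=reject). The domain names and record strings in SAMPLE_DNS are constructed stand-ins; replace lookup_txt with a real DNS query (for example via dnspython) to run it against a live domain.

```python
"""Offline SPF/DMARC posture check for a school domain (added example).

SAMPLE_DNS is a constructed table standing in for DNS TXT lookups; the
domain names and records in it are illustrative only.
"""
import re

SAMPLE_DNS = {
    # Constructed: M365 tenant, SPF at hard fail, DMARC still monitoring only.
    "yourschool.sch.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.yourschool.sch.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@yourschool.sch.uk"],
    # Constructed: Google Workspace tenant, DMARC at full enforcement.
    "secure-example.sch.uk": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.secure-example.sch.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@secure-example.sch.uk; pct=100"],
    # Constructed: SPF that lets anyone pass, DMARC only partly enforced, no reporting.
    "weak-example.sch.uk": ["v=spf1 a mx +all"],
    "_dmarc.weak-example.sch.uk": ["v=DMARC1; p=quarantine; pct=25"],
}

# SPF terms that cost one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT strings published at name (from the constructed table)."""
    return dns.get(name.lower(), [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record):
    """Return the qualifier on the 'all' term and the number of lookup-costing terms."""
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:          # skip the leading v=spf1
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier + "all"
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def assess_domain(domain, dns=SAMPLE_DNS):
    """Evaluate SPF and DMARC for domain and list the findings a school IT team should act on."""
    findings = []

    spf_records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    spf = {"present": bool(spf_records), "all": None, "lookups": 0}
    if not spf_records:
        findings.append("No SPF record: receivers cannot tell which servers may send for this domain")
    elif len(spf_records) > 1:
        findings.append("Multiple SPF records: receivers treat this as a permanent error")
    else:
        spf.update(parse_spf(spf_records[0]))
        if spf["all"] in (None, "+all", "?all"):
            findings.append("SPF does not end in -all or ~all, so unlisted senders are not rejected")
        if spf["lookups"] > 10:
            findings.append("SPF needs more than 10 DNS lookups and will fail with permerror")

    dmarc_records = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    dmarc = {"present": bool(dmarc_records), "policy": None, "enforced": False, "reporting": False}
    if not dmarc_records:
        findings.append("No DMARC record: mail that fails SPF/DKIM alignment is still delivered")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
        dmarc.update(policy=policy, reporting="rua" in tags,
                     enforced=policy in ("quarantine", "reject") and pct == 100)
        if policy == "none":
            findings.append("DMARC p=none is monitoring only; move to p=quarantine, then p=reject")
        elif pct < 100:
            findings.append(f"DMARC applies {policy} to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address, so no aggregate reports will arrive")

    return {"domain": domain, "spf": spf, "dmarc": dmarc, "findings": findings}


if __name__ == "__main__":
    for name in ("yourschool.sch.uk", "secure-example.sch.uk", "weak-example.sch.uk", "nodns.sch.uk"):
        result = assess_domain(name)
        print(name, "DMARC enforced:", result["dmarc"]["enforced"])
        for finding in result["findings"]:
            print("  -", finding)
```

The staged path the article recommends (p=none with rua= reporting first, then p=quarantine, then p=reject) maps directly onto the findings this produces: a domain is only reported as enforced when the policy is quarantine or reject and pct is at its default of 100, so a partial rollout still shows up as work remaining.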
Protect your school's email from phishing and malware
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.