Two years ago, you could still teach staff to spot a phishing email by looking for awkward grammar, strange formatting, or a sender address that looked slightly off. Those signals still matter for the low-effort attacks, but they no longer describe the threat landscape that most Carolinas businesses actually face in 2026.
Generative AI has removed the friction from crafting a convincing impersonation email. An attacker who previously needed time and writing skill to produce a credible message from “your CEO” asking for a wire transfer can now produce twenty variations of that message in minutes, each personalized with publicly available information from LinkedIn, company websites, and social media. The grammar is perfect. The context is plausible. The urgency is calibrated. And the email lands in an inbox that a human trained on 2020-era phishing awareness is not equipped to evaluate the same way.
This is AI transforming a business risk that already existed, faster and further than most organizations expected.
What AI-driven impersonation attacks look like in 2026
The most damaging email impersonation attacks against Carolinas businesses fall into three categories, all of which have become harder to detect because of AI.
Business email compromise targeting finance. An attacker impersonates the CFO, CEO, or a trusted vendor and instructs accounts payable staff to transfer funds, change banking details on an existing vendor record, or process an invoice quickly. The emails are grammatically correct, reference real projects, and use enough organizational context that the recipient assumes the sender has access to internal information. AI tools can ingest a company’s public materials and generate messages that feel like they came from inside the organization.
Executive impersonation targeting IT. Attackers impersonate senior staff to request credential resets, MFA bypass, new device provisioning, or urgent access grants. The combination of authority and urgency makes these effective against IT helpdesk staff trained to be responsive. AI makes it cheap to personalize each attempt with the executive’s real writing style scraped from public communications.
Vendor impersonation targeting procurement. A message that appears to come from an existing supplier’s legitimate email domain, asking for banking information updates or confirmation of a pending order, is increasingly AI-assisted and difficult to distinguish from a real supplier communication without deliberate verification habits.
Charlotte financial services firms are the most heavily targeted in the Carolinas, but manufacturing companies in the Greenville corridor and professional services firms in Raleigh-Durham report this pattern consistently. The volume has increased and the quality of individual attacks has improved.
What Microsoft 365 Defender actually provides
Microsoft 365 Defender for Office 365 includes anti-impersonation and anti-phishing capabilities in both of its tiers: Plan 1 (included in Business Premium and E3) and Plan 2 (included in E5). The capabilities in Plan 1 are sufficient for most mid-market businesses. The gap to Plan 2 matters mainly for organizations with active threat hunting and security operations requirements.
The capabilities that matter for impersonation protection specifically:
Anti-phishing policies with impersonation protection. Defender lets you designate specific users, such as your CFO, CEO, general counsel, and any other executives regularly impersonated in financial or IT requests, as protected users. When an inbound email uses a display name that matches a protected user but comes from a domain that is not that user’s real domain, Defender flags or quarantines it based on your configured action. You can also protect entire domains, your own domain and trusted partner domains, from display name spoofing.
Mailbox intelligence. Defender builds a behavioral model of each mailbox based on who that user normally communicates with and how. When an email arrives from someone the mailbox has never interacted with but is claiming to be a regular contact or internal user, mailbox intelligence raises the risk score. This works because impersonation attacks frequently come from net-new sender domains that have no communication history with your organization.
Spoof intelligence. Defender identifies messages where the From header domain does not pass SPF, DKIM, or DMARC validation and lets you review and act on them. This addresses the category of attacks where the attacker controls a domain that looks similar to yours, such as devsoft-billing.com instead of devsoft.com.
Safe links and safe attachments. These scan URLs and attachments at click time and open time, not just at delivery. AI-generated phishing emails increasingly include links to legitimate-looking intermediary pages before the credential harvest page. Safe Links rewrites outbound URLs and re-evaluates them when the user clicks, which catches redirect-based attacks that would otherwise slip through a delivery-time scan.
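The display-name and near-miss-domain checks described above, reduced to their core logic. This is an added illustration, not Defender's actual algorithm or code from this article's author; the protected user, the 0.8 similarity threshold, and the function names are assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: the protected user and address are placeholders.
OWN_DOMAINS = {"devsoft.com"}
PROTECTED_USERS = {"jane doe": "jane.doe@devsoft.com"}  # display name -> real address


def normalize(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def lookalike_of(domain, threshold=0.8):
    """Return the owned domain that `domain` imitates, or None.

    Naive on purpose: compares everything left of the last dot, so
    multi-part suffixes such as .co.uk are not handled.
    """
    if domain in OWN_DOMAINS:
        return None
    label = domain.rsplit(".", 1)[0]
    for own in OWN_DOMAINS:
        own_label = own.rsplit(".", 1)[0]
        ratio = SequenceMatcher(None, label, own_label).ratio()
        if own_label in label or ratio >= threshold:
            return own
    return None


def evaluate(from_header):
    """Return the impersonation findings for one From header value."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []
    real = PROTECTED_USERS.get(normalize(display))
    # Protected display name, but the sender is not on that user's real domain.
    if real and domain != real.rpartition("@")[2]:
        findings.append("user-impersonation")
    if lookalike_of(domain):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    for header in ('"Jane Doe" <jane.doe@devsoft.com>',
                   "Jane  DOE <ceo.office@mail-relay.example>",
                   "Accounts Payable <ap@devsoft-billing.com>"):
        print(header, "->", evaluate(header))
```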
The configuration that most Carolinas businesses are missing
Defender ships with default anti-phishing policies that provide baseline protection. Most organizations that have not actively tuned those policies are relying on defaults that are adequate for commodity spam but not optimized for targeted impersonation.
The configuration work worth doing, in order of impact:
Set up user impersonation protection for high-value targets. Go into the anti-phishing policy in the Microsoft 365 Defender portal and add your CEO, CFO, and any other executives or roles that attackers would plausibly impersonate to trigger financial or IT actions. The default is no protected users. Adding the right five to ten names is a one-time configuration that covers the most common attack path.
Enable mailbox intelligence-based impersonation protection. This setting is separate from user impersonation protection and uses the behavioral model Defender builds for each mailbox. It is off by default in some tenants and worth explicitly enabling. Combined with user impersonation protection, it catches the case where an attacker uses a display name that was not on your protected user list.
Review your action settings. The default action for flagged messages in many tenants is “move to junk.” For confirmed impersonation attempts targeting named protected users, moving to junk means the message still reaches the user and still gets clicked. Quarantine with a notification is the right action for high-confidence impersonation hits. This requires someone with authority to release legitimate false positives, which means setting up the quarantine review workflow before you flip the setting.
Audit your SPF, DKIM, and DMARC records. These are prerequisites for Defender’s spoof intelligence to work correctly. A surprisingly large number of Carolinas businesses running Microsoft 365 have SPF records that include broad ranges from legacy mail configurations and DMARC policies set to “none” rather than “quarantine” or “reject.” DMARC at “none” reports but does not act. The goal is DMARC at “quarantine” or “reject” with SPF and DKIM properly scoped.
Configure honeytoken domain protection. If you own multiple domains, including variants and typo domains, add them to your tenant and protect them from external spoofing. Attackers registering near-miss domains and using them to impersonate your organization are easier to catch when Defender knows which domains legitimately send on your behalf.
The sectors most at risk in North and South Carolina
Not every Carolinas business faces the same exposure. Three sectors stand out for concentrated risk.
Charlotte financial services and fintech. Wire fraud and business email compromise are the highest-dollar attack vectors in this category. A compromised accounts payable workflow or a successful CFO impersonation directing a wire transfer is a direct financial loss. The concentration of financial services firms in Charlotte makes it a higher-value target for organized attack groups that research their targets before deploying AI-generated messages.
Healthcare practices and health systems across NC and SC. Credential theft is the primary goal here. A successful impersonation attack that captures an employee’s Microsoft 365 credentials gives an attacker access to protected health information and the ability to expand laterally. HIPAA breach notification costs and reputational exposure make this a disproportionate risk relative to the effort the attack requires.
Professional services and law firms in the Research Triangle. Attorneys, accountants, and consulting firms hold client funds, confidential information, and the trust that makes business email compromise attacks effective. These organizations typically have sophisticated individual employees who are still not immune to a well-researched, AI-generated impersonation that references a real client matter.
A starting configuration checklist
For a Carolinas business running Microsoft 365 Business Premium or higher that has not actively tuned Defender:
- Open the anti-phishing policy in the Microsoft 365 Defender portal and add your top five to ten impersonation targets as protected users with “quarantine” as the action.
- Verify that mailbox intelligence and mailbox intelligence-based impersonation protection are both enabled.
- Pull a DMARC report for your primary domain. If the policy is set to “none,” plan the path to “quarantine” within the next 90 days.
- Audit your SPF record for overinclusive ranges from legacy configurations. Remove anything that is no longer sending mail on your behalf.
- Enable DKIM signing for your domain if it is not already configured in Exchange Online.
- Test your quarantine release workflow. Someone needs to review the quarantine queue regularly. If no one is doing this, messages that should have been quarantined are sitting in junk and getting clicked.
These six items do not require E5 or a security operations team. They require about two hours of configuration and a review process. The organizations that do this work before an incident are in a materially different position than those that do it after one.
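The SPF and DMARC audit from the configuration section and the checklist above can be run as a quick offline check over TXT record values you have already looked up. This is an added example, not code from Microsoft or from this article's author; the sample records are constructed, and the /24 threshold for an "overinclusive" range is an assumption.

```python
import ipaddress

# Constructed sample records, not taken from any real domain's DNS.
DMARC_BEFORE = "v=DMARC1; p=none; rua=mailto:dmarc@devsoft.com"
DMARC_AFTER = "v=DMARC1; p=quarantine; rua=mailto:dmarc@devsoft.com"
SPF_BEFORE = "v=spf1 ip4:10.20.0.0/16 include:spf.protection.outlook.com ?all"
SPF_AFTER = "v=spf1 include:spf.protection.outlook.com -all"
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (the value at _dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: reports only, takes no action")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere")
    return findings

def audit_spf(record, min_prefix=24):
    """Return findings for one SPF TXT record; min_prefix is an assumed threshold."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, lookups = [], 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.replace("=", ":").split(":")[0].split("/")[0]
        if name == "all" and qualifier in "+?":
            findings.append(f"{term}: does not fail unlisted senders")
        elif name == "ip4" and ":" in body:
            net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            if net.prefixlen < min_prefix:
                findings.append(f"{term}: authorizes {net.num_addresses} addresses")
        lookups += name in LOOKUP_TERMS  # top-level terms only, includes not resolved
    if lookups > 10:
        findings.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    return findings
```

An empty list from both functions means the record meets the target state described above: DMARC at quarantine or reject with reporting enabled, and SPF scoped to current senders with a failing `all`.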
What AI means for the trajectory of this problem
The phishing and impersonation problem does not get easier as AI tools become more accessible. The same generative AI capabilities that are helping Carolinas businesses draft faster, summarize meetings, and work through backlogs are available to the same threat actors who have been running business email compromise operations for the past decade. The sophistication floor for targeted attacks has dropped. The volume ceiling has risen.
Microsoft is applying AI to the defensive side of this equation as well. Defender’s behavioral models, threat intelligence integration, and automated investigation capabilities are all machine learning-based, and they improve as they process more signals across Microsoft’s global customer base. The businesses that get value from this are the ones that have configured the policies correctly, reviewed the incidents, and maintained the operational discipline to act on what Defender surfaces.
The configuration described above is not a one-time task. Impersonation protection should be reviewed quarterly, protected user lists should be updated when leadership changes, and DMARC reports should be reviewed for anomalies. AI has raised the stakes on email security. The response is not panic. It is the right configuration, maintained with the same discipline you apply to the rest of your operations.
Devsoft Solutions works with businesses across North and South Carolina on Microsoft 365 security configuration and Defender for Office 365 deployment. If you want a review of your current impersonation protection setup, get in touch.