A good defense-in-depth strategy includes a security service for email threat scanning and filtering. Many email protection services will detect these phishing email messages and keep them from arriving in employees’ inboxes. Another important part of defense-in-depth is to use 2-factor authentication for employees to log in to Office 365, VPNs, and other critical entry points into the company’s information systems. It is also possible to detect web requests for phishing pages by using a web proxy that checks domain names for reputation scores, or web page content for anything that looks like an Office 365 login page from the wrong domain. The last line of defense against attackers who gain access to the password of one or more accounts is Managed Detection and Response (MDR), which can detect unusual behaviors, including lateral movement or use of backdoor malware that attackers might place on systems to establish persistent access. Phishing will continue to be a frequently used attacker technique, but good defenses can make it much more difficult for the attackers to succeed.