Email Is the Front Door — and Most Practices Leave It Unlocked
Roughly nine out of ten healthcare data breaches start the same way: someone at the practice clicks something in an email they shouldn't have. That's not a guess — it's consistent across HHS breach reports year after year. Email is the single largest attack vector in healthcare, and dental practices are no exception.
The encouraging news is that email security has improved dramatically. The frustrating news is that most practices are relying on tools that haven't kept up with how attacks actually work in 2026.
This article walks through what modern email attacks look like, what Microsoft 365's built-in security misses, and what a dedicated tool like Proofpoint Essentials actually does for you — including what it means for HIPAA compliance.
What Modern Email Attacks Actually Look Like
The days of obvious spam — broken English, lottery winnings, Nigerian princes — are largely over. What replaced them is much harder to spot.
Phishing: Personalized and Convincing
Modern phishing emails are written specifically for your practice. An attacker will spend 10 minutes looking at your website, your Google reviews, and LinkedIn before crafting a message that mentions your office manager by name, references a real vendor you use, and reads like it was written by a professional.
AI writing tools have made this even easier. Attackers now generate hundreds of highly personalized, grammatically perfect phishing emails in minutes. There's no longer a "bad spelling" tell to look for.
The goal is always the same: get you to click a link, open an attachment, or hand over your login credentials.
Business Email Compromise (BEC)
Business Email Compromise is the most financially damaging type of email fraud in healthcare. Here's what it looks like in a dental practice:
- A fake invoice arrives from what looks like your dental supply company, with updated banking information for wire transfers.
- An email appearing to come from your practice owner asks the front desk to process an urgent payment or purchase gift cards.
- A message arrives that looks like it's from the ADA or your state dental association, asking you to verify your account or update billing information.
- A vendor emails to say they've changed their payment details — but the email is from an attacker who has been silently watching your inbox for weeks.
None of these require you to click a malicious link. The attack succeeds through deception alone. BEC losses in healthcare run into the hundreds of millions of dollars annually.
Credential Harvesting
You receive an email saying your Microsoft 365 account needs to be verified. You click the link. The page looks exactly like the Microsoft login page. You type your password. You've just handed your credentials to an attacker.
The fake login pages used today are pixel-perfect copies of real services — Microsoft, Dentrix, your bank, your payroll provider. Many are hosted on legitimate cloud services to avoid blocklists. Some even pass through to the real login page after stealing your credentials, so you never notice anything went wrong.
Malware Attachments
A patient sends an insurance card as a PDF. A vendor sends a quote as a Word document. A contractor sends plans as a ZIP file. Any of these could contain malware — ransomware, spyware, or a backdoor that sits quietly for months before activating.
Modern malware is designed to evade signature-based scanning. It may not "detonate" until it reaches your computer, or it may only activate when certain conditions are met. Standard attachment scanning often misses it entirely.
Conversation Hijacking
This is one of the more sophisticated attacks and one of the hardest to detect. An attacker gains access to a real email account — either yours or a vendor's — and monitors ongoing conversations. When the timing is right, they inject a reply into an existing thread. The email has a real history, a familiar name, and continues a conversation you were already having.
You're not being asked to trust a stranger. You're being asked to trust what looks like an established relationship — and that makes conversation hijacking extremely effective.
What Microsoft 365 Alone Gets Wrong
Microsoft 365 includes email filtering — Exchange Online Protection (EOP) — and an upgraded tier called Defender for Office 365. These tools are not bad. They catch a lot of spam and known malware. But for a HIPAA-covered dental practice, they have meaningful gaps.
Zero-Day Phishing Detection
Microsoft's filters rely heavily on known threats — URLs, domains, and file hashes that have already been flagged. A brand-new phishing campaign that launched this morning, using a domain registered yesterday, often passes through unchecked. By the time Microsoft updates its threat intelligence, your staff may have already clicked.
Sender Authentication Gaps
Email authentication standards (SPF, DKIM, DMARC) exist to verify that an email actually came from the domain it claims. Microsoft checks these, but many legitimate businesses have misconfigured or incomplete authentication records, so Microsoft often lets messages that fail these checks through rather than blocking them. Authentication also only proves that a message came from the domain it claims, not that the domain is the one you think it is: an attacker sending from a look-alike domain they control — say, "adasupport.org" instead of "ada.org" — can sail right through.
No Outbound PHI Protection
HIPAA requires you to protect patient information going out, not just coming in. Microsoft 365's basic tier has no meaningful data loss prevention (DLP) for outbound email. A staff member could accidentally (or intentionally) email a patient list to a personal Gmail account, and Microsoft won't stop it or alert you.
Limited Encryption
When your office sends a treatment summary, referral letter, or billing statement by email, that message may travel unencrypted. Microsoft 365 has encryption options, but they require manual action or complex policy setup. In practice, most small offices never configure it, and most patients never receive encrypted email from their dental provider.
No Security Awareness Training
The human layer is the hardest to defend and the most important. Microsoft doesn't run simulated phishing campaigns against your staff or provide training modules tied to real-world threats. That means your team learns what phishing looks like only when they encounter the real thing — which is too late.
What Proofpoint Essentials Adds
Proofpoint Essentials is designed specifically for small and mid-sized businesses in regulated industries. It sits in front of your Microsoft 365 mailboxes and adds several layers that Microsoft doesn't provide.
Advanced Sandboxing
Suspicious attachments don't go straight to your inbox. They're detonated first in an isolated environment — a sandbox — where Proofpoint watches what the file actually tries to do. If it attempts to connect to a command-and-control server, drop a payload, or modify system files, it's blocked before you ever see it. This catches threats that signature scanning misses entirely.
URL Rewriting and Click-Time Scanning
Every link in every email gets rewritten. When a staff member clicks a link, Proofpoint checks the destination in real time — not just when the email was received. This matters because attackers commonly use clean links that redirect to malicious pages only after delivery. The scan happens at the moment of the click, not hours earlier.
Impostor Detection
Proofpoint's DMARC and display-name analysis catches the "from" field tricks that fool Microsoft. If an email claims to be from your practice owner but the actual sending address doesn't match, Proofpoint flags it or quarantines it. Same for look-alike domains — slight misspellings that a human glancing at their phone would never catch.
Outbound DLP for PHI
Proofpoint can scan outgoing messages for patterns that look like patient data — Social Security numbers, date-of-birth combinations, insurance IDs. If a message matches your DLP policy, it can be held for review, blocked, or automatically encrypted before it leaves your network. This directly addresses the HIPAA requirement for outbound ePHI protection.
Policy-Based Encryption
You can set rules: any email to a patient domain, any email containing certain keywords, any email from clinical staff gets encrypted automatically. The patient receives a notification and can read the message securely without needing any special software. No manual steps required from your staff.
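The outbound DLP and policy-based encryption described in the two sections above come down to pattern matching on the message body plus a routing decision based on who the recipient is. The following is an added example written for this article, not Proofpoint's code: the practice domain, the webmail list and the insurance-ID format are constructed placeholders, and the decision logic (allow, block a bulk export, hold for review, or encrypt) is one plausible policy rather than the product's own.

```python
import re

# Constructed policy for this illustration: PRACTICE_DOMAIN and WEBMAIL_DOMAINS
# are placeholders, and the insurance-ID format is made up, not any payer's real
# scheme. A production policy would use the vendor's own PHI dictionaries.
PRACTICE_DOMAIN = "smiles-dental.example"
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
BULK_THRESHOLD = 5  # this many SSNs in one message looks like a patient list

PHI_PATTERNS = {
    # 123-45-6789 style; a real rule would also exclude invalid area numbers
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # a date only counts when it is labelled as a birth date
    "dob": re.compile(r"\b(?:dob|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    # labelled member/subscriber IDs in the constructed format ABC1234567
    "insurance_id": re.compile(
        r"\b(?:member|subscriber|policy)\s*(?:id|#|no\.?)\s*[:=]?\s*[A-Z]{2,3}\d{6,10}\b", re.I),
}


def find_phi(body):
    """Map each PHI pattern name to how many times it occurs in the body."""
    counts = {name: len(rx.findall(body)) for name, rx in PHI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def outbound_action(recipients, body):
    """Return (action, phi_counts) for one outbound message.

    allow   - no PHI, or every recipient is inside the practice's own domain
    block   - looks like a bulk patient export leaving the practice
    hold    - PHI addressed to a personal webmail account; queue for review
    encrypt - PHI to any other external party; deliver through the secure portal"""
    hits = find_phi(body)
    external = [r for r in recipients if domain_of(r) != PRACTICE_DOMAIN]
    if not hits or not external:
        return "allow", hits
    if hits.get("ssn", 0) >= BULK_THRESHOLD:
        return "block", hits
    if any(domain_of(r) in WEBMAIL_DOMAINS for r in external):
        return "hold", hits
    return "encrypt", hits
```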
Simulated Phishing and Security Awareness Training
Proofpoint sends realistic fake phishing emails to your staff periodically. If someone clicks, they're redirected to a brief training module right then — not a lecture scheduled for next month. Over time, your team gets measurably better at recognizing attacks. You get reports showing who clicked, who's improving, and where you still have risk.
Three Real-World Scenarios Proofpoint Would Have Stopped
Scenario 1: The Fake Patterson Dental Invoice
Your accounts payable contact receives an email that appears to be from Patterson Dental. The subject line references a real recent order. The email asks her to update your payment account via a link to "verify billing information." The link goes to a convincing fake page that captures her Patterson portal credentials.
What Microsoft 365 does: The domain used was registered 48 hours ago. EOP has no threat intelligence on it yet. The email passes through.
What Proofpoint does: URL rewriting fires at click time. The destination domain was just added to Proofpoint's threat feed minutes ago based on a campaign detected at another customer. The link is blocked. Your contact sees a warning page instead.
Scenario 2: The "CEO Email" Asking for a Wire Transfer
Your front desk manager gets an email from the practice owner — at least, the display name says it's the owner. The message says there's an urgent equipment purchase that needs to be wired today, and asks her to process it quietly before end of day. The actual sending address is a Gmail account the attacker created an hour ago.
What Microsoft 365 does: The display name matches. The email passes basic checks. It lands in the inbox.
What Proofpoint does: Impostor detection flags the mismatch between the display name and the actual sending domain. The email is quarantined with a notification to the manager that this message is flagged as a potential impersonation attempt.
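The two impersonation signals described under Impostor Detection and in Scenario 2 (a protected display name on an outside sending address, and a look-alike domain) can be expressed as a small header check. This is an added example, not Proofpoint's detection logic: the practice domain and the owner's name are constructed placeholders, ada.org is the domain the article itself uses as its look-alike example, and the look-alike heuristics are deliberately coarse.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed configuration for this illustration. The practice domain and
# the protected name are placeholders; ada.org is the association domain the
# article itself uses as the look-alike example.
PRACTICE_DOMAIN = "smiles-dental.example"
PROTECTED_NAMES = {"dr. jane smith", "jane smith"}   # the practice owner
TRUSTED_DOMAINS = {PRACTICE_DOMAIN, "ada.org"}


def split_from(from_header):
    """Return (normalised display name, sending domain) for a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return re.sub(r"\s+", " ", name).strip().lower(), domain


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    Two coarse heuristics: a near-typo of the whole domain, or a trusted
    label buried in a longer one (adasupport.org against ada.org). A real
    gateway tunes these with allowlists to keep false positives down."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
        if len(t_label) >= 3 and (label.startswith(t_label) or label.endswith(t_label)):
            return trusted
    return None


def impostor_verdict(from_header):
    """List the impersonation signals a gateway would raise for this From: header."""
    name, domain = split_from(from_header)
    findings = []
    if name in PROTECTED_NAMES and domain != PRACTICE_DOMAIN:
        findings.append(f"display name '{name}' but sender domain is {domain}")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"{domain} looks like trusted domain {imitated}")
    return findings
```

A message with an empty findings list is not proven safe; it has simply not tripped these two checks, which is why gateways layer them with sandboxing and click-time URL scanning.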
Scenario 3: The Malicious "Patient Intake Form" Attachment
A new patient emails to say they filled out their intake forms before the appointment. The Word document looks normal. Your treatment coordinator opens it and enables macros when prompted. Within minutes, ransomware begins encrypting your Dentrix database and patient imaging files.
What Microsoft 365 does: The file has no known malware signature, so it passes through. The macro only runs once the document is opened on the workstation, where mail filtering no longer applies.
What Proofpoint does: The attachment is routed to sandbox analysis. When the sandbox opens the file and enables its macros, it observes outbound callback attempts to a known C2 server. The file is blocked and quarantined, and the email is flagged as malicious.
What This Costs
Proofpoint Essentials runs roughly $5–10 per mailbox per month, depending on the feature tier you choose. For a practice with 10 mailboxes, that's $600–$1,200 per year.
Compare that to the average cost of a healthcare data breach — which regularly exceeds $10 million when you factor in regulatory fines, legal fees, notification costs, and reputational damage. For small practices, even a modest breach that triggers an HHS investigation can cost $50,000–$500,000 before you're done.
The math is straightforward. The more important question is whether your practice has the right protection in place before something happens — not after.
When Your Practice Needs This
You need a dedicated email security layer if any of the following apply:
- Your practice sends or receives any patient information by email — appointment reminders, treatment summaries, billing communications, referral letters.
- Your staff regularly receives attachments from patients, vendors, or labs.
- You've never run a simulated phishing test against your team.
- You rely solely on Microsoft 365's built-in filtering.
- You process wire transfers, ACH payments, or vendor banking changes via email.
- You have a HIPAA compliance program and want to demonstrate reasonable safeguards to an auditor.
If you checked more than one of those, the gap between what you have and what you need is real, and every day it stays open adds to your exposure.