It depends on how you define missuse...
Basic email injection should not work no matter what when using Universal Email... however there are many more ways you can missuse a form... for instance, simply trying to use a form with a bot testing if it has any vulrnerabilities could be considered misuse in itself.
For the most complete security you can do things like:
1) Use the trigger "current page submit" in universal email. It will do referrer checking to make sure the page is submitted to itself and nobody is posting from their own form.
2) Add email address validation on the email field and don't use that as the to field or mentioned anywhere except the email body.
3) Add alphanumeric validation to the Name field so that no code can be entered, even though it is unlikely the code would work, it prevents them from even trying.
4) Add entry length validation to the Message field. I don't think you expect a large volume of data to be typed into that field, but a hacker would likely have quite a bit if they were trying to use email injeciton techniques.
5) Honeypot validation will often prevent bots... this is just a matter of placing a few blank hidden fields and text fields with style="display:none" and style="visibility:hidden" on the page and verifying they are still blank after the page is submitted. Bots often can't resist filling out all fields in a form and no human could possibly enter a value, so you can catch bots this way.
6) CAPTCHA is a good option, since most bots cannot read them, and would also prevent a submission from a remote domain, the only limitation is that blind people could not fill out your form without help.
7) Obvious question is a great preventor of bots, since it pretty much ensures only a human can fill out and submit the form. It also can be read by screen readers for the blind, and prevents any submission from a remote server.
8) Be sure to use Server Validation where I mention validation, since client validation is really only good for aesthetics and not real security since javascript can always be disabled on the client.