SEG: An Outdated Technology Failing in the Face of Modern Email Attacks

As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?

June 17, 2022

In the past decade, there have been two major shifts in the world of email. First, the majority of enterprises have moved from on-premises email servers to cloud email solutions like Microsoft 365 for better employee experience and productivity. According to the 2021 Gartner Market Guide for Email Security, over 70% of enterprises globally have made significant investments in transforming their email infrastructure to the cloud.

The second shift has been in the mindset and tactics of threat actors. Attackers have shifted from traditional email attacks that were low-mid value and low-mid impact (such as spam, campaign phishing, and ransomware based on malicious URLs and downloads) to modern email attacks that are high-value and high-impact, such as business email compromise, supply chain compromise, and advanced ransomware. The shift in the attacker’s mindset is motivated by the fact that modern attacks yield a higher return on their investments.

That these modern attacks are delivering higher ROI for attackers is unfortunately evidenced by the rise in cybercrime losses, as these attack types evade traditional email security solutions like secure email gateways (SEGs). Business email compromise (BEC) cost businesses and consumers over $2.4 billion of the $6.9 billion lost—making up 35% of all losses, as per the 2021 IC3 Internet Crime Report, produced by the FBI.

Financial Losses Attributable to BEC

An Archaic Technology Not Built to Defend Against Modern Attacks

As enterprises globally struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs? The quick and straightforward answer is that the SEGs never evolved to adapt to those two major shifts—i.e., the movement to cloud email platforms and the shift in the attacker's mindset. A more elaborate explanation hinges on three key reasons.

Reason #1: Legacy Architecture

The majority of SEGs are not cloud-native and have limited to no native API integrations with modern cloud email solutions. Instead, they are mired in complex MX record integrations and tangled in a web of draconian rules and policies.

The lack of native API integrations allows them to only observe the ingress-egress external mail flow, often referred to as the north-south traffic. They don’t have the native API integrations with the cloud email providers’ infrastructure to observe east-west traffic. As a result, they have no visibility into internal email patterns and rich contextual signals that are critical to stopping modern attacks—for example, lateral phishing attacks or account-based attacks.

SEG Legacy Architecture

Reason #2: Outdated Approach

SEGs were built to protect against traditional attacks by creating rules and policies to block known threats based on static threat indicators. The outdated approach has been, essentially, “Oh! Here is an email originating from a bad IP address or untrusted domain. Let’s create a rule to block emails from it”.

But what happens when the attack originates from a newly created account on a trusted domain like gmail.com? Or what happens when the attack originates from a trusted third party that has been compromised or is being impersonated? SEGs have no way of detecting these modern and never-before-seen tactics being employed by threat actors.

As a result of relying on this known-bad approach, security teams find themselves on the back foot when dealing with modern attacks.

SEG Outdated Approach

Reason #3: Lack of Cloud Email Intelligence

The third reason is closely related to the first two. SEGs are not structurally built to leverage rich and contextual signals provided by cloud email platforms (e.g., Microsoft 365 and Google Workspace) due to their architectural shortcomings. They cannot ingest signals like user sign-in events, compromised accounts, or user sign-in locations from email cloud providers.

As an example, let’s take a series of events in which an attacker tries to use a compromised employee account to launch an attack. The attacker impersonating the employee (who generally signs in from New York) tries to sign in from a suspicious location and fails to gain access to the email account. As a next step, the attacker spoofs the IP to a location in the US and after a few failed attempts is able to successfully sign in.

The events trail is rich with information to signal anomalous suspicious activity to an email security solution. However, as SEGs cannot ingest (let alone take advantage of) critical cloud email signals and events like the one mentioned, they miss advanced account-based attacks.
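To make the event trail above concrete from a defender's side, here is an added example (not code from this post or from Abnormal's product) that walks a constructed sign-in log in order and raises the signals the text describes: a failure from a location the account has never used, repeated failures, and then a success from a never-seen location right after those failures. The user, locations and baseline history are all constructed sample data, and the severity labels and the two-failure threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    location: str  # coarse geo label such as "US/New York"
    ok: bool       # True for a successful sign-in, False for a failure


# Constructed baseline (not real telemetry): Steve normally signs in from New York.
BASELINE = [SignIn("steve@corp.example", "US/New York", True) for _ in range(20)]

# Constructed event trail matching the scenario in the text: one failure from an
# unfamiliar location, then repeated failures from a US location the account has
# never used, then a success from that same new location.
TRAIL = [
    SignIn("steve@corp.example", "XX/Unknown", False),
    SignIn("steve@corp.example", "US/Dallas", False),
    SignIn("steve@corp.example", "US/Dallas", False),
    SignIn("steve@corp.example", "US/Dallas", False),
    SignIn("steve@corp.example", "US/Dallas", True),
]


def build_baseline(events):
    """Map each user to a Counter of locations they have successfully signed in from."""
    seen = defaultdict(Counter)
    for e in events:
        if e.ok:
            seen[e.user][e.location] += 1
    return seen


def detect_anomalies(baseline, trail, max_failures=2):
    """Walk a sign-in trail in order and return (user, signal, location) findings.

    Signals, from lowest to highest severity (labels are an assumption):
      failed_signin_new_location          - a failure from a location never seen for the user
      success_after_failures              - a success preceded by >= max_failures failures
      success_new_location                - a success from a never-seen location
      success_new_location_after_failures - both at once (the scenario in the text)
    """
    findings = []
    pending_failures = defaultdict(int)
    for e in trail:
        new_location = e.location not in baseline.get(e.user, Counter())
        if not e.ok:
            pending_failures[e.user] += 1
            if new_location:
                findings.append((e.user, "failed_signin_new_location", e.location))
            continue
        failures = pending_failures.pop(e.user, 0)
        if new_location and failures >= max_failures:
            findings.append((e.user, "success_new_location_after_failures", e.location))
        elif new_location:
            findings.append((e.user, "success_new_location", e.location))
        elif failures >= max_failures:
            findings.append((e.user, "success_after_failures", e.location))
    return findings


def needs_review(findings):
    """True when any finding is a successful sign-in that looks anomalous."""
    return any(signal.startswith("success_") for _, signal, _ in findings)


if __name__ == "__main__":
    found = detect_anomalies(build_baseline(BASELINE), TRAIL)
    for user, signal, location in found:
        print(f"{user}: {signal} ({location})")
    print("account needs review:", needs_review(found))
```

The point of the walk-through is that none of these signals is visible in the mail stream itself; they only exist in the cloud platform's sign-in events, which is exactly what a gateway sitting at the MX record cannot ingest.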

SEG No Native API Integration

When Modern Attacks Get Real and Evade SEGs

Attackers have figured out the formula for launching modern attacks to evade SEGs and extract significant sums of money from enterprises. Below is an example of a vendor impersonation attack on a Fortune 100 company in the financial industry. The company almost fell victim to the attack because its SEG incorrectly determined the email to be a legitimate vendor email.

(We say "almost fell victim" because, in the second part of this story, Abnormal detected and blocked the attack. We will celebrate that win as a security community in a subsequent blog post.)

The impersonated vendor email shown below has all the characteristics of a modern attack—socially-engineered, entirely text-based, no known bad IOCs, and payload-less. It was purposefully crafted to evade an outdated email security solution like the SEG. Let’s take a closer look at the critical misses by the SEG related to this attack.

Actual email attack missed by a SEG

Miss #1: Relying on Trusted Assumptions

Since the request originates from a known vendor, the SEG did not trigger any warnings or alerts and delivered it to the employee’s inbox. It missed a critical signal that the email had originated from a never-before-seen IP address.

Known Vendor Never Before Seen IP Address

Miss #2: No Relationship Context

The attacker used social engineering and personalization to trick an unsuspecting employee into believing the conversation should be trusted. Because SEGs have no relationship context between an organization and its vendors, the SEG misses the fact that John* (names changed to protect customer privacy) from the vendor has never emailed Steve* in accounts payable at this company.

Missed Attack No Relationship Context

Miss #3: No Tone and Content Analysis

SEGs don’t have advanced natural language processing (NLP), natural language understanding (NLU), or computer vision. Because the SEG lacks these capabilities, it fails to detect that the email asks for a significant sum to be transferred to a never-before-used bank account. It also misses the tone of the email, which conveys a sense of urgency about the transfer in order to exploit human behavior.

Missed Attack No Tone and Content Analysis

Miss #4: Only Relies on Known-Bad IOCs

Most modern attacks, like this vendor impersonation attack example, are payload-less and text-based. As there are no malicious URLs or file attachments to scan, the text-only email did not trigger any known bad signatures from the SEG, leading it to evaluate the attack email as a legitimate vendor email.
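The four misses above are really four checks that a known-bad-only filter never runs. The following added example (not code from this post or from Abnormal's product) contrasts the two approaches on a constructed email modelled on the attack described: an IOC-only verdict that looks only at blocklisted IPs, URL hosts and attachments, beside a context-based pass that checks for a known vendor sending from a never-seen IP, a sender/recipient pair with no history, urgent wording, a change in payment details, and the absence of any payload. The vendor history, blocklists, email text, signal weights and hold threshold are all constructed or assumed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    source_ip: str
    subject: str
    body: str
    attachments: tuple = ()


# Constructed history for one vendor domain (not real data): the sending IPs,
# sender/recipient pairs and payment account the organization has seen before.
HISTORY = {
    "known_ips": {"vendor.example": {"203.0.113.10", "203.0.113.11"}},
    "known_pairs": {("alice@vendor.example", "steve@corp.example")},
    "known_accounts": {"vendor.example": {"ACCT-0001-CONSTRUCTED"}},
}

# Constructed known-bad indicators of the kind a signature-based gateway matches on.
BAD_IPS = {"192.0.2.1"}
BAD_URL_HOSTS = {"malicious.example"}

URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "right away", "before end of day")
ACCOUNT_RE = re.compile(r"\baccount(?: number)?[:\s#]*([A-Z0-9-]{6,})", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Assumed weight per signal; payload_less is recorded but carries no weight.
WEIGHTS = {
    "known_vendor_new_source_ip": 2,
    "no_prior_sender_recipient_relationship": 2,
    "urgent_tone": 1,
    "payment_details_changed": 3,
    "payload_less": 0,
}
HOLD_THRESHOLD = 4


def ioc_only_verdict(email):
    """What a known-bad-only check sees: blocked IP, blocked URL host, or an attachment to scan."""
    if email.source_ip in BAD_IPS:
        return "block"
    if any(h.lower() in BAD_URL_HOSTS for h in URL_RE.findall(email.body)):
        return "block"
    if email.attachments:
        return "scan_attachments"
    return "deliver"


def behavioral_findings(email, history):
    """Contextual signals the text says a gateway without vendor and cloud context misses."""
    domain = email.sender.split("@", 1)[1].lower()
    findings = []
    known_ips = history["known_ips"].get(domain)
    if known_ips is not None and email.source_ip not in known_ips:
        findings.append("known_vendor_new_source_ip")          # Miss #1
    if (email.sender.lower(), email.recipient.lower()) not in history["known_pairs"]:
        findings.append("no_prior_sender_recipient_relationship")  # Miss #2
    text = f"{email.subject} {email.body}".lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgent_tone")                         # Miss #3 (tone)
    known_accounts = history["known_accounts"].get(domain, set())
    if any(m.group(1).upper() not in known_accounts for m in ACCOUNT_RE.finditer(email.body)):
        findings.append("payment_details_changed")             # Miss #3 (content)
    if not URL_RE.search(email.body) and not email.attachments:
        findings.append("payload_less")                        # Miss #4: nothing to scan
    return findings


def behavioral_verdict(findings):
    score = sum(WEIGHTS[f] for f in findings)
    return "hold_for_review" if score >= HOLD_THRESHOLD else "deliver"


# Constructed example modelled on the attack in the text: known vendor domain,
# unfamiliar source IP, unfamiliar sender/recipient pair, urgent tone, new account.
SUSPICIOUS = Email(
    sender="john@vendor.example",
    recipient="steve@corp.example",
    source_ip="198.51.100.77",
    subject="Urgent: updated remittance details",
    body=("Hi Steve, please settle the outstanding invoice immediately and wire it "
          "to our new account number: ACCT-0002-CONSTRUCTED. Thanks, John"),
)

# Constructed routine email from the same vendor for contrast.
ROUTINE = Email(
    sender="alice@vendor.example",
    recipient="steve@corp.example",
    source_ip="203.0.113.10",
    subject="Monthly statement",
    body="Hi Steve, the monthly statement is available in the portal as usual. Alice",
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        f = behavioral_findings(msg, HISTORY)
        print(label, "ioc-only:", ioc_only_verdict(msg), "behavioral:", behavioral_verdict(f), f)
```

Running it shows the gap the section describes: the IOC-only check returns "deliver" for both messages because neither carries a blocklisted IP, a URL or an attachment, while the context-based pass holds the suspicious one on the strength of the new IP, the missing relationship and the changed payment details, and still delivers the routine one.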

Missed Attack Relying on Known IOCs

An unsuspecting employee would have fallen victim to this modern email attack, leading to significant monetary losses to the company. Fortunately for this enterprise, at the time of the attack, Abnormal was being evaluated as an email security solution in passive mode. We precisely detected and blocked this attack and, in turn, won the trust of a notable brand as our customer.

A Modern Integrated Cloud Email Security Solution Is Required to Defend Against Modern Attacks

Thousands of enterprises, large and small, assess the efficacy of their SEGs to block advanced modern attacks through Abnormal’s email security risk assessment. We have found that SEGs only block approximately 17% of all attacks blocked by Abnormal! This clearly indicates that a modern email security solution is required to defend against modern email attacks with high efficacy.

Abnormal’s modern integrated cloud email security solution has been developed using:

  1. Native API integrations and cloud-based architecture
  2. A behavioral approach that baselines known good and detects anomalies with high precision
  3. Machine learning models to build federated user and supply chain graphs for rich context
  4. Natural language processing and natural language understanding models, image recognition, and more to perform precise tone and content analysis
  5. The full power of cloud email platforms by ingesting thousands of signals to augment its own machine learning and AI models


Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.
