Abstract Violet Corner

SEG: An Outdated Technology Failing in the Face of Modern Email Attacks

As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?

June 17, 2022

In the past decade, there have been two major shifts in the world of email. First, the majority of enterprises have moved from on-premises email servers to cloud email solutions like Microsoft 365 for better employee experience and productivity. According to the 2021 Gartner Market Guide for Email Security, over 70% of enterprises globally have made significant investments in transforming their email infrastructure to the cloud.

The second shift has been in the mindset and tactics of threat actors. Attackers have shifted from traditional email attacks that were low-mid value and low-mid impact (such as spam, campaign phishing, and ransomware based on malicious URLs and downloads) to modern email attacks that are high-value and high-impact, such as business email compromise, supply chain compromise, and advanced ransomware. The shift in the attacker’s mindset is motivated by the fact that modern attacks yield a higher return on their investments.

That these modern attacks are delivering higher ROI for attackers is unfortunately evidenced by the rise in cybercrime losses, as these attack types evade traditional email security solutions like secure email gateways (SEGs). Business email compromise (BEC) cost businesses and consumers over $2.4 billion of the $6.9 billion lost—making up 35% of all losses, as per the 2021 IC3 Internet Crime Report, produced by the FBI.

Financial Losses Attributable to BEC

An Archaic Technology Not Built to Defend Against Modern Attacks

As enterprises globally struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs? The quick and straightforward answer is that the SEGs never evolved to adapt to those two major shifts—i.e., the movement to cloud email platforms and the shift in the attacker's mindset. A more elaborate explanation hinges on three key reasons.

Reason #1: Legacy Architecture

The majority of SEGs are not cloud-native and have limited to no native API integrations with modern cloud email solutions. Instead, they are mired in complex MX record integrations and tangled in a web of draconian rules and policies.

The lack of native API integrations allows them to only observe the ingress-egress external mail flow, often referred to as the north-south traffic. They don’t have the native API integrations with the cloud email providers’ infrastructure to observe east-west traffic. As a result, they have no visibility into internal email patterns and rich contextual signals that are critical to stopping modern attacks—for example, lateral phishing attacks or account-based attacks.

SEG Legacy Architecture

Reason #2: Outdated Approach

SEGs were built to protect against traditional attacks by creating rules and policies to block known threats based on static threat indicators. The outdated approach has been, essentially, “Oh! Here is an email originating from a bad IP address or untrusted domain. Let’s create a rule to block emails from it”.

But what happens when the attack originates from a newly created account on a trusted domain like gmail.com? Or what happens when the attack originates from a trusted third party that has been compromised or is being impersonated? SEGs have no way of detecting these modern and never-before-seen tactics being employed by threat actors.

As a result of relying on this known-bad approach, security teams find themselves on a backfoot when dealing with modern attacks.

SEG Outdated Approach

Reason #3: Lack of Cloud Email Intelligence

The third reason is closely related to the first two. SEGs are not structurally built to leverage rich and contextual signals provided by cloud email platforms (e.g., Microsoft 365 and Google Workspace) due to their architectural shortcomings. They cannot ingest signals like user sign-in events, compromised accounts, or user sign-in locations from email cloud providers.

As an example, let’s take a series of events in which an attacker tries to use a compromised employee account to launch an attack. The attacker impersonating the employee (who generally signs in from New York) tries to sign in from a suspicious location and fails to gain access to the email account. As a next step, the attacker spoofs the IP to a location in the US and after a few failed attempts is able to successfully sign in.

The events trail is rich with information to signal anomalous suspicious activity to an email security solution. However, as SEGs cannot ingest (let alone take advantage of) critical cloud email signals and events like the one mentioned, they miss advanced account-based attacks.

SEG No Native API Integration

When Modern Attacks Get Real and Evade SEGs

Attackers have figured out the formula for launching modern attacks to evade SEGs and extract significant sums of money from enterprises. Below is an example of a vendor impersonation attack on a Fortune 100 company in the financial industry. The company almost fell victim to the attack because its SEG incorrectly determined the email to be a legitimate vendor email.

(We say "almost fell victim" because, in the second part of this story, Abnormal detected and blocked the attack. We will celebrate that win as a security community in a subsequent blog post.)

The impersonated vendor email shown below has all the characteristics of a modern attack—socially-engineered, entirely text-based, no known bad IOCs, and payload-less. It was purposefully crafted to evade an outdated email security solution like the SEG. Let’s take a closer look at the critical misses by the SEG related to this attack.

Real Attack Missed by SEG

Actual email attack missed by a SEG

Miss #1: Relying on Trusted Assumptions

Since the request originates from a known vendor, the SEG did not trigger any warnings or alerts and delivered it to the employee’s inbox. It missed a critical signal that the email had originated from a never-before-seen IP address.

Known Vendor Never Before Seen IP Address

Miss #2: No Relationship Context

The attacker used social engineering and personalization to trick an unsuspecting employee into believing the conversation should be trusted. As SEGs don’t have any relationship context between an organization and their vendors, it misses the fact that John* (names changed to protect customer privacy) from the vendor has never emailed Steve* in accounts payable at this company.

Missed Attack No Relationship Context

Miss #3: No Tone and Content Analysis

SEGs don’t have advanced natural language processing (NLP), natural language understanding (NLU), or computer vision. Because the SEG lacks these capabilities, it fails to detect that a significant amount of funds were being asked to be transferred to a never-before-used bank account. It also misses the tone of the email, which is insinuating a sense of urgency for this transfer and trying to exploit human behavior.

Missed Attack No Tone and Content Analysis

Miss #4: Only Relies on Known-Bad IOCs

Most modern attacks, like this vendor impersonation attack example, are payload-less and text-based. As there are no malicious URLs or file attachments to scan, the text-only email did not trigger any known bad signatures from the SEG, leading it to evaluate the attack email as a legitimate vendor email.

Missed Attack Relying on Known IO Cs

An unsuspecting employee would have fallen victim to this modern email attack, leading to significant monetary losses to the company. Fortunately for this enterprise, at the time of the attack, Abnormal was being evaluated as an email security solution in passive mode. We precisely detected and blocked this attack and, in turn, won the trust of a notable brand as our customer.

A Modern Integrated Cloud Email Security Solution Is Required to Defend Against Modern Attacks

Thousands of enterprises, large and small, assess the efficacy of their SEGs to block advanced modern attacks through Abnormal’s email security risk assessment. We have found that SEGs only block approximately 17% of all attacks blocked by Abnormal! This clearly indicates that a modern email security solution is required to defend against modern email attacks with high efficacy.

Abnormal’s modern integrated cloud email security solution has been developed using:

  1. Native API integrations and cloud-based architecture
  2. A behavioral approach that baselines known good and detects anomalies with high precision
  3. Machine learning models to build federated user and supply chain graphs for rich context
  4. Natural language processing and natural language understanding models, image recognition, and more to perform precise tone and content analysis
  5. The full power of cloud email platforms by ingesting thousands of signals to augment its own machine learning and AI models


Not yet an Abnormal customer? Request a demo today to learn how Abnormal can enhance your email security capabilities and provide visibility into email threats that other solutions miss.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Modern Email Attacks Webinar Series L4 R2
Our Modern Email Attacks series has wrapped! Here are some of the biggest takeaways from Chris Krebs, Troy Hunt, and Theresa Payton.
Read More
B 1500x1500 Gartner Insights L1 R1
See our commitment to providing our customers with the best possible solution and support with these reviews from Gartner® Peer Insights™.
Read More
B 11 14 22 SPM Launch Blog Graphics
Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.
Read More
B 11 14 22 SPM Launch Blog 2
Cloud email platforms enable better collaboration, but they also create new entry points, making sensitive data more accessible to attackers.
Read More
B 1500x1500 Q3 Ransomeware L1 R2
This post explores the continuation of the sharp decline in ransomware attacks as well as a few other notable data points from Q3 2022.
Read More
B 10 05 22 Cloud Email Security Platform Essentials
Learn the 7 key capabilities a cloud email security platform should have in order to address and resolve common email security challenges.
Read More
B 11 07 22 Valimail
Discover the benefits of a modern, best-of-breed solution to email security with Abnormal Security and Valimail’s New Partnership.
Read More
B 11 07 22 Vision 23 Blog
Discover the latest trends in cybersecurity as we look toward the email threats of the future in partnership with SecureWorld.
Read More
B 1500x1500 Crimson Kingsnake L2 R1
Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.
Read More