
Webinar Recap: Blocking the Advanced Attacks Your SEG Never Could

April 21, 2022

High-impact email attacks are on the rise. Your organization has a 25% chance of receiving a supply chain compromise attack in any given week, and 75% of companies have already experienced an account takeover.

Here’s the worst part: if you’re relying on a secure email gateway (SEG) to protect your organization, you likely have a false sense of security. SEGs were built to protect on-premises email environments by blocking traditional attacks that carry known indicators of compromise (IOCs). But modern cybercriminals are launching attacks that carry no such IOCs, and more organizations adopt cloud-based email every day.

I recently co-hosted a webinar with Hunter Hogan, Digital Technical Specialist at Microsoft, about the new generation of advanced attacks and the inability of legacy solutions to mitigate them. Here are a few key takeaways.

The Evolution of the Email Threat Landscape

Malicious emails have been around for more than three decades, nearly as long as email itself. The first iteration of email attacks relied primarily on low- to mid-value, low- to mid-impact tactics like spam. Threat actors would target a large number of people and get paid for each click on the spam email. Unfortunately for the cybercriminals, email security providers recognized these patterns and developed technology that could effectively detect and block spam.

In response, cybercriminals transitioned to sending emails with malicious links and/or malicious attachments, which allowed them to compromise the recipient’s network and steal valuable data. But, starting in the early 2000s, organizations could rely on their SEGs to block most of these attacks, reducing the return on investment for attackers to the point that it was no longer lucrative.

Now, threat actors have shifted their strategies once more, using never-before-seen URLs and malware and executing text-based social engineering attacks that focus on compromising people, rather than networks. Free of traditional IOCs, these high-value, high-impact campaigns are nearly impossible for traditional email security solutions to detect and yield a substantial ROI for cybercriminals.

While spam, graymail, and generic phishing emails still exist, advanced email attacks such as business email compromise, supply chain compromise, ransomware, and account takeover are becoming increasingly common. For example, between 2020 and 2021, Abnormal observed a 300% year-over-year surge in ransomware payments.

Plus, not only are these modern attacks becoming more pervasive, the ensuing losses are growing. The 2021 Internet Crime Report from the FBI Internet Crime Complaint Center (IC3) revealed that cybercrime loss from business email compromise amounted to $2.4 billion last year.

Common Email Security Challenges

In addition to cybercriminals executing more sophisticated attacks, Hogan explained a few other reasons organizations are struggling to defend themselves.

First, the volume of threat signals that security teams have to consume is overwhelming. Turning those signals into actionable insights requires extensive correlation, which is time-consuming and expensive.

Second, many organizations don’t have a unified cybersecurity tech stack, which causes inefficiencies and inconsistencies. “Stitching together expensive siloed tools can lead to gaps in coverage, limited visibility, and fragmented experiences,” said Hogan.

Finally, attack services have become considerably more accessible and affordable over the past decade. “Essentially, if you have access to a computer with an internet connection and the ability to convert fiat currency to cryptocurrency to make a purchase from a bad actor, the average person could launch their own cyberattack,” said Hogan.

Why Modern Email Attacks Evade Secure Email Gateways

For years, secure email gateways were effective in filtering malicious emails because the vast majority of organizations used on-premises email environments and cybercriminals followed the same recognizable attack formula. But now, when 70% of organizations have adopted cloud email solutions and threat actors are constantly introducing new tactics, SEGs fall short for three main reasons.

Legacy Architecture

SEGs have a legacy architecture that is neither cloud-native nor integrated with Microsoft 365 through native APIs. As a result, a SEG can only observe and block attacks that pass through the ingress-egress external mail flow, also called north-south traffic: mail entering or leaving the organization.

Without the ability to see east-west traffic (mail exchanged between internal users), a secure email gateway has no visibility into internal email patterns or the contextual signals that are essential to stopping modern attacks, which often originate from the inside, such as from an already-compromised employee account.

Outdated Approach

SEGs rely on the concept of known bad: if an organization can identify patterns of past suspicious emails, such as ones sent from a bad IP address or an untrusted domain, it can flag future attacks that match those criteria. The problem is that a rules- and policies-based system triggered only by known threats has a fundamental flaw. In today’s evolving threat landscape, a novel attack often has no “known bad” to latch onto.

For example, what happens when the attack originates from a newly created account on a trusted domain? Because SEGs only look for known IOCs, they can’t defend against never-before-seen attacks.
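To make the difference concrete, here is an added example that is not code from the webinar or from Abnormal’s product: a toy “known bad” gateway check placed beside a toy “known good” baseline check. The sender addresses, IPs, domains, and recipient history are all constructed; the attack message comes from a fresh account on a hypothetical trusted free-mail domain (mail.example), with a clean IP and the display name of a real contact.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not code from the webinar or from Abnormal's product: a toy
# "known bad" gateway check beside a toy "known good" baseline check.
# Every address, IP, domain and history entry below is constructed.


@dataclass(frozen=True)
class Message:
    sender_addr: str
    sender_name: str   # display name as it appears in the From header
    sender_ip: str
    recipient: str


# Constructed threat-intel lists standing in for what a SEG consumes.
BAD_IPS = {"203.0.113.7"}                     # TEST-NET-3 address
UNTRUSTED_DOMAINS = {"evil-invoices.example"}


def seg_verdict(msg: Message) -> str:
    """Known-bad logic: block only when a previously seen indicator matches."""
    domain = msg.sender_addr.rsplit("@", 1)[-1].casefold()
    if msg.sender_ip in BAD_IPS or domain in UNTRUSTED_DOMAINS:
        return "block"
    return "deliver"


def baseline_verdict(msg: Message, history: dict[str, dict[str, str]]) -> str:
    """Known-good logic: compare the sender against what the recipient has
    seen before.  `history` maps recipient -> {sender address: display name}.
    Returns 'deliver' for a known pair, 'block' when a first-seen address
    reuses the display name of a known contact (display-name impersonation),
    and 'review' for any other first-seen sender."""
    known = history.get(msg.recipient.casefold(), {})
    addr = msg.sender_addr.casefold()
    if addr in known:
        return "deliver"
    name = " ".join(msg.sender_name.split()).casefold()
    for known_addr, known_name in known.items():
        if " ".join(known_name.split()).casefold() == name:
            return f"block: display name matches known contact {known_addr}"
    return "review: first-seen sender"


# Constructed baseline: what finance@ has historically received.
HISTORY = {
    "finance@corp.example": {
        "cfo@corp.example": "Dana Patel",
        "billing@vendor.example": "Vendor Billing",
    }
}

# Constructed attack: a fresh account on a hypothetical trusted free-mail
# domain, a clean IP, but the display name of the real CFO.
ATTACK = Message(
    sender_addr="dana.patel.cfo@mail.example",
    sender_name="Dana Patel",
    sender_ip="198.51.100.23",   # TEST-NET-2, not on any list
    recipient="finance@corp.example",
)


def compare(msg: Message) -> tuple[str, str]:
    """Both verdicts for one message, for side-by-side inspection."""
    return seg_verdict(msg), baseline_verdict(msg, HISTORY)


if __name__ == "__main__":
    print(compare(ATTACK))
```

The gateway check delivers the attack because nothing about it has been seen before; the baseline check blocks it precisely because nothing about it has been seen before while the display name has. In a real deployment the baseline would be learned from mail history rather than hard-coded, and first-seen senders with no impersonation signal would be weighed with other context rather than sent straight to review.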

Limited Cloud Email Integration

Within the Microsoft 365 platform, there are thousands of context-rich signals such as sign-in events and compromised accounts that can be used to detect suspicious behavior. However, due to the shortcomings of its architecture and approach, a secure email gateway is unable to leverage these signals.

Say an employee who usually signs in from San Francisco tries to sign in from the Netherlands. After multiple failed login attempts, the same employee is suddenly trying to sign in from New York and then successfully logs in. A burst of failures from one unusual location followed by a success from another, with no plausible travel time in between, is a critical signal of a potential account takeover, and a SEG would miss it because it cannot ingest and correlate these sign-in events.
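The following is an added example, not code from the webinar, Microsoft, or Abnormal, of the kind of correlation a SEG cannot perform: it walks a user’s sign-in events in time order and flags two patterns, a burst of failures away from the user’s usual city followed by a success, and two successes whose implied travel speed is physically impossible. The sign-in records, coordinates, usual-city mapping, and thresholds (three failures within an hour, 900 km/h) are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Added example, not code from the webinar, Microsoft or Abnormal: correlating
# per-user sign-in events to surface the pattern described above.  Sign-in
# records, coordinates and thresholds are constructed for illustration.


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    success: bool


def km_between(a: SignIn, b: SignIn) -> float:
    """Great-circle distance in km between two sign-in locations (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyse(events, home_city, fail_threshold=3, window=timedelta(hours=1), max_kmh=900.0):
    """Return findings as (kind, user, detail) tuples.

    'failed_burst_then_success': at least `fail_threshold` failures, some of them
      away from the user's usual city, inside `window` before a success.
    'impossible_travel': two successive successes whose implied speed exceeds
      `max_kmh` (also fires for distinct cities at the same instant).
    `home_city` maps user -> usual sign-in city; in practice this comes from a
    learned baseline, here it is supplied directly (assumption)."""
    findings = []
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    for user, seq in by_user.items():
        last_success = None
        failures: list[SignIn] = []
        for e in seq:
            if not e.success:
                failures.append(e)
                continue
            recent = [f for f in failures if e.when - f.when <= window]
            away = sorted({f.city for f in recent if f.city != home_city.get(user)})
            if len(recent) >= fail_threshold and away:
                findings.append((
                    "failed_burst_then_success", user,
                    f"{len(recent)} failures from {', '.join(away)} then success from {e.city}",
                ))
            if last_success is not None:
                hours = (e.when - last_success.when).total_seconds() / 3600
                km = km_between(last_success, e)
                if km > max_kmh * hours:
                    findings.append((
                        "impossible_travel", user,
                        f"{last_success.city} -> {e.city}: {km:.0f} km in {hours:.1f} h",
                    ))
            last_success = e
            failures = []
    return findings


def t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2022-04-21T{hhmm}:00")


# Constructed locations (approximate city coordinates) and sign-in log.
SF = ("San Francisco", 37.77, -122.42)
AMS = ("Amsterdam", 52.37, 4.90)
NYC = ("New York", 40.71, -74.01)

SAMPLE = [
    SignIn("alice", t("09:00"), *SF, True),
    SignIn("alice", t("10:00"), *AMS, False),
    SignIn("alice", t("10:02"), *AMS, False),
    SignIn("alice", t("10:04"), *AMS, False),
    SignIn("alice", t("10:20"), *NYC, True),
    SignIn("bob", t("09:00"), *SF, True),
    SignIn("bob", t("17:00"), *SF, True),
]
HOME = {"alice": "San Francisco", "bob": "San Francisco"}

if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE, HOME):
        print(kind, user, detail)
```

For alice both findings fire on the New York success: the three Amsterdam failures fall inside the window, and the roughly 4,100 km from San Francisco in eighty minutes implies a speed no flight achieves. Bob’s two San Francisco logins eight hours apart produce nothing. The signals that make this possible (failure counts, geolocation, timing) live in the identity platform’s sign-in log, not in the SMTP stream a gateway sees.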

Clearly, enterprises need to consider a new approach to email security that includes native cloud email protection and integrated cloud email security. Gartner reports that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a SEG.

Stopping the Full Spectrum of Email Attacks

Ultimately, the goal for organizations of any size is to achieve a security posture that ensures the company is protected from all types of email attacks—from the simplest spam to the most sophisticated account takeover. That just isn’t possible with a secure email gateway.

In fact, if you’re currently using a SEG with Microsoft Office 365, there’s a good chance you’re not reaping the full benefits of Microsoft’s built-in email security capabilities. We’ve often had customers tell us the SEG vendor has requested they disable certain features within the Microsoft platform, marginalizing the efficacy of a solution they’ve already paid for.

Further, during our risk assessments, we’ve found that SEGs block only about 17% of the attacks that Abnormal does. Without the right technology, more than 80% of malicious emails are delivered to your employees’ inboxes, putting you at risk of costly cybercrime.

But with Microsoft Defender for Office 365 and Abnormal, you receive comprehensive, defense-in-depth protection. Microsoft Defender for Office 365 identifies known bad as well as similar to known bad, while Abnormal models known good to identify anomalies. Together, the two solutions keep malicious emails from ever making it to employee inboxes.

Learn Even More About Microsoft and Abnormal

Hunter and I discussed so many great topics in the webinar that a single blog post isn’t enough to cover them all. If you’d like to learn about:

  • The four-phase approach Microsoft takes to threat protection

  • The three key elements of Abnormal’s integrated cloud email security solution

  • How Microsoft and Abnormal work together to keep your organization safe

Then we invite you to watch the recording here!
