Why do legacy email gateways fail against modern impersonation attacks?

Legacy gateways are strongest against known malicious content, but impersonation attacks often use clean language, legitimate infrastructure, and human timing. That means the message can look harmless while the request is fraudulent, so organisations need behavioural detection and workflow controls, not just content filtering.

Why This Matters for Security Teams

Legacy email gateways are built to score content, reputation, and known-bad indicators, but impersonation attacks exploit trust signals that are much harder to filter. A message can be syntactically clean, sent from legitimate infrastructure, and timed to match an expected workflow. That is why modern attacks increasingly bypass the “malicious attachment” model and succeed through urgency, authority, and business context rather than obvious malware. NHI Management Group has documented how identity-centric abuse repeatedly outpaces perimeter assumptions in The 52 NHI breaches Report. The same pattern appears in AI-enabled social engineering, where adversaries adapt language and timing faster than static filters can learn. CISA’s cyber threat advisories continue to emphasise that defenders must look beyond payload inspection and focus on authenticated context, user behaviour, and downstream actions. In practice, many security teams discover impersonation only after finance, HR, or executive workflows have already been manipulated, rather than through intentional detection design.

How It Works in Practice

Modern impersonation campaigns succeed because the message is only one part of the attack chain. The real objective is to push a person or workflow into making a trusted action, such as changing payment details, approving MFA resets, or sharing a sensitive file. A gateway may see no malicious link, no weaponised attachment, and no obvious spoofing if the sender infrastructure is clean. That leaves the attack to be judged by context the gateway often does not have.

Effective defence shifts from content filtering to layered verification and workflow friction. Current guidance suggests organisations should combine:

  • Sender authentication controls such as DMARC, SPF, and DKIM, while recognising that these do not stop lookalike domains or trusted-account compromise.
  • Behavioural analysis that looks for unusual urgency, payment changes, vendor banking edits, and requests outside normal thread history.
  • Step-up verification for high-risk requests, especially those involving payments, credentials, or data export.
  • Out-of-band confirmation and approval paths for executive, procurement, and payroll workflows.
  • Monitoring for account takeover signals so the gateway is not the only control making trust decisions.

This matters because impersonation often rides on legitimate identity, not malicious code. The same operational lesson appears in NHIMG’s Top 10 NHI Issues, where trust in credentials and identity context matters more than payload inspection alone. MITRE’s ATLAS adversarial AI threat matrix is also useful for understanding how adversaries adapt tactics, including language and targeting, to evade static controls. These controls tend to break down when an attacker already controls a legitimate mailbox or can mimic an approved business process, because the gateway has no reliable way to distinguish a valid-looking request from a fraudulent one.
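As an added illustration of the layered controls listed above (this is example code, not code from NHIMG or the original article), the following Python triage function combines sender authentication, lookalike-domain detection, banking-change language and thread history, and routes any banking-detail change to out-of-band verification even when DMARC passes, which is the compromised-real-account case a gateway alone cannot see. The vendor domains, header values and message bodies are constructed assumptions.

```python
import re
from dataclasses import dataclass
# Constructed vendor allow-list; a real deployment would take this from the vendor master record.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}
BANKING_CHANGE = re.compile(r"\b(new|updated?|changed?)\b.{0,30}\b(bank|account|routing|iban|payment)\b", re.I)

@dataclass
class Message:
    sender_domain: str
    auth_results: str      # raw Authentication-Results header value
    body: str
    in_known_thread: bool  # sender already has history in this conversation

def dmarc_passed(auth_results: str) -> bool:
    return re.search(r"\bdmarc=pass\b", auth_results, re.I) is not None

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, known: set):
    # Within two edits of a known vendor domain but not equal to it (e.g. one swapped character)
    for k in known:
        if domain != k and edit_distance(domain.lower(), k.lower()) <= 2:
            return k
    return None

def assess(msg: Message) -> dict:
    reasons = []
    if not dmarc_passed(msg.auth_results):
        reasons.append("dmarc not passed")
    if (twin := lookalike_of(msg.sender_domain, KNOWN_VENDOR_DOMAINS)):
        reasons.append(f"lookalike of {twin}")
    if BANKING_CHANGE.search(msg.body):
        reasons.append("banking detail change requested")
    if not msg.in_known_thread:
        reasons.append("no prior thread history")
    # Workflow control: a banking change always needs out-of-band confirmation, even when DMARC passes.
    if "banking detail change requested" in reasons:
        action = "hold for out-of-band verification"
    elif twin or not dmarc_passed(msg.auth_results):
        action = "quarantine for review"
    else:
        action = "deliver with warning banner" if reasons else "deliver"
    return {"action": action, "reasons": reasons}
```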

Common Variations and Edge Cases

Tighter email control often increases operational friction, requiring organisations to balance fraud resistance against user disruption. That tradeoff is especially visible in environments with high-volume vendor traffic, shared mailboxes, or outsourced finance operations, where legitimate exceptions are common and rigid policy can slow the business.

Best practice is evolving here. There is no universal standard for detecting every impersonation attempt at the gateway layer, so teams should treat gateway filtering as a first pass, not a control boundary. A few edge cases deserve special attention:

  • Business email compromise from compromised real accounts, where authentication passes and the message appears normal.
  • Thread hijacking, where attackers insert themselves into an existing conversation and inherit trust from the original exchange.
  • Executive impersonation, where urgency and hierarchy are used to suppress scrutiny even when the email is technically clean.
  • Third-party and supplier fraud, where the request is socially plausible but operationally abnormal.

NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks shows why identity abuse is hard to stop once trust is granted, and the same logic applies to impersonation in email workflows. For teams building a more resilient programme, the practical answer is to pair detection with approval controls, anomaly review, and rapid revocation paths. That approach aligns with the operational reality highlighted in the DeepSeek breach, where trust boundaries were not the same thing as security boundaries. In highly decentralised organisations, these controls tend to break down because no single team owns the full approval chain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • NIST CSF 2.0, PR.AC-4: Impersonation abuses access trust and approval paths, not just message content.
  • OWASP Non-Human Identity Top 10, NHI-01: Identity spoofing and secret misuse mirror NHI trust failures in email workflows.
  • NIST AI RMF: AI-enabled impersonation requires ongoing risk monitoring and governance.

Treat authenticated context and credential protection as part of impersonation defence.