By NHI Mgmt Group Editorial Team
Published 2025-10-31
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Email security remains a high-risk identity problem, with the FBI reporting $2.8 billion in business email compromise losses in 2024 and API-based models detecting 665 advanced threats monthly that SEGs miss, according to Abnormal AI. The governance shift is from inbox filtering to behavioural visibility, because attack paths increasingly exploit compromised accounts and internal mail flows.


At a glance

What this is: This analysis compares secure email gateways, inline APIs, and pure API architectures, finding that broader behavioural context matters more than inbox-only inspection for modern email threats.

Why it matters: It matters because email now sits at the intersection of human identity, account takeover, and NHI-adjacent automation, so IAM teams need visibility and response models that match how attackers actually move.

By the numbers:

👉 Read Abnormal AI's analysis of SEG, inline API, and pure API email security


Context

Email security still fails when teams treat the inbox as the only control point. Business email compromise, impersonation, and account takeover often unfold through identity signals that a gateway cannot see, especially once an attacker is already inside the tenant or moving laterally through internal mail.

The real decision is architectural: whether detection is based on message content alone, or on behavioural and historical context across users, vendors, and applications. That choice affects how well security, IAM, and SOC teams can spot identity abuse before it turns into fraud or broader compromise.


Key questions

Q: How should security teams handle email attacks that come from trusted accounts?

A: They should treat them as identity abuse, not just malicious content. The right response is to combine mailbox telemetry, communication history, and account risk signals so detections can recognise when a legitimate sender is behaving abnormally. Content-only controls will miss many of these cases because the email itself may look ordinary.

Q: When does a secure email gateway stop being enough?

A: A gateway becomes insufficient when the main risk is account takeover, internal-to-internal abuse, or vendor impersonation rather than spam and obvious malware. At that point, the control problem is behavioural trust, not simple message hygiene. Organisations need visibility into how identities normally communicate, not just what they send.

Q: What do teams get wrong about inline email security APIs?

A: They often assume more inline inspection automatically means better security. In practice, inline APIs can duplicate native controls, add routing complexity, and still lack the broader behavioural context needed for sophisticated attacks. The question is not whether a tool sits inline, but whether it adds genuinely new detection value.

Q: How can organisations reduce business email compromise risk without disrupting mail flow?

A: They should prefer architectures that analyse messages asynchronously and can remediate threats after delivery without rerouting mail. That approach preserves delivery reliability while adding richer context for detection and response. The goal is to reduce fraud risk without creating operational friction for users or the mail platform.


Technical breakdown

Why secure email gateways miss identity-driven attacks

Secure email gateways inspect mail in transit and make decisions using message-level signals such as sender reputation, URLs, attachments, and headers. That works well for spam and known malicious payloads, but it leaves little room for identity context, relationship history, or post-compromise behaviour. When attackers use trusted accounts, conversation hijacking, or internal-to-internal messaging, the gateway often sees only legitimate-looking mail. The result is a control that is strong at hygiene but weak at recognising abuse that looks normal in content and delivery path.

Practical implication: treat SEGs as a baseline filter, not a complete control for identity-led email abuse.

Inline APIs versus pure API detection

Inline APIs extend inspection into cloud email flow, but they still decide during delivery and often rely on fixed rules, sandboxing, and connector logic. That can introduce latency, mail-flow risk, and duplicate functionality already handled by native controls. Pure API architectures take a different approach: they analyse messages asynchronously inside the mailbox environment, correlating behavioural, identity, and historical signals across the tenant. That model is better suited to sophisticated attacks because it can identify patterns across communication graphs rather than only scanning the payload in motion.

Practical implication: evaluate whether your deployment model preserves mail flow reliability while adding genuinely new detection context.

Behavioural context as the real detection advantage

The key technical difference is not simply where analysis happens, but what data is available when the verdict is made. Behavioural models can compare sender-recipient history, message tone shifts, vendor relationships, and account activity to surface anomalies that static filters miss. This is especially relevant in cloud email, where compromised identities can produce perfectly valid messages that are still malicious in context. The strongest detections come from combining mailbox telemetry with identity and historical patterns, not from trying to squeeze more value out of message content alone.

Practical implication: prioritise architectures that can correlate mailbox telemetry with identity and communication history.
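As an added example (not code from this page or from Abnormal AI) of the contrast described above, the following puts a gateway-style content check beside a behavioural check that correlates a message with tenant communication history. The tenant telemetry, the messages, the payment-phrase list and the sending-hour tolerance are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sent-mail telemetry for one tenant: (sender, recipient, sent_at).
HISTORY = [
    ("alice@corp.example", "bob@corp.example", "2025-09-01T09:12:00"),
    ("alice@corp.example", "bob@corp.example", "2025-09-03T10:40:00"),
    ("alice@corp.example", "carol@corp.example", "2025-09-05T14:05:00"),
    ("bob@corp.example", "alice@corp.example", "2025-09-06T11:30:00"),
    ("dave@vendor.example", "finance@corp.example", "2025-09-10T16:00:00"),
]
# Assumed phrases typical of payment-diversion requests (illustrative, not a vendor list).
PAYMENT_TERMS = ("wire", "bank details", "invoice", "urgent payment")

def build_graph(history):
    """Communication graph (sender -> recipient -> count) and per-sender sending hours."""
    graph = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(list)
    for sender, recipient, ts in history:
        graph[sender][recipient] += 1
        hours[sender].append(datetime.fromisoformat(ts).hour)
    return graph, hours

def content_verdict(msg):
    """Gateway-style check: only signals carried by the message itself."""
    return "suspicious" if msg["urls"] or msg["attachments"] else "clean"

def behavioural_verdict(msg, graph, hours, min_reasons=2):
    """Pure-API-style check: correlate the message with tenant history."""
    sender, recipient = msg["from"], msg["to"]
    reasons = []
    if graph[sender][recipient] == 0:
        reasons.append("no prior sender->recipient history")
    sent_hour = datetime.fromisoformat(msg["sent_at"]).hour
    usual = hours[sender]
    # Assumed tolerance: two hours either side of the sender's observed range.
    if usual and not (min(usual) - 2 <= sent_hour <= max(usual) + 2):
        reasons.append("outside sender's usual sending hours")
    if any(term in msg["body"].lower() for term in PAYMENT_TERMS):
        reasons.append("payment-change language")
    return ("flag" if len(reasons) >= min_reasons else "clean"), reasons

# Constructed message from an internal account with no URLs or attachments.
SUSPECT = {"from": "alice@corp.example", "to": "finance@corp.example",
           "sent_at": "2025-09-12T03:15:00", "urls": [], "attachments": [],
           "body": "Please update the vendor bank details and send the wire today."}

if __name__ == "__main__":
    g, h = build_graph(HISTORY)
    print(content_verdict(SUSPECT), behavioural_verdict(SUSPECT, g, h))
```

The content check returns "clean" for the constructed message because nothing in the payload is malicious; the behavioural check flags it on the missing sender-recipient history, the unusual hour and the payment language together.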


Threat narrative

Attacker objective: The attacker wants to abuse trusted communication to deceive users, move funds, or widen access without triggering traditional email controls.

  1. Entry occurs when an attacker gains access through compromised credentials or a trusted account that can send convincing internal email.
  2. Escalation follows as the attacker uses that identity to operate inside existing communication channels, bypassing content-only inspection.
  3. Impact lands as business email compromise, impersonation, or fraudulent payment diversion that the organisation recognises too late.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-led email abuse is no longer a content problem; it is a governance problem. Gateways were designed to judge messages at the perimeter, not to reason over who is speaking, how they normally communicate, and whether a trusted identity has become a fraud vector. That is why internal-to-internal abuse and account takeover keep slipping through legacy email stacks. Practitioners should treat mail security as an identity control surface, not just a filtration layer.

Pure API visibility changes the control question from blocking bad mail to recognising abnormal trust. Once a solution can correlate behavioural, identity, and historical context across the mailbox, the unit of defence shifts from message content to relationship integrity. That is a better fit for attacks that exploit familiarity, vendor trust, and compromised accounts. The practitioner conclusion is that detection quality now depends on context depth, not just delivery-stage enforcement.

Standing trust assumptions collapse when email is used as an authenticated business process. The assumption that a legitimate mailbox sender is a legitimate business actor was designed for stable human communication patterns and limited automation. That assumption fails when attackers inherit accounts, imitate vendors, or weaponise internal routing because the transport layer still sees authorised communication. The implication is that identity assurance and message inspection can no longer be separated in email governance.

Identity blast radius in email is larger than most teams model. A single compromised mailbox can impersonate finance, procurement, HR, or executives without tripping traditional perimeter rules. That makes the downstream blast radius a governance issue, not just a detection issue. Security and IAM teams should measure how far one trusted account can be leveraged across the business before a control reacts.

Automation only helps when it is paired with mailbox-level authority boundaries. The value in asynchronous remediation is not speed alone, but the ability to remove malicious mail without breaking normal flow or waiting for analyst intervention. That matters because modern abuse often happens faster than manual response. Practitioners should treat automated remediation as part of identity defence, not as an email-only convenience.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, followed by inadequate monitoring and logging at 37%.
  • To see how this governance problem scales across real incidents, compare this finding with The 52 NHI breaches Report.

What this signals

Identity visibility is becoming the differentiator in email defence. As more attacks arrive through trusted accounts and internal mail paths, teams that can correlate mailbox behaviour with identity context will outpace those relying on content inspection alone. The operational signal is clear: email security is converging with identity governance, and the stack must reflect that.

72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities. That level of exposure shows why trust decisions cannot stop at the inbox boundary. Security programmes that still separate mail controls from identity telemetry are under-reading their own risk.

Email abuse is increasingly a relationship problem, not just a content problem. The next wave of controls will need to understand sender history, vendor trust patterns, and account behaviour at the same time. Teams that can connect those signals to their broader IAM and SOC workflows will be better positioned to contain fraud before it spreads.


For practitioners

  • Map email controls to identity risk, not just inbox hygiene. Review where your current stack can see internal-to-internal mail, account impersonation, and conversation hijacking. If the answer is mostly at the perimeter, you have an identity visibility gap rather than an alerting gap.
  • Test for behavioural context coverage. Validate whether detections can correlate sender-recipient history, vendor relationships, and message tone shifts across the mailbox. If they cannot, they are likely over-reliant on static content signals.
  • Separate mail flow reliability from detection depth. Assess whether inline routing adds latency, connector complexity, or duplicate controls that increase operational risk. Prefer architectures that improve analysis without forcing mail rerouting or fragile transport changes.
  • Measure the blast radius of a compromised account. Model how many internal workflows a trusted mailbox can influence before a response occurs, including finance approvals, vendor correspondence, and executive impersonation paths.

Key takeaways

  • Email security fails when it only inspects message content and ignores identity behaviour inside the tenant.
  • Behavioural and historical context can expose advanced email threats that gateway-style filtering routinely misses.
  • Practitioners should align email controls with identity governance, mail-flow reliability, and automated remediation capability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.DS-5             | Email controls must preserve trustworthy communications and identity context.
NIST Zero Trust (SP 800-207)    | PR.AC-1             | Trusted account misuse is an access problem requiring continuous verification.
OWASP Non-Human Identity Top 10 | NHI-03              | Compromised mail identities behave like exposed non-human or service credentials.

Map email security monitoring to PR.DS-5 and verify it covers internal abuse patterns.


Key terms

  • Business Email Compromise: Business email compromise is a fraud pattern in which an attacker uses a trusted email identity to manipulate payments, approvals, or sensitive communication. The message often looks legitimate, so the control problem is not spam filtering alone but detecting abnormal use of a trusted account or relationship.
  • Secure Email Gateway: A secure email gateway is an inline mail control that filters messages before they reach the inbox. It is effective for spam, known malware, and policy enforcement, but it has limited visibility into internal mail traffic and little context for identity-driven abuse.
  • Pure API Email Security: Pure API email security connects directly to cloud mail platforms and analyses messages asynchronously after delivery. It can combine mailbox telemetry with identity and behavioural context, which improves detection of account takeover, impersonation, and other attacks that look normal at the message level.

Deepen your knowledge

NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by Abnormal AI: selecting the right email security approach for modern attacks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org