By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Florida Crystals said advanced email attacks were slipping past its existing defenses, and that replacing its SEG with Abnormal reduced email security costs by 40% while stopping a BEC attack during the proof of value, according to Abnormal AI. The lesson is that email controls must be judged on attack interception and operational fit, not on whether they preserve legacy architecture.


At a glance

What this is: This webinar case study says Florida Crystals moved away from a traditional secure email gateway after advanced attacks bypassed it and claims the change improved both security and cost efficiency.

Why it matters: It matters because email remains a frontline control point for human identity abuse, phishing, and business email compromise, and IAM teams need to understand when legacy detection models no longer match the threat.

By the numbers:

Watch Abnormal AI's webinar on Florida Crystals' SEG replacement and BEC defence


Context

Email security often fails when it relies too heavily on static gateway-era assumptions about what a malicious message looks like. In this case, the primary issue was not email volume, but the ability of advanced attacks to move past existing defenses and reach users.

For identity and access teams, that creates a governance problem as much as a detection problem. When business email compromise succeeds, the control failure is usually not one weak control in isolation, but a mismatch between attack technique and the organisation's actual email security model.


Key questions

Q: How should security teams reduce business email compromise risk beyond secure email gateways?

A: They should add controls that operate after delivery and after user interaction, because BEC usually succeeds by exploiting trust and workflow, not by delivering obvious malware. That means mailbox monitoring, identity-aware verification for financial requests, and escalation paths that do not depend on a single email being trusted. The strongest programmes treat email as an identity and process problem, not just a filtering problem.

Q: Why do traditional email gateways miss some advanced email attacks?

A: Traditional gateways are built to detect known-bad content, infrastructure, and attachment patterns. They struggle when the message is socially engineered, uses legitimate-looking language, or does not contain a malicious payload at all. In those cases, the attack succeeds through trust manipulation and process abuse rather than through malware delivery, which leaves signature-based inspection with very limited coverage.

Q: What should organisations measure when evaluating modern email security controls?

A: They should measure how quickly the team can detect and contain real abuse, not just how much mail gets blocked. Useful signals include false-positive volume, time to triage, the ability to spot mailbox compromise, and whether the control supports investigations without overwhelming analysts. If the team cannot act fast enough, the control is too noisy or too shallow to be effective.

Q: Who is accountable when a BEC attack succeeds through a trusted mailbox?

A: Accountability sits across email security, identity governance, and the business process that approved the action. If the organisation allowed a payment or account change to proceed without secondary verification, the failure is not only technical. Teams need a defined owner for mailbox compromise response, workflow verification, and fraud escalation before the attack reaches completion.


Background and context

Why secure email gateways miss modern email attacks

Traditional secure email gateways inspect inbound mail using reputation, signatures, attachment rules, and pattern matching. That model works best when attackers reuse obvious infrastructure or payloads, but it degrades against socially engineered messages, impersonation, and low-and-slow campaigns that look legitimate at delivery time. Once a message is delivered, the SEG has little visibility into user interaction, follow-on compromise, or the live business context that makes BEC effective. The core architectural limitation is that perimeter filtering does not equal behavioural detection across the mailbox and identity layers.

Practical implication: measure email security on post-delivery detection and response, not on gateway block rates alone.

How BEC survives layered defenses

Business email compromise succeeds because it targets trust relationships, not malware. Attackers impersonate executives, suppliers, or internal staff and rely on urgency, routine payment workflows, or account takeover to bypass user suspicion. In many environments, the attacker never needs a malicious attachment or link, which leaves content-based controls blind. The more routine and well-established the organisation's payment and vendor workflows are, the easier this becomes when the verification steps inside them are weak or informal. This is why email security and identity governance overlap: mailbox compromise is often an identity event before it becomes a financial one.

Practical implication: tie payment approvals, vendor changes, and mailbox monitoring to explicit verification and escalation paths.

Why productivity becomes a security metric in email defence

The case also shows that email security tooling affects operational load, not just threat coverage. If analysts spend too much time triaging benign mail or chasing noisy alerts, their ability to investigate real attacks drops. Productivity here is not a soft metric. It determines how quickly the team can confirm incidents, stop active compromise, and maintain coverage as attack volume changes. Security programmes that ignore this end up with controls that are technically present but operationally thin.

Practical implication: evaluate mailbox controls by analyst workload, investigation speed, and time to contain active abuse.


NHI Mgmt Group analysis

Legacy SEG assumptions collapse when the attacker no longer needs obvious malicious content. Secure email gateways were designed for a world where threat filtering could depend on signatures, attachments, and known-bad infrastructure. That assumption fails when the attacker uses impersonation, workflow abuse, and message content that looks routine to the filter. The implication is that email security programmes need to be judged against attacker behaviour, not against the lifespan of the gateway model.

Business email compromise is an identity failure before it is an email failure. Once a message reaches a user, the real question is whether the organisation has enough identity-aware process controls to resist trust manipulation. Payment approvals, vendor updates, mailbox access, and escalation paths all become part of the control surface. Practitioners should treat email security and identity governance as one operating problem, not two separate teams.

Productivity is part of control efficacy, not a separate convenience metric. If a security stack increases false positives or slows triage, the organisation loses defensive capacity even if the control looks stronger on paper. That is particularly true for inbox-based attack response, where speed determines whether the team can stop active abuse before it spreads. The practical conclusion is that control value must be measured in containment capacity, not tooling density.

Email security modernization is a runtime detection problem, not a procurement story. Replacing one gateway with another only matters if the new model sees the attack types the old one missed. The field should stop treating this as a simple architecture swap and instead focus on what telemetry is visible after delivery, how quickly abuse is detected, and where identity verification still fails.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap aligns with the governance challenge exposed here, and the NHI Lifecycle Management Guide helps teams close the lifecycle gap that attackers often exploit.

What this signals

SEG replacement is a signal that email defence is shifting from perimeter filtering to identity-aware detection. Teams that still treat inbox security as a static gateway problem will keep missing the behavioural layer where BEC, impersonation, and trust abuse actually happen. The practical shift is toward controls that can see mailbox context, user actions, and downstream workflow risk, not just message content.

Confidence in NHI and identity controls is still too low for the rate at which trust-based attacks evolve. When organisations cannot clearly see third-party access pathways, they also struggle to understand how a compromised mailbox can become a broader identity event. That is why email security programmes increasingly need to align with the Ultimate Guide to NHIs, Key Challenges and Risks, and other identity governance resources.

The next maturity step is not another gateway layer but a clearer operating model for mailbox abuse response, workflow verification, and fraud containment. Teams that separate these responsibilities will keep discovering that the technical control is present while the business loss still slips through.


For practitioners

  • Map email attack paths to identity-dependent workflows: Identify where mailbox compromise, impersonation, and vendor-change requests can trigger payment or access decisions without secondary verification. Prioritise the workflows that turn email trust into business loss.
  • Test controls against post-delivery abuse: Run exercises that assume the message reaches the mailbox and ask whether the organisation can still detect suspicious replies, forwarding rules, payment redirection, or account takeover indicators.
  • Measure analyst capacity as a security control: Track triage time, false-positive load, and the number of incidents the team can investigate before attacker activity completes. A control that overwhelms the team is not effective in practice.
  • Reassess SEG dependence for high-risk user groups: Review whether executives, finance teams, and supplier-facing staff need controls that look beyond inbox filtering, including behavioural detection and stronger verification for sensitive requests.
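As an added example (not code from the webinar, Abnormal AI or Florida Crystals), the post-delivery checks in the second bullet run over a constructed mailbox audit log: it flags new inbox rules that forward mail outside the organisation, rules that hide finance-related mail from the victim, and rules created shortly after a sign-in from an unusual country. The event layout, the tenant domain example.com, and the usual-country baseline are assumptions made for the example.

```python
# Post-delivery detection over constructed mailbox audit events (example code, not a
# vendor's schema or product). Flags three BEC indicators: a new inbox rule that forwards
# mail outside the organisation, a rule that hides finance-related mail from the victim,
# and a rule created within a day of a sign-in from outside the user's usual countries.
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"            # assumed tenant domain
FINANCE_TERMS = ("invoice", "payment", "wire", "remittance", "bank")
USUAL_COUNTRIES = {"cfo@example.com": {"US"}, "ap@example.com": {"US"}, "hr@example.com": {"US", "CA"}}
LOGIN_WINDOW = timedelta(hours=24)
# Constructed sample events with ISO 8601 timestamps; not real telemetry.
EVENTS = [
    {"ts": "2026-06-01T08:02:11", "user": "cfo@example.com", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2026-06-01T08:05:40", "user": "cfo@example.com", "op": "New-InboxRule",
     "forward_to": "cfo.backup@mail.invalid", "delete": False, "subject_contains": []},
    {"ts": "2026-06-02T13:10:02", "user": "ap@example.com", "op": "New-InboxRule",
     "forward_to": None, "delete": True, "subject_contains": ["Invoice", "payment"]},
    {"ts": "2026-06-03T08:50:00", "user": "hr@example.com", "op": "UserLoggedIn", "country": "CA"},
    {"ts": "2026-06-03T09:00:00", "user": "hr@example.com", "op": "New-InboxRule",
     "forward_to": "travel-desk@example.com", "delete": False, "subject_contains": ["itinerary"]},
]

def is_external(address):
    return bool(address) and not address.lower().endswith("@" + INTERNAL_DOMAIN)

def rule_findings(rule, prior_events):
    """Indicator names tripped by one New-InboxRule event, given the events before it."""
    findings = []
    if is_external(rule.get("forward_to")):
        findings.append("external_forward")
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    if rule.get("delete") and any(t in s for s in subjects for t in FINANCE_TERMS):
        findings.append("finance_mail_hidden")   # attacker hides the hijacked thread
    when = datetime.fromisoformat(rule["ts"])
    for ev in prior_events:   # account-takeover context: unusual login just before the rule
        if (ev["op"] == "UserLoggedIn" and ev["user"] == rule["user"]
                and ev["country"] not in USUAL_COUNTRIES.get(ev["user"], set())
                and when - datetime.fromisoformat(ev["ts"]) <= LOGIN_WINDOW):
            findings.append("rule_after_unusual_login")
            break
    return findings

def detect(events):
    """Return {user: [indicator, ...]} for users whose inbox-rule events trip any indicator."""
    out = {}
    for i, ev in enumerate(events):
        if ev["op"] == "New-InboxRule" and (found := rule_findings(ev, events[:i])):
            out.setdefault(ev["user"], []).extend(found)
    return out
```

Run against the sample, `detect(EVENTS)` flags the CFO mailbox for an external forward created minutes after an unusual login and the accounts-payable mailbox for a rule deleting invoice and payment mail, while the HR travel rule is left alone.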

Key takeaways

  • The core issue is not just email filtering, but the gap between modern attack techniques and legacy SEG assumptions.
  • Abnormal AI says Florida Crystals cut email security costs by 40% while stopping an active BEC attack during evaluation.
  • Practitioners should measure email security by containment speed, identity-aware verification, and real post-delivery detection coverage.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-1 | Email trust abuse affects authentication and verification decisions.
NIST Zero Trust (SP 800-207) | PR.AC-3 | Zero trust requires continuous verification beyond inbox delivery.
NIST SP 800-63 | | BEC often exploits weak identity proofing and social trust, not just mail controls.

Map mailbox abuse response to identity assurance and verification steps before approving sensitive actions.


Key terms

  • Secure Email Gateway: A secure email gateway is a control layer that filters incoming and outgoing email before it reaches users or leaves the organisation. It typically relies on reputation, signatures, policy checks, and attachment inspection, which makes it effective against known bad patterns but weaker against socially engineered abuse and post-delivery misuse.
  • Business Email Compromise: Business email compromise is a form of fraud where attackers use trusted or compromised email channels to redirect payments, request sensitive actions, or impersonate legitimate parties. The attack succeeds by manipulating process and trust, so the real control problem is often identity verification and workflow governance rather than message filtering alone.
  • Post-delivery detection: Post-delivery detection is the ability to identify malicious or risky email activity after a message has reached a mailbox. It matters because many modern attacks are not obvious at delivery time, so defenders need telemetry from user interaction, mailbox rules, and account behaviour to spot abuse before business impact occurs.
  • Mailbox compromise: Mailbox compromise occurs when an attacker gains control of an email account or can act within it as if they were the legitimate user. In identity terms, it turns email into an abuse channel for fraud, lateral trust exploitation, and policy bypass unless the organisation can detect and contain the takeover quickly.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Bucking Tradition: How Florida Crystals Ditched the SEG to Improve Email Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org