By NHI Mgmt Group Editorial Team | Published 2026-02-04 | Domain: Governance & Risk | Source: SecurEnds

TL;DR: Secure email gateways still matter because they stop phishing, malware, and spoofing before delivery, but identity-based attacks increasingly bypass mailbox perimeter controls once an account is compromised, according to SecurEnds. The real security problem is not email filtering alone, but whether IAM and lifecycle governance can prevent trusted identities from being abused inside cloud email platforms.


At a glance

What this is: This is an analysis of why secure email gateways remain useful but cannot fully stop identity-driven email attacks on their own.

Why it matters: It matters because IAM, NHI, and human identity teams all have to treat email as an identity control problem, not just a message-filtering problem.

👉 Read SecurEnds' analysis of secure email gateways and identity risk


Context

A secure email gateway is a control layer that inspects inbound and outbound mail before delivery, but it only addresses part of the risk. In cloud-first environments such as Microsoft 365 and Google Workspace, the harder problem is no longer simply filtering hostile messages. It is controlling trusted identities that can send, receive, and exfiltrate data after compromise.

That is why email security now overlaps directly with IAM and identity governance. If an attacker takes over a mailbox, the gateway can no longer distinguish malicious use from legitimate use with the same confidence it had at the perimeter. This is a classic trust-boundary problem, and it becomes sharper when stale accounts, weak lifecycle controls, or overbroad access remain in place.


Key questions

Q: How should security teams use secure email gateways without overrelying on them?

A: Treat the gateway as a perimeter control, not a complete email security programme. Use it to block malicious content before delivery, then add identity monitoring, access reviews, offboarding, and mailbox anomaly detection for attacks that continue after compromise. The goal is layered control, because trusted identities can bypass message-level inspection once they are taken over.

Q: Why do compromised email accounts still create business email compromise risk?

A: Because once an attacker controls a valid mailbox, the messages often look legitimate to users and to some security tools. The attacker no longer needs to impersonate from outside the system. That is why account takeover, delegated access, and lifecycle gaps are the real drivers of business email compromise in cloud email environments.

Q: What breaks when email access reviews are infrequent?

A: Stale accounts, excessive delegation, and orphaned mailboxes remain trusted long after business need changes. That leaves attackers with easier paths to send internal-looking messages, forward data out of the organisation, or abuse shared mailboxes. In practice, infrequent reviews turn email trust into a durable attack surface.

Q: Who is accountable when a secure email gateway misses an identity-led attack?

A: Accountability sits across security operations, IAM, and the business owners who approve access. Gateway teams own message inspection, but identity teams own whether the mailbox should still exist, still have that privilege, or still be delegated. Mature programmes treat email compromise as a shared control failure, not a single-tool failure.


Technical breakdown

How secure email gateways inspect mail flow

A secure email gateway sits between the messaging system and the user mailbox, checking messages before delivery and sometimes on outbound paths as well. It combines signature checks, heuristic analysis, behavioral detection, sandboxing, and URL rewriting or detonation to catch known and unknown threats. In cloud deployments, it often integrates with Microsoft 365 or Google Workspace rather than replacing them. The gateway works best when the threat is still in the message itself, before a user clicks, opens, or replies.

Practical implication: route all mail through the gateway and verify that policy enforcement is actually covering every inbound and outbound path.

Why compromised identities bypass perimeter controls

Once an email account is compromised, the attacker is no longer trying to impersonate the identity from outside the system. They are operating inside a trusted mailbox with valid session context, which means many gateway checks lose their original signal value. This is why business email compromise often survives message-level filtering: the activity looks like legitimate internal communication. The security failure is not only phishing delivery, but the downstream identity abuse that follows account takeover.

Practical implication: pair gateway controls with identity monitoring, mailbox anomaly detection, and rapid account containment procedures.

Identity governance and email access lifecycle

Email is an identity service, not just a communications channel. Access reviews, offboarding, and privilege hygiene determine who can continue sending trusted mail long after business need has ended. When stale accounts, orphaned access, or excessive delegation remain active, attackers inherit an easier path to abuse the trust attached to the mailbox. That makes lifecycle governance a core email security control, especially in cloud environments where account state changes fast and blast radius can expand quickly.

Practical implication: connect mailbox access to joiner-mover-leaver processes so dormant, overprivileged, or orphaned identities are removed promptly.



NHI Mgmt Group analysis

Email security is now an identity governance problem, not just a filtering problem. Secure email gateways reduce exposure at the perimeter, but they cannot solve trusted-account abuse after compromise. Once an attacker holds a mailbox that the system regards as legitimate, their activity often blends into normal communication patterns. The implication is that email defense has to be measured by identity integrity as much as by message interception.

Perimeter inspection fails when the attacker becomes the sender. Phishing prevention helps only while malicious content is still outside the account. After takeover, the real control gap is account trust, session legitimacy, and mailbox-level abuse detection. Practitioners should stop treating gateway deployment as a complete email security strategy and instead see it as one layer in a broader access-control model.

Lifecycle governance is the named concept that separates durable email control from temporary detection. Joiner-mover-leaver discipline was designed for stable human account ownership. That assumption fails when stale mailboxes, delegated access, or unmanaged service identities can continue sending trusted messages long after business need changes. The implication is that email security programmes must rethink whether access ever truly ends.

Identity context must be part of email threat decisions. A gateway can inspect content, but only IAM and governance controls can tell whether the sending identity should still exist, still have that role, or still retain that privilege. That distinction matters most in cloud email platforms where trusted identities are central to collaboration and exfiltration paths. Practitioners need governance signals, not just message scores.

Secure email gateways remain necessary, but they are no longer sufficient for enterprise resilience. The article’s own logic points to a layered model in which filtering, access review, offboarding, and anomaly detection work together. That reflects the direction email defense has already moved in mature environments: from blocking bad messages to controlling identity-led abuse. Security teams should align email controls with IAM operations, not run them as separate programmes.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how far identity governance still has to go before perimeter controls can be considered sufficient.
  • See also Ultimate Guide to NHIs, Key Challenges and Risks for the governance gaps that make trusted access harder to control.

What this signals

Lifecycle governance is becoming the control plane for email trust. If access reviews, offboarding, and delegation audits do not keep pace with cloud mailbox sprawl, gateway investment only reduces one layer of risk. The operational question is no longer whether messages are filtered, but whether the identities behind them are still valid.

The governance gap is widening in organisations that treat email security and IAM as separate programmes. That separation leaves a blind spot where compromised but legitimate accounts can operate entirely inside approved channels, making post-delivery identity telemetry essential.

For teams maturing their programme, the next step is not more inspection alone. It is linking email controls to lifecycle records, access governance, and shared mailbox ownership so trusted communication cannot outlive trusted access.


For practitioners

  • Tie mailbox access to lifecycle controls: Make sure joiner-mover-leaver processing removes mailbox access when a role changes or employment ends. Include delegated access and shared mailboxes in the same review cycle so stale trust does not remain active.
  • Add identity monitoring to email defense: Use mailbox anomaly signals, impossible travel, unusual forwarding rules, and suspicious sender behavior to detect compromise after delivery. Gateway inspection should feed these detections rather than operate in isolation.
  • Verify mail routing end to end: Confirm that all inbound and outbound mail actually traverses the secure gateway, including cloud-to-cloud connectors and legacy routes. Misrouted email creates blind spots that attackers can exploit without changing technique.
  • Review overprivileged email delegations: Audit who can send as, send on behalf of, forward from, or access shared mailboxes. Excess delegation turns one compromised identity into multiple abuse paths and expands the blast radius of a single takeover.
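The delegation review, lifecycle check, and forwarding-rule detection described in the practitioner points above, as an added example (not code from SecurEnds or NHIMG): it joins a constructed delegation export and inbox-rule export against constructed joiner-mover-leaver records, flagging rights held by leavers or by identities with no lifecycle record, and rules that forward mail outside the assumed organisation domain example.com.

```python
"""Review mailbox delegations and forwarding rules against lifecycle state.

All inputs below are constructed sample data shaped like an export from a
cloud mailbox platform; adapt the loaders to your own inventory source.
"""

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed lifecycle records: the joiner-mover-leaver source of truth.
# state is one of: active, leaver, disabled
IDENTITIES = {
    "alice@example.com": {"state": "active", "role": "finance"},
    "bob@example.com": {"state": "leaver", "role": "sales"},
    "shared-ap@example.com": {"state": "active", "role": "shared"},
}

# Constructed delegation export: which trustee holds which right on which mailbox.
DELEGATIONS = [
    {"mailbox": "shared-ap@example.com", "trustee": "alice@example.com", "right": "SendAs"},
    {"mailbox": "shared-ap@example.com", "trustee": "bob@example.com", "right": "FullAccess"},
    {"mailbox": "alice@example.com", "trustee": "ghost@example.com", "right": "SendOnBehalf"},
]

# Constructed inbox-rule export: forward/redirect target per rule.
INBOX_RULES = [
    {"mailbox": "alice@example.com", "name": "invoices", "forward_to": "ap@example.com"},
    {"mailbox": "shared-ap@example.com", "name": "backup", "forward_to": "drop@attacker-mail.test"},
]


def review_delegations(delegations, identities):
    """Flag trusted rights held by identities that lifecycle says should not hold them."""
    findings = []
    for d in delegations:
        rec = identities.get(d["trustee"])
        if rec is None:  # orphaned trust: nobody in the lifecycle system owns this identity
            findings.append((d["mailbox"], d["trustee"], d["right"], "orphaned: no lifecycle record"))
        elif rec["state"] != "active":  # stale trust: leaver or disabled identity still delegated
            findings.append((d["mailbox"], d["trustee"], d["right"], f"stale: trustee state is {rec['state']}"))
    return findings


def external_forwarding(rules, internal_domain):
    """Flag inbox rules that forward or redirect mail outside the organisation."""
    return [(r["mailbox"], r["name"], r["forward_to"]) for r in rules
            if r["forward_to"].rsplit("@", 1)[-1].lower() != internal_domain.lower()]


if __name__ == "__main__":
    for f in review_delegations(DELEGATIONS, IDENTITIES):
        print("DELEGATION", *f)
    for f in external_forwarding(INBOX_RULES, INTERNAL_DOMAIN):
        print("FORWARDING", *f)
```

In a real review cycle the same two checks run on each export, and every finding is routed to the mailbox's business owner for removal rather than left in a report.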

Key takeaways

  • Secure email gateways still matter, but they only address the message layer and do not solve account takeover or trusted-identity abuse.
  • The deeper risk is governance failure around stale mailboxes, delegated access, and identities that remain trusted after business need changes.
  • Effective email defence now requires gateway controls, IAM oversight, and lifecycle governance to work as one programme.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-4             | Access governance is central to mailbox trust and delegated email abuse.
NIST Zero Trust (SP 800-207)  | PR.AC-1             | Zero Trust requires continuous verification, not assuming mailbox trust after login.
OWASP Non-Human Identity Top 10 | NHI-03            | Credential and access lifecycle weaknesses drive identity-led abuse of email accounts.

Treat mail services as continuously verified resources and correlate identity signals before granting trust.


Key terms

  • Secure Email Gateway: A secure email gateway is a control layer that inspects email before it reaches users and can also inspect outbound mail. It filters malicious content, enforces policy, and reduces exposure to phishing, malware, and data leakage, but it does not replace identity governance or account monitoring.
  • Business Email Compromise: Business email compromise is a form of fraud in which an attacker uses a trusted mailbox or believable impersonation to trick people into sending money, data, or approvals. It often succeeds because the message appears legitimate once it comes from an account the organisation already trusts.
  • Mailbox Delegation: Mailbox delegation is the granting of send, send-as, send-on-behalf-of, or access rights to another person or service. It is useful operationally, but it expands the number of trusted paths an attacker can abuse if those permissions are not reviewed and removed on time.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by SecurEnds: secure email gateway guidance and the role of identity governance in email security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org