TL;DR: A European manufacturer found its legacy email security stack was missing hundreds of threats each day and allowed employees to email sensitive documents to personal accounts, according to Proofpoint. The case shows why email protection now has to combine post-delivery response, outbound data controls, and cloud-native visibility, not just perimeter filtering.
NHIMG editorial — based on content published by Proofpoint: a European manufacturer’s email security proof of concept behind Microsoft 365
By the numbers:
- 17 minutes, redentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, making poorly scoped access 4.5x more likely to lead to a security incident.
Questions worth separating out
Q: What fails when email security still depends on a legacy gateway in Microsoft 365?
A: A legacy gateway can miss threats that only become obvious after delivery, such as impersonation, delayed links, and no-payload BEC.
Q: Why do phishing attacks remain effective even with secure email gateways?
A: Because gateways inspect messages, not human decisions or downstream identity behaviour.
Q: How do security teams know whether email DLP is finding real exposure?
A: They should look for user behaviours that indicate data leaving normal boundaries, such as sensitive files sent to personal accounts or unapproved external mailboxes.
Practitioner guidance
- Test post-delivery remediation against live mailbox traffic Run a controlled evaluation that measures whether suspicious emails can be removed after delivery inside Microsoft 365, not just blocked at the perimeter.
- Measure outbound data exposure in the email channel Review how often users send sensitive documents to personal accounts, external addresses, or unsanctioned mailboxes.
- Validate phishing detection with real attack patterns Test delayed URLs, HTML redirect files, supplier impersonation, and no-payload BEC messages rather than relying on malware samples alone.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- How the Proofpoint Core Email Protection API was evaluated behind Microsoft 365 without changing mail flow
- What the Adaptive Email DLP findings showed about employees sending sensitive documents to personal accounts
- How the team used live threat removal, policy tuning, and mailbox investigation during the proof of concept
- Why the migration was considered operationally easier than a disruptive MX-record redesign
👉 Read Proofpoint’s analysis of modern email protection behind Microsoft 365 →
Email security behind Microsoft 365: are legacy gateways enough?
Explore further
Perimeter email filtering is no longer enough: the control model assumed the dangerous message could be identified before delivery, but modern phishing often becomes dangerous only after it lands. That creates a governance gap between detection and user exposure, especially in Microsoft 365 where email is deeply embedded in daily work. Practitioners should treat post-delivery remediation as a core requirement, not an optional add-on.
A question worth separating out:
Q: Who is accountable when risky email behaviour persists despite detection tools?
A: Accountability sits with the teams that own email governance, data protection, and identity policy, because the control failure is usually a mismatch between approved access and real user behaviour. Frameworks such as NIST CSF and NIST SP 800-53 expect organisations to validate that controls are working in practice, not just installed.
👉 Read our full editorial: Legacy email gateways miss modern phishing and data exfiltration