TL;DR: A global technology company reduced spam, phishing, and business email compromise by replacing a layered Cisco ESA and Microsoft Defender setup with a single email security platform, after Proofpoint’s proof of concept caught most unwanted mail and removed many custom rules. The case shows that operational complexity, not just detection coverage, remains a decisive control gap for security teams.
NHIMG editorial — based on content published by Proofpoint: a case study on layered email security, phishing, and BEC response
Questions worth separating out
Q: What breaks when organisations add a second email gateway behind an existing mail filter?
A: A second gateway can break authentication alignment, duplicate policies, and create conflicting trust signals across external and internal mail.
Q: Why do business email compromise attacks succeed even in well-run organisations?
A: They succeed because many organisations still treat routine communication as proof of authority.
Q: How do organisations know if email security is actually working?
A: Look for fewer fraudulent requests reaching approval stages, faster triage of suspicious mail, and reduced analyst time spent on low-value noise.
Practitioner guidance
- Reconcile SPF and DMARC paths across all relays Map how inbound and internal mail is rewritten, relayed, and authenticated at each hop.
- Rationalise custom mail rules into fewer policy layers Identify rules that only exist because a prior gateway could not block the threat natively.
- Add identity signals to email abuse detection Correlate inbox behaviour, sender reputation, and account takeover indicators so finance, executive, and internal-user impersonation can be detected as an identity event as well as a content event.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- The month-long proof-of-concept setup that split inbound mail flow across two stacks for side-by-side comparison.
- The specific operational changes that removed the need for many bespoke Cisco ESA rules.
- The Identity Management Defense response to a compromised internal account and the follow-on behaviour it aimed to stop.
- The day-to-day migration support steps that helped the team move from manual tuning to a simplified mail security model.
👉 Read Proofpoint's analysis of layered email security and BEC control gaps →
Email security layers and BEC risk: what practitioners are missing?
Explore further
Email security has become an identity governance problem, not just a filtering problem. When impersonation and compromised internal accounts are the real attack paths, the control question shifts from message volume to trust in sender identity. That is why email defence increasingly overlaps with IAM, PAM, and account monitoring, especially where executives and finance teams are targeted. Practitioners should govern sender trust as an identity signal, not a mail-only setting.
A question worth separating out:
Q: Who is accountable when email impersonation leads to account takeover?
A: Accountability sits with the organisation that owns the sender domain, the security team operating mail authentication, and the business owners responsible for customer communication. If brand trust is weak, those functions have to coordinate the controls and maintain them over time.
👉 Read our full editorial: Layered email security controls still leave phishing and BEC gaps