TL;DR: A luxury retailer’s image-heavy sales workflow was disrupted when a legacy email gateway blocked photos while still missing a supplier-compromise phishing campaign that used PNG lures and Microsoft 365 credential theft, according to Proofpoint. The case shows that blunt filtering and mailbox-era controls can break revenue-critical communication while leaving human-targeted attack paths open.
NHIMG editorial — based on content published by Proofpoint: legacy email gateways, image-based phishing, and retailer workflow disruption
By the numbers:
- 80% of the retailer’s workforce are personal shoppers, l shoppers whose primary tool is sharing product photos with clients through email.
Questions worth separating out
Q: How should security teams stop image-based phishing without breaking business workflows?
A: Security teams should classify which groups depend on image-rich communication, then apply content-aware inspection rather than blanket stripping.
Q: Why do trusted supplier accounts increase phishing risk?
A: Trusted supplier accounts bypass the scepticism users apply to unknown senders, so attackers can deliver lures that appear routine.
Q: What breaks when email security relies on blanket file blocking?
A: Blanket file blocking can stop legitimate business communication, especially in workflows that depend on images, PDFs, or branded attachments.
Practitioner guidance
- Map email controls to business-critical workflows Identify which teams rely on image-rich or attachment-heavy email flows, then classify those channels before applying blanket blocking policies.
- Add identity response to email alerting Link phishing detections to Microsoft 365 account containment so compromised sessions, tokens, and passwords are isolated quickly.
- Inspect supplier-originated content for credential lures Treat trusted sender accounts as potential delivery paths for phishing pages hidden behind image files or branded documents.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- The retailer's staged migration path from API email protection to full Core Email Protection and then broader platform coverage.
- Proofpoint's specific detection claims for malicious images, URL scanning, and message-level inspection in Microsoft 365.
- The vendor's discussion of gateway architecture, pre-delivery blocking, and how it positions API and SEG deployment models.
- The supplier threat protection, DMARC, secure email relay, and workspace controls described in the source article.
👉 Read Proofpoint’s analysis of image-based phishing, supplier compromise, and email security gaps →
Image-based phishing and email security gaps: what teams need to know?
Explore further
Legacy email security becomes a governance failure when it forces business users to choose between protection and productivity. The retailer’s image-heavy workflow shows that email controls cannot be judged only by detection rates. If the control breaks the business process, users will route around it, and the security programme loses visibility. The practical conclusion is that email policy must be aligned to business workflow classification, not just threat filtering.
A question worth separating out:
Q: Who is accountable when phishing leads to account compromise?
A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.
👉 Read our full editorial: Legacy email gateways fail when business workflows depend on images