TL;DR: A global technology company found that Microsoft 365-native protection and a secure email gateway still let credential phishing and business email compromise through while also generating too many false positives, according to Proofpoint. The case shows that email defence now hinges on detection quality, authentication, and operational trust, not just layered tooling.
NHIMG editorial — based on content published by Proofpoint: Microsoft 365 email protection gaps, false positives, and platform consolidation
By the numbers:
- Proofpoint scored 24% higher than competing vendors in the evaluation rubric.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when email security misses phishing but also blocks legitimate executive mail?
A: The control stack starts to lose operational trust.
Q: Why do compromised executive mailboxes create broader identity risk?
A: Because they give attackers a trusted channel inside normal business workflows.
Q: How do organisations know if email security is actually working?
A: Look for fewer fraudulent requests reaching approval stages, faster triage of suspicious mail, and reduced analyst time spent on low-value noise.
Practitioner guidance
- Audit high-value mailbox identities Map executive assistants, finance, and legal mailboxes as privileged communication paths and review whether they have stronger authentication, alerting, and response handling than standard user accounts.
- Measure false positives as an operational risk Track how often legitimate messages are quarantined, delayed, or manually released, then tie those metrics to user workarounds and SOC time spent on harmless alerts.
- Correlate email and identity telemetry Join message authentication, impersonation, and account-compromise signals with IAM and SOC workflows so phishing becomes an identity investigation rather than a mail-only ticket.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- The evaluation context behind the 24% score difference and how SHI applied its rubric across the competing options.
- The platform-consolidation rationale for replacing separate email and authentication tools with a single operational model.
- The messaging and collaboration security workflow details that sit behind the unified management approach.
- The customer’s internal criteria for balancing detection efficacy, false positives, and executive trust.
👉 Read Proofpoint's analysis of Microsoft 365 email protection gaps and platform consolidation →
Microsoft 365 email security gaps: what IAM and SOC teams should watch?
Explore further
Email security is now an identity governance problem, not only a messaging-control problem. The article shows that a compromised executive assistant account can turn message handling into a privilege issue because trusted identities become delivery channels for fraud and phishing. That shifts responsibility toward IAM and security operations working together on mailbox trust, authentication assurance, and reporting quality. Practitioners should treat high-value mail identities as governed access paths, not routine user accounts.
A question worth separating out:
Q: Who is accountable when compromised cloud identity is used for business email compromise?
A: Accountability sits with the teams that govern identity scope, credential exposure, and service permissions across the cloud estate. IAM, security operations, and platform owners all have a role, because the abuse path usually depends on a permission decision made long before the incident. Regulatory and internal controls only work if those ownership boundaries are explicit.
👉 Read our full editorial: Email protection gaps in Microsoft 365 can become board-level risk