Legacy SEG replacement in email security: what changed for Florida Crystals?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Florida Crystals said advanced email attacks were slipping past its existing defenses, and that replacing its SEG with Abnormal reduced email security costs by 40% while stopping a BEC attack during the proof of value, according to Abnormal AI. The lesson is that email controls must be judged on attack interception and operational fit, not on whether they preserve legacy architecture.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams reduce business email compromise risk beyond secure email gateways?

A: They should add controls that operate after delivery and after user interaction, because BEC usually succeeds by exploiting trust and workflow, not by delivering obvious malware.

Q: Why do traditional email gateways miss some advanced email attacks?

A: Traditional gateways are built to detect known-bad content, infrastructure, and attachment patterns.

Practitioner guidance

  • Map email attack paths to identity-dependent workflows: Identify where mailbox compromise, impersonation, and vendor-change requests can trigger payment or access decisions without secondary verification.
  • Test controls against post-delivery abuse: Run exercises that assume the message reaches the mailbox and ask whether the organisation can still detect suspicious replies, forwarding rules, payment redirection, or account takeover indicators.
  • Measure analyst capacity as a security control: Track triage time, false-positive load, and the number of incidents the team can investigate before attacker activity completes.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • How Florida Crystals identified the specific attack types affecting its global workforce and where its earlier controls were failing
  • The proof-of-value details behind stopping an active BEC attack in progress, including the response sequence
  • The security and productivity outcomes Abnormal AI says the team saw after the SEG replacement
  • Why the organisation decided the legacy email architecture no longer matched its risk profile

👉 Watch Abnormal AI's webinar on Florida Crystals' SEG replacement and BEC defence →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Legacy SEG assumptions collapse when the attacker no longer needs obvious malicious content. Secure email gateways were designed for a world where threat filtering could depend on signatures, attachments, and known-bad infrastructure. That assumption fails when the attacker uses impersonation, workflow abuse, and message content that looks routine to the filter. The implication is that email security programmes need to be judged against attacker behaviour, not against the lifespan of the gateway model.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a BEC attack succeeds through a trusted mailbox?

A: Accountability sits across email security, identity governance, and the business process that approved the action. If the organisation allowed a payment or account change to proceed without secondary verification, the failure is not only technical. Teams need a defined owner for mailbox compromise response, workflow verification, and fraud escalation before the attack reaches completion.

👉 Read our full editorial: Florida Crystals and the SEG replacement problem in email security
