Legacy SEG overlap in Microsoft 365: where email defense fails


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Many organisations pairing Microsoft 365 with a legacy secure email gateway are duplicating baseline protections while still missing advanced attacks, with Abnormal customers seeing 462 advanced attacks per 1,000 mailboxes per month bypass Microsoft native controls, and AI-driven phishing now four times more effective than traditional campaigns, according to Abnormal AI and Microsoft. The real governance gap is not more inspection, but different detection logic for identity-based and text-only threats.

NHIMG editorial — based on content published by Abnormal AI: Key insights on why legacy SEGs with Microsoft 365 create overlap instead of true defense in depth

By the numbers:

Questions worth separating out

Q: How should security teams decide whether to keep a legacy SEG with Microsoft 365?

A: They should decide based on control independence, not habit or procurement history.

Q: Why do business email compromise attacks bypass traditional email controls?

A: Because they often use legitimate accounts, clean text, and believable business context instead of malware or obvious indicators.

Q: How do security teams know if their email controls are actually overlapping?

A: Look for the same threat categories being claimed by both layers, the same messages being inspected twice, and the same native protections being disabled to keep the SEG functional.

Practitioner guidance

  • Audit overlap between native and third-party email controls: Inventory which spam, malware, URL, attachment, and policy functions are already enforced in Microsoft 365, then identify where the SEG duplicates the same inspection logic.
  • Separate known-threat filtering from behavioural detection: Keep baseline protection focused on known indicators, while using a distinct behavioural layer for vendor fraud, BEC, and account-takeover patterns that look clean at the message level.
  • Measure advanced-attack coverage rather than product count: Track the rate of socially engineered messages, suspicious internal mail, and account takeovers that bypass each layer, then compare that result to manual triage burden.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the native-plus-AI model fits into Microsoft 365 routing without the control duplication of a legacy SEG
  • The operational distinction between spam and malware filtering versus behavioural detection for BEC, vendor fraud, and account takeover
  • Customer migration examples, including the scale of mailbox moves and the operational burden reduced after displacement
  • The specific evidence behind the claim that advanced attacks bypass Microsoft native controls and legacy inspection models

👉 Read Abnormal AI's analysis of Microsoft 365 and legacy SEG overlap →
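As an added example, not code from Abnormal AI or the post author: an Exchange Online PowerShell inventory for the first guidance item above (audit which native controls are enforced, and where they have been weakened to keep a SEG in the mail path). It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session, and that the Safe Links / Safe Attachments cmdlets may be unavailable on tenants without Defender for Office 365.

```powershell
# Added example (editorial), not Abnormal AI's or Microsoft's code.
# Assumes: ExchangeOnlineManagement module, Connect-ExchangeOnline already run,
# read access to protection policies, transport rules and connectors.

# Run a query and return a placeholder if the cmdlet is not licensed/available
# (Safe Links and Safe Attachments require Defender for Office 365).
function Get-SectionSafely([scriptblock]$Query) {
    try { & $Query -ErrorAction Stop }
    catch { "(not available: $($_.Exception.Message))" }
}

$report = [ordered]@{}

# 1. Baseline controls a legacy SEG typically duplicates: anti-spam, anti-malware.
$report['AntiSpam'] = Get-SectionSafely { Get-HostedContentFilterPolicy |
    Select-Object Name, IsDefault, SpamAction, HighConfidenceSpamAction, PhishSpamAction, BulkThreshold }
$report['AntiMalware'] = Get-SectionSafely { Get-MalwareFilterPolicy |
    Select-Object Name, IsDefault, EnableFileFilter, ZapEnabled }

# 2. Controls that use different detection logic than signature inspection:
#    spoof/mailbox intelligence, URL rewriting, attachment detonation.
$report['AntiPhish'] = Get-SectionSafely { Get-AntiPhishPolicy |
    Select-Object Name, Enabled, EnableSpoofIntelligence, EnableMailboxIntelligence, PhishThresholdLevel }
$report['SafeLinks'] = Get-SectionSafely { Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls }
$report['SafeAttachments'] = Get-SectionSafely { Get-SafeAttachmentPolicy |
    Select-Object Name, Enable, Action }

# 3. Evidence that native protection was disabled to keep the SEG functional:
#    enabled rules that set SCL -1 (skip spam filtering) for the gateway, and
#    inbound connectors without Enhanced Filtering, which means Microsoft's
#    reputation and spoof checks see the SEG's IP instead of the real sender.
$report['SpamBypassRules'] = Get-SectionSafely { Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } |
    Select-Object Name, Priority, SenderIpRanges }
$report['ConnectorsWithoutEnhancedFiltering'] = Get-SectionSafely { Get-InboundConnector |
    Where-Object { $_.Enabled -and -not $_.EFSkipLastIP -and -not $_.EFSkipIPs } |
    Select-Object Name, ConnectorType, SenderIPAddresses }

# 4. Print each section. Empty SpamBypassRules and ConnectorsWithoutEnhancedFiltering
#    sections mean the native layer still receives the original signals; populated
#    ones mark the exact places where the SEG is replacing, not complementing, it.
foreach ($section in $report.Keys) {
    Write-Host "== $section =="
    $report[$section] | Format-Table -AutoSize | Out-String | Write-Host
}
```

Compare the AntiSpam and AntiMalware sections against the SEG's own policy list to find duplicated inspection; the section 3 output is where "native protections disabled to keep the SEG functional" shows up concretely.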

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Legacy SEG overlap is an architecture problem, not a feature problem. When Microsoft 365 already provides baseline spam and malware protection, a second perimeter product that inspects the same signals does not create real resilience. It creates duplicate controls, duplicated cost, and a false sense of layered security. Practitioners should treat overlap as a design failure, because the meaningful gap is behavioural detection, not another copy of the same inspection stack.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: What should organisations prioritise when moving away from a legacy SEG?

A: They should prioritise independent coverage for advanced attacks, lower manual triage, and cleaner use of the native email platform they already pay for. The move should improve detection of vendor fraud, BEC, and account takeovers, not just reduce license count.

👉 Read our full editorial: Microsoft 365 and legacy SEG overlap leaves advanced email gaps
