TL;DR: Clean-text BEC, vendor fraud, and credential phishing now bypass perimeter filters by abusing identity and behaviour, while Microsoft 365 and Google Workspace already cover many commodity threats, according to Abnormal AI. The result is a governance problem, not just a tooling problem: teams must judge email security on post-delivery detection, identity signals, and operational overlap rather than gateway habit.
NHIMG editorial — based on content published by Abnormal AI: The Essential Guide to Retiring the SEG
Questions worth separating out
Q: How should security teams handle clean-text phishing that passes email authentication checks?
A: They should stop treating SPF, DKIM, and DMARC as proof of safety and instead correlate message delivery with identity and behaviour signals.
Q: When does a secure email gateway add less value than native cloud email security?
A: A SEG adds less value when Microsoft 365 or Google Workspace already covers commodity spam, malware, and basic phishing, and when the remaining threats depend on identity abuse or post-delivery manipulation.
Q: What do security teams get wrong about vendor impersonation in email?
A: They often assume authenticated sender infrastructure means lower risk.
Practitioner guidance
- Map email security to identity signals: Correlate mailbox events, OAuth consent, forwarding rule changes, and unusual sender behaviour so the control plane reflects how clean-text attacks actually progress.
- Measure gateway overlap against native cloud filtering: Inventory which SEG functions are already handled by Microsoft 365 or Google Workspace, then quantify where the third-party layer adds unique detection value.
- Run parallel validation before changing mail flow: Deploy the replacement platform alongside the existing gateway, compare detections on real traffic, and only consolidate routing after coverage and remediation behaviour are proven.
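The first guidance item above, sketched as post-delivery correlation logic. This is an added example, not code from Abnormal AI or NHIMG. The event field names, the 24-hour window, the tenant domain and the sample events are all constructed assumptions rather than any vendor's audit schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window
ORG_DOMAIN = "example.com"     # assumed tenant domain
RISKY = {"forwarding_rule_created", "oauth_consent_granted"}

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "message_delivered", "user": "ap@example.com",
     "sender": "billing@vendor-payments.example", "dmarc": "pass", "known_sender": False},
    {"ts": "2024-05-01T09:40:00", "type": "forwarding_rule_created",
     "user": "ap@example.com", "target": "archive@mailbox.example"},
    {"ts": "2024-05-01T10:00:00", "type": "message_delivered", "user": "hr@example.com",
     "sender": "news@partner.example", "dmarc": "pass", "known_sender": True},
    {"ts": "2024-05-01T10:05:00", "type": "forwarding_rule_created",
     "user": "hr@example.com", "target": "hr-team@example.com"},
    {"ts": "2024-05-03T12:00:00", "type": "oauth_consent_granted",
     "user": "ap@example.com", "app": "Constructed Mail Sync"},
]

def is_external(address):
    return not address.lower().endswith("@" + ORG_DOMAIN)

def correlate(events):
    """Alert when a risky identity change follows, within WINDOW, an
    authenticated message from a first-seen sender to the same user."""
    recent = {}   # user -> [(delivery time, sender)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "message_delivered":
            # A DMARC pass is recorded as context only, never as proof of safety.
            if ev["dmarc"] == "pass" and not ev["known_sender"]:
                recent.setdefault(user, []).append((ts, ev["sender"]))
            continue
        if ev["type"] not in RISKY:
            continue
        if ev["type"] == "forwarding_rule_created" and not is_external(ev["target"]):
            continue  # internal forwarding is not treated as a signal here
        for delivered, sender in recent.get(user, []):
            if timedelta(0) <= ts - delivered <= WINDOW:
                minutes = int((ts - delivered).total_seconds() // 60)
                alerts.append({"user": user, "signal": ev["type"],
                               "sender": sender, "minutes_after_delivery": minutes})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed events, only the external forwarding rule created 40 minutes after the first-seen vendor message is flagged; the OAuth consent two days later falls outside the assumed window.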
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how the platform validates coverage before routing changes are made.
- Operational comparison points for what native Microsoft 365 and Google Workspace protections already cover versus a third-party SEG.
- Migration sequencing guidance for running two controls in parallel without disrupting mail flow.
- Examples of email security events that are better handled after delivery than at the perimeter.