TL;DR: Clean-text BEC, vendor fraud, and credential phishing now bypass perimeter filters by abusing identity and behaviour, while Microsoft 365 and Google Workspace already cover many commodity threats, according to Abnormal AI. The result is a governance problem, not just a tooling problem: teams must judge email security on post-delivery detection, identity signals, and operational overlap rather than gateway habit.
NHIMG editorial — based on content published by Abnormal AI: The Essential Guide to Retiring the SEG
Questions worth separating out
Q: How should security teams handle clean-text phishing that passes email authentication checks?
A: They should stop treating SPF, DKIM, and DMARC as proof of safety and instead correlate message delivery with identity and behaviour signals.
Q: When does a secure email gateway add less value than native cloud email security?
A: A SEG adds less value when Microsoft 365 or Google Workspace already covers commodity spam, malware, and basic phishing, and when the remaining threats depend on identity abuse or post-delivery manipulation.
Q: What do security teams get wrong about vendor impersonation in email?
A: They often assume authenticated sender infrastructure means lower risk.
Practitioner guidance
- Map email security to identity signals Correlate mailbox events, OAuth consent, forwarding rule changes, and unusual sender behaviour so the control plane reflects how clean-text attacks actually progress.
- Measure gateway overlap against native cloud filtering Inventory which SEG functions are already handled by Microsoft 365 or Google Workspace, then quantify where the third-party layer adds unique detection value.
- Run parallel validation before changing mail flow Deploy the replacement platform alongside the existing gateway, compare detections on real traffic, and only consolidate routing after coverage and remediation behaviour are proven.
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how the platform validates coverage before routing changes are made.
- Operational comparison points for what native Microsoft 365 and Google Workspace protections already cover versus a third-party SEG.
- Migration sequencing guidance for running two controls in parallel without disrupting mail flow.
- Examples of email security events that are better handled after delivery than at the perimeter.
👉 Read Abnormal AI's analysis of why secure email gateways are losing value →
Secure email gateways in cloud email: what teams should rethink?
Explore further
Perimeter email filtering is no longer the primary control boundary for business email compromise. Clean-text attacks that pass SPF, DKIM, and DMARC expose a control model built for malicious payloads, not for identity abuse and social engineering. When a message looks authentic, the decisive failure is not detection of malware but the inability to evaluate trust at the point where a human or delegated identity acts. Practitioners should treat email security as an identity problem first and a content problem second.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
A question worth separating out:
Q: What should organisations do before retiring a third-party secure email gateway?
A: They should run the replacement platform in parallel, validate detection coverage on live traffic, and compare how each control handles mailbox behaviour after delivery. That approach shows whether the gateway is still providing unique value or only duplicating what the native cloud stack already does. Consolidation should follow evidence, not assumption.
👉 Read our full editorial: Why third-party secure email gateways are losing value