Getting through secure email gateways (SEGs) is simply the cost of doing business for a cybercriminal. In fact, detection at the perimeter by a SEG is the same as falling at the first hurdle.
SEGs have been widely adopted, especially in larger organizations (although this picture has started to change in recent years – more on that below).
Even where organizations don’t use a SEG, many native controls in email platforms (like Microsoft Exchange) operate on the same principles. So a cybercriminal can be fairly confident they’ll need to get through at least a SEG or a similar layer to reach a target’s inbox.
Cybercriminals can be extremely clever and, like most of us, they need or want to get paid at the end of the day. If email security technology stands between them and whatever they’re planning, then they’ll do everything they can to evolve their attacks to bypass detection.
Here’s some evidence. Below is a screenshot taken from the dark web. It shows details of a subscription-based phishing toolkit with access to 30+ brand impersonation templates. It’s advertised for sale at a monthly price of $300 or lifetime access for $1,000, and comes with 24/7 support.
Crucially, the payloads are guaranteed to bypass named SEG vendors.
When you combine these details, they paint an interesting picture. The cybercriminal selling the kit is hoping to create renewing customers to generate ongoing business. Any failure to deliver on their guarantees will damage this business model – so we can expect they will look to uphold their promises.
Ad for a phishing toolkit, including brand impersonation templates and guaranteed delivery against named SEG vendors.
Are More Attacks Getting Through Secure Email Gateways (SEGs)?
Yes. That’s the short answer, unfortunately.
We know this because of the way KnowBe4 Defend – our anti-phishing product – integrates with customers’ tech stacks. We analyze mail after it has passed through Microsoft and SEG defenses, so we catch what they’ve missed – and the number of phishing emails we’ve detected increases year on year.
In our Phishing Threat Trends Report from March 2025, we reported there was a 47.3% increase in attacks getting through Microsoft and SEGs in 2024.
Our report also showed that, over a six-month period, there had been a significant increase in three types of payload getting through perimeter detection:
- 38.8% increase for phishing links
- 20% increase in malware
- 14.2% increase for emails that relied solely on social engineering
For this blog, I also analyzed the attacks getting through five SEGs with the largest customer footprints. Matching what we saw in our report, on average 60.9% of phishing emails that contained a malicious link bypassed these products. In terms of attack type, business email compromise (BEC) attacks were the most likely to get through, with 59.8% of these going undetected.
5 Tactics Cybercriminals Use To Get Through Secure Email Gateways (SEGs)
SEGs work using signature- and reputation-based detection. To briefly summarize: they rely on blocklists of “known bad” link and malware payloads, plus authentication checks, to decide whether something is suspicious or not. It’s a fairly binary system: if it’s known to be bad or the domain looks suspicious, then emails are held in quarantine; if they look okay, they go into the inbox.
Back in the day – in a much less digitally complex world – SEGs were the kings of email security. This was a time when we all sent fewer emails and phishing attacks mainly featured terrible spelling and grammar, came with offers of millions to be paid by a long-lost relative or foreign royalty, and were sent from dodgy domains. So what wasn’t filtered out by a SEG would likely stick out like a sore thumb in the inbox.
Now, threats are much more sophisticated, with cybercriminals looking to both bypass detection and fool the target into interacting with the email. Here are five ways they can achieve that.
- Using compromised accounts: When a cybercriminal sends a phishing email from a compromised but legitimate account, they leverage that trusted domain to get through a SEG’s reputation checks. Recipients can also be more trusting of emails that look like they’ve been sent by someone they know or a company or brand they trust.
- Leveraging third-party platforms: Often, this involves creating an account on a trusted platform and using its legitimate communication infrastructure to send attacks. The effect is the same as compromising a legitimate account because of the sender domain’s reputation – but in this case, it’s as easy as signing up for a service, since the platform itself hasn’t been compromised. Our Threat Labs team has observed a significant increase in these kinds of attacks in 2025, such as this campaign that exploits Google AppSheet.
- Aging the domain: It’s relatively easy to create a new email domain – but new domains can be flagged as suspicious by authentication checks. One way to increase the appearance of legitimacy is for cybercriminals to age the domain by, essentially, sitting on it until enough time has passed. Our Phishing Threat Trends Report showed that, on average, phishing domains had been aged for 3,829 days to help them evade SEG detection.
- Applying technical measures: Cybercriminals manipulate the body and payloads of phishing emails to obfuscate (hide) their true nature from SEG detection. HTML smuggling is a common technique to disguise malicious JavaScript code as a seemingly benign HTML attachment. Invisible or unicode characters can be used to split words or phrases or to manipulate malicious links. URL redirects mean that the target ends up at a completely different website than the one the SEG understood the link was directed at. (Our report goes into more detail about some of these tactics.)
- Creating undetectable payloads: SEG blocklists have to be updated to recognize link and malware payloads. So, naturally, new zero-day payloads won’t be on the list. With booms in GenAI and crime-as-a-service, it’s becoming easier than ever for cybercriminals to deploy novel payloads. There is also some lag time between a new payload being recognized in the wild and these lists being updated for a provider’s global customer base, which is a window that cybercriminals aim to exploit.
Alternatively, emails might not contain a “traditional” malicious payload (link or malware). The body copy of an email can be used to socially engineer a victim into carrying out a specific action, or a “benign” fraudulent attachment won’t look suspicious but can be used in invoice fraud. Again, this won’t feature on a SEG’s blocklists.
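To make two of the technical measures above concrete from the defender’s side (invisible characters splitting a keyword, and a redirect whose visible host hides the real destination), here is an added Python checker that is not from the original post or from KnowBe4 Defend; the sample message, the normalization rule and the redirect heuristic are all constructed for this example.

```python
import re
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Unicode "format" (Cf) code points such as the zero-width space, zero-width
# joiner and soft hyphen render as nothing, so "pass<ZWSP>word" looks like
# "password" to a reader but no longer matches a literal keyword rule.
# (Constructed check for this example, not a SEG's actual logic.)
def has_invisible_chars(text: str) -> bool:
    return any(unicodedata.category(ch) == "Cf" for ch in text)

def strip_invisible(text: str) -> str:
    """Return the text as a reader actually sees it: every Cf character removed."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

URL_RE = re.compile(r'https?://[^\s<>"\']+')

def redirect_target(url: str) -> Optional[str]:
    """If the query string carries another http(s) URL (a redirect pattern),
    return that embedded destination; otherwise None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            value = unquote(value)
            if value.startswith(("http://", "https://")):
                return value
    return None

def analyze_body(body: str) -> Tuple[str, List[str]]:
    """Normalize an email body and list what a check on the raw text and on the
    visible link host alone would have missed."""
    findings: List[str] = []
    if has_invisible_chars(body):
        findings.append("invisible_chars")
    cleaned = strip_invisible(body)
    for url in URL_RE.findall(cleaned):
        target = redirect_target(url)
        if target:
            findings.append(f"redirect:{urlparse(url).hostname}->{urlparse(target).hostname}")
    return cleaned, findings

# Constructed sample: a zero-width space inside "password" and a link on a
# trusted-looking host whose query string carries the real destination.
SAMPLE_BODY = (
    "Your pass\u200bword expires today. Verify here: "
    "https://trusted.example/redirect?url=https%3A%2F%2Fevil.example%2Flogin"
)

if __name__ == "__main__":
    print(analyze_body(SAMPLE_BODY))
```

Run on the constructed body, the raw text does not contain the word "password" at all, while the normalized text does and the link is reported as trusted.example redirecting to evil.example.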
What Can You Do To Protect Your Organization?
In light of these developments, you’ll likely need to make some improvements to your email security defenses.
As with all cybersecurity initiatives, the first step is to quantify your risk exposure, i.e. how many and what kind of phishing emails are making it through your existing defenses. Once you know this information, you can then make improvements.
Integrated Cloud Email Security (ICES) products (such as KnowBe4 Defend) provide AI-powered defenses that can detect a broader range of phishing attacks, including those that get through SEGs. It’s also much harder to engineer attacks to bypass ICES detection. It’s the recommendation of industry analysts Gartner that organizations use an ICES product to help stop sophisticated attacks such as those using GenAI and BEC.
Most organizations are now implementing ICES products in their cloud email environments. For many, the native security provided by Microsoft significantly overlaps with that provided by their SEG, so they choose a combination of Microsoft and ICES as their two layers of defense. Some organizations still find additional value in their SEG (for example, journaling capability) and therefore they layer an ICES product on top of it.
KnowBe4 offers a free trial of Defend that you can use to quantify your risk – remember, we’re able to see what’s getting through your existing defenses – and assess the efficacy of our product. If you’re interested in discussing this, you can request a demo with our team to kickstart the process.
