Text: James Dyer, Threat Intelligence Lead at KnowBe4
The 2023 Gartner Market Guide for Email Security states: 'Impersonation and attacks via business email compromise (BEC) are on the rise and cause direct financial damage, as users place too much trust in identities associated with email, while email is inherently vulnerable to deception and social engineering.'
Gartner therefore advises organizations to use email security that includes BEC protection against phishing and to leverage AI to detect communication patterns and deviations in conversation style. Additionally, it recommends using computer vision to inspect suspicious URLs and choosing products that offer strong supply chain analysis and AI-driven analysis of contact chains. This way, social engineering, impersonation, and BEC attacks can also be detected more reliably.
What do secure email gateways (SEGs) do?
A secure email gateway (SEG) is located at the edge of the network and serves as the first contact point for all incoming and outgoing emails. Due to their position in the mail flow, SEGs typically do not analyze internal email communication. Some vendors may do this to a limited extent through journaling rules, but this requires the vendor to also have message retention or archiving functionality.
SEGs are inherently relatively static and use signature and reputation-based detection to identify phishing attacks. They provide protection before delivery by quarantining threats before they reach the mail server. In that role, they can be a valuable addition to existing antivirus software.
However, SEGs also have limitations in detection and recovery capabilities. For example, they are not well-equipped to detect advanced phishing attacks, such as business email compromise (BEC), when these do not contain known payloads and are sent from compromised accounts.
Although SEGs can retroactively remove phishing emails using PowerShell scripts, this process can be very time-consuming in the case of polymorphic attacks, as administrators often have to remediate each email variant individually. As a result, a malicious email can remain in the inbox for a longer period, increasing the risk that users will interact with it. Additionally, implementing a SEG can be time-consuming: it requires changing the domain's mail exchanger (MX) record so that the mail flow is redirected through the SEG. This can be set up in on-premises, hybrid, or cloud environments.
Microsoft 365 and secure email gateways
In recent years, Microsoft has significantly expanded the native email security capabilities within the cloud platform Microsoft 365. Many of these features use similar signature and reputation-based detection as SEGs.
As a result, some organizations experience significant overlap between their Microsoft 365 licenses and their existing SEG solutions. Increasingly, organizations are choosing not to invest in a separate SEG and to consolidate their email security against phishing around the native security capabilities of Microsoft, supplemented with additional security layers.
Integrated cloud email security
One of those additional layers is integrated cloud email security (ICES), a term introduced by Gartner in 2021. ICES solutions integrate directly with cloud mail platforms and use machine learning, behavioral analysis, and natural language processing (NLP) to detect advanced phishing attacks that can bypass traditional signature and reputation-based detection, such as account takeover (ATO), business email compromise (BEC), and ransomware attacks.
Unlike traditional detection methods, these solutions do not focus only on known malware or suspicious links, but also on the context and content of emails. This allows them to recognize attacks that rely on social engineering or anomalous communication behavior, such as a sender who has never contacted the recipient before or a message whose tone deviates from an established conversation.
ICES solutions can also display alerts in the inbox to inform users of potential risks. This also strengthens existing security awareness and training programs. According to data from KnowBe4 Defend, 50.72 percent of the phishing emails directed at KnowBe4 customers between June 1 and 14, 2023, managed to bypass a SEG, Microsoft 365, or both and ended up in users' inboxes.
By combining various intelligent detection methods, ICES solutions can detect a broader range of attacks, not just threats that have already been identified as 'known malicious'. In many cases, ICES solutions fill the gaps left by SEGs and provide organizations with an additional layer of defense against modern attacks.
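To make the content-and-context approach concrete, here is an added illustration (not code from KnowBe4 or any ICES product) of a toy scorer that combines several of the signals described above and decides between delivering, delivering with an in-inbox warning banner, or quarantining. The organization domain, the contact directory, the sender history, the thresholds, and the three sample messages are all constructed for this example.

```python
# Added example, not KnowBe4 or ICES code: toy content-and-context BEC scorer.
# Domain, directory, history, thresholds and messages are constructed.
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
# Payment/urgency vocabulary typical of BEC lures (constructed word list).
URGENCY = re.compile(r"\b(urgent|immediately|wire transfer|bank details|gift card)\b", re.I)

@dataclass(frozen=True)
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def score(msg: Message, directory: set[str], history: set[str]) -> list[str]:
    """Return the list of indicators found; each counts one point."""
    reasons = []
    # Display name of an internal contact, but the address is external.
    if msg.display_name.strip().lower() in directory and domain_of(msg.from_addr) != INTERNAL_DOMAIN:
        reasons.append("internal display name from external domain")
    # Replies are steered to a different domain than the visible sender.
    if domain_of(msg.reply_to) != domain_of(msg.from_addr):
        reasons.append("Reply-To domain differs from sender domain")
    # Deviation from the mailbox's communication pattern: never-seen sender.
    if msg.from_addr.lower() not in history:
        reasons.append("first-contact sender")
    if URGENCY.search(msg.subject + " " + msg.body):
        reasons.append("urgency or payment language")
    return reasons

def triage(msg: Message, directory: set[str], history: set[str]) -> str:
    n = len(score(msg, directory, history))
    if n >= 3:
        return "quarantine"
    if n == 2:
        return "warn"  # deliver, but show an in-inbox banner to the user
    return "deliver"

# Constructed data: lower-cased internal display names and previously seen senders.
DIRECTORY = {"jane doe", "sam lee"}
HISTORY = {"jane.doe@example.com", "billing@supplier.test"}
BEC = Message("Jane Doe", "jane.doe@mail-provider.test", "jane.doe@mail-provider.test",
              "Urgent request", "I need a wire transfer processed immediately, I'm in a meeting.")
VENDOR = Message("Supplier Billing", "billing@supplier.test", "billing@supplier-payments.test",
                 "Invoice 1042", "Please note our updated bank details for this invoice.")
LEGIT = Message("Jane Doe", "jane.doe@example.com", "jane.doe@example.com",
                "Q3 numbers", "Slides attached for tomorrow's review.")

if __name__ == "__main__":
    for m in (BEC, VENDOR, LEGIT):
        print(f"{m.subject!r}: {triage(m, DIRECTORY, HISTORY)} {score(m, DIRECTORY, HISTORY)}")
```

Note that none of these signals depends on a known-bad URL or attachment hash, which is why the BEC sample is caught even though a signature-based gateway would see nothing to match.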
Email security against phishing: complement or replace
Combining a SEG with an ICES solution can provide a layered approach to email security against phishing. At the same time, there is discussion about the future of the SEG, as the security functionality within Microsoft 365 in some cases leads to overlap with existing gateway solutions. The question of whether SEGs should be completely replaced often revolves around the capabilities of Microsoft 365 and the role that additional security layers play. ICES solutions can complement Microsoft, SEGs, or both.
Some organizations choose to retain their SEG to strengthen their defense strategy or because they need it for other applications, such as journaling and archiving, which Microsoft 365 does not always fully provide. Regardless of the chosen approach, organizations need advanced detection capabilities to remain protected against modern phishing attacks. ICES solutions play an increasingly important role in this.
