One of the most interesting moments during a live CYBR.HAK.CAST recording at CYBR.HAK.CON came when Scott DeLuke, Field Technical Director at Abnormal AI, challenged a long-standing assumption about email security.
Check out the full episode:


For decades, organizations have relied on secure email gateways as the primary line of defense. Increasingly, however, attackers are finding ways around those controls altogether.
Modern attackers are bypassing traditional inspection points, abusing trusted cloud platforms, leveraging legitimate services, and finding pathways that allow malicious messages to reach inboxes without ever triggering the controls organizations have relied upon for years.
The result is a growing realization across the cybersecurity industry: protecting the perimeter is no longer enough.
The Cloud Changed the Rules
The migration to Microsoft 365 and Google Workspace fundamentally altered the way organizations communicate.
Email is no longer tied to on-premises infrastructure sitting behind a corporate firewall. It exists inside massive cloud ecosystems that offer flexibility, scalability, and collaboration capabilities that businesses depend on.
Unfortunately, attackers understand these environments just as well.
Instead of relying exclusively on malicious domains or suspicious infrastructure, threat actors increasingly abuse legitimate services that organizations already trust. They leverage trusted cloud providers, known-good domains, and communication methods that blend seamlessly into normal business activity.
This creates a challenge for traditional email security technologies that were designed to inspect traffic entering the organization from the outside.
If the attack doesn't arrive through the expected path, the gateway may never see it.
That's not a failure of the technology. It's a reflection of how dramatically the threat landscape has evolved.
The Rise of Security Blind Spots
One of the most concerning topics discussed during the podcast involved techniques that allow attackers to bypass traditional inspection layers entirely.
DeLuke pointed to tactics such as direct-send abuse, where messages can effectively slip underneath layers of traditional inspection and land directly in user inboxes. Organizations may believe they have implemented all the right controls—secure email gateways, DMARC, cloud-native protections, and additional security tooling—yet still find themselves dealing with successful phishing attacks.
The problem is visibility.
Organizations frequently possess strong security at the perimeter but limited visibility into communication patterns, identity abuse, and behavioral anomalies occurring inside their cloud environments.
As attackers shift toward business email compromise, social engineering, and cloud-service abuse, those blind spots become more important than traditional malware detection.
The challenge is no longer identifying obviously malicious content. It is identifying activity that appears legitimate until examined within a broader behavioral context.
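As an added illustration (not from the podcast or from Abnormal AI), the sketch below shows one way a defender could check whether a delivered message actually passed through the gateway, which is the gap described above for direct-send abuse. The edge host name, gateway IP, internal domain, and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not from the article: edge host, gateway IPs, own domain.
EDGE_HOST = "mx.tenant.example"
GATEWAY_IPS = {"192.0.2.10"}
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample: delivered to the edge by the gateway.
VIA_GATEWAY = """\
Received: from gw1.gw.example.net (gw1.gw.example.net [192.0.2.10])
 by mx.tenant.example with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.tenant.example; spf=pass smtp.mailfrom=partner.example;
 dmarc=pass header.from=partner.example
From: Dana <dana@partner.example>
Subject: Q1 invoice
"""
# Constructed sample: handed straight to the edge, claiming an internal sender.
DIRECT = """\
Received: from host.example.org (host.example.org [203.0.113.5])
 by mx.tenant.example with ESMTP; Mon, 01 Jan 2024 10:05:00 +0000
Authentication-Results: mx.tenant.example; spf=fail smtp.mailfrom=example.com;
 dmarc=fail header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
Subject: Password expiry
"""

def audit(raw):
    """Return findings for one raw RFC 5322 message."""
    msg, findings, peer, dmarc = message_from_string(raw), [], None, None
    # Only the hop stamped by our own edge is trustworthy; lower hops are sender-supplied.
    for hop in msg.get_all("Received", []):
        m = re.search(r"\[([0-9A-Fa-f.:]+)\].*?\bby\s+([\w.-]+)", hop, re.S)
        if m and m.group(2).lower() == EDGE_HOST:
            peer = m.group(1)
            break
    if peer not in GATEWAY_IPS:
        findings.append("no-gateway-hop")
    # Same rule for Authentication-Results: accept only our edge's authserv-id.
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";", 1)[0].strip().lower() == EDGE_HOST:
            m = re.search(r"\bdmarc=(\w+)", ar)
            dmarc = m.group(1).lower() if m else dmarc
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS and dmarc != "pass":
        findings.append("internal-from-auth-fail")
    return findings
```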
Why Defense in Depth Still Matters
None of this means organizations should abandon traditional controls.
In fact, DeLuke repeatedly emphasized what many security practitioners have long described as a "plus-one" strategy. Native Microsoft and Google protections remain important. Secure email gateways continue to provide value. DMARC still matters. Defense in depth is still defense in depth.
The difference is that these technologies can no longer be viewed as complete solutions.
The organizations achieving the best outcomes are increasingly layering behavioral analytics, cloud-native visibility, and anomaly detection on top of their existing investments.
This reflects a broader truth across cybersecurity.
Attackers have learned how to navigate around static defenses. They exploit trusted platforms, legitimate services, and human behavior rather than simply attacking technology.
Defenders must adapt accordingly.
The future of email security will not be defined by building bigger walls around the organization. It will be defined by understanding what happens inside the environment after attackers find a way around those walls.
And increasingly, they already have.



