
Why the Email Gateway Is No Longer Enough

Modern phishing attacks bypass traditional email gateways. Learn why identity, behavior, and post-delivery security matter. (Sponsored by Abnormal AI)

One of the most interesting moments during a live CYBR.HAK.CAST recording at CYBR.HAK.CON came when Scott DeLuke, Field Technical Director at Abnormal AI, challenged a long-standing assumption about email security.

Check out the full episode:

AI vs. AI with Scott Deluke
In this episode of CYBR.HAK.CAST, hosts Michael and Phil speak with Scott Deluke of Abnormal AI live from the inaugural CYBR.HAK.CON.!

Email Security Has Become an AI Arms Race
During a live CYBR.HAK.CAST interview at CYBR.HAK.CON, Abnormal AI’s Scott DeLuke explained why AI-powered phishing has transformed email security into a machine-speed battle that humans can no longer fight alone.

For decades, organizations have relied on secure email gateways as the primary line of defense. Increasingly, however, attackers are finding ways around those controls altogether.

Modern attackers are bypassing traditional inspection points, abusing trusted cloud platforms, leveraging legitimate services, and finding pathways that allow malicious messages to reach inboxes without ever triggering the controls organizations have relied upon for years.

The result is a growing realization across the cybersecurity industry: protecting the perimeter is no longer enough.

The Cloud Changed the Rules

The migration to Microsoft 365 and Google Workspace fundamentally altered the way organizations communicate.

Email is no longer tied to on-premises infrastructure sitting behind a corporate firewall. It exists inside massive cloud ecosystems that offer flexibility, scalability, and collaboration capabilities that businesses depend on.

Unfortunately, attackers understand these environments just as well.

More from CYBR.HAK.CON:

Inside CYBR.HAK.CON.: A New Grassroots Cybersecurity Conference for Ethical Hackers
Built by the team behind HOU.SEC.CON. (now CYBR.SEC.CON.) and partnered with renowned penetration tester Phil Wylie, CYBR.HAK.CON. aims to reconnect cybersecurity conferences with their grassroots hacker culture through hands-on training, community collaboration, and practitioner-first experiences.

Highlights from CYBR.HAK.CON. 2026
Among the topics: Cognitive warfare and medical device mayhem.

Instead of relying exclusively on malicious domains or suspicious infrastructure, threat actors increasingly abuse legitimate services that organizations already trust. They leverage trusted cloud providers, known-good domains, and communication methods that blend seamlessly into normal business activity.

This creates a challenge for traditional email security technologies that were designed to inspect traffic entering the organization from the outside.

If the attack doesn't arrive through the expected path, the gateway may never see it.

That's not a failure of the technology. It's a reflection of how dramatically the threat landscape has evolved.

The Rise of Security Blind Spots

One of the most concerning topics discussed during the podcast involved techniques that allow attackers to bypass traditional inspection layers entirely.

DeLuke pointed to tactics such as direct-send abuse, where messages can effectively slip underneath layers of traditional inspection and land directly in user inboxes. Organizations may believe they have implemented all the right controls—secure email gateways, DMARC, cloud-native protections, and additional security tooling—yet still find themselves dealing with successful phishing attacks.

The problem is visibility.

Organizations frequently possess strong security at the perimeter but limited visibility into communication patterns, identity abuse, and behavioral anomalies occurring inside their cloud environments.

As attackers shift toward business email compromise, social engineering, and cloud-service abuse, those blind spots become more important than traditional malware detection.

The challenge is no longer identifying obviously malicious content. It is identifying activity that appears legitimate until examined within a broader behavioral context.

Why Defense in Depth Still Matters

None of this means organizations should abandon traditional controls.

In fact, DeLuke repeatedly emphasized what many security practitioners have long described as a "plus-one" strategy. Native Microsoft and Google protections remain important. Secure email gateways continue to provide value. DMARC still matters. Defense in depth is still defense in depth.

The difference is that these technologies can no longer be viewed as complete solutions.

The organizations achieving the best outcomes are increasingly layering behavioral analytics, cloud-native visibility, and anomaly detection on top of their existing investments.
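A concrete picture of what "layering on top of existing investments" can look like in practice, as an added example that is not Abnormal AI's product logic or anything described on the podcast. It models two of the article's points in code: a message whose From address claims the organization's own domain but that never passed DMARC (the kind of mail that can land in inboxes without going through the expected inspection path, as in the direct-send abuse mentioned earlier), and a behavioral anomaly (a sender/recipient pair with no prior history, or a Reply-To pointing at a different domain than the From). The organization domain, the message records, the Authentication-Results values and the communication history are all constructed placeholders; the header-parsing is a simplified reading of the `mechanism=result` clauses in an Authentication-Results header, not a full RFC 8601 parser.

```python
"""Post-delivery triage of mailbox messages (added example, constructed data)."""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumed organization domain (placeholder)


@dataclass
class Message:
    msg_id: str
    from_addr: str
    to_addr: str
    reply_to: str        # empty string when the header is absent
    auth_results: str    # raw Authentication-Results header value


def parse_auth_results(value):
    """Reduce 'authserv; spf=pass ...; dkim=fail ...; dmarc=fail ...' to {mechanism: result}.

    Only the leading token of each ';'-separated clause is read; the authserv-id
    (first clause, no '=') and property/value pairs after the result are ignored.
    """
    results = {}
    for clause in value.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        token = clause.split()[0]
        if "=" in token:
            mechanism, result = token.split("=", 1)
            results[mechanism.lower()] = result.lower()
    return results


def domain_of(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def flag_unauthenticated_internal(msg):
    """An internal-looking From that did not pass DMARC deserves a second look after delivery."""
    if domain_of(msg.from_addr) != ORG_DOMAIN:
        return None
    results = parse_auth_results(msg.auth_results)
    dmarc = results.get("dmarc", "none")
    if dmarc != "pass":
        return f"From claims {ORG_DOMAIN} but dmarc={dmarc}"
    return None


def flag_behavioral_anomaly(msg, history):
    """history is a set of (from, to) pairs previously observed; first contact and a
    Reply-To that diverges from the From domain are the two simple signals checked."""
    reasons = []
    if (msg.from_addr.lower(), msg.to_addr.lower()) not in history:
        reasons.append("first contact between sender and recipient")
    if msg.reply_to and domain_of(msg.reply_to) != domain_of(msg.from_addr):
        reasons.append(f"Reply-To domain {domain_of(msg.reply_to)} differs from From domain")
    return reasons


def triage(messages, history):
    """Return {msg_id: [reasons]} for every message that raised at least one signal."""
    findings = {}
    for msg in messages:
        reasons = []
        auth_reason = flag_unauthenticated_internal(msg)
        if auth_reason:
            reasons.append(auth_reason)
        reasons.extend(flag_behavioral_anomaly(msg, history))
        if reasons:
            findings[msg.msg_id] = reasons
    return findings


# Constructed sample data: one clean internal message, one spoofed internal
# message that never authenticated, one legitimate first contact from outside.
SAMPLE_HISTORY = {("cfo@example.com", "ap@example.com")}
SAMPLE_MESSAGES = [
    Message("m1", "cfo@example.com", "ap@example.com", "",
            "mx.example.com; spf=pass smtp.mailfrom=example.com; "
            "dkim=pass header.d=example.com; dmarc=pass header.from=example.com"),
    Message("m2", "cfo@example.com", "ap@example.com", "cfo-urgent@mail-relay.invalid",
            "mx.example.com; spf=none; dkim=none; dmarc=fail header.from=example.com"),
    Message("m3", "vendor@partner.invalid", "ap@example.com", "",
            "mx.example.com; spf=pass smtp.mailfrom=partner.invalid; "
            "dkim=pass header.d=partner.invalid; dmarc=pass header.from=partner.invalid"),
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES, SAMPLE_HISTORY).items():
        print(msg_id, "->", "; ".join(reasons))
```

Run as-is, the clean message `m1` produces nothing, `m2` is flagged twice (DMARC did not pass for an internal-looking sender, and the Reply-To points off-domain), and `m3` is flagged only as a first contact. The point of the design is the one the article makes: none of these checks replaces the gateway or DMARC, but they look at mail that is already in the mailbox, against the organization's own communication history, which the perimeter never sees.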

This reflects a broader truth across cybersecurity.

Attackers have learned how to navigate around static defenses. They exploit trusted platforms, legitimate services, and human behavior rather than simply attacking technology.

Defenders must adapt accordingly.

The future of email security will not be defined by building bigger walls around the organization. It will be defined by understanding what happens inside the environment after attackers find a way around those walls.

And increasingly, they already have.
