For a cybercriminal, getting through secure email gateways (SEGs) is simply the cost of doing business: being detected at the perimeter by a SEG means falling at the first hurdle.
SEGs have been adopted broadly, especially in larger organizations (although this picture has started to change in recent years - more on that below).
Even where organizations don’t use a SEG, many native controls in email platforms (like Microsoft Exchange) operate on the same principles. So a cybercriminal can be fairly confident they’ll need to get through a SEG or a similar layer to reach a target’s inbox.
Cybercriminals can be incredibly clever and, like most of us, they need or want to get paid at the end of the day. If email security technology stands between them and whatever they’re planning, then they’ll do everything they can to evolve their attacks to bypass detection.
Here’s some proof. Below is a screenshot taken from the dark web. It shows details of a subscription-based phishing toolkit with access to 30+ brand impersonation templates. It’s advertised for sale at a monthly cost of $300 or lifetime access for $1,000, and comes with 24/7 support.
Crucially, the payloads are guaranteed to bypass named SEG vendors.
When you combine these details, they paint an interesting picture. The cybercriminal selling the kit is hoping to create renewing customers to generate ongoing business. Any failure to deliver on their guarantees will damage this business model - so we can anticipate they will look to uphold their promises.
Ad for a phishing toolkit, including brand impersonation templates and guaranteed delivery against named SEG vendors.
Are More Attacks Getting Through Secure Email Gateways (SEGs)?
Yes. That’s the short answer, unfortunately.
We know this because of the way KnowBe4 Defend - our anti-phishing product - integrates with customers’ tech stacks. We analyze mail after it’s passed through Microsoft and SEG defenses, so we catch what they’ve missed - and the number of phishing emails we’ve detected increases year on year.
In our Phishing Threat Trends Report from March 2025, we reported there was a 47.3% increase in attacks getting through Microsoft and SEGs in 2024.
Our report also showed that, over a six-month period, there had been a significant increase in three types of payload getting through perimeter detection:
- 38.8% increase for phishing hyperlinks
- 20% increase in malware
- 14.2% increase for emails that relied solely on social engineering
For this blog, I also analyzed the attacks getting through five SEGs with the largest customer footprints. Matching what we saw in our report, on average 60.9% of phishing emails that contained a malicious hyperlink bypassed these products. In terms of attack type, business email compromise (BEC) attacks were the most likely to get through, with 59.8% of these going undetected.
Five Tactics Cybercriminals Use To Get Through Secure Email Gateways (SEGs)
SEGs work using signature- and reputation-based detection. To briefly summarize: they rely on blocklists of “known bad” hyperlinks and malware payloads, sender and domain reputation, and authentication checks (such as SPF, DKIM and DMARC) to decide whether something is suspicious. It’s a pretty binary system: if a payload is known to be bad or the sending domain looks suspicious, the email is held in quarantine; if it looks ok, it goes into the inbox.
Back in the day - in a much less digitally complex world - SEGs were the kings of email security. This was a time when we all sent fewer emails and phishing attacks primarily featured terrible spelling and grammar, came with offers of millions to be paid by a long-lost relative or foreign royalty, and were sent from dodgy domains. So what wasn’t filtered out by a SEG would likely stick out like a sore thumb in the inbox.
Now, threats are much more sophisticated, with cybercriminals attempting to both bypass detection and fool the target into interacting with the email. Here are five ways they can achieve that.
- Using compromised accounts: When a cybercriminal sends a phishing email from a compromised but legitimate account, they leverage that trusted domain to get through a SEG’s reputation checks. Recipients can also be more trusting of emails that look like they’ve been sent by someone they know or a company or brand they trust.
- Leveraging third-party platforms: Typically, this involves creating an account on a trusted platform and using their legitimate communication infrastructure to send attacks. The effect is the same as compromising a legitimate account because of the sender domain reputation - but in this case, it’s as easy as signing up for a service, as the platform itself hasn’t been compromised. Our Threat Labs team has observed a significant increase in these kinds of attacks in 2025, such as this campaign that exploits Google AppSheet.
- Ageing the domain: It’s relatively easy to register a new email domain - but newly registered domains can be flagged as suspicious by reputation checks that weigh domain age. One way to increase the appearance of legitimacy is for cybercriminals to age the domain by, essentially, sitting on it until enough time has passed. Our Phishing Threat Trends Report showed that, on average, phishing domains had been aged for 3,829 days to help them evade SEG detection.
- Applying technical measures: Cybercriminals manipulate the body and payloads of phishing emails to obfuscate (hide) their true nature from SEG detection. HTML smuggling is a common example: the payload is carried inside a seemingly benign HTML attachment and reassembled by JavaScript in the recipient’s browser, so no malicious file or URL is visible to the gateway. Invisible or look-alike Unicode characters can be inserted to split keywords, phrases or hostnames so that they no longer match a signature, or to disguise malicious hyperlinks. URL redirects through a legitimate site mean the target ends up at a completely different website from the one the SEG evaluated. (Our report goes into more detail about some of these tactics.)
- Creating undetectable payloads: SEG blocklists have to be updated to recognize hyperlink and malware payloads. So, naturally, new zero-day payloads won’t be on the list. With booms in GenAI and crime-as-a-service, it’s becoming easier than ever for cybercriminals to deploy novel payloads. There is also some lag time between a new payload being recognized in the wild and these lists being updated for a provider’s global customer base, which is a window that cybercriminals aim to exploit.
Alternatively, emails might not contain a “traditional” malicious payload (hyperlink or malware) at all. The body copy of an email can be used to socially engineer a victim into carrying out a specific action, or a “benign” fraudulent attachment won’t look suspicious but can be used in invoice fraud. Again, none of this features on a SEG’s blocklists.
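The evasions in the list above share one property: they change what the gateway’s string and reputation matching sees without changing where the recipient ends up. The Python below is an added example, not code from the original post or from KnowBe4 Defend. It shows a toy reputation check missing the same destination hidden with zero-width characters, fullwidth letters and a redirector URL; a normalize-then-unwrap step that recovers it; and a simple indicator scan for an HTML-smuggling attachment. All hosts, message bodies, the attachment and the indicator names are constructed for the example.

```python
"""Added example (not from the original post): why the evasions above defeat
string/list matching, and how a post-delivery analyzer can undo them before
re-checking. Hosts, bodies and the attachment are constructed, not real IOCs."""
import re
import unicodedata
from urllib.parse import urlparse, parse_qs, unquote

# Stand-in for a gateway's "known bad" host list (hypothetical name).
BLOCKLIST = {"evil.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# JavaScript/HTML fragments typical of an HTML-smuggling attachment: the file is
# assembled client-side from an inline blob, so the gateway sees no URL and no
# binary. Indicator names are this example's own labels.
SMUGGLING_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"),
    "forced_download": re.compile(r"\bdownload\s*=", re.I),
}


def extract_urls(text):
    return URL_RE.findall(text)


def host_of(url):
    """Hostname of a URL, or '' if urlparse rejects the netloc."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def naive_host_check(text):
    """What a reputation-only check sees: the literal host of each literal URL."""
    return any(host_of(u) in BLOCKLIST for u in extract_urls(text))


def normalize(text):
    """Drop invisible format characters (zero-width space/joiner, word joiner,
    soft hyphen, BOM: Unicode category Cf) and fold compatibility forms such as
    fullwidth letters to ASCII with NFKC."""
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible)


def unwrap_redirects(url, max_depth=5):
    """Statically follow redirector-style URLs: if any query parameter is itself
    an absolute URL, treat it as the next hop. Returns the chain, first to last."""
    chain = [url]
    for _ in range(max_depth):
        query = urlparse(chain[-1]).query
        nested = next((unquote(v) for vals in parse_qs(query).values() for v in vals
                       if unquote(v).startswith(("http://", "https://"))), None)
        if nested is None:
            break
        chain.append(nested)
    return chain


def blocklisted_hosts(text):
    """Normalize, extract URLs, unwrap redirect chains, report blocklisted hosts."""
    hits = []
    for url in extract_urls(normalize(text)):
        for hop in unwrap_redirects(url):
            host = host_of(hop)
            if host in BLOCKLIST and host not in hits:
                hits.append(host)
    return hits


def smuggling_indicators(html):
    """Sorted names of HTML-smuggling indicators present in an attachment body."""
    return sorted(name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html))


# Constructed samples: the same destination, hidden differently in each body.
SAMPLES = {
    "plain":      "Reset your password at https://evil.example/login",
    "zero_width": "Reset your password at https://ev\u200bil.exam\u00adple/login",
    "fullwidth":  "Reset your password at ｈｔｔｐｓ://ｅｖｉｌ.ｅｘａｍｐｌｅ/login",
    "redirect":   "Reset your password at https://trusted.example/r?u=https%3A%2F%2Fevil.example%2Flogin",
    "benign":     "Agenda attached; notes at https://docs.trusted.example/notes",
}

# Constructed HTML-smuggling attachment: the "document" is a base64 blob that is
# decoded in the browser and handed over as a download, with no URL to filter.
SMUGGLED_HTML = """<html><body><script>
var b = atob('SGVsbG8=');  // payload bytes live here, not on any server
var bytes = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'invoice.pdf'; a.click();
</script></body></html>"""

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} naive={naive_host_check(body)!s:5} normalized={blocklisted_hosts(body)}")
    print("attachment indicators:", smuggling_indicators(SMUGGLED_HTML))
```

Run it as a script to see the naive and normalized verdicts side by side: only the plain body trips the literal host check, while all four malicious bodies resolve to the blocklisted host after normalization. Two caveats for production use: NFKC folds compatibility characters (fullwidth forms, ligatures) but not Cyrillic or Greek look-alikes, so a real check also needs a confusables table and a look at the IDNA/punycode form of the host; and static unwrapping only catches redirectors that carry the destination in the query string, not server-side redirects, which need a HEAD request or detonation to resolve.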
What Can You Do To Protect Your Organization?
In light of these developments, you will likely need to make some improvements to your email security defenses.
As with all cybersecurity projects, the first step is to quantify your risk exposure, i.e. how many and what type of phishing emails are making it through your existing defenses. Once you know this, you can make targeted improvements.
Integrated Cloud Email Security (ICES) products (such as KnowBe4 Defend) provide AI-powered defenses that can detect a broader range of phishing attacks, including those that get through SEGs. It’s also much harder to engineer attacks to bypass ICES detection. Industry analyst Gartner recommends that organizations use an ICES product to help stop sophisticated attacks such as those using GenAI and BEC.
Most organizations are now implementing ICES products into their cloud email environments. For many, the native security provided by Microsoft significantly overlaps with that provided by their SEG, so they choose a combination of Microsoft and ICES as their two layers of defense. Some organizations still find additional value in their SEG (for example, journaling capability) and therefore they layer an ICES product over the top of this.
KnowBe4 offers a free trial for Defend that you can use to quantify your risk - remember, we’re able to see what’s getting through your existing defenses - and assess the efficacy of our product. If you're interested in discussing this, you can request a demo with our team to kickstart the process.
With KnowBe4 Defend you can:
