
The Last 1% of Attacks: Rise and Fall of the SEG

Traditional secure email gateways once defined email security. Today, they’re struggling to catch the final—and most dangerous—1% of attacks.
May 29, 2025

For decades, secure email gateways (SEGs) were the go-to solution for defending against threats delivered via email. They filtered spam, blocked viruses, and stopped well-known malicious senders. For a long time, that was enough.

But the threat landscape has changed.

Modern attacks don’t announce themselves with obvious signals. They don’t carry single-stage malware, include obviously suspicious links, or come from flagged domains. Instead, they arrive as routine messages—fake invoices, wire transfer requests, HR and employee handbook updates—from sources that appear legitimate. These threats are subtle, precise, and increasingly effective as they abuse legitimate content and security services to improve perceived legitimacy.

They make up the final 1% of attacks. And they’re often the most costly.

What SEGs Were Built to Do—And Where They Fall Short

SEGs emerged to combat the threats of the early internet era. They were designed to block large-scale spam campaigns and malicious payloads using rules, signatures, and reputation data. But today’s attacks exploit trust, not technology.

With the shift to cloud-based platforms like Microsoft 365 and Google Workspace, native security has become more robust—offering malware scanning, impersonation protection, and link analysis. These built-in features handle the majority of traditional threats well.

Yet attackers have adapted. Instead of relying on malicious content, they manipulate context. They impersonate vendors. They imitate executives. They craft believable requests and time them perfectly.

And they bypass the defenses that were never meant to understand behavior.

The Last 1%: Highly Targeted, Often Overlooked

Most email security tools are designed to recognize known and similar-to-known threats. But many of today’s most dangerous attacks don’t fit known patterns. They’re subtle by design, engineered to slip through filters and avoid raising alarms.

They’re hard to detect—and even harder to stop.

These attacks often contain no links or attachments. They exploit the human layer, not technical vulnerabilities. And when successful, they result in serious outcomes: stolen funds, exposed data, damaged reputations.

SEGs and traditional defenses were never built to interpret relationships or detect subtle shifts in behavior. As a result, the threats that do the most damage are often the ones no one sees coming.

Redefining What “Good Enough” Means

Stopping 99% of threats sounds impressive—until you realize what’s hiding in the remaining 1%.

That last percent includes the most advanced, socially engineered attacks: the kind that evade conventional detection and exploit what feels normal. These threats don’t just slip through the cracks; they aim for them.

This is why, even with widespread use of secure email gateways, email remains the most common entry point for threat actors. It’s also why business email compromise (BEC) has cost organizations billions over the past decade.

Protecting against these attacks means moving beyond rules and signatures. It means recognizing when something feels off, even if it looks right on the surface. It requires an understanding of identity, behavior, and context, not just content.

A New Way Forward

This isn’t about tearing down what’s already in place. But it is about reconsidering whether the SEG, once the cornerstone of email security, still serves its purpose in a cloud-first world.

As threats evolve, defenses must adapt. Preventing the most advanced attacks means embracing models that detect anomalies, not just known indicators. It means shifting from static protection to dynamic analysis.

How Abnormal Closes The Gap

By integrating directly with Microsoft 365 and Google Workspace, Abnormal complements these existing defenses by focusing on the 1%. It applies novel detection techniques that profile how people and systems communicate, surfacing anomalies that indicate an attack. Rather than replicate what native tools already do, Abnormal delivers what they can’t: an understanding of the subtle deviations that indicate targeted, socially engineered attacks.

For many organizations, this approach makes traditional SEGs redundant. More importantly, it makes their defenses more resilient, designed not just for yesterday’s threats, but for today’s reality.

Interested in learning more about how Abnormal stops the last 1% of attacks? Schedule a demo today!
