The Last 1% of Attacks: Rise and Fall of the SEG
For decades, secure email gateways (SEGs) were the go-to solution for defending against threats delivered via email. They filtered spam, blocked viruses, and stopped well-known malicious senders. For a long time, that was enough.
But the threat landscape has changed.
Modern attacks don’t announce themselves with obvious signals. They don’t carry recognizable malware, include obviously suspicious links, or come from flagged domains. Instead, they arrive as routine messages (fake invoices, wire transfer requests, HR and employee handbook updates) from sources that appear legitimate. These threats are subtle, precise, and increasingly effective because they abuse legitimate content and services to borrow credibility they don’t have.
They make up the final 1% of attacks. And they’re often the most costly.
What SEGs Were Built to Do—And Where They Fall Short
SEGs emerged to combat the threats of the early internet era. They were designed to block large-scale spam campaigns and malicious payloads using rules, signatures, and reputation data. But today’s attacks exploit trust, not technology.
With the shift to cloud-based platforms like Microsoft 365 and Google Workspace, native security has become more robust—offering malware scanning, impersonation protection, and link analysis. These built-in features handle the majority of traditional threats well.
Yet attackers have adapted. Instead of relying on malicious content, they manipulate context. They impersonate vendors. They imitate executives. They craft believable requests and time them perfectly.
And they bypass the defenses that were never meant to understand behavior.
The Last 1%: Highly Targeted, Often Overlooked
Most email security tools are designed to recognize known and similar-to-known threats. But many of today’s most dangerous attacks don’t fit known patterns. They’re subtle by design, engineered to slip through filters and avoid raising alarms.
They’re hard to detect—and even harder to stop.
These attacks often contain no links or attachments. They exploit the human layer, not technical vulnerabilities. And when successful, they result in serious outcomes: stolen funds, exposed data, damaged reputations.
SEGs and traditional defenses were never built to interpret relationships or detect subtle shifts in behavior. As a result, the threats that do the most damage are often the ones no one sees coming.
Redefining What “Good Enough” Means
Stopping 99% of threats sounds impressive—until you realize what’s hiding in the remaining 1%.
That last percent includes the most advanced, socially engineered attacks: the kind that evade conventional detection and exploit what feels normal. These threats don’t just slip through the cracks; they aim for them.
This is why, even with widespread use of secure email gateways, email remains one of the most common entry points for threat actors. It’s also why business email compromise (BEC) has cost organizations billions over the past decade.
Protecting against them means moving beyond rules and signatures. It means recognizing when something feels off, even if it looks right on the surface. It requires an understanding of identity, behavior, and context, not just content.
A New Way Forward
This isn’t about tearing down what’s already in place. But it is about reconsidering whether the SEG, once the cornerstone of email security, still serves its purpose in a cloud-first world.
As threats evolve, defenses must adapt. Preventing the most advanced attacks means embracing models that detect anomalies, not just known indicators. It means shifting from static protection to dynamic analysis.
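To make the shift from static indicators to behavioral analysis concrete, here is an added illustration that is not code from the original post or from Abnormal: a toy Python baseline that learns which sender addresses, domains, and sender-to-recipient pairs are normal from a small constructed message history, then scores a new message on identity and context signals (a new address behind a known display name, a lookalike domain, a Reply-To that points elsewhere, first contact, urgent payment language with no links or attachments) rather than on content signatures. The history, the sample messages, the term lists, and the threshold are all assumptions made for illustration.

```python
"""Toy behavioral email baseline (added example, not Abnormal's code).

All history and sample messages below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Email:
    from_name: str
    from_addr: str
    reply_to: str
    to_addr: str
    subject: str
    body: str
    has_links: bool = False
    has_attachments: bool = False


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Baseline:
    """What 'normal' looks like: addresses per display name, domains, and who writes to whom."""

    def __init__(self):
        self.addrs_by_name = defaultdict(set)
        self.domains_seen = set()
        self.pairs = set()

    def learn(self, msg: Email) -> None:
        self.addrs_by_name[msg.from_name.lower()].add(msg.from_addr.lower())
        self.domains_seen.add(domain(msg.from_addr))
        self.pairs.add((msg.from_addr.lower(), msg.to_addr.lower()))


# Assumed term lists; a real system would model intent far more richly.
PAYMENT_TERMS = ("wire", "bank details", "payment", "invoice", "gift card")
URGENCY_TERMS = ("urgent", "asap", "today", "immediately", "before end of day")


def score(msg: Email, baseline: Baseline) -> tuple[int, list[str]]:
    """Return (number of anomalies, human-readable reasons). No signatures involved."""
    reasons = []
    name, addr = msg.from_name.lower(), msg.from_addr.lower()
    d = domain(addr)
    known = baseline.addrs_by_name.get(name)
    if known and addr not in known:
        reasons.append("known display name, never-seen sender address")
    if d not in baseline.domains_seen:
        for seen in baseline.domains_seen:
            if 0 < edit_distance(d, seen) <= 2:
                reasons.append(f"lookalike domain {d} resembles {seen}")
                break
    if msg.reply_to and domain(msg.reply_to) != d:
        reasons.append("Reply-To domain differs from From domain")
    if (addr, msg.to_addr.lower()) not in baseline.pairs:
        reasons.append("first message from this sender to this recipient")
    text = f"{msg.subject} {msg.body}".lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        reasons.append("urgent payment request")
        if not msg.has_links and not msg.has_attachments:
            reasons.append("text-only request: nothing for a content scanner to inspect")
    return len(reasons), reasons


def is_suspicious(msg: Email, baseline: Baseline, threshold: int = 3) -> tuple[bool, list[str]]:
    n, reasons = score(msg, baseline)
    return n >= threshold, reasons


# Constructed history: a vendor's billing contact and the (fictional) CEO mailing AP.
HISTORY = [
    Email("Acme Supplies Billing", "billing@acme-supplies.com", "billing@acme-supplies.com",
          "ap@example.com", "Invoice 1041", "Invoice attached.", has_attachments=True),
    Email("Dana Ortiz", "dana.ortiz@example.com", "dana.ortiz@example.com",
          "ap@example.com", "Q3 budget", "Numbers look fine, thanks."),
]

# Constructed candidates: a routine invoice and two text-only social-engineering attempts.
VENDOR_INVOICE = Email("Acme Supplies Billing", "billing@acme-supplies.com",
                       "billing@acme-supplies.com", "ap@example.com",
                       "Invoice 1042 for March", "Please find attached invoice 1042, due net 30.",
                       has_attachments=True)
BANK_CHANGE_BEC = Email("Acme Supplies Billing", "billing@acme-suppiles.com",
                        "acme.billing.update@gmail.com", "ap@example.com",
                        "Urgent: updated bank details for invoice 1042",
                        "We changed banks. Please send payment to the new account today.")
EXEC_IMPERSONATION = Email("Dana Ortiz", "dana.ortiz.ceo@gmail.com", "dana.ortiz.ceo@gmail.com",
                           "ap@example.com", "Quick favor",
                           "Are you at your desk? I need gift cards sent asap for a client.")


def build_baseline() -> Baseline:
    b = Baseline()
    for m in HISTORY:
        b.learn(m)
    return b


if __name__ == "__main__":
    b = build_baseline()
    for m in (VENDOR_INVOICE, BANK_CHANGE_BEC, EXEC_IMPERSONATION):
        flagged, why = is_suspicious(m, b)
        print(m.subject, "->", "SUSPICIOUS" if flagged else "ok", why)
```

Neither flagged message carries a link, an attachment, a known-bad hash, or a sender on a blocklist, so a signature- or reputation-based gateway has nothing to match; every reason the scorer reports comes from comparing the message against the organization's own history. The threshold and term lists here are arbitrary; the design point is that the features are about identity and relationship, not content.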
How Abnormal Closes The Gap
Abnormal integrates directly with Microsoft 365 and Google Workspace and complements those native defenses by focusing on the last 1%. It profiles how people and systems normally communicate (who writes to whom, from which addresses, and about what) and surfaces deviations from that baseline that indicate an attack. Rather than replicating what native tools already do, Abnormal delivers what they can’t: recognizing the subtle deviations that mark targeted, socially engineered attacks.
For many organizations, this approach makes traditional SEGs redundant. More importantly, it makes their defenses more resilient, designed not just for yesterday’s threats, but for today’s reality.
Interested in learning more about how Abnormal stops the last 1% of attacks? Schedule a demo today!