Beyond the SEG: A Roadmap to AI-Native, Cloud Email Security

Traditional secure email gateways were built for a different era of threats. As cybercriminals increasingly use AI to generate sophisticated attacks, many organisations are re-evaluating the role of legacy tools.

Lily Prest

October 22, 2025


Secure email gateways (SEGs) were designed to address high-volume spam and known malicious payloads. But today’s attacks are more targeted, more human, and often lack the malicious links or attachments that traditional tools were designed to detect. Attackers now use generative AI to personalise and scale socially engineered messages that appear credible to both users and filters. Many enterprises continue to run legacy tools alongside newer cloud-native solutions, but increasingly recognise that this creates operational complexity and coverage gaps.

At Abnormal AI, we've spent the past few years helping organisations augment or retire their SEGs and move to AI-native protection that plugs directly into Microsoft 365 or Google Workspace. Having migrated more than 550 enterprises and 2.7 million mailboxes, we’ve distilled a repeatable, low-risk path to stronger security at lower overall cost.

Understanding the Limitations of Legacy Email Defences

Secure email gateways sit inline in front of the mail provider (the domain’s MX records point at the gateway) and triage messages using static rules. They look for the common patterns in spam messages—“known bad” domains, spoofed sender addresses, or malicious links and attachments. Anything flagged as suspect is sandboxed until its fate is decided. When an email carries none of those known-bad indicators, the SEG will usually wave it through.

This approach is no longer the most effective. Modern attacks play on human vulnerability, and rarely display typical spam or phishing flags, leaving your organisation vulnerable to account takeovers, invoice fraud, and business email compromise.

Static Filters Miss Dynamic Threats

Generative AI is making life easier for cybercriminals at every stage of an attack. With a few prompts, an attacker can research an organisation’s environment—its employees, executives, suppliers, and clients, and who works with whom. It takes seconds to fold that information into a contextually accurate spear-phishing email that is targeted and convincing enough for some recipients to act on it.

AI also enables criminals to cast a wide net. Consider, for example, vendor (supply chain) email compromise. In this attack, the criminal compromises not your organisation’s credentials but those of a trusted vendor. Because the message is then sent from the vendor’s genuine mailbox, it passes SPF, DKIM, and DMARC checks. The impersonator emails one of your employees requesting a payment transfer from the company’s bank account, often with “updated” banking details. The email is text only: it contains no malicious links or attachments, so the SEG will most likely let it through.

It’s often left to a sharp-eyed staff member to spot subtle flags in the email before the money moves. That’s a fragile last line of defence. In a real incident, an employee transferred $753,000 (roughly £560,000) after receiving a plausible-looking message from a frequent contact.

Increased Cost Without Coverage

Malicious emails are a numbers game. The more that reach a user's inbox, the higher the risk that someone is going to engage with one of them. If an employee pays a fake invoice or shares confidential files, your organisation will suffer a direct loss to its bottom line and reputation.

However, direct losses are not the only reason why many organisations have decided to replace the SEG—the productivity cost of maintaining a legacy solution can also be steep.

SEG tools need frequent patching, endless rule updates, and manual policy tweaks for every new threat. Meanwhile, analysts are stuck triaging false positives instead of stopping real attacks—burning time and energy on work that never ends.

Enterprises deploying SEGs often pay twice, once for the SEG licence and again in lost analyst productivity, to stay only marginally protected.

The Next Generation of Email Defence

The modern organisation requires a modern security stack that protects the cloud email environment from increasingly clever and intricate threats.

Behavioural AI security represents the next evolution in email defence. Instead of searching for the “known bad,” it builds a dynamic understanding of the “known good”—learning what normal communication and behaviour look like across users, devices, and applications. By analysing thousands of data points such as sender relationships, communication frequency, and message tone, behavioural AI can identify the anomalies that signal risk.

This is the foundation of Abnormal AI’s approach.

Built to be cloud-native, Abnormal uses behavioural anomaly detection to stop the full spectrum of social engineering attacks, including account takeovers across cloud applications and the email supply chain. By integrating directly with Microsoft 365, Google Workspace, and other cloud platforms, Abnormal analyses identity, context, and communication signals to create a precise baseline of normal activity for every user and vendor.

When behaviour deviates from that baseline—such as an unexpected change in payment details or an unfamiliar sign-in—the system isolates the message before anyone can engage. Automated remediation handles routine incidents while surfacing only high-risk events for review, dramatically reducing false positives and allowing security teams to focus on genuine threats.
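As an added illustration (not Abnormal’s detection logic; the signals, weights, threshold, and sample messages are all constructed for the example), the Python block below contrasts a rules-only check that keys on links and attachments with a per-vendor baseline learned from past mail. It then scores the text-only, payment-redirect message from a compromised vendor described above, which the static check waves through and the baseline comparison flags:

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    sender: str              # From: address
    reply_to: str            # Reply-To: address (same as sender when the header is absent)
    recipient: str
    hour_utc: int            # hour of day the message was sent
    body: str
    attachments: tuple = ()  # attachment names; empty for a text-only message


@dataclass
class VendorProfile:
    """The 'known good' learned for one sending domain (structure is hypothetical)."""
    messages: int = 0
    reply_domains: Counter = field(default_factory=Counter)
    recipients: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    has_discussed_bank_details: bool = False


PAYMENT_TERMS = ("bank account", "account number", "iban", "sort code", "wire transfer")
URGENCY_TERMS = ("urgent", "immediately", "asap", "before close of business")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
QUARANTINE_AT = 2  # constructed threshold: two unseen-before signals hold the message


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def static_filter(msg: Message) -> str:
    """A rules-only gateway keys on payloads: no link and no attachment means 'allow'."""
    if msg.attachments or URL_RE.search(msg.body):
        return "sandbox"
    return "allow"


def learn_baseline(history):
    """Build one VendorProfile per sending domain from past, trusted mail."""
    profiles = defaultdict(VendorProfile)
    for m in history:
        p = profiles[domain(m.sender)]
        p.messages += 1
        p.reply_domains[domain(m.reply_to)] += 1
        p.recipients[m.recipient.lower()] += 1
        p.hours[m.hour_utc] += 1
        if any(t in m.body.lower() for t in PAYMENT_TERMS):
            p.has_discussed_bank_details = True
    return dict(profiles)


def score_message(msg: Message, profiles):
    """Return (score, reasons): one point per signal that departs from the vendor's baseline."""
    p = profiles.get(domain(msg.sender))
    if p is None:
        return 1, ["no communication history with the sending domain"]
    body = msg.body.lower()
    reasons = []
    if p.reply_domains[domain(msg.reply_to)] == 0:
        reasons.append("reply-to domain never used by this vendor")
    if p.recipients[msg.recipient.lower()] == 0:
        reasons.append("vendor has never written to this recipient")
    if not min(p.hours) <= msg.hour_utc <= max(p.hours):
        reasons.append("sent outside the vendor's usual hours")
    if any(t in body for t in PAYMENT_TERMS) and not p.has_discussed_bank_details:
        reasons.append("first mention of bank details from this vendor")
    if any(t in body for t in URGENCY_TERMS):
        reasons.append("urgency language")
    return len(reasons), reasons


def verdict(msg: Message, profiles) -> str:
    score, _ = score_message(msg, profiles)
    return "quarantine" if score >= QUARANTINE_AT else "deliver"


# Constructed history: a supplier that invoices accounts payable during office hours.
HISTORY = [
    Message("billing@acme-supplies.example", "billing@acme-supplies.example",
            "ap@corp.example", hour,
            f"Invoice INV-{n} for last month's order; payment terms as agreed.")
    for n, hour in enumerate((9, 10, 11, 14, 15, 16), start=1)
]
PROFILES = learn_baseline(HISTORY)

# Constructed attack: the vendor's real mailbox is compromised, so From: is genuine and
# authentication passes; the only tells are a lookalike Reply-To, the hour, and the ask.
ATTACK = Message("billing@acme-supplies.example", "billing@acme-supplies-pay.example",
                 "ap@corp.example", 3,
                 "Our bank account details have changed. Please update your records "
                 "and settle INV-7 immediately.")
BENIGN = Message("billing@acme-supplies.example", "billing@acme-supplies.example",
                 "ap@corp.example", 10,
                 "Invoice INV-7 for last month's order; payment terms as agreed.")

if __name__ == "__main__":
    for name, m in (("attack", ATTACK), ("benign", BENIGN)):
        score, reasons = score_message(m, PROFILES)
        print(f"{name}: static={static_filter(m)} behavioural={verdict(m, PROFILES)} "
              f"score={score} {reasons}")
```

The point of the contrast is in the two verdicts on `ATTACK`: the static check has nothing to key on and returns `allow`, while the baseline comparison accumulates four departures from the vendor’s history (an unseen Reply-To domain, an unusual hour, a first-ever mention of bank details, and urgency language) and holds the message. A real system learns far more signals and weights them rather than counting them, but the shape is the same: model the known good, then act on deviation from it.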

Behavioural AI security redefines how organisations defend against modern attacks, combining understanding, automation, and intelligence to protect people where they work.

Extending Your Cloud-Native Protection With Abnormal

The native security features of cloud email providers like Microsoft 365 and Google Workspace provide solid first-layer defence for spam and commoditised malware. CISOs, seeking defence in depth, often add a SEG on top. But these tools largely duplicate each other’s features, so you get twice the cost without twice the protection.

Combining your cloud email platform with an API-based solution gives far greater defence in depth. By layering Abnormal on top, organisations create a static layer for commodity threats plus a dynamic layer for the sophisticated ones, without the complexity of a separate perimeter appliance.

Here’s what enterprises gain by combining Abnormal with their cloud email platform:

  • Improved Security Posture: Abnormal detects high-impact, socially-engineered attacks that SEGs often miss, increasing protection against the full spectrum of threats.
  • Stop Evolving And Zero Day Attacks: Anything that falls outside your behavioural norms stands out, even for threat types we haven’t seen before.
  • Cost Savings: The average organisation saves 42% in licensing costs by replacing add-on SEGs whose features are redundant, and cuts SOC time spent on email triage by 95%.

A Path Forward for the Modern CISO

One of the most reassuring discoveries is that replacing (or augmenting) SEGs with an API-based solution won’t leave you drowning in change management. Yes, migration requires careful handling: most SEGs are inserted inline by pointing the domain’s MX records at the gateway, and over the years they accumulate policies, allow-lists, and transport rules that nobody has fully documented. Two details matter at cut-over: the provider’s own filtering must be re-enabled for mail that previously arrived from the gateway’s IP ranges, and any rule that let the gateway’s traffic bypass it must be removed. With the right planning and support, organisations can migrate to modern solutions without disrupting mail flow.

If you’re still on the fence about making the switch, here are three practical steps that can help you move forward with confidence:

1. Think Beyond Detection
What is your SEG costing you in licence fees and undetected threats? When considering this question, think beyond the number and type of attacks getting through to inboxes. Look at false positives and the workloads SOC teams are experiencing as well. Use productivity data alongside threat detection data to guide your decision.

2. Run a Proof of Value
Look for a solution you can run in monitor-only mode alongside your current SEG for 30 days. You’ll see exactly which threats get past the legacy filters but are caught by the behavioural AI solution. Speak with CISOs who have already displaced their gateways, and read vendor success stories for evidence that the solution works. We have helped 550-plus CISOs complete this journey, and 76% of our customers now operate without a third-party secure email gateway.

3. Insist on a Structured Migration Plan
Look for a solution that offers a robust migration programme, like Abnormal’s SEG displacement service. Offered free of charge to customers, our migration specialists work with you to evaluate your policies and safely migrate them to the cloud email provider and Abnormal. It’s a fully guided, low-risk path from assessment to cut-over, with a rollback option at every stage. There is no disruption to mail flow, and nothing changes in your environment without your sign-off.

Stop Malicious Emails Reaching Your Users

Legacy SEGs served us well when “spray-and-pray” spam dominated the inbox. But today’s attacks are personalised, payload-less, and often generated by AI in seconds. These modern attacks often slip through the SEG layer, and the humans hired to shore up these tools are burning out fast.

But with your native cloud email security and Abnormal, you receive comprehensive protection. By working together, the two solutions provide layered protection that helps stop malicious emails before they reach employees—a stronger, smarter defence in depth.

Interested in learning more about Abnormal protection? Schedule a demo today!
