Skip to main content

Jul 13, 2026

Microsoft + Abnormal: The Case for Third-Party SEG Just Got a Lot Harder to Make

Microsoft's E3 licensing shift and Abnormal's expanded platform mean Microsoft + Abnormal now deliver the same capabilities that once made legacy SEGs essential.

For security teams still maintaining a third-party secure email gateway (SEG) alongside Microsoft 365, one question is worth sitting with: what capabilities does a third-party SEG provide to justify its place in the stack?

The case for displacing a legacy SEG has never been stronger. As of July 1st, 2026, Microsoft has expanded its native email security capabilities by including Defender for Office 365 Plan 1 in Microsoft 365 E3 and Office 365 E3. Gartner® explains this “licensing shift commoditizes basic predelivery email security, making third-party SEG options redundant.1” For any organization approaching a SEG renewal, it's the right prompt for an honest evaluation.

At the same time, Abnormal AI has expanded its platform to cover many of the operational and workflow functions practitioners have historically relied on a SEG for. Together, the Abnormal + Microsoft stack now covers the core functions a third-party SEG was built to deliver, and adds a layer of behavioral AI detection that no gateway architecture can replicate.

What Microsoft Now Includes in E3

On July 1, 2026, Microsoft extended Defender for Office 365 Plan 1 to both Microsoft 365 E3 and Office 365 E3, bringing capabilities that previously required E5 licensing or a separate add-on into the subscription most enterprise organizations already own.

  • Safe Links adds time-of-click URL protection and dynamically blocks malicious destinations when users click links in email, Office documents, and Teams.

  • Safe Attachments detonates suspicious email attachments in an isolated environment to detect unknown and zero-day malware before delivery.

  • Advanced Anti-phishing applies multiple machine learning models to better identify phishing attempts and delivers controls for administrators to address several forms of BEC.

E3 customers who were paying for a third-party SEG specifically to access this functionality now have a viable native baseline at no additional cost.

How Abnormal Complements Microsoft 365

Microsoft’s broader native coverage is only half the story. Abnormal has expanded its capabilities to provide broader support across the workflows and control layers practitioners depend on. Over the past year, Abnormal has added the following:

  • Unified Quarantine brings Microsoft-quarantined messages into Search & Respond, so analysts can investigate and release mail from a single interface. Quarantine Auto-Release reduces false positives by automatically releasing messages Microsoft quarantines that Abnormal identifies as safe.

  • Email Digest gives end users a clear, configurable summary of the malicious, spam, and graymail messages removed from their inbox, with richer sender and subject context, configurable cadence, and rollout controls.

  • Custom AI Models let security teams address repeatable, organization-specific email patterns using real examples and natural language, giving teams more precise control alongside Abnormal's core behavioral detection.

  • ​​Calendar Invite Remediation automatically removes malicious calendar events created from phishing or spam emails when the linked email is remediated, closing a protection gap that legacy gateways typically miss.

  • Enterprise Remediation Settings let security teams configure remediation behavior by threat category, destination handling, tenant-level controls, and end-user warning options, with instant enforcement.

  • Auto-Forwarding Mail Protection evaluates messages before Microsoft applies auto-forwarding rules to external systems like Salesforce, ServiceNow, or Zendesk. An associated Pre-Delivery Mail Flow Dashboard adds real-time visibility into mailbox-level protection status, mail volume, and configuration health.

Where Microsoft handles foundational protection against a wide array of threats at scale, Abnormal provides the behavioral AI layer for the attacks tailored to your organization, which evade traditional inspection: business email compromise, vendor fraud, and account takeover attacks that arrive as technically clean, context-rich messages with no obvious payloads or known-bad indicators. This detection gap is experienced by all SEGs, and is responsible for 85% of all losses from cyber-enabled fraud attacks.

The Business Case is Catching Up to the Technical Reality

For organizations looking to optimize their native Microsoft 365 capabilities, the value equation changes quickly once the feature overlap becomes visible. According to Gartner, "ICES (integrated cloud email security) solutions can help augment most feature gaps, often at a lower or competitive price compared to third-party SEGs.1"

Steve Tieland, Senior Director of Corporate Security Operations at Pegasystems, described the experience this way:

"Unlike moving from SEG to SEG, trying Abnormal was low-risk, and the functionality was the reward. We already owned the M365 products that Abnormal complements, and it costs much less than our SEG."

Organizations that replaced their third-party SEG with Abnormal report measurable operational returns: a 59% reduction in administrative burden, 91% less time spent on user-reported emails, and a 92% reduction in false-positive investigation rates. Overall, they experience less tuning, less manual triage, and better return on the Microsoft investment they already have.

The Question Security Teams Should Ask Now

More than 900 organizations have already migrated from a third-party SEG to the Abnormal + Microsoft model, representing over 3.5 million mailboxes. Today, almost 80% of Abnormal customers operate without a third-party SEG.

If your organization already relies on Microsoft 365, the question becomes: “With Microsoft 365 and Abnormal working together, what new capabilities does a third-party SEG bring to the table?”

For a growing number of organizations, the honest answer is: not enough to justify the cost, complexity, and redundancy.

Schedule a demo to see how Abnormal + Microsoft can help you replace your legacy SEG with stronger protection, less overhead, and better ROI for the tools you already own.

Schedule a Demo

1Gartner, Capitalize on Microsoft’s Licensing Changes for Email Security, Max Taggett, Nikul Patel, Peter Firstbrook, April 1 2026. GARTNER is a trademark of Gartner, Inc. and/or its affiliates

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.