From Reactive to Autonomous: How Peak Technologies Transformed Email Security with Behavioral AI
Learn how Peak Technologies used behavioral AI to detect sophisticated phishing attacks, automate remediation, and move beyond legacy email security controls.
May 19, 2026

I can point to the exact moment we realized our existing approach to email security wasn’t keeping up.
At Peak Technologies, where I lead IT and security across our global operations, we reached that moment in October 2023. We began seeing a wave of highly sophisticated phishing campaigns reach user inboxes. At a glance, these messages looked legitimate. Authentication checks like SPF, DKIM, and DMARC passed. The senders appeared trusted. But something was off, and we needed to analyze messages more deeply.
What we uncovered was a shift in how attacks were being executed. Threat actors weren’t spoofing domains or sending obviously malicious emails. They were operating from legitimate, compromised accounts we had already established relationships with. They would step into active email threads and inject malicious content into conversations our users were actively engaged in.
In practice, this often meant replacing a quote or modifying a response in an ongoing exchange with a vendor or partner. There were no obvious indicators to flag. The messages were timely, relevant, and aligned with existing business context.
This is why our existing controls started to break down.
To dive deeper into how Peak Technologies uncovered the limitations of traditional email security and responded to evolving phishing threats, watch the webinar Exposing the Gaps in M365 and Legacy SEG Protection.
When Attacks Stop Looking Malicious
Traditional email security tools are designed to identify known bad signals: malicious domains, suspicious attachments, known patterns of abuse. But the new attacks we saw didn’t rely on any of these signals. They relied on context.
We also started seeing campaigns that extended beyond text-based phishing. QR codes embedded in emails, links that redirected through legitimate services, and payloads that only revealed themselves after user interaction became more common. Natural language processing alone wasn’t enough to detect these messages.
Catching them required understanding not just what the message looked like, but how it fit into the broader pattern of communication—who was sending it, how the user typically behaved, and whether something subtle had changed in their behavior.
That level of analysis simply wasn’t something our existing SEG could provide.
A Containment Problem, Not Just a Detection Problem
As these attacks increased, the challenge quickly became operational.
When one of the malicious messages was opened and acted on, it often led to account compromise. From there, the attacker would use the same account to send similar messages—both internally and externally—expanding the attack surface in real time. In some cases, we were effectively chasing our own tail, with compromised accounts sending messages back into our environment.
Our team worked to stay on top of these attacks, but the volume and speed made that increasingly difficult. There were no meaningful controls within the SEG to tune detection for this type of activity. It became a race to identify and remediate issues before additional users were impacted.
At that point, it was clear we needed to look at a different approach altogether.
Letting Real Data Drive the Decision
At Peak Technologies, we didn’t set out specifically to adopt an AI-based behavioral solution. The goal was more straightforward: find something that could actually detect and remediate the types of attacks we were seeing.
We brought Abnormal AI in for evaluation and immediately saw the platform’s effectiveness, driven by its ability to integrate via API without disrupting mail flow. That allowed us to compare our existing SEG directly against Abnormal using our own live data.
The results were immediate. The same advanced phishing messages that were reaching inboxes were being identified and remediated by Abnormal. That side-by-side visibility made the gap clear.
From there, the decision became less about features and more about overall platform effectiveness. We moved forward with adopting Abnormal as a core part of our email security strategy.
Moving from Manual Response to Automated Protection
One of the most significant changes after implementing Abnormal was how we handled account takeover.
Previously, we relied on detailed runbooks to respond to these incidents. That often meant interrupting work—sometimes outside normal hours—to revoke sessions, reset credentials, and begin remediation. It was necessary, but it wasn’t scalable.
With Abnormal’s automated account takeover protection in place, much of that initial response now happens automatically. When sufficient signals indicate a compromised account, sessions are revoked and access is secured in near real time. We can still apply additional investigation and remediation steps as needed, but the most time-sensitive actions no longer depend on manual intervention.
That shift alone removed a significant operational burden from the team.
On the email side, detection also moved beyond static indicators. Evaluating links, analyzing message content, and understanding behavioral patterns allowed the system to make decisions that aligned much more closely with how modern attacks actually present.
Improving Accuracy Without Increasing Overhead
No detection system is perfect, and we still encounter cases where messages need to be reviewed. What’s changed is how those cases are handled.
When a message is misclassified—either as a false positive or false negative—we can flag it, and Abnormal evaluates similar messages and adjusts its detection models accordingly. Those updates happen quickly, typically within a day, and improve overall detection going forward.
That’s particularly important in environments where not every partner or vendor follows strict email authentication practices. Some legitimate messages will always look imperfect from a technical standpoint. The ability to adapt to that reality without constant manual tuning has been critical to our operations.
Simplifying the Environment
As we gained confidence in the platform, we made the decision to move away from our legacy SEG.
This was driven in part by cost, but more importantly by the overlap in functionality and the operational overhead of maintaining both systems. The SEG required ongoing management and tuning, while Abnormal delivered results with far less direct intervention.
The migration itself was more straightforward than expected. With the right support from the Abnormal team, what could have taken months was completed in a matter of weeks without disrupting email delivery.
From a user perspective, the experience also improved. Rather than managing quarantines or reviewing digests, messages are now handled more intuitively, and the system adapts based on user behavior when needed.
A Different Scale of Efficiency
The most noticeable change has been in how much attention email security now requires from our security team.
In a traditional model, even a small percentage of missed threats translates into a steady stream of compounding issues that require investigation. In practice, that often meant dealing with roughly one out of every hundred messages as a potential threat.
Today, that number is significantly lower, closer to one in a million. The reduction in volume has allowed my team to focus time and resources elsewhere, without sacrificing visibility or control.
Looking Ahead
The threat landscape will continue to change rapidly as threat actors find new ways to leverage AI for novel attacks. The tactics we saw last year have already shifted, and they’ll continue to do so at a pace legacy solutions can’t match.
What’s mattered most to my team is having a security approach that can adapt just as quickly thanks to Abnormal’s AI-native philosophy. That includes not only the underlying technology, but also the partnership behind it—being able to respond to new attack patterns and close gaps as soon as they emerge.
For organizations evaluating their current posture, the most effective starting point is visibility. Integrating at the API level and analyzing real traffic provides a clear picture of where gaps exist and what needs to change.
From there, the path forward becomes much easier to define.
To hear more about Peak Technologies’ experience adopting behavioral AI for email security, watch the full webinar, Exposing the Gaps in M365 and Legacy SEG Protection, featuring Jakob West and Abnormal AI.


