What is a secure email gateway (SEG)?

Egress | 21st Jun 2023

Email is the most frequent attack vector hackers use to target organizations. Secure email gateways (SEGs) have traditionally been relied on as the first line of anti-phishing defense. However, in recent years there has been a discussion surrounding the future of SEGs with the many advancements in the native email security capabilities of Microsoft 365.

A SEG provides pre-delivery protection to individuals by blocking (quarantining) known threats before they reach the mail server. They protect businesses against known viruses and malware, and DoS (denial of service) attacks, as well as filter out spam. However, they do not typically scan internal communications.

The SEG scans each inbound email to determine whether it’s safe for individuals to open, and if it's deemed unsafe, it'll be blocked and sent to quarantine. Some SEGs allow the quarantined emails to be accessed by administrators if necessary. These activities happen in the background, without any action needed from the recipient.

In this blog we will go through the pros and cons of a SEG and how an organization can create a layered approach to their email security.

What secure email gateways (SEGs) are good at

Secure email gateways (SEGs) are great at blocking known threats (such as malware), and they use filtering technology and threat intelligence to determine which emails are malicious.

This feature is an excellent add-on to basic anti-virus software. A SEG will perform its scan to detect the malicious payload before it enters the user’s inbox, whereas anti-virus software is local and can only scan data once it is in the network. SEGs also conduct sandboxing on malicious payloads to determine the goal of the attack.

What secure email gateways (SEGs) are not so good at

While SEGs provide a layer of protection against known threats that are listed in their definitions libraries or sent from suspicious email domains, they cannot detect advanced attacks. Cybercriminals are becoming increasingly sophisticated with how they engineer attacks — often, their goal is to bypass basic forms of email security like SEGs. There are many types of advanced phishing threats that can bypass SEGs, and we go through three examples of these below.

Zero-day or emerging attacks

While they detect known malicious content, secure email gateways (SEGs) can't protect against zero-day or emerging attacks that are not present in their definitions libraries. Zero-day attacks are usually sent from compromised accounts within the supply chain, and more recently, make use of legitimate URLs that carry malicious payloads.

Account takeover (ATO) attacks

Account takeover (ATO) attacks present another threat. They are a form of identity theft that allows hackers to send emails from a legitimate account within the organization or supply chain. SEGs only monitor emails outside the network, meaning emails between colleagues go unchecked. If a colleague's email is compromised, an attacker could freely send malicious emails within the business network without detection. Additionally, compromised accounts within the supply chain can bypass the reputation-based detection offered by SEGs.  

Business email compromise (BEC)

Business email compromise (BEC) attacks are a type of spear phishing where the attacker impersonates a trusted source to defraud an organization. These attacks tend not to include a traditional payload, so they won’t always contain the known malicious signatures that SEGs detect. This makes them more likely to slip under the radar. To catch sophisticated text-based attacks, organizations need an integrated cloud email security (ICES) solution with natural language processing (NLP) and natural language understanding (NLU) capabilities.

In addition to BEC, zero-day, and ATO attacks, SEGs won't always detect other types of spear phishing or social engineering attacks.

Replacing secure email gateways (SEGs) with Microsoft 365 native email security

In recent years, Microsoft 365 has continued to make improvements in its native email security. As a result, some organizations are seeing a total duplication in functionality between their SEG and Microsoft licenses. According to the 2023 Gartner Market Guide for Email security, ‘This makes it harder for SEG vendors to differentiate’. And with organizations looking to consolidate security vendors, Gartner predicts the combined functionality offered by Microsoft and integrated cloud email security (ICES) solutions will lead organizations to remove their SEGs: ‘Initially, these [ICES] solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.’

Whether they are replacing their SEG or not, due to the gaps presented by SEGs and Microsoft 365 detection, organizations need to take a layered approach to their email security to protect the organization from malicious actors.

Augmenting or replacing secure email gateways (SEGs) with an integrated cloud email security (ICES) solution

For organizations that choose to keep them, secure email gateways (SEGs) may provide a level of protection or serve specific use cases that Microsoft can’t meet (such as archiving functionality). However, It’s best to augment them with an integrated cloud email security (ICES) solution that uses machine learning, natural language understanding (NLU), and natural language processing (NLP) to detect advanced attacks.

NLU and NLP allow ICES solutions to look for unusual language within the content of an email. By analyzing the context of an email based on previous interactions and messages, these security solutions can detect advanced attacks such as zero-day or BEC attacks. As a result, an ICES solution can detect and prevent the threats that get through SEGs. Already using a SEG or thinking about purchasing one? Learn how to augment SEGs with Egress Defend.