Overcome AI-Powered Attacks by Leveling Up Your Email Security Platform

19 June 2025 - ID G00825819 - 12 min read
By Nikul Patel, Deepak Mishra,  and 1 more
Email-based attacks have shifted from exploiting URLs/attachments to exploiting the message itself. Lack of protection against semantic attacks remains a critical gap in email security. To combat this threat, security and risk management leaders must plan to replace or augment their email security platforms.

Overview


Key Findings

  • Attackers are using large language models (LLMs) to cut attack costs by over 95%, increasing the ROI of phishing and leading to more sophisticated, varied and frequent attacks. Despite efforts to upgrade or replace existing email security solutions, organizations continue to face challenges in countering these attacks.
  • Lack of coordination between CISOs and teams responsible for infrastructure and operations, security program management, and security operations can lead to gaps in email security prevention, protection and response measures, resulting in blind spots.
  • Business email compromise (BEC), vendor email compromise (VEC) and account takeover (ATO) attacks are becoming increasingly evasive and difficult to intercept using traditional email security solutions.

Recommendations

  • Implement secure email gateway (SEG), integrated cloud email security (ICES) or both to help overcome AI-powered email attacks. Assess your threat environment to identify which email security approach will level up email protection.
  • Adopt a multilayered approach to reduce the overall attack surface. Focus on aspects such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), owned by infrastructure and operations (I&O); security awareness training, owned by security program management; and phishing detection and response, owned by security operations.
  • Revisit your email security setup to evaluate its efficacy against modern email security attacks by engaging stakeholders across the organization who rely on email for productivity.

Strategic Planning Assumption


By 2030, use of advanced message content analysis will increase 1.5x as part of human-centric security investments, lowering business email compromise (BEC) susceptibility by at least 20%.1

Introduction


Phishing remains a significant attack vector, as demonstrated by its consistent year-over-year trend in the 2025 Verizon Data Breach Investigations Report.2 The attacks are getting more complex, with adversaries increasingly using generative AI (GenAI) and sophisticated social engineering techniques to launch highly evasive attacks. Furthermore, adversaries are using phishing as the primary access vector, leading to other kinds of cyberattacks, such as ransomware incidents.
The advent of GenAI is dramatically improving attackers’ ROI by enabling them to automate highly sophisticated phishing campaigns. Recent studies show that using LLMs can reduce the cost of the entire phishing process by 95% for attackers.3 Despite efforts to upgrade or replace existing email security solutions, organizations continue to face challenges in effectively countering these attacks and maintaining robust email security.
This situation contributes to a larger number of more sophisticated phishing attacks, as organizations struggle with identifying and implementing the most effective email security platform (ESP). Meanwhile, the fast-changing nature of phishing tactics demands a continuous update of security measures to stay ahead of emerging threats.
This research enables security and risk management (SRM) leaders to manage modern email-based attacks by helping them replace or augment their organization’s email security platform. First, it forces CISOs to explore two distinct email security approaches, either separately or in combination, based on deployment requirements, email scanning capabilities, architecture needs, and more.
Second, it introduces a multilayered email security approach to address CISO blindspots related to coordination with the infrastructure and operations team, the security operations team, and security awareness efforts. This multilayered approach establishes the prevention, protection and response measures needed to complement a modern email security platform.
Additionally, this research underscores the importance of end-user input and known behaviors in leveling up email security, especially where email continues to be a productivity tool in the digital workplace.
Figure 1 provides a high-level overview of the email security submarket.
Figure 1: Email Security Submarket
Simple diagram showing inbound email coming in from the left, passing through a secure email gateway and then through the built-in capabilities of the cloud email service. ICES solutions can then scan emails before they reach the user (on the right), and email data protection capabilities can be implemented either directly through APIs or as part of a SEG on outbound email.

Analysis


Assess Your Threat Environment to Determine Whether Your Email Security Requires SEG, ICES or Both

SEG and ICES represent two distinct approaches to email security. The rise of cloud-based email delivery and evolving threats have led to the emergence of ICES solutions, designed to meet modern threats and evolving infrastructure requirements. Choosing between the two approaches depends on the specific needs and circumstances of each organization.

Review SEG

Traditionally, SEG solutions served larger organizations with complex environments, supporting on-premises deployment. Acting as an email firewall, SEG solutions inspect emails predelivery and combat known threats, such as spam, malware and phishing (see Figure x). Despite innovations to address sophisticated attacks such as BEC and impersonation, SEG solutions face limitations in detection efficacy.
Figure 2: Predelivery or Connector-Based ICES Architecture
This figure is the graphical representation of Secure Email Gateway Architecture
SEG is the minimum requirement for organizations looking to support hybrid environments, meet high customization requirements, and maintain low risk tolerance by filtering emails before delivery to users. SEGs also appeal to organizations with dedicated email teams and to those requiring message transfer agent (MTA) functionality. SEGs are frequently augmented with ICES solutions.

Review ICES

ICES solutions are built with cloud-native architecture, emphasizing scalability, innovation and efficiency. They are ideal for organizations looking to layer on additional protection with minimal infrastructure demands. ICES solutions excel at addressing sophisticated attacks by utilizing AI and machine learning to analyze email content. Technologies such as natural language processing (NLP), LLMs and social graphing enable robust behavioral analysis, detecting complex threats.
Unlike SEG solutions, ICES solutions often deploy at the API layer or use connectors for in-line scanning, facilitating rapid proofs of concept (POCs) and seamless transitions between products (see Figure 4).
Figure 3: Postdelivery or API-Based ICES Architecture
This is the graphical representation of Post-Delivery Mode or API-based ICES Architecture

Review the Key Differences Between SEG and ICES

Table 1 compares the key differences between SEG and ICES.

Table 1: Key Differences Between Secure Email Gateway and Integrated Cloud Email Security

  • SEG: Conducts email scanning predelivery or in-line. ICES: Conducts email scanning primarily postdelivery.
  • SEG: Requires mail exchange (MX) record change. ICES: Integrates via APIs or mail flow rules (no MX record change required).
  • SEG: Incurs complex deployment because mail flow is disrupted. ICES: Enables straightforward deployment by leveraging APIs.
  • SEG: Primarily uses techniques, including heuristic and behavior-based detection methods, to address payload-based threats. ICES: Primarily uses AI/ML-based detections to address threats, including BEC, VEC and impersonation attacks.
  • SEG: Supports on-premises or hybrid deployment. ICES: Supports primarily cloud-based deployment.
  • SEG: Supports inbound and outbound scanning. ICES: Supports internal email scanning or misdirected email protection.
Source: Gartner (June 2025)
A growing number of organizations are adopting both SEG and ICES solutions to enhance their email security. This combined approach compensates for underperforming SEG systems and enhances defense in depth, leveraging the strengths of both strategies for comprehensive protection (see Quick Answer: How Should I Connect My Email Security Platform?).
Organizations that need to meet compliance regulations, minimize insider risk and monitor data exfiltration vectors can benefit from email data protection (EDP) solutions offered by vendors. EDP adds encryption to track and prevent unauthorized access to email content both before and after it is sent. Additionally, EDP can help prevent accidental data loss due to misdirected recipients (see Market Guide for Data Loss Prevention).

Run a Pilot

Organizations often rush through testing ESP candidates and rely heavily on the RFP process. This misstep can prevent them from fully understanding the solution’s capabilities and identifying the most suitable ESP.
A significant obstacle to determining the best-fit solution is that ESPs are not widely tested by third-party organizations to validate their efficacy. Thus, Gartner strongly advises security leaders to conduct thorough evaluations by running POCs. POCs help security teams realize the full potential of a solution and resist the temptation to simply choose the most popular tool.
It’s important to note the deployment strategy and solution used during the POC.
SEG and ICES solutions are deployed differently architecturally and may come as two different solutions from the same provider.
In-line testing for ESPs that require MX record changes can disrupt email flow and communication if misconfigured. If a POC isn’t feasible, ask the vendor to demonstrate required capabilities through a demo or test lab setup.
Vendors offering ICES implementations can often operate in “read only” mode. This mode allows all of the necessary analytics and adjudication decisions to occur without taking actions against mail within the tenant. The resulting data can provide insights into what mail would be caught by a given solution.
Although detection rates may initially be low, conducting a POC helps you make informed decisions. Validate enterprise suitability by testing products over an extended period, and document lessons learned, revisiting evaluation criteria that may need adjustments.
Where possible, conduct POCs with multiple vendors concurrently to gather valuable data. This approach will maximize the opportunity for comparative analyses. It will allow you to draw comparisons against volume and quality of detections, enabling organization-specific insight into platform protection efficacy.
Finally, test interoperability and integration with security operations center (SOC) tooling, including extended detection and response (XDR) and security information and event management (SIEM). XDR solutions enhance threat prevention, incident detection and response, which is vital for improving phishing detection and response. As email-based attacks increase, email telemetry becomes crucial for most XDR tools. These tools collect telemetry from network, email, endpoint and cloud security products, triaging them for accurate detection and swift response and remediation.
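The comparative analysis that a concurrent, read-only POC should produce can be reduced to a small script. The following is an added example, not code from the Gartner note or from any vendor: two ICES candidates run side by side in read-only mode, analysts label a sample of messages, and the script reports each vendor's confusion counts, precision and recall, the malicious messages only one vendor caught, and the ones both missed. The vendor names, message ids and verdicts are constructed.

```python
"""Added example, not part of the Gartner note: comparing read-only POC verdicts.

Two ICES candidates run side by side in read-only mode produce a verdict for
every message; analysts label a sample as malicious or benign. The script
computes per-vendor precision/recall, the malicious messages that only one
vendor caught, and the ones every candidate missed. Vendor names, message
ids and verdicts are constructed.
"""

# Constructed ground truth from analyst review of the POC sample.
GROUND_TRUTH = {
    "m01": "malicious", "m02": "malicious", "m03": "malicious", "m04": "malicious",
    "m05": "benign", "m06": "benign", "m07": "benign", "m08": "benign",
    "m09": "malicious", "m10": "benign", "m11": "malicious",
}

# Constructed read-only verdicts: what each candidate would have done.
VERDICTS = {
    "VendorA": {"m01": "malicious", "m02": "malicious", "m03": "benign", "m04": "malicious",
                "m05": "benign", "m06": "malicious", "m07": "benign", "m08": "benign",
                "m09": "benign", "m10": "benign", "m11": "benign"},
    "VendorB": {"m01": "malicious", "m02": "benign", "m03": "malicious", "m04": "malicious",
                "m05": "benign", "m06": "benign", "m07": "benign", "m08": "benign",
                "m09": "malicious", "m10": "malicious", "m11": "benign"},
}


def score_vendor(truth, verdicts):
    """Confusion counts plus precision and recall for one vendor."""
    tp = fp = fn = tn = 0
    for msg_id, label in truth.items():
        verdict = verdicts.get(msg_id, "benign")  # an unscanned message counts as missed
        flagged, malicious = verdict == "malicious", label == "malicious"
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


def _caught_sets(truth, all_verdicts):
    malicious = {m for m, label in truth.items() if label == "malicious"}
    return malicious, {
        vendor: {m for m in malicious if verdicts.get(m) == "malicious"}
        for vendor, verdicts in all_verdicts.items()
    }


def unique_catches(truth, all_verdicts):
    """Malicious messages flagged by exactly one vendor: the value each one adds."""
    _, caught = _caught_sets(truth, all_verdicts)
    out = {}
    for vendor, mine in caught.items():
        others = set().union(*(c for w, c in caught.items() if w != vendor))
        out[vendor] = sorted(mine - others)
    return out


def missed_by_all(truth, all_verdicts):
    """Malicious messages no candidate flagged: the residual risk of either choice."""
    malicious, caught = _caught_sets(truth, all_verdicts)
    return sorted(malicious - set().union(*caught.values()))


if __name__ == "__main__":
    for vendor, verdicts in VERDICTS.items():
        print(vendor, score_vendor(GROUND_TRUTH, verdicts))
    print("unique catches:", unique_catches(GROUND_TRUTH, VERDICTS))
    print("missed by all:", missed_by_all(GROUND_TRUTH, VERDICTS))
```

The "missed by all" list is the set to hand to the analysts first: it shows which attack styles neither candidate handles and therefore what the adjacent layers (DMARC, identity protection, user reporting) still have to cover.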

Adopt a Multilayered Approach to Level Up Email Security

No email security solution can completely stop all email-based attacks. To address this shortcoming, organizations must consider additional security measures to reduce the likelihood of phishing. It’s also important to ensure that users are well-informed on how to handle phishing attacks when they occur.
Rather than concentrating all attention and resources on fine-tuning the efficacy of the ESP, organizations should explore areas adjacent to email infrastructure to enhance their defenses (see Figure 4). Syncing aspects that overlap with infrastructure and operations, security operations, security program management, and identity management functions will yield better results in stopping modern email security attacks.
Figure 4: Multilayered Approach to Level Up Email Security
The figure below depicts a layered approach to email security.

DMARC

Implementing measures to reduce phishing- or impersonation-based attacks resulting from domain compromise is crucial. DMARC serves as a first layer of defense against phishing by decreasing the number of phishing emails that reach your ESP. For more information on DMARC, see Implement DMARC to Prevent Business Email Compromise.
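What "DMARC as a first layer" means mechanically is that the receiving gateway checks whether SPF or DKIM passed for a domain aligned with the From: header and, if neither did, applies the disposition the domain owner published. The following is an added example, not code from the Gartner note: a small DMARC record parser, the relaxed/strict identifier alignment check, and an evaluation of three constructed messages claiming to come from example.com. The domains, the record and the results in demo_cases() are constructed for illustration, and the organizational-domain helper is deliberately simplified.

```python
"""Added example, not part of the Gartner note: DMARC evaluation for one message.

Given the RFC5322.From domain, the SPF-authenticated domain and result, the
DKIM signing domain (d=) and result, and the DMARC TXT record published by
the From domain, decide whether the message passes DMARC and which
disposition the published policy requests. Domains and records used in
demo_cases() are constructed for illustration.
"""
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary.

    Missing alignment tags default to relaxed ('r') and pct to 100, as the
    DMARC specification (RFC 7489) prescribes. Unknown tags are kept.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Production code must use the Public Suffix List so that registrations
    under suffixes such as co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact domain match, relaxed
    ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(from_domain, spf_domain, spf_result, dkim_domain, dkim_result, record_txt):
    """Return the DMARC result and the disposition requested by the From domain's policy."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, rec["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # pct= sampling is parsed but not applied here; a receiver applies the
        # policy to only that percentage of failing messages.
        "disposition": "none" if passed else rec["p"],
    }


def demo_cases() -> dict:
    """Three constructed messages claiming to be from example.com."""
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    return {
        # Legitimate: SPF passes on a subdomain (relaxed alignment is enough),
        # DKIM signed with d=example.com (strict alignment holds).
        "legitimate": evaluate_dmarc("example.com", "mail.example.com", "pass",
                                     "example.com", "pass", record),
        # Forged From: SPF passes only for the sender's own unrelated domain,
        # no DKIM signature, so DMARC fails and the policy asks for reject.
        "spoofed": evaluate_dmarc("example.com", "bulk-sender.test", "pass",
                                  None, "none", record),
        # Misconfigured legitimate mail: DKIM signed with a subdomain while the
        # policy demands strict DKIM alignment, and SPF failed, so it is rejected.
        "strict_dkim_miss": evaluate_dmarc("example.com", "mail.example.com", "fail",
                                           "mail.example.com", "pass", record),
    }


if __name__ == "__main__":
    for name, result in demo_cases().items():
        print(name, result)
```

The third case is the one that bites during rollout: tightening adkim=s or aspf=r to s without first checking aggregate (rua) reports for which legitimate senders sign with subdomains causes the organization's own mail to be rejected, which is why a staged progression from p=none through p=quarantine to p=reject is the usual practice.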

Identity Protection and ATO

Attackers are finding easier ways to launch their attacks, with credential misuse remaining one of the leading causes of cyberincidents. Email-based identity attacks are also on the rise. Attackers are stealing identities or purchasing stolen credentials to launch complex attacks that bypass email infrastructure by logging into SaaS applications.
By focusing on how email identities are used across email infrastructure and applications, you gain an advantage in blocking attacks that have bypassed the email detection stack (see How to Mitigate Account Takeover Risks).

Phishing Detection and Response

Establish strong bidirectional integration between your ESP and threat detection, investigation and response (TDIR) tools to investigate and respond to user-reported phishing emails, or to recall emails from users’ mailboxes that were reported as phishing.
Automated solutions leveraging AI are increasingly available to address user-reported phishing incidents. However, these solutions may produce false negatives, potentially allowing users to interact with phishing emails. Thus, Gartner recommends supplementing the automation with human analysis, while allowing automation to filter out the obvious true positive cases (see Predict 2025: There Will Never Be an Autonomous SOC).
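The division of labour described above, automation closing out the obvious true positives and analysts handling everything else, can be implemented as a first-pass triage over user-reported messages. The following is an added example, not code from the Gartner note or from any TDIR product: it parses constructed reports with the standard library, extracts a few header signals (DMARC result, our own domain forged in From:, a Reply-To pointing elsewhere, an executive's display name on an external address) and routes each report. Only high-scoring reports are auto-remediated; anything else, including reports that look benign, goes to an analyst, so a false negative is never silently closed. The organization domain, executive name list, weights and threshold are assumptions.

```python
"""Added example, not part of the Gartner note: first-pass triage of user-reported phishing.

Each report is parsed with the standard library's email parser, a few header
signals are extracted, and the report is routed either to automated
remediation (an obvious true positive) or to an analyst queue. Anything that
is not obviously malicious, including messages that look benign, goes to the
analyst so automation never silently closes a false negative. The organization
domain, executive names, weights and threshold are assumptions; the messages
are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"            # assumption: the organization's own domain
EXEC_NAMES = {"jane doe", "john roe"}  # assumption: names commonly impersonated
AUTO_REMEDIATE_THRESHOLD = 4           # assumption: tune against your own POC data


def parse_auth_results(value):
    """Map an Authentication-Results header to {'spf': ..., 'dkim': ..., 'dmarc': ...}.

    Methods that do not appear in the header are reported as 'none'.
    """
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.IGNORECASE):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_signals(raw):
    """Extract the signals the scoring uses from a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    return {
        "dmarc": auth["dmarc"],
        # Our own domain in From: but DMARC failed: the gateway saw a forgery.
        "spoofed_corp_domain": from_domain == CORP_DOMAIN and auth["dmarc"] == "fail",
        # Replies quietly redirected to another domain.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # Executive display name on an external address (lookalike or free-mail).
        "exec_impersonation": display_name.strip().lower() in EXEC_NAMES
        and from_domain != CORP_DOMAIN,
    }


def triage(raw):
    """Score a reported message and decide who handles it next."""
    s = header_signals(raw)
    score = 0
    score += 3 if s["spoofed_corp_domain"] else 0
    score += 2 if s["reply_to_mismatch"] else 0
    score += 2 if s["exec_impersonation"] else 0
    score += 1 if s["dmarc"] == "fail" else 0
    action = "auto-remediate" if score >= AUTO_REMEDIATE_THRESHOLD else "analyst-review"
    return {"score": score, "action": action, "signals": s}


# Constructed sample reports (headers only; bodies omitted).
REPORTS = {
    "spoofed_ceo": (
        "From: Jane Doe <jane.doe@example.com>\r\n"
        "Reply-To: jane.doe@mail-relay.test\r\n"
        "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\r\n"
        "Subject: Urgent wire request\r\n\r\n"
    ),
    "lookalike_ceo": (
        "From: Jane Doe <jane.doe@examp1e.com>\r\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\r\n"
        "Subject: Quick favour\r\n\r\n"
    ),
    "vendor_invoice": (
        "From: Accounts <ap@vendor.test>\r\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\r\n"
        "Subject: Invoice 1042\r\n\r\n"
    ),
}


def triage_all():
    return {name: triage(raw) for name, raw in REPORTS.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, result["score"], result["action"])
```

The lookalike case is why the analyst queue exists: the attacker's own domain authenticates cleanly, so every authentication signal passes and only the display-name signal fires, which is not enough on its own to act automatically. In a real deployment the "auto-remediate" branch would call the ESP's recall API to pull the message from every mailbox that received it; the note's point about bidirectional ESP-TDIR integration is what makes that step possible.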

Security Awareness

Even the strongest multilayered strategy may miss some phishing attempts. End users in your organization are your last line of defense. According to the 2024 Verizon Data Breach Investigations Report, the median time for users to fall for phishing emails is less than 60 seconds. This alarming statistic reveals how vulnerable users are and underscores the importance of security awareness.
Security awareness training (SAT) traditionally focuses on one-time learning modules, which users often perceive as burdensome, completing them merely to check a box. A more effective way to deliver awareness is through teachable moments and real-time nudges when users encounter potential phishing emails. Establishing a good security culture that incorporates user behavior, awareness and attitude is paramount to implementing a human-centric security approach (see Moving Beyond Security Awareness to a Security Culture in Midsize Enterprises).

Revisit Current Email Security Setup Requirements

Assess Current Solutions to Determine What Is Effective and What Needs to Change

To effectively plan an upgrade or change in your email security solution, begin by assessing your current setup. Document the strengths of your existing solution, noting essential features, desirable additions and obsolete elements. Determine what aspects work well and should be retained, and identify any features that can be discarded.
Recognizing triggers for change, such as contract renewals, migration to cloud services or operational issues, can provide insight into must-have features for a new solution. Additionally, consider factors like cost, lack of support or missing capabilities that might necessitate a change.

Engage Stakeholders Across Security and End Users Who Rely on Email for Productivity

Identifying key decision makers is crucial for project success. Engage stakeholders from email security, security operations and business units to ensure comprehensive input. As email solutions transition to the cloud, include legal or privacy officers, procurement, and budget approval representatives to understand financial constraints and vendor options.
This groundwork helps you document your current situation, articulate any gaps and build a strong business case for upgrading your email security infrastructure. Focus on defining technical requirements and evaluating prospective vendors, ensuring the new solution meets all necessary criteria and aligns with organizational needs.

Incorporate Current Capabilities and Stakeholder Requirements to Identify Gaps in Existing Technologies

To define your technical requirements for evaluating email security vendors, start by listing existing capabilities you wish to retain, even after upgrading or replacing your solution. Consider features that can be utilized natively, especially if you are transitioning to cloud-based systems dominated by providers like Microsoft and Google (see Tool: Cybersecurity Platform Consolidation Workbook).
Additionally, identify the new technical capabilities you desire in the upgraded solution. Utilize resources, such as Gartner’s Critical Capabilities for Email Security Platforms, to classify features as required, preferred or optional, ensuring a comprehensive evaluation of vendors based on how well they meet these criteria and align with your specific needs.

Evidence

