Guide to Finding the Best Email Security Gateways
Email remains the most reliable initial access vector for attackers at every sophistication level — from commodity phishing kits to nation-state spear phishing campaigns. The threat landscape has evolved well beyond malware attachments and credential-harvesting links: business email compromise (BEC) exploits trusted relationships without any malicious payload, AI-generated phishing defeats grammar-based detection, and ClickFix social engineering bypasses link scanning by relying on user execution rather than automated delivery.
This guide is for security engineers and messaging administrators evaluating email security platforms against the current threat landscape. We cover the detection approaches that differentiate vendors at the architecture level — not just feature checklists — and the deployment tradeoffs that determine whether your email security layer adds latency and operational complexity or delivers detection value.
Detection Architecture: Beyond Signatures and URL Scanning
Legacy secure email gateways rely on signature-based malware detection and URL reputation databases. Both are defeated by attackers who change payloads for each campaign and register new domains minutes before sending. Modern email security requires detection approaches that work against previously unseen attacks.
Abnormal Security's behavioral AI approach is architecturally distinct from all other vendors in the market. Rather than scanning for malicious content, it models normal communication behavior for every user and flags deviations — an email from a new external domain claiming to be the CFO requesting a wire transfer deviates from the historical communication pattern of the CFO's account, regardless of whether the domain is listed in any reputation database. This approach is uniquely effective against BEC and vendor email compromise (VEC), where no malicious content exists to detect.
Proofpoint's threat intelligence network — drawing on email telemetry from tens of thousands of enterprise customers — provides the most comprehensive threat intelligence for identifying campaigns at scale. When a phishing kit is used against one Proofpoint customer, the indicators propagate to protect all others within minutes.
BEC and Impersonation Protection
Business email compromise is the highest-financial-impact email threat category, causing billions in annual losses through fraudulent wire transfers, payroll redirections, and gift card fraud. BEC attacks typically involve no malicious content — they succeed through social engineering alone, impersonating executives, vendors, or trusted contacts.
Evaluate BEC protection for three impersonation vectors: display name spoofing (sending as 'CFO Name' from an unrelated domain), domain lookalike impersonation (sending from cfom.company.com or company-finance.com), and compromised vendor account abuse (legitimate emails from a vendor's account that has been compromised).
Abnormal Security is the market leader for BEC detection, with the highest catch rates for zero-payload BEC attempts across independent evaluations. Proofpoint's Impostor Classifier provides strong lookalike domain and display name impersonation detection. Microsoft Defender for Office 365's anti-impersonation features (available in Plan 2) provide adequate BEC protection for organizations that cannot justify additional vendor spend beyond their M365 licensing.
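The behavioral modeling described in the Detection Architecture section and the three impersonation vectors listed above can be combined in one triage pass: a per-recipient baseline learned from past From/To pairs catches a known display name arriving from a never-seen address and first-contact payment requests, while static checks cover lookalike domains and reply-path diversion from a genuine vendor domain. The following is an added example written for this guide, not code from any vendor named here; the organisation domain, vendor list, history and messages are constructed, and the registrable-domain reduction is a deliberate simplification.

```python
"""Triage for BEC impersonation vectors (display-name spoofing, lookalike
domains, compromised vendor accounts) on top of a per-recipient
communication baseline. Example code written for this guide, not any
vendor's engine; all history, domains and messages below are constructed."""
from collections import defaultdict
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed organisation domain
VENDOR_DOMAINS = {"acme-supplies.com"}          # assumed known vendor domains
PAYMENT_WORDS = ("wire", "invoice", "bank details", "gift card", "payroll")


def split_addr(header):
    """Return (display name, address, domain), all lower-cased."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def registrable(domain):
    """Crude registrable-domain reduction (last two labels); a production
    system would consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """Similar but not identical registrable domain: small edit distance,
    or the target's name embedded in a different domain."""
    d, t = registrable(domain), registrable(target)
    if not d or d == t:
        return False
    return edit_distance(d, t) <= 2 or t.split(".")[0] in d


class Baseline:
    """Who normally writes to whom, and which address each display name has
    historically used. Built from past (From, To) header pairs."""

    def __init__(self, history):
        self.senders_for = defaultdict(set)     # recipient -> sender addresses
        self.addrs_for_name = defaultdict(set)  # display name -> addresses
        for from_hdr, to_hdr in history:
            name, addr, _ = split_addr(from_hdr)
            _, rcpt, _ = split_addr(to_hdr)
            self.senders_for[rcpt].add(addr)
            if name:
                self.addrs_for_name[name].add(addr)

    def triage(self, from_hdr, to_hdr, reply_to, body):
        """Return the deviations found for one message (empty list = normal)."""
        findings = []
        name, addr, domain = split_addr(from_hdr)
        _, rcpt, _ = split_addr(to_hdr)
        money = any(w in body.lower() for w in PAYMENT_WORDS)

        # Behavioral: a known display name arriving from a never-seen address
        known = self.addrs_for_name.get(name)
        if known and addr not in known:
            findings.append("display-name-spoof")
        # Behavioral: first contact between sender and recipient, asking for money
        if addr not in self.senders_for.get(rcpt, set()) and money:
            findings.append("new-sender-payment-request")
        # Lookalike of our own domain or of a known vendor domain
        for target in [ORG_DOMAIN, *sorted(VENDOR_DOMAINS)]:
            if is_lookalike(domain, target):
                findings.append(f"lookalike:{target}")
        # Vendor account abuse: genuine vendor domain, reply path diverted
        # elsewhere, and the body pushes a payment change
        if registrable(domain) in VENDOR_DOMAINS and reply_to:
            _, _, reply_domain = split_addr(reply_to)
            if registrable(reply_domain) != registrable(domain) and money:
                findings.append("vendor-reply-to-divert")
        return findings


# Constructed history: the CFO and a vendor contact regularly write to AP.
HISTORY = [
    ("Jane Doe <jane.doe@example.com>", "ap@example.com"),
    ("Bob Vendor <bob@acme-supplies.com>", "ap@example.com"),
] * 5
```

Usage: build `Baseline(HISTORY)` from a mail log export, then call `triage()` per inbound message; a finding is a reason to hold the message for review, not a verdict on its own, since first-contact mail and reply-to changes both occur legitimately.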
API vs. MX-Record Deployment
Traditional secure email gateways deploy as an MX-record intermediary — all inbound email routes through the gateway before reaching the mail server. Modern API-based email security platforms (Abnormal Security, Tessian, Sublime Security) connect directly to M365 or Google Workspace via API, analyzing mail after delivery rather than before.
The API model has significant operational advantages: no DNS changes required, no email delivery latency introduced, no complex failover configuration, and the ability to retroactively remediate emails already delivered to inboxes. Abnormal's API deployment takes under an hour with zero DNS changes. The MX-record model provides pre-delivery blocking — preventing malicious emails from reaching the inbox at all — but at the cost of delivery latency and complex infrastructure management.
For M365 and Google Workspace deployments, the API model is now viable for most organizations. The question is whether you need pre-delivery blocking (MX-record gateway: Proofpoint, Mimecast) or post-delivery detection and remediation (API-based: Abnormal, Sublime Security). Organizations with high-risk environments (financial services, healthcare, critical infrastructure) should implement both layers: a gateway for pre-delivery filtering and an API-based platform for BEC and account takeover detection.
URL and Attachment Sandboxing for Advanced Threats
URL sandboxing (following links in emails to a cloud sandbox and testing for phishing pages or malware downloads) and attachment sandboxing (detonating attachments in an isolated environment before delivery) are foundational email security capabilities that all enterprise gateways provide. The differentiator is evasion resistance.
Modern phishing kits check visitor characteristics (browser fingerprint, IP geolocation, time of day) and serve a benign page to scanners and sandboxes while serving the phishing page to real users. Evaluate sandbox evasion resistance by testing known phishing kits that use visitor fingerprinting. Proofpoint's TAP (Targeted Attack Protection) and Mimecast's Targeted Threat Protection both include sandbox environments with evasion-resistance techniques. Microsoft Defender for Office 365's Safe Links and Safe Attachments provide adequate sandboxing for most organizations within M365 licensing.
For attachments, evaluate sandboxing support for the full range of file types relevant to your organization: Office documents (macro-enabled), PDFs (JavaScript), archive files (ZIP/RAR containing executables), and OneNote files (which became a popular malware delivery format after macros were disabled by default).
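A sandbox decides what to detonate by first classifying what it has been handed. The following is an added example for this guide (not a vendor's engine) of static pre-checks over the file types listed above: an OOXML package with an embedded VBA project, a PDF carrying JavaScript or an auto-run action, an archive containing an executable, a legacy OLE document, and a OneNote file. The sample files are constructed in memory; the OneNote header GUID is taken from the MS-ONESTORE specification, and the checks are screening heuristics, not a replacement for detonation.

```python
"""Static attachment triage for macro-enabled Office documents, PDFs with
JavaScript, archives carrying executables, and OneNote files. Example code
written for this guide; the sample attachments are constructed in memory."""
import io
import re
import zipfile

# .one file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} as stored on disk
ONENOTE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # legacy binary Office
EXEC_EXT = (".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".lnk")


def classify(filename, data):
    """Return the reasons this attachment deserves sandboxing or blocking."""
    reasons = []
    low = filename.lower()
    if data.startswith(ONENOTE_MAGIC) or low.endswith(".one"):
        reasons.append("onenote-file")
    if data.startswith(b"%PDF"):
        # /JS or /JavaScript action keys; /OpenAction runs on document open
        if re.search(rb"/(JS|JavaScript)\b", data):
            reasons.append("pdf-javascript")
        if b"/OpenAction" in data:
            reasons.append("pdf-openaction")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
        # An OOXML package with a VBA project part is macro-enabled
        if any(n.endswith("vbaproject.bin") for n in names):
            reasons.append("office-macro")
        # A plain archive carrying an executable or script
        if any(n.endswith(EXEC_EXT) for n in names):
            reasons.append("archive-executable")
    if data.startswith(OLE_MAGIC) and low.endswith((".doc", ".xls", ".ppt")):
        # Legacy binary Office files can embed macros without an extension hint
        reasons.append("legacy-office-ole")
    return reasons


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one benign and one suspicious file per family
SAMPLES = {
    "invoice.docm": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "scan.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF",
    "brochure.pdf": b"%PDF-1.4\n1 0 obj << /Type /Page >> endobj\n%%EOF",
    "files.zip": make_zip({"setup.exe": b"MZ"}),
    "notes.one": ONENOTE_MAGIC + b"\x00" * 16,
}


def triage_all(samples=SAMPLES):
    """Classify every sample; attachments with an empty list need no escalation."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:14} {reasons or 'clean'}")
```

The classification keys off content, not extension, wherever a magic value exists, because renaming an attachment is the first trick a sender will try; the extension is used only where the format has no reliable signature of its own.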
The bottom line
Proofpoint is the strongest choice for enterprises that need the broadest threat intelligence, the most comprehensive gateway, and advanced phishing simulation capabilities. Abnormal Security is the strongest choice for BEC and account takeover detection in M365 and Google Workspace environments. Mimecast is competitive for organizations needing email archiving bundled with security. Microsoft Defender for Office 365 Plan 2 is the correct baseline for any M365 E3/E5 customer. Combining Defender for Office 365 with Abnormal Security covers the full threat spectrum (Defender for commodity threats, Abnormal for BEC) at lower total cost than a standalone gateway for many M365-standardized organizations.
Frequently asked questions
Can email security gateways stop AI-generated phishing?
Partially. AI-generated phishing defeats grammar-based detection and makes content-quality filtering ineffective. The most effective defenses against AI-generated phishing are: (1) behavioral anomaly detection that identifies unusual sender-recipient relationships regardless of content quality (Abnormal Security's approach), (2) strong DMARC enforcement that prevents domain spoofing, and (3) user training focused on social engineering patterns rather than grammar mistakes. No email security platform stops 100% of AI-generated phishing — defense-in-depth with user awareness training remains necessary.
What is DMARC and should I enforce it?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy layered on SPF and DKIM. A domain owner publishes a DNS TXT record that tells receiving mail servers what to do with messages claiming to be from the domain that fail SPF or DKIM authentication, or whose authenticated identifiers do not align with the From: domain, and where to send aggregate reports. Enforcing DMARC at a 'reject' or 'quarantine' policy prevents attackers from sending phishing emails that appear to come from your organization's domain to external recipients whose mail servers honor DMARC. You should enforce DMARC on all your domains. Start at 'p=none' (monitoring only), review the DMARC aggregate reports for legitimate mail flows that would fail, add those senders to your SPF record and have their mail DKIM-signed with an aligned domain, then advance to 'p=quarantine' and finally 'p=reject'.
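What "enforcement" means at the receiving end is easiest to see as code. The following is an added example written for this guide, not code from any product: it parses a DMARC TXT record, applies the SPF and DKIM identifier-alignment rules from RFC 7489 (relaxed vs. strict), and returns the disposition a receiver would apply, including the pct sampling that lets you phase in quarantine. The rollout records for example.com and the authentication results are constructed, and the organizational-domain helper is a two-label simplification of the Public Suffix List lookup a real receiver performs; the sp= subdomain policy tag is left out.

```python
"""DMARC record parsing and disposition logic following RFC 7489.
Example code written for this guide; records and results are constructed."""
import random


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # apply policy to all failing mail
    return tags


def org_domain(domain):
    """Organizational domain. Assumes a two-label suffix, which is enough for
    these examples; a receiver uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts any
    domain under the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, sample=None):
    """Return ('pass', None) or ('fail', disposition) for one message.
    spf_domain is the envelope MAIL FROM domain; dkim_domain is the d= of a
    verified signature. `sample` pins the pct roll so tests are deterministic."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", None)
    policy = tags["p"]
    # pct applies only to failing mail; a sampled-out message gets the next
    # weaker action (reject -> quarantine, quarantine -> none)
    roll = random.randint(1, 100) if sample is None else sample
    if roll > int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return ("fail", policy)


def is_enforcing(record):
    """True only once the record quarantines or rejects 100% of failures."""
    tags = parse_dmarc(record)
    return tags["p"] in ("quarantine", "reject") and tags["pct"] == "100"


# The rollout stages described above, as constructed records for example.com
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]

if __name__ == "__main__":
    for rec in ROLLOUT:
        spoof = evaluate(rec, "example.com", "pass", "attacker.test", "none", "")
        print(f"{rec.split(';')[1].strip():22} spoof -> {spoof}  enforcing={is_enforcing(rec)}")
```

Note that SPF passing on its own is not enough: a message whose MAIL FROM is a third-party bulk sender's domain passes SPF but fails alignment, which is exactly the kind of legitimate flow the p=none reports surface before you tighten the policy.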
How do I measure email security effectiveness?
Track four metrics: (1) Phishing simulation click rate over time (should decrease with training and detection improvement), (2) Malicious email catch rate from red team or simulation exercises that test detection, (3) BEC attempt volume and catch rate (requires logging of impersonation detection events), (4) Time-to-remediation for emails delivered before detection (API-based platforms provide retroactive remediation — measure how quickly they remove threat emails after detection).
What is ClickFix and can email gateways stop it?
ClickFix is a social engineering technique where emails (or websites) instruct users to copy and paste a PowerShell or command-line instruction into a Run dialog, bypassing all email-layer security controls because the malicious code is never delivered as an attachment or link. Email security gateways cannot stop ClickFix at the technical layer. The defense is user training to recognize the social engineering pattern and endpoint controls (AppLocker, Defender Application Control) that prevent unsigned scripts from executing.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
