
Secure Email Gateway (SEG) in 2025: What It Does—and Where It Struggles

The secure email gateway (SEG) market is experiencing rapid growth due to increasing cyber threats, but traditional SEGs struggle with modern attacks like zero-day threats and social engineering. API-based solutions offer advanced, post-delivery protection and are becoming the preferred approach for comprehensive email security.

Email Security
October 14, 2025
Author: Material Security Team

The TL;DR

SEGs still do valuable work filtering spam and known-bad malware before delivery. But two shifts have changed the game: cloud email now lives in Google Workspace/Microsoft 365, and the most costly attacks rely on social engineering and account misuse—tactics that often look clean at the gateway and turn malicious after a user engages. That’s why most modern teams keep the SEG for commodity threats but add API-based, in-tenant detection and post-delivery remediation to handle BEC, internal abuse, and living-off-the-land campaigns. 

Why this matters now

The numbers keep climbing. The FBI’s 2024 IC3 report tallied $16.6B in cybercrime losses (up 33% YoY), with BEC among the costliest categories. IBM’s 2025 study still puts the average breach in the multimillion-dollar range, so shaving minutes off detection and containment meaningfully changes outcomes.

Verizon’s 2025 DBIR also underscores a stubborn reality: the human element hovers around 60% of breaches, which lines up with the kinds of incidents SEGs struggle with—credential reuse, internal email misuse, and clean-looking messages that only “turn bad” when the user clicks or replies.

How SEGs work—and where the gap appears

A SEG evaluates each message at the edge and makes a point-in-time decision based on content, headers, reputation, and known indicators. That architecture is perfect for spam and signature-driven malware, but it inherently misses:

  • Post-delivery signals, like suspicious reply chains, mailbox forwarding rules, or user-to-user internal phish.

  • Account takeover behaviors (impossible travel, OAuth abuse) that only surface inside the tenant.

  • Context across apps (email ↔ files) that explains why a benign-looking note leads to risky Drive sharing.

A practical approach that works in 2025

Keep the SEG for commodity threats, but shift strategy to the risks that bypass or outlive it:

  1. Harden Gmail natively. Turn on Advanced phishing & malware protection and Security Sandbox for attachment detonation; enforce DMARC to curb spoofing. These controls reduce noise and catch known-bad content early.

  2. Add post-delivery detection and response in-tenant. Use an identity-centric layer that looks inside Google Workspace to catch BEC patterns (VIP/payment lures, vendor thread hijacks), dangerous mailbox rules, and risky Drive sharing triggered by email workflows—then remediate automatically by pulling messages, disabling forwarders, and tightening file access. That’s the part a SEG can’t do alone.

  3. Constrain blast radius with context. Pair detections with Context-Aware Access: restrict download/print/copy on unmanaged devices and raise friction for sensitive flows so a single phish doesn’t become an exfiltration event.

  4. Measure what matters. Track time-to-detect/time-to-remediate, number of post-delivery pulls, incidents involving internal mail, and downstream Drive exposures closed. Tie these to IC3/IBM cost benchmarks to show real risk reduction. 
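
The mailbox-rule check from step 2, sketched as an added example (not Material's code or part of the original post): it triages filter objects shaped like the Gmail API Filter resource for external forwarding, mail hiding, and payment-related criteria. The sample filters, the internal-domain list, and the keyword list are constructed assumptions.

```python
# Added example: triage Gmail filters for rules typical of mailbox compromise.
# SAMPLE_FILTERS is constructed data in the shape of the Gmail API Filter
# resource; INTERNAL_DOMAINS and FINANCE_TERMS are assumed local policy.
INTERNAL_DOMAINS = {"example.com"}
FINANCE_TERMS = ("invoice", "payment", "wire", "remittance")

SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": "invoice OR payment"},
     "action": {"forward": "archive.box@mail-relay.example",
                "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"from": "ap@supplier.example"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["UNREAD"]}},
    {"id": "f4", "criteria": {},
     "action": {"forward": "assistant@example.com"}},
]

def assess_filter(f):
    """Return reasons a filter deserves analyst review (signals, not verdicts)."""
    criteria, action = f.get("criteria", {}), f.get("action", {})
    reasons = []
    fwd = action.get("forward", "")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        reasons.append("forwards to external address")
    trashes = "TRASH" in action.get("addLabelIds", [])
    skips_inbox = "INBOX" in action.get("removeLabelIds", [])
    if trashes or (skips_inbox and fwd):
        reasons.append("hides matching mail from the mailbox owner")
    text = " ".join(str(v) for v in criteria.values()).lower()
    if any(term in text for term in FINANCE_TERMS):
        reasons.append("targets payment-related mail")
    return reasons

def audit(filters):
    """Map filter id -> reasons, keeping only filters with findings."""
    return {f["id"]: r for f in filters if (r := assess_filter(f))}

if __name__ == "__main__":
    for fid, reasons in audit(SAMPLE_FILTERS).items():
        print(fid, "->", "; ".join(reasons))
```

Filters that collect several reasons at once are the ones to pull and disable first; a single finding such as auto-trash usually needs owner confirmation.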

Admin-level details: what to turn on (and where)

  • Gmail → Security: enable Advanced phishing & malware protection; scope stronger settings to high-risk OUs.

  • Gmail → Content protection: enable Security Sandbox for high-risk org units.

  • DNS & Gmail: publish DMARC with p=quarantine (pilot) then p=reject when confident; monitor aggregate reports.

  • Access control: use Context-Aware Access to limit Drive actions on unmanaged devices (download/print/copy).
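
For the "monitor aggregate reports" part of the DMARC rollout above, an added example (not from the original post) that summarizes an aggregate report in the RFC 7489 XML layout and checks whether known senders are clean before moving from p=quarantine to p=reject. The report contents, the known-sender list, and the 1% failure threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
# Real reports come from third parties: parse them with a hardened XML parser.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return (published policy, {source_ip: [pass_count, fail_count]})."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    per_ip = defaultdict(lambda: [0, 0])
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", default="0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or aligned SPF result passes.
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        per_ip[row.findtext("source_ip")][0 if ok else 1] += count
    return policy, dict(per_ip)

def ready_for_reject(xml_text, known_senders, max_fail_rate=0.01):
    """True when no known sender fails DMARC and overall failures stay low.

    max_fail_rate is an assumed threshold for this example, not a standard.
    """
    _, per_ip = summarize(xml_text)
    total = sum(p + f for p, f in per_ip.values())
    failed = sum(f for _, f in per_ip.values())
    known_failing = [ip for ip in known_senders if per_ip.get(ip, [0, 0])[1] > 0]
    return total > 0 and not known_failing and failed / total <= max_fail_rate

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(ready_for_reject(SAMPLE_REPORT, {"192.0.2.10", "198.51.100.7"}))
```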

Connect with Material Security

If you’re keeping your SEG—but need coverage inside Workspace—Material adds the post-delivery detection and automated remediation you’re missing. It correlates identity, content, and behavior to stop BEC and account-misuse attacks, neutralizes malicious forwarders, and tightens risky Drive access created via email workflows—automatically. Explore the platform, see how we stop BEC & VEC, and request a demo today. 
