Email remains the most exploited attack vector in cybersecurity despite years of investment in secure email gateways, phishing filters, awareness training, and cloud-native tools. For many organisations, these defences are simply no longer enough.
At Dionach, we see this reality firsthand. Across penetration tests, adversary simulations, and threat-led assessments, email continues to be one of the most common footholds for attackers. Whether through credential harvesting, MFA fatigue, misconfigured mail rules, or compromised third-party accounts, email compromise often becomes the starting point for much larger breaches.
And the statistics paint a clear picture:
- 91% of cyber-attacks start with email, according to multiple industry studies (Dark Reading).
- Business Email Compromise (BEC) losses exceeded $2.9 billion in a single year (FBI IC3 Report).
- A significant portion of Dionach’s assessments uncover issues related to misconfigured email security settings, weak authentication, open forwarding rules, or deficient behavioural controls (aggregated internal insight, anonymised).
Why Traditional Email Security Tools Are Failing
Most organisations rely on the same mix of controls they’ve used for years:
Secure Email Gateways (SEGs), signature-based filters, URL analysis, malware scanning, and user training. These measures are important, but they're no longer effective against modern attacks.
1. Most modern phishing attacks contain no malware or malicious links
Attackers increasingly use “clean” emails:
- Impersonation of suppliers
- Fake invoice requests
- OAuth token abuse
- Compromised internal mailboxes
- Social engineering without payloads
Traditional tools can’t detect these because there’s nothing technically malicious inside the message.
2. Email security often focuses only on inbound threats
But attackers exploit:
- Internal accounts that have been taken over
- Third-party vendor compromises
- Lateral mailbox-to-mailbox phishing
Many solutions offer limited visibility into internal or supplier behaviour.
3. SEGs can’t detect when a legitimate account is misused
Once attackers gain access to a real mailbox, their activity looks “normal” to traditional filters.
4. Misconfigurations are more common than organisations realise
Dionach frequently identifies weaknesses such as:
- Incomplete or missing MFA
- Weak conditional access policies
- Inadequate DMARC, SPF, and DKIM deployment
- Legacy authentication still enabled
- Auto-forwarding rules to external mailboxes
- Insecure OAuth app permissions
These misconfigurations create easy pathways for attackers, and most are invisible to users.
The Evolving Email Threat Landscape
Modern email attacks are no longer obvious or signature-based. Attackers have shifted to low-signal, high-impact techniques designed to mimic legitimate behaviour:
- Impersonation of executives or third-party suppliers
- Account takeover leading to internal phishing sequences
- Vendor and supply-chain compromise
- Fraudulent invoice redirection
- AI-enhanced phishing that mirrors writing style and tone
These threats aren’t detectable with traditional filters. They don’t contain malicious links, malware attachments, or known indicators of compromise. Instead, they exploit trust.
Healthcare providers, financial institutions, and public-sector organisations face this risk acutely. With limited security resources and high volumes of sensitive communication, even a single compromised mailbox can escalate into a major incident.

Introducing Abnormal Security: A New Approach to Email Protection
After years of observing the limitations of traditional email security tools, new behaviour-driven platforms have emerged, and one of the most innovative is Abnormal Security.
Nomios (Dionach’s parent group) has partnered with Abnormal because it brings a fundamentally different approach to the problem.
What makes Abnormal different?
1. Behavioural AI instead of rule-based filtering
Abnormal learns:
- How your users normally communicate
- Who they communicate with
- How conversations evolve over time
- What constitutes a “normal” request
Anything that deviates from these patterns is flagged, even if the email contains no malicious links or attachments.
2. API-native design with full visibility
No MX changes. No gateways.
It integrates directly with Microsoft 365 or Google Workspace, giving it access to extremely rich identity and behavioural signals.
3. Detection of internal and third-party threats
One of the biggest strengths of Abnormal is its ability to analyse:
- Compromised supplier accounts
- Abnormal vendor behaviour
- Internal mailbox takeovers
- Suspicious financial workflows
4. Automated remediation
Suspicious messages can be automatically removed across the organisation, cutting down response times dramatically.
How to Maximise the Benefits of Abnormal Security
Nomios recommends aligning deployment with a broader security strategy:
- Assess your current email-security architecture
- Integrate identity and MFA controls
- Document third-party vendor communication flows
- Establish internal reporting and user-awareness processes
- Track meaningful metrics (MTTD, MTTI, prevented loss, ATO attempts)
Implementing Abnormal within a structured security programme ensures organisations get the full advantage of its behaviour-based detection and cloud-native efficiency.
Conclusion: A New Era of Email Security
Email is still the number one entry point for cyber-attacks, but it doesn’t have to remain the weakest link.
With the combined power of Nomios Group expertise and Abnormal Security’s behavioural AI platform, organisations can finally outpace modern email threats, reduce operational burden, and protect their people, systems, and data with confidence.
This partnership represents the future of email security: smarter, faster, cloud-native, and designed for the threats of tomorrow.
Ready to strengthen your organisation’s email defences?
Contact us to request a demo of Abnormal Security, pricing details, or a tailored security assessment.