Traditional email security solutions (also known as email gateways) fail to stop targeted attacks because they:

  1. Can't stop account takeover. Email gateways sit on the mail flow from the external world into the mail server. For that reason, they can only prevent external attacks coming into the email server, not attacks that come from internal users. Most email gateways have no way of observing internal email traffic, let alone stopping attacks when they happen.

  2. Don't understand the context of the email. Email gateways typically look for obviously malicious signals in an email (e.g., the email has an attachment with malware, or there is a link pointing to a blacklisted website). However, attackers have learned to create emails without any obviously malicious signals. They use legitimate email addresses to send their emails, and when they do insert a link into the email, that link might belong to a compromised website that has a high reputation and doesn't appear on any blacklists.

  3. Rely on static rules. Email gateways can be really good at stopping mass email campaigns (e.g., mass spam or phishing campaigns) by observing the same text or link being sent at once to many different users, and by applying simple rules to stop obviously malicious patterns. But they aren't good at stopping targeted attacks, where the attacker has tailored the email to the recipient and has not reused the same email across multiple targets. These emails often escape static rules because their text does not match any obvious spam keywords and the sender reputation is high.
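
An added illustration of the three limitations above (not from the original page or from any gateway product): a toy gateway with a link blacklist, a keyword rule and a bulk-duplicate rule, run over constructed messages. The `path` field, the rule values and every message are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed rule data and messages; none of it comes from a real product.
BLACKLISTED_DOMAINS = {"bad-login.example"}
SPAM_KEYWORDS = ("lottery", "you have won")
BULK_THRESHOLD = 3  # identical body to this many recipients counts as a campaign
URL_RE = re.compile(r"https?://[^\s\"'>]+")

def link_domains(body):
    """Host names of every http(s) link in the body."""
    return {urlparse(u).hostname for u in URL_RE.findall(body)}

def gateway_verdicts(messages):
    """Map message id -> first static rule that fires, 'deliver', or 'not-inspected'."""
    inbound = [m for m in messages if m["path"] == "inbound"]
    body_counts = Counter(m["body"] for m in inbound)
    # Internal mail never crosses the gateway, so it keeps this default verdict.
    verdicts = {m["id"]: "not-inspected" for m in messages}
    for m in inbound:
        if link_domains(m["body"]) & BLACKLISTED_DOMAINS:
            verdicts[m["id"]] = "blacklisted-link"
        elif any(k in m["body"].lower() for k in SPAM_KEYWORDS):
            verdicts[m["id"]] = "spam-keyword"
        elif body_counts[m["body"]] >= BULK_THRESHOLD:
            verdicts[m["id"]] = "bulk-campaign"
        else:
            verdicts[m["id"]] = "deliver"
    return verdicts

BULK = "Your mailbox is almost full. Review storage: http://portal.example/quota"
MESSAGES = [
    {"id": "bulk-1", "path": "inbound", "body": BULK},
    {"id": "bulk-2", "path": "inbound", "body": BULK},
    {"id": "bulk-3", "path": "inbound", "body": BULK},
    {"id": "listed", "path": "inbound", "body": "Sign in at http://bad-login.example/a"},
    {"id": "keyword", "path": "inbound", "body": "You have WON the lottery!"},
    # Tailored, sent once, link on a reputable (unlisted) site: no static rule fires.
    {"id": "targeted", "path": "inbound",
     "body": "Hi Dana, the revised invoice from Tuesday's call: https://docs.partner.example/inv"},
    # Sent from a taken-over internal account: the gateway never sees it.
    {"id": "internal", "path": "internal",
     "body": "Can you approve this today? https://docs.partner.example/inv"},
]

if __name__ == "__main__":
    for msg_id, verdict in gateway_verdicts(MESSAGES).items():
        print(f"{msg_id:9} {verdict}")
```

The mass campaign, the blacklisted link and the keyword message are each caught by one rule, while the tailored message is delivered and the internal one is never inspected.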