There’s something of a renaissance happening in cybersecurity. No, it never went away, you’re right, but the level of vocal engagement coming out of every enterprise software vendor in this space now spans traditional anti-virus protection to network-level robustness controls and onward to (obviously) agentic AI lifecycles… and then leaps forward to the next era of optical photonics-based computing and, of course, quantum encryption.

Working in the here and now with a self-imposed remit to protect the most pressing cyber vulnerabilities is StrongestLayer. The company’s new threat intelligence report (jauntily named What Your Email Security Can’t See) is based on an analysis of 2,042 advanced email attacks that successfully bypassed Microsoft Defender E3/E5 and well-known secure email gateways before being detected. 

Quick, Hide Behind the Platform

The findings may point to a shift in attacker behavior, where adversaries increasingly hide behind well-known platforms such as DocuSign, Microsoft and Google Calendar, which are all services that organizations typically cannot block without disrupting operations.

Rather than relying on malware or obvious phishing techniques, today’s attackers exploit trust, authentication gaps, and operational dependency. The report provides rare visibility into the techniques that define modern email threats by examining only attacks that incumbent security controls missed.

“Email security has reached an inflection point,” said Alan LeFort, CEO and co-founder, StrongestLayer. “The controls enterprises depend on were designed to detect patterns and known bad signals. But attackers are now exploiting trusted brands and legitimate infrastructure, areas that those systems were never built to reason about.”

The company says that 77% of attacks failed Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication yet still reached inboxes, exposing a widespread enforcement gap. 100% of threats bypassed incumbent email security, including Microsoft E3/E5 and leading secure email gateways. Approximately 45% of attacks showed indicators of AI assistance, a figure projected to rise to 75–95% within the next 18 months

Trusted Brands, New Attack Surface

The report thinks that attackers are no longer trying to look legitimate – they are hiding behind platforms that already are. DocuSign alone accounted for more than one-fifth of all attacks analyzed, particularly targeting legal, financial and healthcare organizations where document-signing workflows are deeply embedded in daily operations.

Google Calendar attacks represent an especially concerning trend. Because calendar invitations are delivered via calendar APIs rather than email, these attacks bypass secure email gateways entirely, creating a blind spot for most security teams.

The Authentication Challenge

Email authentication is widely promoted as the solution to impersonation attacks, yet the data tells a more complex story. Most organizations maintain permissive DMARC policies to avoid blocking legitimate but misconfigured senders. Attackers knowingly exploit this reality, delivering messages that fail authentication but are still allowed through.

“StrongestLayer’s analysis shows AI-assisted phishing has fundamentally changed the economics of detection. Traditional phishing campaigns reuse templates with high similarity, allowing pattern-based systems to work. AI-generated attacks, however, share as little as 12–18% similarity across variants, rendering pattern matching mathematically ineffective – a phenomenon [our] report calls the Pattern-Matching Cliff. As AI-generated attacks become the default, organizations relying solely on pattern-based detection face a rapidly narrowing window to adapt,” explains LeFort and team

The attacks in this report share a common trait: they don’t look malicious in isolation. Legacy systems operate as “prosecutor-only” architectures, searching for evidence of guilt such as malicious links or known-bad indicators. What they lack is the ability to prove legitimacy – whether a DocuSign notification aligns with real business activity or a calendar invite reflects an authentic workflow.

Defending against trust-exploitation attacks requires a dual-evidence approach that evaluates both threat signals and business legitimacy signals, enabling confident decisions without the false-positive burden that plagues traditional tools.