Transparency in Cybersecurity: The Email Security Case
Cybersecurity is a massive market today — with more than 4,000 vendors all vying for attention. But when I started in this field over 20 years ago, things were very different. The word “cybersecurity” wasn’t even in common use yet, and I could count the number of players on one hand.
Fast forward to today, and the explosion of vendors, tools, and claims has made it increasingly difficult for CISOs and security teams to separate substance from noise. Every time I walk the expo floors at conferences like RSAC or Black Hat, I try to put myself in the shoes of someone genuinely looking for answers. Which booth do you visit first? The one with the biggest LED screen? The loudest voice? The best swag?
In this environment, millions of dollars are spent on marketing, and more often than not, the vendor that gets noticed is simply the one with the biggest budget. But visibility doesn’t always equal value — especially when we’re talking about protecting organizations from real and sophisticated threats.
As our late CTO Raimund Genes always said:
“We only have one competitor: the cybercriminals.”
That’s why transparency is more important than ever. In a market full of bold promises, what matters is real-world effectiveness. Vendors should be willing to show how their solutions perform — not in a controlled lab, but in live environments, against actual threats. That kind of honesty builds trust. It empowers customers to make informed decisions, and it elevates the entire industry.
So when I came across Microsoft’s recent blog post titled “Transparency on Microsoft Defender for Office 365 Email Security Effectiveness”, it struck a different chord. It wasn’t a marketing piece — it was a call for clarity, collaboration, and accountability in how we measure real-world email security.
Understanding the Email Security Market
Let’s begin by understanding the email security market — something I’ve had a front-row seat to since the beginning. In fact, the first commercial email security layer was invented by Trend Micro.
It’s a market that is often misunderstood unless you truly grasp how email flows, and how it can be intercepted, scanned, and protected at different stages. And it’s more critical than ever.
Why? Because email remains the #1 communication channel in nearly every organization. It drives business processes, project coordination, vendor communication, legal workflows, and more. And now, with the rise of generative AI, cybercriminals are crafting credible, context-aware, multilingual phishing emails at scale — targeting every role in every region with increasing precision.
From Business Email Compromise (BEC) to QR code phishing, payload-less attacks, and AI-generated impersonation, email remains the most common entry point for today’s cyberattacks.
If we want to improve our defenses, we must first understand how and where email security works — and what gaps still exist.
How Email Flows and Where Security Layers Fit
To understand the risk — and how to mitigate it — we need to visualize the three main layers of modern email defense: SEG, Microsoft Defender for Office 365, and ICES.
Here’s the flow:
External email enters the organization from the internet.
It’s first filtered by a Secure Email Gateway (SEG) — the first layer of defense. SEG vendors like Trend Micro, Proofpoint, Mimecast, and Barracuda apply security protocols like SPF, DKIM, and DMARC to validate sender identity. They also block spam, known malware, and malicious content before the message even reaches Microsoft’s infrastructure. (And I say this with pride — Trend Micro invented this layer. We pioneered the concept of scanning and filtering emails for threats long before cybersecurity became mainstream. SMTP and the TCP/IP stack were never designed for security — they were built in a more trusting digital era. So we built protection layers on top of it.)
After the SEG, emails are delivered to Microsoft Exchange Online, where Microsoft Defender for Office 365 performs another inspection — looking for dangerous attachments, suspicious links, or anomalies before the message reaches the end user’s mailbox. This layer is especially important for identifying internally sent threats — for example, if an attacker hijacks a legitimate account or uses compromised contractor credentials, the message never passes through the gateway at all.
Lastly, we have the third layer: Integrated Cloud Email Security (ICES) solutions like Trend Micro (Vision One), Abnormal, Darktrace, and PhishTitan. These tools operate post-delivery, meaning they analyze emails already delivered to inboxes, detecting threats that may have bypassed SEG and Microsoft’s inline protection.
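To make the three-layer flow concrete, here is an added Python sketch that is not code from the original post or from any vendor named in it. It models a gateway step that applies a relaxed-alignment DMARC check (SPF or DKIM must pass and its domain must align with the From: domain), an inline attachment check standing in for the mailbox-side inspection, and a post-delivery check for payload-less urgency lures standing in for an ICES product. The organizational-domain logic, the extension list, the keyword heuristic and the four sample messages are all constructed simplifications; the point is which layer a given message is stopped at, including the internal-sender case that never traverses the gateway.

```python
"""Constructed three-layer email defense model (SEG -> inline inspection -> ICES)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Message:
    from_domain: str            # domain in the RFC 5322 From: header
    spf_result: str             # "pass" / "fail" / "none" as reported by the receiver
    spf_domain: str             # MAIL FROM domain that SPF was evaluated against
    dkim_result: str
    dkim_domain: str            # d= tag of the DKIM signature ("" if unsigned)
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    internal_sender: bool = False   # sent from inside the tenant (bypasses the SEG)


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_aligned(msg: Message) -> bool:
    """Relaxed alignment: an authenticated identifier must share the From: org domain."""
    from_org = org_domain(msg.from_domain)
    spf_ok = msg.spf_result == "pass" and org_domain(msg.spf_domain) == from_org
    dkim_ok = msg.dkim_result == "pass" and msg.dkim_domain and org_domain(msg.dkim_domain) == from_org
    return bool(spf_ok or dkim_ok)


BAD_EXTENSIONS = (".exe", ".js", ".scr")          # constructed block list
URGENCY_CUES = ("urgent", "immediately", "wire", "gift card")  # constructed BEC cues


def seg_layer(msg: Message) -> str:
    """Layer 1: only external mail is seen here; DMARC failures are blocked."""
    if msg.internal_sender:
        return "pass"
    return "pass" if dmarc_aligned(msg) else "block"


def inline_layer(msg: Message) -> str:
    """Layer 2: pre-delivery inspection of attachments."""
    for name in msg.attachments:
        if name.lower().endswith(BAD_EXTENSIONS):
            return "block"
    return "pass"


def ices_layer(msg: Message) -> str:
    """Layer 3: post-delivery content analysis for payload-less lures."""
    text = f"{msg.subject} {msg.body}".lower()
    if not msg.attachments and sum(cue in text for cue in URGENCY_CUES) >= 2:
        return "remediate"
    return "pass"


def run_pipeline(msg: Message) -> str:
    """Return which layer stopped the message, or 'delivered' if none did."""
    if seg_layer(msg) == "block":
        return "blocked_by_seg"
    if inline_layer(msg) == "block":
        return "blocked_inline"
    if ices_layer(msg) == "remediate":
        return "remediated_post_delivery"
    return "delivered"


def tally(messages) -> dict:
    """Per-layer outcome counts, the same shape as a 'caught after delivery' rate."""
    return dict(Counter(run_pipeline(m) for m in messages))


# Constructed sample traffic.
SPOOF = Message("corp.example", "pass", "attacker.example", "none", "",
                "Invoice attached", "See attached.", ["invoice.pdf"])
MALWARE = Message("vendor.example", "pass", "vendor.example", "none", "",
                  "Updated invoice", "Please open.", ["invoice.pdf.exe"])
HIJACKED_BEC = Message("corp.example", "none", "", "none", "",
                       "Urgent: wire transfer needed",
                       "Please process this wire immediately and confirm.",
                       internal_sender=True)
BENIGN = Message("partner.example", "fail", "bulk.example", "pass", "partner.example",
                 "Thursday agenda", "Here is the agenda for Thursday's review.", ["agenda.pdf"])

if __name__ == "__main__":
    for m in (SPOOF, MALWARE, HIJACKED_BEC, BENIGN):
        print(f"{m.subject!r}: {run_pipeline(m)}")
    print(tally([SPOOF, MALWARE, HIJACKED_BEC, BENIGN]))
```

The hijacked-account case is the one to notice: it is never authenticated by the gateway because it never leaves the tenant, it carries no attachment for the inline scan, and only the post-delivery layer has anything to act on.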
The Third Layer: Why ICES is Not Optional
The ICES layer is often misunderstood — or worse, treated as optional. But Microsoft’s own architecture and recent report make it clear: it’s a necessary component of modern email defense.
Why? Because even with Defender for Office 365 in place, sophisticated threats still get through. Microsoft knew this and opened APIs to allow third-party vendors to integrate, detect, and remediate threats that slip past the first two layers.
As someone who’s been in the field long enough, I’ve seen it repeatedly: attackers only need one successful email to start their entire kill chain. That’s it — just one. As I always say:
If we catch something in this layer — even just one malicious email — we’re already improving our cybersecurity posture and cyber resiliency. That’s why this third layer is not optional.
These ICES tools bring unique capabilities:
Behavioral analysis
Natural language understanding
Real-time detection of anomalies
Cross-tenant threat intelligence
They also protect against advanced threats like BEC, impersonation, and targeted phishing that don’t rely on known signatures or traditional malware.
Microsoft says it well in the report:
“Security is a team sport, and we are grateful to our entire ecosystem for working together on protecting our customers. We encourage customers to see how the solutions deployed in their tenants are collectively performing for their needs.”
This isn’t just a nice quote — it’s a challenge to the entire industry to collaborate, integrate, and measure effectiveness based on real-world performance, not marketing claims.
A Moment of Validation (and Amazement)
Reading Microsoft’s transparency report was, for me, a moment of genuine validation and amazement.
I’ve seen the value of this third layer of protection (ICES) for many years. I’ve witnessed firsthand how it catches what others miss — in live customer environments, in feedback from security teams, and in post-incident reviews where this final line of defense made the difference between a near miss and a full-blown breach.
But this is the first time I’ve seen Microsoft — the platform owner — publicly confirm and quantify this with real data.
Here’s what happens in just 1 million emails:
5,500 malicious emails detected by Trend Micro, missed by both the Secure Email Gateway (SEG) and Microsoft Defender for Office 365 (0.55%)
3,700 by KnowBe4 Defend (0.37%)
3,600 by Darktrace (0.36%)
3,300 by PhishTitan (0.33%)
3,300 by Abnormal (0.33%)
2,900 by Tessian (0.29%)
1,200 by Cisco (0.12%)
600 by Check Point (0.06%)
That’s thousands of malicious emails missed by two layers of protection — the SEG and Microsoft Defender — but caught by the ICES layer after delivery.
This is not a criticism of Microsoft Defender for Office 365 or the SEG layer. In fact, Microsoft deserves credit for enabling this layered model and for opening their ecosystem through APIs. What this data confirms is the reality many of us in the field have long known: even the best defenses miss things, and post-delivery detection is essential.
That’s also why I’m personally more focused on this third layer than ever before.
Attackers already know how to bypass the first two layers. With AI, they can now generate massive volumes of contextualized, multilingual phishing campaigns that feel human — and they can test those emails against commercial SEG and Microsoft Defender for Office 365 (MDO) solutions before launching their attacks. These layers are now predictable and, for many threat actors, defeatable.
But the post-delivery ICES layer is a different challenge altogether.
Here, attackers are forced to confront real-time behavioral analytics, AI-driven anomaly detection, and contextual analysis that they can’t easily simulate or evade. This layer deals with TTPs that are novel, adaptive, and often invisible to static defenses. This is where we detect what no one else can see — yet.
So when Microsoft published this report — acknowledging the real-world impact of ICES solutions and how they complement Defender for Office 365 — it wasn’t just another industry white paper. It was a moment where field experience and platform-level validation finally aligned.
And that gives me hope that we’re moving toward a more honest, integrated, and effective future for cybersecurity.
But This Is Not the End of the Story
Even with all these layers in place — SEG, Microsoft Defender for Office 365, and ICES — we still have to ask the most important question:
What happens if even the ICES layer misses one malicious email?
Because in cybersecurity, asymmetry defines the battlefield. Attackers only need one success. We, as defenders, need to stop everything, every time — and we know that perfect protection does not exist.
That’s why our responsibility doesn’t stop at blocking threats. As defenders, our mission is to continuously augment detection and reduce cyber risk — proactively, adaptively, and holistically.
This is exactly where Trend Micro is innovating again in the email security space.
We’ve realized that in today’s threat landscape, it’s not enough to just add one more layer between the user and the email threat. We now need two additional layers that go beyond prevention, into response and strategic cyber risk governance.
Layer 4: EmDR — Email Detection and Response
This is where XDR meets email — and where most organizations still have a critical blind spot.
EmDR (Email Detection and Response) is designed to extend visibility far beyond the inbox. It connects email telemetry with threat logs, user behavior, endpoints, identity systems, and lateral movement across the environment. In other words, it turns email into an active signal source in your broader detection and response strategy — not just a place to filter messages.
Just like in the image below, a single compromised email can give an attacker initial access. From there, they may infect a user’s device, harvest credentials, move laterally to unmanaged assets, or escalate privileges to reach high-value targets like the CFO.
EmDR helps us connect those dots, trace the full attack path, and respond across systems, not just contain a threat at the message level.
But here’s the challenge:
Most XDR strategies today are missing EmDR entirely.
They focus on endpoints, servers, cloud workloads, or identity systems — but ignore email as a core telemetry and response domain. And that makes little sense when email remains one of the top three initial access vectors in nearly every major breach, including ransomware, business email compromise (BEC), and supply chain attacks.
This oversight leaves a significant gap in visibility and response. Without EmDR, organizations can detect suspicious behavior on a device — but miss that it was triggered by a phishing email. Or worse, they can respond to endpoint alerts while the attacker is still quietly pivoting through compromised inboxes and cloud accounts.
That’s why EmDR isn’t just a feature — it’s a foundational layer in modern cyber defense. It brings email into the heart of threat detection and response, where it belongs.
Layer 5: EmCRM — Email Cyber Risk Management
The fifth and final layer is about stepping back to see the bigger picture — not just what threats are blocked, but what risks remain. This is the domain of EmCRM: Email Cyber Risk Management.
In previous articles, I introduced a simple but powerful way to visually define cyber risk: the intersection of three core elements — threat, vulnerability, and consequence. This Venn diagram isn’t just conceptual — it’s operational. And when we apply it to the email channel, it becomes the foundation of an effective EmCRM strategy.
Let’s break it down:
Threats: We’ve covered these extensively throughout this article — phishing, BEC, payload-less attacks, malicious links, QR code lures, AI-generated impersonation. These are the techniques attackers use to initiate compromise via email.
Vulnerabilities: In traditional security, we think of vulnerabilities as unpatched software or misconfigurations. But in email, the primary vulnerability is human. It’s the user — the person who clicks, replies, shares, downloads, or forwards. And unlike software, you can’t patch a human. What you can do is assess human behavior, understand susceptibility, and continuously educate and reinforce good habits. EmCRM is where you identify which users are consistently engaging with suspicious content, falling for simulations, or bypassing policy — and build programs to reduce those risks.
Consequences: This is about business impact. Not every inbox is created equal. A click from a frontline intern isn’t the same as a click from the CFO, general counsel, or product manager for your core IP. EmCRM helps you map your most critical users — based on their roles, access levels, and involvement in strategic decisions or high-value business processes. When you understand the potential blast radius of a single compromised email, you understand why risk visibility must be role-aware.
When you connect threats, vulnerabilities, and consequences in this way, you unlock a much clearer view of residual cyber risk in the email layer — and how to manage it actively.
If you don’t have all three components in place today —
Threat telemetry and analytics
Human vulnerability data and behavior insights
A clear mapping of your high-consequence users
— then now is the time to start your EmCRM project.
Because this is the layer where risk becomes measurable, where prioritization becomes possible, and where cybersecurity finally aligns with business context.
EmCRM is not just about preventing email attacks. It’s about managing exposure, driving down residual risk, and empowering leaders with actionable insights about their people, their processes, and their most exposed assets.
Bringing EmDR and EmCRM Together: From Simulation to Real-Time Risk Response
One example of how we’re operationalizing this fifth layer at Trend Micro is by integrating phishing simulations directly into both the EmDR and EmCRM layers — bridging behavior, detection, and risk-based response.
Here’s how it works:
When a user clicks on a phishing simulation link, it’s no longer just logged and forgotten. That user’s risk score increases immediately. From that point on, every email threat targeting that user is evaluated differently — with more scrutiny and stronger automated protections applied.
If necessary, automated actions are triggered in real time, such as:
Flagging or isolating future inbound emails
Resetting passwords
Revoking sessions or escalating authentication requirements
Notifying identity and SOC teams for deeper investigation
Traditionally, after a failed phishing simulation, the next step is a scheduled awareness training — often days or weeks later. But in the cyber risk management world, that’s not enough. This behavior should trigger immediate, operationalized responses, because it reflects a real moment of increased exposure.
And the consequence dimension must be addressed too — not just based on static org charts or job titles.
In Layer 5 (EmCRM), we go further by continuously evaluating each user’s criticality based on their actual role in the business, their access privileges, their involvement in critical workflows, and their connectivity to high-value systems or data. This automated context-aware analysis helps ensure we’re not just reacting to behavior, but prioritizing based on potential business impact.
Because your most critical users may not be the ones on a list —
They may be a project manager with access to sensitive IP, a DevOps engineer with cloud keys, or a regional finance lead with payment authority.
And that’s exactly what needs to be done in Layer 5:
Turn cyber risk management from a spreadsheet or annual audit into a live, dynamic, operational layer of defense that helps you protect what truly matters — in real time.
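The following Python model is an added example, not Trend Micro's code, and it serves both the EmCRM breakdown (threat, vulnerability, consequence) and the simulation-to-response flow just described. Risk is computed as the product of the three components, so it is zero whenever any one of them is absent; a simulation click raises the vulnerability term and immediately re-evaluates tiered responses; and consequence is derived from access and workflow context rather than a title, so it can be recomputed when context changes. All weights, thresholds, tier names and sample users are assumptions chosen to illustrate the mechanics.

```python
"""Constructed EmCRM-style risk model with simulation-triggered response tiers."""
from dataclasses import dataclass, field


@dataclass
class UserRisk:
    name: str
    threat: float          # share of recent inbound mail flagged malicious (telemetry), 0..1
    vulnerability: float   # behavioural susceptibility, e.g. simulation history, 0..1
    consequence: float     # business impact if compromised, re-evaluated from context, 0..1
    actions: list = field(default_factory=list)


def consequence_from_context(role_weight, privileged_access, critical_workflows, key_systems):
    """Role-aware consequence from four context signals (assumed weighting)."""
    score = (0.3 * role_weight + 0.3 * privileged_access
             + 0.2 * critical_workflows + 0.2 * key_systems)
    return min(1.0, round(score, 3))


def risk_score(u: UserRisk) -> float:
    """Intersection of the three components: no threat, no susceptibility or no impact means no risk."""
    return round(u.threat * u.vulnerability * u.consequence, 3)


# Cumulative response tiers keyed on the score (assumed thresholds, ascending).
RESPONSE_TIERS = [
    (0.05, ["isolate_inbound_mail"]),
    (0.10, ["revoke_sessions", "step_up_authentication"]),
    (0.20, ["reset_password", "notify_soc"]),
]


def evaluate_response(u: UserRisk, triggered_by_click: bool = False) -> list:
    """Every tier whose threshold the score reaches is applied, in real time."""
    actions = ["raise_scrutiny"] if triggered_by_click else []
    score = risk_score(u)
    for threshold, tier in RESPONSE_TIERS:
        if score >= threshold:
            actions.extend(tier)
    u.actions = actions
    return actions


def on_simulation_click(u: UserRisk, increment: float = 0.3) -> list:
    """A failed simulation raises vulnerability now, not after a scheduled training."""
    u.vulnerability = min(1.0, u.vulnerability + increment)
    return evaluate_response(u, triggered_by_click=True)


def prioritize(users) -> list:
    """Names ordered by residual risk, highest first."""
    return [u.name for u in sorted(users, key=risk_score, reverse=True)]


# Constructed sample population.
intern = UserRisk("intern", threat=0.4, vulnerability=0.2,
                  consequence=consequence_from_context(0.1, 0.0, 0.1, 0.0))
finance_lead = UserRisk("regional finance lead", threat=0.8, vulnerability=0.1,
                        consequence=consequence_from_context(0.6, 0.5, 0.9, 0.8))
devops = UserRisk("devops engineer", threat=0.5, vulnerability=0.2,
                  consequence=consequence_from_context(0.3, 0.2, 0.4, 0.5))

if __name__ == "__main__":
    for u in (intern, finance_lead):
        before = risk_score(u)
        acts = on_simulation_click(u)
        print(f"{u.name}: risk {before} -> {risk_score(u)}, actions {acts}")
    # Criticality is reassessed when context changes: the engineer is handed cloud keys.
    devops.consequence = consequence_from_context(0.3, 0.9, 0.4, 0.9)
    print("priority order:", prioritize([intern, finance_lead, devops]))
```

The same click produces very different responses: the intern's score stays below every tier, so only scrutiny is raised, while the finance lead with payment authority crosses all three tiers. Raising the engineer's privileged-access signal without touching the org chart moves that user up the priority list, which is the "consequence is not a title" point in code.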
Transparency Is the Way Forward
Cybersecurity is not a beauty contest. It’s not about who has the loudest booth, the flashiest claims, or the biggest marketing budget.
It’s about who delivers measurable protection — and more importantly, who is willing to be held accountable for it.
That’s why Microsoft’s report matters so much. It moves the conversation from claims to clarity, from competition to collaboration, and from security-as-a-product to security-as-a-measurable outcome.
This kind of transparency gives the industry a new benchmark — one rooted in real-world performance, not synthetic tests or theoretical assumptions. It’s an open invitation to all of us: do better, together.
At Trend Micro, that’s exactly what we’re doing.
We’ve seen firsthand that stopping threats isn’t just about adding tools — it’s about creating layers of intelligence, connecting detection to response, and tying security to business impact.
That’s why we believe the future of email security includes:
Layer 4: EmDR, where email becomes a signal within your XDR strategy, not an isolated silo.
Layer 5: EmCRM, where cyber risk is continuously assessed, behaviorally scored, and aligned with your real business priorities.
We’ve operationalized this by linking phishing simulations to real-time actions — increasing risk scores, adjusting detection thresholds, and even triggering automated password resets or identity actions when needed. And we continuously reassess user criticality, because risk isn’t static — and your org chart doesn’t tell the full story.
In short, we don’t just block threats.
We reduce risk, respond intelligently, and protect what matters most.
So yes — let’s celebrate Microsoft’s transparency. But let’s also raise the bar across the industry. Let’s encourage more vendors to open their performance data. Let’s empower more defenders to connect their layers. Let’s make cybersecurity accountable again.
Because at the end of the day, as Raimund Genes said:
“We only have one competitor: the cybercriminals.”
Castro, J. (2024). Decoding Cyber Risk: A Visual Representation. ResearchGate. https://www.researchgate.net/publication/388386953 DOI: 10.13140/RG.2.2.33733.15849/1