Most email security products are about as effective as eating spaghetti with a spoon. I have used quite a few. Three stand out. That number may shrink or expand because security tools change and evolve constantly. A firewall product that led the market twenty years ago should not be anywhere near a data center today. Email security is no different. These are the three worth your attention today.
The real threat has changed
Attachment detonation and URL rewriting still matter. They just no longer decide the big losses. Business Email Compromise (BEC) and thread hijacking do. These messages ride inside legitimate conversations with no payload to convict, clear the gateway, and reach finance within hours.
The most expensive attacks rarely look malicious. They read like a supplier’s finance director asking you to update wire instructions. SPF, DKIM, and DMARC all pass. The domain is clean. The thread is real because the supplier’s mailbox was compromised. The only tell is relational, not technical. If your stack cannot see relationship context and behavioral baselines, it will miss this every time.
Scanning attachments stops the noise. Understanding relationships stops the losses. If budget forces a choice, choose the latter.
Two layers, not one
Gateways like Proofpoint sit in the mail path, like a firewall for email, and excel at volume defense, threat intel, URL rewriting, DLP policy enforcement, and court-ready logging. If you process millions of messages or need granular policy per domain, this layer stops the spam, threats, greymail, malware and phishing from hitting the mail store.
API-native controls like Abnormal and Check Point Harmony connect through Microsoft Graph or Google APIs with read scopes. They work post delivery, often in seconds after a message hits the inbox. They ingest delivered messages and historical conversations, then learn who talks to whom, how often, from where, and about which transactions. Because they model relationships over time, they can spot first-time banking change requests from a vendor, a suspicious reply-to change on a payment email, or OAuth grants that indicate account takeover. They can retroactively quarantine a message after delivery and hunt for lookalikes across the tenant. You cannot do that at the gateway because the evidence lives inside the inbox.
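As an added illustration, not code from this post or from any vendor it names: a per-relationship baseline built from constructed message history flags a new reply-to domain and a first-time banking change request on a delivered message that passes SPF, DKIM and DMARC. The addresses, message fields and keyword pattern are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mail for one tenant; not real traffic.
HISTORY = [
    {"from": "ap@supplier.example", "reply_to": "ap@supplier.example",
     "to": "finance@corp.example", "body": "Invoice 1041 attached, net 30 as usual."},
    {"from": "ap@supplier.example", "reply_to": "ap@supplier.example",
     "to": "finance@corp.example", "body": "Thanks, payment for 1041 received."},
    {"from": "billing@bank-partner.example", "reply_to": "billing@bank-partner.example",
     "to": "finance@corp.example", "body": "Our new account number and IBAN are below."},
]
DELIVERED = {"from": "ap@supplier.example", "reply_to": "ap@supplier-pay.example",
             "to": "finance@corp.example", "auth": "spf=pass dkim=pass dmarc=pass",
             "body": "Please update our wire instructions. New IBAN for invoice 1042 below."}

# Hypothetical keyword heuristic for a banking-change request.
BANK_CHANGE = re.compile(r"\b(wire instructions|new iban|new account number|bank details)\b", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Per sender/recipient pair: message count, reply-to domains seen, prior bank-change talk."""
    base = defaultdict(lambda: {"count": 0, "reply_domains": set(), "bank_change": False})
    for m in history:
        b = base[(m["from"].lower(), m["to"].lower())]
        b["count"] += 1
        b["reply_domains"].add(domain(m["reply_to"]))
        b["bank_change"] |= bool(BANK_CHANGE.search(m["body"]))
    return base

def relationship_signals(msg, base):
    """Return relational signals for a delivered message; the auth result is never consulted."""
    b = base.get((msg["from"].lower(), msg["to"].lower()))
    if b is None:
        return ["no_prior_relationship"]
    signals = []
    if domain(msg["reply_to"]) not in b["reply_domains"]:
        signals.append("new_reply_to_domain")
    if BANK_CHANGE.search(msg["body"]) and not b["bank_change"]:
        signals.append("first_time_bank_change_request")
    return signals

if __name__ == "__main__":
    print(relationship_signals(DELIVERED, build_baseline(HISTORY)))
```

Both signals come from the conversation history rather than from the message's content or authentication headers, which is why they are only available to a control that can read the mailbox.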
Where each product fits
When I say three products, I mean two. Or one, depending on your size. Above 250 users, Proofpoint and Abnormal are both viable and pricing starts around $30,000 per year. Below it, Harmony Complete is the answer. That is not to say Harmony won’t work at scale. It will, but it has competition.
SMBs (small and medium-sized businesses) get hit with just as many cyberattacks as enterprises and have far fewer resources to deal with them. Harmony is the only vendor that took this seriously. They built genuine enterprise-grade detection and made it available on a per-mailbox, per-month model that smaller organizations can actually budget for and operate. Proofpoint and Abnormal have not done this.
Proofpoint tried by acquiring Hornetsecurity, which unfortunately blocks about as much malware, spam, and BEC as Microsoft’s native filtering. That is not a compliment. It would be like Gaggenau buying Just Play and slapping the Gaggenau name on an Easy-Bake Oven. Rebranding a mediocre product does not make it less mediocre. Hopefully they will also bring the capabilities of their enterprise product to the acquisition. Time will tell.
Above 250 users, the choice depends on your operating model. If you need gateway-level routing, DLP, and policy complexity, Proofpoint will feel native. If you need deep behavioral defense with minimal mail-flow changes, Abnormal is the stronger pick. Harmony is viable at enterprise scale as well but needs to be pressure tested in a bakeoff.
What to measure, not promise
Ignore vendor win-rate graphs from controlled bake-offs. Measure outcomes in your environment where money moves. The metrics that matter are median time from delivery to removal for confirmed BEC, false positive rate on VIP and supplier mail, and mean time to detect account takeover signals like OAuth grants and MFA changes.
Ask vendors how the tool learns baselines, whether it can act on messages without dangerous write scopes, and what happens if Graph API throttles. These questions separate tools from demos.
Practical buying questions
Push vendors on mechanics and ownership, not slogans. What mail-flow changes are required and how is rollback handled? How is post-delivery remediation executed at scale? How are supplier risk signals built and are they tenant-local or cross-tenant? Who owns the payment-change verification workflow and how is evidence captured for auditors?
My best tip on negotiating with OEM vendors is to pre-negotiate the uplift cost on renewal. If you can commit to 3 years at flat pricing, do it. Five is even better. Don’t be afraid to walk either.
A closing thought
Email security is no longer a content problem. It is a relationship and workflow problem that still generates a lot of content. Keep your gateway to handle the brunt of the onslaught and add an API-native layer to handle fraud in your business relationships. If you are under 250 users, Harmony Complete is the answer. If you are above it, buy what reduces time to decision for your SOC and closes the last mile with finance. The cheapest control in a BEC is still a verified out-of-band call. The second cheapest is a platform that knows when a supplier is acting out of character and gives you time to make that call.
Commonly Asked Questions
1. What is the difference between a secure email gateway and API-native email security?
A secure email gateway sits in the mail flow and filters messages before they reach the inbox. It is strong for spam, malware, URL rewriting, DLP, routing, and logging. API-native email security connects to Microsoft 365 or Google Workspace through APIs and analyzes delivered mail, historical communication patterns, user behavior, and account activity. The blog argues that gateways handle volume, while API-native tools are better positioned to detect relationship-based attacks like BEC, thread hijacking, and supplier payment fraud.
2. Why is BEC harder to stop than traditional phishing?
BEC often has no malicious attachment or obvious bad link. Many attacks use real business context, compromised supplier mailboxes, legitimate domains, and clean authentication signals. That means SPF, DKIM, and DMARC can all pass while the message is still fraudulent. Modern BEC detection depends more on relationship context, sender behavior, payment-change signals, and workflow verification than on traditional content scanning alone.
3. Is Proofpoint better than Abnormal Security?
Neither is automatically better. Proofpoint is often stronger when an organization needs gateway-level routing, DLP, threat intelligence, policy control, and detailed logging. Abnormal is often stronger when the priority is behavioral detection, account takeover visibility, vendor fraud detection, and minimal mail-flow disruption. The right choice depends on the organization’s size, operating model, compliance needs, and tolerance for mail-flow changes.
4. Where does Check Point Harmony fit in email security?
Check Point Harmony is positioned in the blog as a strong option for SMBs, especially companies under 250 users that need enterprise-grade email protection without enterprise-style pricing or operational overhead. Check Point describes Harmony Email & Collaboration as AI-powered email security for Microsoft 365 and Gmail, with protection against phishing, malware, and BEC.
5. Do companies need both a gateway and API-native email security?
Larger organizations often benefit from both. A gateway can reduce the volume of spam, malware, and policy violations before mail reaches the inbox, while an API-native layer can analyze behavior, relationships, account takeover signals, and post-delivery threats. The blog’s central recommendation is a two-layer model for larger environments and a simpler consolidated approach for smaller organizations.
6. What email security metrics should buyers measure during a bakeoff?
The most useful metrics are median time from delivery to removal for confirmed BEC, false positive rate on VIP and supplier mail, mean time to detect account takeover signals, remediation speed, and the quality of evidence captured for auditors. The blog specifically advises buyers to ignore vendor win-rate graphs and measure outcomes in their own environment where money actually moves.
7. Why is vendor email compromise becoming such a major risk?
Vendor email compromise is dangerous because attackers abuse trusted business relationships. Instead of pretending to be a random attacker, they may compromise a supplier account, reply inside a real thread, and request a banking change or urgent payment. Abnormal’s 2025 findings show vendor email compromise is a weekly exposure for many organizations, reinforcing the need for behavioral and relationship-aware detection.
8. Can SPF, DKIM, and DMARC stop BEC?
SPF, DKIM, and DMARC are important controls, but they do not stop every BEC attack. They help validate domain authentication and reduce spoofing, but they cannot reliably detect fraud sent from a legitimate compromised mailbox. That is why the blog emphasizes relationship context, account behavior, and finance workflow verification.
9. What should SMBs look for in an email security platform?
SMBs should prioritize strong phishing and BEC detection, simple deployment, predictable per-mailbox pricing, Microsoft 365 or Google Workspace integration, automated remediation, account takeover detection, and low operational burden. The blog recommends Harmony Complete for organizations under 250 users because it is positioned as more accessible for smaller teams.
10. What is the cheapest effective control against BEC?
The cheapest effective control is still a verified out-of-band call before changing payment instructions or sending money. The blog’s point is that technology should give teams enough context and time to make that call before a fraudulent payment leaves the business.

