SI-3 / SI-8 / SC-7 NIST SP 800-53 Rev 5

What kind of email security gateway do you use beyond default Microsoft / Google filtering?

Demonstrate that the organization has deployed and actively maintains a third-party email security gateway with advanced threat protection capabilities that supplement native cloud provider filtering.

Description

What this control does

This control evaluates the deployment and configuration of third-party email security gateways (e.g., Proofpoint, Mimecast, Barracuda, Cisco IronPort) that augment native filtering in Microsoft 365 or Google Workspace. These solutions provide advanced threat protection including sandbox analysis, URL rewriting, credential phishing detection, brand impersonation defense, and business email compromise (BEC) prevention beyond baseline SPF/DKIM/DMARC checks. Organizations use layered email security because native filters, while improving, still miss sophisticated attacks such as zero-day malware, polymorphic phishing campaigns, and social engineering tactics that exploit trust relationships.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and actively maintains a third-party email security gateway with advanced threat protection capabilities that supplement native cloud provider filtering.

Associated risks

Risks this control addresses

  • Credential phishing emails bypass native filters and harvest user credentials through lookalike login pages
  • Polymorphic malware attachments evade signature-based detection in default email filters and execute on endpoints
  • Business email compromise attacks using domain spoofing or display name deception trick employees into fraudulent wire transfers
  • Zero-day exploits embedded in weaponized documents reach user mailboxes before vendor signatures update
  • Lateral phishing from compromised internal accounts spreads malware or credential harvesting campaigns organization-wide
  • URL-based attacks using time-delayed redirect chains or geo-fencing evade initial scan and deliver malicious payloads post-delivery
  • Data exfiltration via outbound email occurs without content inspection or data loss prevention enforcement

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current email flow architecture diagram showing MX records, mail routing, and the email security gateway position in the message path
  2. Export and examine the MX records from public DNS to verify third-party gateway receives inbound mail before delivery to Microsoft 365 or Google Workspace
  3. Request configuration exports or screenshots from the email security gateway console showing enabled protection modules (sandboxing, URL defense, impersonation protection, attachment analysis)
  4. Review threat detection policies including ATP (Advanced Threat Protection) rules, quarantine settings, and administrator notification configurations
  5. Select a sample of 20-30 quarantined or flagged messages from the past 30 days and verify the gateway identified threats missed by native filtering (compare detection timestamps and threat classifications)
  6. Interview the email administrator to confirm bypass rules, whitelists, and exceptions are documented with business justification and periodic review
  7. Test email flow by sending simulation messages (safe test files) and trace delivery through gateway logs to confirm active inline scanning
  8. Verify integration between the email security gateway and SIEM or logging platform to confirm threat event forwarding and alerting
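Step 2 above, the MX record check, as an added example that is not part of the original page: it classifies each published MX host as native provider, gateway, or unknown, and flags any native host left in the set, because a sending server may deliver to any listed MX and such a host is therefore a delivery path that skips the gateway. The provider and vendor hostname patterns, the `dig` lookup, and the sample records are assumptions and constructed data, not values from the page.

```python
import re
import subprocess
import sys
# Inbound MX naming used by the native providers (assumption: current naming).
NATIVE = [re.compile(p) for p in (
    r"\.mail\.protection\.outlook\.com$",  # Microsoft 365 direct delivery
    r"(^|\.)aspmx\.l\.google\.com$",       # Google Workspace (aspmx / altN.aspmx)
    r"^aspmx\d*\.googlemail\.com$",        # older Google Workspace MX names
)]
# Gateway naming for the vendors the organisation says it routes through
# (assumption: Proofpoint and Mimecast here; extend per vendor).
GATEWAY = [re.compile(p) for p in (r"\.pphosted\.com$", r"\.mimecast\.com$")]

def classify_host(host):
    h = host.lower().rstrip(".")
    if any(p.search(h) for p in NATIVE):
        return "native"
    if any(p.search(h) for p in GATEWAY):
        return "gateway"
    return "unknown"

def classify_mx(records):
    """records: list of (preference, host) from an MX query. Any native host is a
    direct-delivery path: a sending server may use any listed MX, whatever its
    preference, so the gateway is only inline when no native host remains."""
    if not records:
        return "no-mx", ["domain publishes no MX records"]
    kinds = {h: classify_host(h) for _, h in records}
    findings = [f"{pref:>3} {h} -> {kinds[h]}" for pref, h in sorted(records)]
    if "native" in kinds.values():
        verdict = "bypass-path" if "gateway" in kinds.values() else "native-only"
    elif "gateway" in kinds.values():
        verdict = "gateway-plus-unknown" if "unknown" in kinds.values() else "gateway-inline"
    else:
        verdict = "unknown"
    return verdict, findings

def query_mx(domain):
    """Live lookup with dig (assumption: dig is installed); returns [(pref, host)]."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return [(int(p), h) for p, h in (ln.split() for ln in out.splitlines() if ln.strip())]

if __name__ == "__main__":
    # Constructed sample: gateway listed first, but a Microsoft 365 MX is still published.
    sample = [(10, "us-smtp-inbound-1.mimecast.com"), (20, "contoso-com.mail.protection.outlook.com")]
    recs = query_mx(sys.argv[1]) if len(sys.argv) > 1 else sample
    verdict, findings = classify_mx(recs)
    print(verdict, *findings, sep="\n")
```

Run it with a domain argument for a live lookup; a `bypass-path` verdict means the MX evidence does not yet support the pass criteria, since mail can still reach the provider without passing the gateway, until the native host is removed or the provider is configured to accept inbound mail only from the gateway.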
Evidence required

Collect MX record query results, email flow architecture diagrams, email security gateway configuration exports showing enabled threat protection modules, sample threat detection logs or quarantine reports from the past 30-90 days demonstrating advanced threat blocking, policy documentation defining detection rules and exception handling, and email trace logs confirming inline message inspection before mailbox delivery.

Pass criteria

A third-party email security gateway is deployed inline in the mail flow with advanced threat protection features (sandboxing, URL rewriting, impersonation detection) actively enabled, MX records confirm mail routes through the gateway before reaching Microsoft 365 or Google Workspace, and evidence shows the gateway detected threats within the past 90 days that supplemented native filtering.