When a Read-Only POC Catches a Live CEO Impersonation Attack

Most email security evaluations are quiet. You connect a tool in read-only mode, let it watch traffic for a few weeks, pull a report, and make a decision. Nobody in the business ever knows it ran.

Keelings' evaluation was not quiet. While IRONSCALES sat in read-only mode, watching mail but touching nothing, it flagged a live CEO impersonation attack that the company's secure email gateway had already waved through. The proof of concept caught a real attack before Keelings had even signed. The evaluation became the first save.

Here is how that happened, and what the next 90 days looked like.

Who Keelings Is

Keelings is a 100% Irish-owned, third-generation family business that has been growing fresh produce since 1926. The company farms more than 3,000 hectares across Ireland, Costa Rica, and Brazil, sources from 46 countries, and supplies over 1,000 customers across 30 countries. More than 2,700 people from 58 nationalities work across seven countries, in fresh fruit, vegetables, flowers, and ERP software.

Warwick Botwright is Group Head of IT for Infrastructure, Security and Operations. His team runs on Microsoft 365 E3, with Mimecast in front as the secure email gateway. On paper, that stack looks complete. In practice, one category of attack kept getting through.

The Attack the Gateway Kept Missing

Someone would impersonate a Keelings executive and ask an employee to buy gift vouchers. No malicious link. No infected attachment. Nothing for a gateway to scan. Just a well-written message with the right name on it and a plausible reason to move fast.

This is textbook Phishing 2.0. There is no payload to block, so a rule-based gateway built to scan content has nothing to catch. The old tell, the clumsy grammar that used to give these away, is gone now that attackers draft with AI. The messages read clean.

The impersonation attempts bypassed the SEG on multiple occasions and led to real gift voucher fraud. Each time, the response was manual. The team searched gateway logs, warned recipients one at a time, and hoped everyone deleted the message before acting on it. There was no guarantee anyone did.

Warwick wanted an adaptive layer that could catch intent-based attacks a content scanner was built to ignore, and do it without adding risk to mail delivery.

The Architecture Question Warwick Asked First

Keelings looked at several options and took two to a full proof of concept. One was a journal-based tool that mirrors mail to a separate system for analysis. The other was IRONSCALES, which connects to Microsoft 365 through the API and analyzes mail directly in the mailbox after delivery.

Warwick had a strong opinion about the difference, and he raised it himself before any vendor could spin it.

"I didn't want another hop for mail to go through and potentially a point of failure. It's a mirroring of mail, rather than delving into somebody's mailbox and analyzing it."

An API-based layer adds no hop to the mail flow. There are no MX record changes, no gateway to route through, and nothing new that can break delivery if it goes down. For a team of eight covering seven countries, one less point of failure mattered.

That preference is also how Keelings found IRONSCALES in the first place. While researching alternatives during an earlier round, they searched for options and IRONSCALES came up as one of the leading solutions. When budget landed the following year, it was one of the first names on the list.

The Catch That Ended the Evaluation

IRONSCALES deployed for the POC in read-only mode. It watched traffic and flagged threats, but took no action. This is the trust-building phase, where a security team confirms the tool sees what it claims to see before letting it remediate anything.

During that window, a live CEO impersonation attack came through. Mimecast had let it pass. IRONSCALES flagged it. The Adaptive AI read the message the way the gateway could not, by modeling who normally emails whom, how they write, and what a real request from that executive looks like. The impersonation did not match the pattern, and the platform caught it in real time.

An evaluation is supposed to tell you whether a tool works. This one showed Keelings a real attack the incumbent had already missed. That was the answer.

What 90 Days Looked Like

Keelings deployed IRONSCALES as a post-delivery layer alongside Mimecast, connected through the Microsoft 365 API, with a report-phishing button rolled out to every Outlook user. Activation was uneventful, which is exactly what Warwick wanted.

"When we activated it, nobody noticed across the business. We activated banners, sent communications. Nobody talked about it. And that's quite refreshing, because generally when we make a change across the business, there's a bunch of people who chirp up."

In the first 90 days, IRONSCALES monitored 3.5 million emails and automatically remediated 584 email attacks. It caught 742 impersonation attempts through exact display-name matching, removed 76,100 spam emails, and surfaced 1,235 mailbox anomalies. Twenty VIP accounts were actively targeted with 114 dedicated BEC and phishing attempts. Employees sent 65 reports through the phishing button. The threat mix broke down into 262 general phishing detections, 188 vendor scams, and 91 credential theft attempts, alongside image-based attacks, advance-fee scams, and invoice fraud.

Against the prior 90-day period, threat visibility rose 224%. Most of that had been happening the whole time. Keelings just could not see it before.

And the ongoing workload dropped rather than grew.

"We don't need to tweak it. No rule tuning. No policy updates. No constant feeding and watering."

 

"It's about as close to 'set it and forget it' as you can get, especially compared to the daily management a traditional gateway requires with all its rules and policies."

The daily review shrank from a 20-minute manual sweep to a 15-second scan of the quarantine digest.

The Mistake That Fixed Itself

One story from the deployment says more about API-based architecture than any feature list.

A technician mistakenly removed a batch of legitimate HR platform notifications, about 1,500 emails, across the group. With a gateway, unwinding that means restoring from logs and hoping nothing breaks. Here, the fix was a single reclassification.

"Nobody notices because it just drops straight back into people's mailboxes. It's so reversible on any mistake you make."

Because IRONSCALES operates inside the mailbox through the API, remediation is not a one-way trip through a gateway. Mark it safe and the mail returns instantly. The 1,500 emails were back before most people noticed they had gone.

What Keelings Proves

Keelings did not rip out its gateway. It added an adaptive layer where the gateway was blind, through the API, with no new hop and no delivery risk. The POC caught a live attack the SEG missed, the first 90 days quantified how much had been slipping through, and the daily grind got smaller instead of bigger.

If your gateway keeps letting CEO impersonation through, the fastest way to find out what else it misses is to watch. Turn on an adaptive layer in read-only mode and see what it flags. Sometimes the evaluation is the proof.

Read the full Keelings case study, or see how the IRONSCALES platform catches what secure email gateways miss.

 


Frequently Asked Questions

Can IRONSCALES run alongside an existing secure email gateway like Mimecast?

Yes. IRONSCALES connects to Microsoft 365 through the API and works as a post-delivery layer alongside an existing SEG. There are no MX record changes and no new hop in the mail flow, so it adds detection where the gateway is blind without touching mail delivery.

Why do secure email gateways miss CEO impersonation attacks?

CEO impersonation is a business email compromise (BEC) attack. It carries no malicious link or attachment, so a gateway built to scan content has nothing to block. IRONSCALES uses Adaptive AI to model normal communication patterns and flag messages that impersonate an executive, even when the content looks clean.

How long does IRONSCALES take to deploy?

Deployment takes minutes through the Microsoft 365 API, with no MX changes and no agents. Many teams start in read-only mode, where the platform flags threats without taking action, to build trust before enabling automatic remediation.

Is automatic remediation reversible?

Yes. Because IRONSCALES operates inside the mailbox through the API, a message removed by mistake can be restored instantly by reclassifying it as safe. Keelings restored roughly 1,500 legitimate emails this way, and they dropped straight back into users' mailboxes.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.