If you’ve followed Part 1 and Part 2 of this series, you already know one of the biggest takeaways from our inbox-level research: Credential phishing is consistently one of the most-missed types of attacks.
But the “why” behind that stat is what really matters, especially if you're still relying on a Secure Email Gateway (SEG) for protection.
Unlike traditional phishing, credential theft attacks don’t come with an obvious “tell.”
No sketchy attachments.
No weird URLs (at least not always).
No malware payloads.
Instead, they’re designed to look legit...as in, “security update from your IT team” or “verify your account activity” kinds of legit.
Sometimes they include a link to a real-looking login page.
Other times, they’re just plain text emails asking you to call, click, or confirm something that sounds urgent.
They don’t trip the usual filters, because they don’t play by the usual rules.
The short version: credential phishing is subtle, socially engineered, and constantly evolving.
Traditional SEGs use static detection logic, i.e. rule sets and pattern matching that look for signs of known-bad behavior. That works for payload-based threats, but it breaks down when:
Even SEGs that claim AI/ML capabilities often struggle because their models aren’t designed to detect "malicious intent"; they’re tuned for threats, not tactics.
And credential phishers are masters of tactics. “It’s not about the link. It’s about the trick.”
Across all the SEG vendors we analyzed (Barracuda, Cisco IronPort, Mimecast, and Proofpoint), credential phishing attacks ranked as one of the top two missed attack types, every time.
Here’s a snapshot of the percentage of missed credential theft attacks:
Barracuda: 35.7%
Cisco IronPort: 33.0%
Mimecast: 30.3%
Proofpoint: 29.8%
And these weren’t edge cases: they showed up consistently across different org sizes and environments.
Credential phishing isn’t going away. If anything, it’s getting better at looking real and slipping past perimeter defenses (ahem, thanks to GenAI). A few recommendations:
Stop relying on legacy indicators like blacklisted URLs or attachment scans.
Add behavioral and contextual detection at the inbox level.
Loop in users; they’re your best sensors when empowered with good tools.
Watch for impersonation patterns, especially those that mimic internal tools, SSO pages, or IT service alerts.
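To make the "behavioral and contextual" recommendation concrete, here is an added example (not code from the original post or from any SEG vendor) that scores a raw email on sender-identity, reply-path, urgency and look-alike-login signals, none of which depend on an attachment or a blacklisted URL. The org domain, keyword lists and the two sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values (illustrative, not from the post or any vendor's rule set).
ORG_DOMAIN = "example.com"
ROLE_RE = re.compile(r"\b(it|helpdesk|help desk|service desk|security|sso|admin)\b")
URGENCY = ("verify your account", "within 24 hours", "immediately", "will be suspended", "confirm your")
LOGIN_WORDS = ("login", "signin", "sso", "verify", "auth")

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, reasons): contextual signals that need no attachment or known-bad URL."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, reasons = _domain(addr), []
    # 1. Internal-sounding display name ("IT Helpdesk") on an address outside the org.
    if from_dom != ORG_DOMAIN and ROLE_RE.search(name.lower()):
        reasons.append("internal-role display name from external domain")
    # 2. Reply-To steers replies to yet another domain.
    if _domain(msg.get("Reply-To", addr)) != from_dom:
        reasons.append("reply-to domain differs from sender domain")
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain").lower()
    # 3. Urgent "call/click/confirm" wording typical of plain-text lures.
    if hits := [p for p in URGENCY if p in body]:
        reasons.append("urgency phrases: " + ", ".join(hits))
    # 4. Login-looking link on a domain the org does not own (a "real-looking" SSO page).
    for u in map(urlparse, re.findall(r"https?://[^\s<>\"']+", body)):
        host = u.hostname or ""
        if host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN) and any(w in u.path for w in LOGIN_WORDS):
            reasons.append(f"external login-style link: {host}{u.path}")
            break
    return len(reasons), reasons
# Constructed sample: plain text, no attachment, no link, external sender posing as IT.
LURE = """From: "IT Helpdesk" <support@mail-notify.example.net>
Reply-To: it-desk@respond-now.example.org

Your password expires today. Call 555-0100 within 24 hours to confirm your account or access will be suspended.
"""
# Constructed sample: genuine notice from the org's own domain, same display name.
BENIGN = """From: "IT Helpdesk" <helpdesk@example.com>

The VPN is unavailable Saturday 02:00-04:00 for patching. No action is needed.
"""
if __name__ == "__main__":
    print(score_message(LURE), score_message(BENIGN))
```

Running it prints a score of 3 for the plain-text lure and 0 for the internal notice, even though both carry the same display name and neither contains an attachment or a URL.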
In [Part 4], I’ll dig into the other category of phishing attacks that SEGs routinely miss—vendor scams. These are harder to detect, easier to trust, and more expensive to recover from than most people realize.
In the meantime, if you’ve seen credential attacks sneak through your SEG, I’d love to hear your story.