← All articles

How phishing slips past secure email gateways

GottaPhish Team · June 27, 2026

A secure email gateway (SEG) is often the first line of defense against phishing, filtering spam, malware, and known-bad senders before mail reaches the inbox. It stops enormous volumes of low-effort attacks. But attackers design specifically to evade it, and understanding those techniques conceptually is how defenders keep the human layer sharp for what gets through.

What a SEG checks — and what it can't

A gateway evaluates messages at the moment of delivery using sender reputation, authentication results, content signatures, attachment sandboxing, and URL analysis. Its structural weakness is simple: it inspects the message once, mostly from the outside, and mostly at delivery time. Everything below exploits one of those constraints.

Trusted senders: internal and compromised accounts

The most effective phishing often doesn't come from outside at all.

These messages ride on relationships the SEG is configured to trust, which is exactly why they land.

Hiding the payload from content scanners

Image-only emails

The entire message is a single rendered image with no scannable text. Signature and keyword filters see nothing to match; the human sees a convincing invoice or notice with a phone number or QR code to act on.

QR-code phishing (quishing)

The malicious link is encoded in a QR image rather than a clickable URL. The gateway sees a picture, not a link, and the victim scans it with a personal phone that often sits outside corporate web filtering and MFA controls entirely.

HTML smuggling

The email or attachment carries benign-looking markup that assembles the real payload in the browser, after delivery — so the gateway inspects an innocuous file and passes it. The reconstruction happens on the endpoint, past the point of email inspection.

Beating time-of-delivery scanning

Delayed weaponization of URLs

A link is scanned at delivery and found clean because, at that moment, it points to a harmless page. Hours later the attacker swaps the destination for the phishing payload. The SEG already made its verdict and moved on.

09:00  link → benign placeholder page   → SEG verdict: clean, delivered
13:00  same link → live phishing page   → victim clicks

Benign-first and cloaked pages

Even at click time, the page can serve harmless content to automated scanners and the real lure only to targeted victims, using geofencing, referer checks, and CAPTCHA gates to separate the two.

A SEG makes a point-in-time decision about a message that attackers can change after the decision is made. That timing gap is not a bug in any product — it is inherent to filtering mail at delivery.

Why the human layer still matters

None of this means the SEG is failing. It means a gateway is one probabilistic filter in a chain, and the residual — the mail engineered specifically to pass it — is by definition the most convincing. That residual reaches a person.

A trained, skeptical, reporting workforce is the control positioned exactly where the SEG's guarantees end:

Every report is also a live signal your SOC can pivot on — to pull the same message from other inboxes and shorten the campaign's dwell time. Layer this with phishing-resistant MFA, so that even a successful credential lure cannot complete a login.

How GottaPhish helps

A secure email gateway stops enormous volumes of attacks, but determined attackers design specifically to slip past it — and no filter alone catches everything that reaches the inbox. GottaPhish and its expert support team measure the exact scenarios that survive a SEG — compromised-account and internal-looking sends, quishing, image-only lures, and delayed-weaponization links — through authorized, fully audited simulations, so you see which employees engage, which report, and how quickly. Our experts help you design realistic scenarios, deploy the campaigns, and interpret the dashboards, turning every campaign into targeted training and concrete detection signals for your SOC. That strengthens the human layer precisely where technology reaches its limits.