Email Attack Taxonomy — StrongestLayer Threat Research 2026
StrongestLayer Threat Research · April 2026

The Evolution of Email Attacks

An interactive taxonomy of 37 attack subtypes across 6 categories, with detection likelihood ratings for SEGs, ML/Behavioral, LLM Wrapper, and Multi-Agentic Reasoning platforms.

37 attack subtypes · 4 architectures compared · 6 threat categories
$55B BEC losses · 68% below 0.30 similarity · $4.45M avg breach cost · 10K+ orgs hit by AiTM

Most email security stacks were built for a previous threat era

The attacks causing the most financial damage today contain no malicious payload, use no known-bad infrastructure, and look like normal business communication. BEC alone has produced $55 billion in cumulative losses since 2013. AI-generated spear phishing has collapsed personalization cost to near zero. AiTM phishing bypasses MFA by design.

These attacks share a common trait: they are structurally invisible to any detection system that only analyzes what arrives in the email itself. The gap is architectural, not configurational.

Key Finding

Traditional bulk phishing exhibits Jaccard similarity of 0.85–0.95. Advanced attacks from Q4 2025 showed average similarity of 0.458. 68% fell below 0.30 — where pattern-matching detection drops below statistical significance.
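The similarity metric behind this finding is easy to reproduce on your own mail telemetry. The block below is an added illustration, not StrongestLayer's code or data: it tokenizes messages into word sets, computes Jaccard similarity, and reports what fraction of a sample falls under the 0.30 threshold. The template, its variants and the three personalized lures are constructed for the example; the figures they produce are only meant to show why a templated campaign clusters near 0.9 while individually written lures sit near zero, not to reproduce the report's measurements.

```python
import re
from itertools import combinations

# --- Constructed sample data (not from the report) ---------------------------
# A classic bulk template and two variants that differ in a single token each.
BULK_TEMPLATE = ("Dear customer, your account has been suspended. Click here to verify "
                 "your password within 24 hours or your account will be closed.")
BULK_VARIANTS = [
    BULK_TEMPLATE.replace("24 hours", "48 hours"),
    BULK_TEMPLATE.replace("Click here", "Click now"),
]
# Three individually written lures with the same goal but no shared wording.
ADVANCED_LURES = [
    "Hi Maria, following up on the Q3 invoice we discussed Tuesday. Accounting flagged "
    "our old remit-to address as outdated, so the updated wire details are attached. "
    "Can you confirm before Friday?",
    "James, quick one: the vendor portal is asking everyone to re-confirm banking info "
    "this week. I already did mine; yours is still showing the old account. Worth a "
    "look when you get a sec.",
    "Hey Priya, travelling today so replying from my phone. Can you push the Henderson "
    "payment through this afternoon instead of Monday? Their CFO called me directly "
    "about it.",
]


def tokens(text):
    """Lower-cased word tokens as a set (bag of words, no stop-word removal)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    """Jaccard similarity |A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity_to_template(template, messages):
    """Score each message against a known template, as a signature engine would."""
    t = tokens(template)
    return [jaccard(t, tokens(m)) for m in messages]


def pairwise_similarities(messages):
    """Score every pair within a set of messages (how tightly a campaign clusters)."""
    sets = [tokens(m) for m in messages]
    return [jaccard(x, y) for x, y in combinations(sets, 2)]


def fraction_below(scores, threshold=0.30):
    """Share of scores under the threshold where pattern matching stops helping."""
    return sum(1 for s in scores if s < threshold) / len(scores)


if __name__ == "__main__":
    bulk = similarity_to_template(BULK_TEMPLATE, BULK_VARIANTS)
    adv = similarity_to_template(BULK_TEMPLATE, ADVANCED_LURES)
    print("bulk variants vs template:", [round(s, 3) for s in bulk])
    print("advanced lures vs template:", [round(s, 3) for s in adv])
    print("advanced lures pairwise:   ", [round(s, 3) for s in pairwise_similarities(ADVANCED_LURES)])
    print("fraction of advanced lures below 0.30:", fraction_below(adv))
```

Scoring against a template is what a signature or fuzzy-hash engine effectively does; the pairwise scores show the second problem, that personalized lures do not even cluster with each other, so there is no campaign template to learn from after the first few samples.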

Four Eras of Email Attacks

2010–14 · Volume Era · $5K–$25K/incident · Defender advantage
2015–18 · Professionalization · $50K–$120K BEC · Shifting to attackers
2019–22 · Infrastructure Era · $1.5M–$4M ransomware · Attacker advantage
2023+ · AI Era · $4.45M avg breach · Zero-cost personalization

Four generations of email security

Each architecture represents a structural generation. Detection likelihood ratings are assessed against all four.

Generation 1 · SEG: Operates on signals at delivery. Signatures, reputation, sandboxing. Limit: only sees what arrived.
Generation 2 · ML / Behavioral: Adds communication graph and behavioral baselines to flag anomalies. Limit: no baseline for new/compromised senders.
Generation 3 Component · LLM Wrapper: Applies an LLM to email content for social engineering indicators. Limit: can only reason about the given content.
Generation 3 Platform · Multi-Agentic Reasoning: Actively retrieves missing context: follows links, detonates attachments, maps vendor infrastructure. Closes gaps by finding what the email doesn't reveal.

37 attack subtypes across 6 categories

Each subtype is broken down by how it appears, its evolution, and its detection likelihood across all four architectures. The grid offers four views: All, SEG Blind Spots, Highest Impact, and AI-Era Threats.

What to do next

1. Identify your current architecture

Determine which of the four architectural generations your primary email security solution represents. The detection ratings tell you what each architecture can and cannot do structurally, regardless of vendor or configuration.

2. Prioritize by your risk profile

Not every attack type is equally relevant. A mid-market company with significant vendor payment flows should prioritize Categories 1 and 3. Use the taxonomy grid above to identify where your current architecture rates Low or None.

3. Ask your current vendor these questions

For Credential Harvesting

Does your platform actively follow links to their final destination, including through redirect chains and AiTM proxies?

For BEC

How does your platform detect a fraudulent payment instruction sent from a legitimately compromised vendor account?

For Malware Delivery

How does your platform handle HTML smuggling, where the payload is assembled client-side and never transmitted as a file?

For Infrastructure Abuse

How does your platform evaluate email sent through a legitimate service like SharePoint or SendGrid that passes all auth checks?
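The malware delivery question above is about HTML smuggling, where the attachment or landing page carries no file and the browser assembles one from script. A defender can at least triage HTML attachments for the assembly chain before asking a vendor how their platform handles it. The scanner below is an added example, not StrongestLayer's code or detection logic: it looks for the three ingredients of client-side assembly (an encoded payload being decoded, a Blob or object URL being built, and a scripted download trigger) and only returns the strongest verdict when all three appear. The indicator names, the weighting, and the three sample documents are constructed for this example; the "smuggling" sample decodes a harmless base64 string and is there only to exercise the regexes.

```python
import re

# Indicator regexes (constructed for this example; tune against your own corpus).
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\("),                 # decode embedded payload
    "blob_assembly":   re.compile(r"\bnew\s+Blob\s*\("),           # build a file in memory
    "object_url":      re.compile(r"URL\.createObjectURL\s*\("),   # expose it as a URL
    "forced_download": re.compile(r"\.download\s*=|setAttribute\(\s*[\"']download"),
    "legacy_save":     re.compile(r"msSaveOrOpenBlob"),            # old IE/Edge save API
    "long_base64":     re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),   # large inline blob
}


def scan_html(html):
    """Return the sorted list of indicator names found in an HTML document."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(html))


def verdict(hits):
    """Combine hits: decode + assembly + trigger is the full smuggling chain."""
    has_decode = "base64_decode" in hits or "long_base64" in hits
    has_assembly = "blob_assembly" in hits or "object_url" in hits
    has_trigger = "forced_download" in hits or "legacy_save" in hits
    if has_decode and has_assembly and has_trigger:
        return "likely-smuggling"
    if has_assembly and (has_decode or has_trigger):
        return "suspicious"        # e.g. a web app exporting a client-side CSV
    return "clean"


# --- Constructed samples ---------------------------------------------------
# Skeleton of the assembly chain; the "payload" is base64 of the text "hello world".
SMUGGLING_HTML = r"""<html><body>
<script>
  var data = "aGVsbG8gd29ybGQ=";
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
</script>
</body></html>"""

# Legitimate pattern that shares two of the three ingredients: client-side CSV export.
EXPORT_HTML = r"""<script>
  var csv = "name,total\nacme,42\n";
  var blob = new Blob([csv], { type: "text/csv" });
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "report.csv";
</script>"""

# Ordinary page with a server-hosted file; the download attribute alone is not an indicator.
BENIGN_HTML = """<html><body><p>Your monthly statement is ready.</p>
<a href="/files/statement.pdf" download>Download PDF</a></body></html>"""


if __name__ == "__main__":
    for label, doc in [("smuggling", SMUGGLING_HTML), ("export", EXPORT_HTML), ("benign", BENIGN_HTML)]:
        hits = scan_html(doc)
        print(f"{label:10s} {verdict(hits):17s} {hits}")
```

The "suspicious" tier exists because the Blob-plus-download pattern is common in legitimate web apps; what separates smuggling is that the bytes are decoded from an inline literal rather than generated from user data, so a triage rule should weight the decode indicator rather than alert on any object URL. Obfuscated scripts can split or rename these calls, which is why this kind of static check is a first filter, not a substitute for actually rendering the document.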

4. Map the gap

For each attack type rated Low or None, assess business impact. Benchmarks: $50K–$120K for BEC, $1.5M–$4M for ransomware, $4.45M average breach cost where email was the initial vector.

Talk To Us

Your gateway can't see what's already inside.

Deploy in minutes, not months. Zero tuning. See what your current tools are missing.