Email is the most popular vector through which to initiate successful cyberattacks. Statistics indicate that anywhere between 90% and 95% of all such attacks involve email, whether to deliver malware, to hoodwink a user into visiting a website from which ransomware will be downloaded, or simply to imitate a CEO or CFO and demand that a multimillion-dollar payment be expedited forthwith.

It should be no surprise, then, that email security is a core requirement for any organization. So much so that, in 2020, market leader and pure-play email security vendor Proofpoint produced more than $1 billion in revenue for the first time.

This is a sector in transition, however, as Omdia explains in a newly published report comparing top email security vendors, entitled "Omdia Universe: Selecting an Inbound Email Security Platform."

Omdia qualifies the description with the pseudo-epithet "inbound" because outbound email security is still quite a distinct market, at a much earlier stage in its development. Outbound email security features a different set of dedicated vendors, while only a few of the inbound security vendors have added features to address this requirement.

Inbound email security represents the lion's share of the overall email security market, and with good reason. Dodgy email attachments spawned the antivirus industry way back in the 1980s, creating a few industry titans like Symantec and McAfee along the way, and while creative solutions such as malware sandboxing have emerged to blunt the threat, email remains the easiest way into a target environment, particularly now that malware, spam, and spyware represent just a few of the tactics adversaries employ.

Change in the email security landscape is driven by two primary factors. First, there is the aforementioned evolution in the types of attacks, with methods such as phishing, business email compromise (BEC), and executive fraud now predominating (and doing the most monetary damage). Second, as with virtually every other area of IT, is the cloud.

Cloud Changes Everything
Since Microsoft started delivering email from cloud-based email servers in 2011 with the launch of Office 365, that part of the market has mushroomed; a decade later, the software giant now serves some 300 million corporate inboxes from the cloud.

One of the first consequences of the success of Office 365, now renamed as Microsoft 365, was to force all the vendors of on-premises email security products (the so-called secure email gateways, or SEGs), to develop cloud-based versions of their offerings.

More interestingly, however, an entire new market segment has now evolved, made up of companies with security platforms that reach into Office 365 via Microsoft's application programming interface (API). This is in contrast to SEGs, which sit in front of the email server (or, these days, service) and rely on an MX redirect for the message to go to them first and are thus a "one-time" security check.

Figure 1: The SEGs move into the cloud. Source: Omdia

The Redmond Leviathan Enters the Ring
Just as consequentially, Microsoft's move to the cloud for email services also brought it into the world of email security, in a way it had never been when it resided on corporate premises with an Exchange server. Its email security offering now includes two different products: Exchange Online Protection (EOP) to guard against malware, spam, and spyware; and Advanced Threat Protection (ATP, now also known as Microsoft Defender) to combat more modern attack methodologies.

So, is Microsoft a competitor in this market? Well, yes and no. It bundles EOP into all the various SKUs of Microsoft 365 and offers ATP as part of the higher-level, more expensive E5 SKU. It does not, however, offer them as stand-alone products, and one certainly wouldn't expect to use either platform to defend, say, Gmail accounts.

Nonetheless, the availability of Microsoft email security products does make the work of other vendors offering email security for O365 that little bit harder. Indeed, one might wonder, "If I'm already getting EOP, why do I need a SEG?"

One could ask a similar question with regard to ATP and the newer generation of email security vendors, which for simplicity's sake, Omdia calls simply the non-SEGs. (A competing research firm refers to these vendors with acronyms including IESS and CESS, but they don't seem to be catching on in the market, perhaps because no vendor wants to be classified as being in the CESS pool!)

However, both SEGs and non-SEGs insist that their detection and remediation capabilities are much better than Microsoft's, citing the number of corporate customers that use them, despite the availability of EOP and ATP.

Meanwhile the non-SEG vendors, all of whom are far smaller than the big SEG players, argue that a combination of Microsoft EOP, to stop the common-or-garden email-bound threats, and their technology for protection against the more advanced attacks, is a cheaper and more effective alternative to the SEGs, even though many of the latter have also added protection from phishing, BEC, and so on in recent years.

Email as a Fourth Pillar of XDR
As Omdia was finalizing the report, one of the most interesting of the non-SEGs was acquired by a security industry heavyweight, with Check Point buying Avanan.

Omdia highlighted Avanan as a leader in the space, despite its minuscule size compared with the likes of fellow leaders Proofpoint and Mimecast, because of its differentiated technical approach: It started out as an API-based non-SEG like the rest, then added an inline inspection capability to sit after, rather than before, the email service, casting itself as a "last line of defense." It also covers other software-as-a-service applications besides O365 and Gmail, including Box, Dropbox, Teams, and Slack.

The acquisition, aside from bolstering Check Point's email security offering, also highlights a broader trend, namely the integration of data from email security products into so-called extended detection and response (XDR) platforms. XDR takes telemetry from multiple security tools (particularly in the areas of endpoint, network, and cloud), analyzes it centrally, usually in a cloud-based data lake, and then takes decisions about remedial actions and pushes them back out to the individual tools for enforcement. And email is fast becoming the fourth obligatory pillar.

Figure 2: The four pillars of XDR. Source: Omdia

This situation favors those security vendors with portfolios covering all the pillars required to feed telemetry to an XDR platform. Three of the top five SEG players, Broadcom/Symantec, Cisco, and Barracuda, fall into that category. Numbers 1 and 2 on the list, however, are Proofpoint and Mimecast, neither of which are broad-based security players, so both must rely on integrations with partners' products if customers want to use them in an XDR deployment. Meanwhile, Check Point has already stated that the Avanan product will integrate with its Infinity architecture, which is its XDR offering.

Looking Ahead: The Future of Email Security
Omdia forecasts growth in the cloud-based SEG-as-a-service portion of the SEG market through 2024, when it should reach $2 billion, up from last year's $1.6 billion.

But which vendors are best placed to take advantage of that growth? Will it be existing SEG vendors, emerging players, or indeed, will Microsoft itself seek to mop up that extra email security spending by enterprises?

While Omdia believes competition will remain robust in all segments of the email security market, observers should watch Microsoft carefully. The vendor has promised to invest $20 billion in security during the next five years, quadrupling its current spending. Should Microsoft decide to add to its existing email security offerings, or merely make access more challenging or costly for email security vendors, the ramifications would be felt far and wide.