
New research from StrongestLayer highlights a fundamental shift in attacker behavior, where adversaries increasingly hide behind business-critical platforms such as DocuSign, Microsoft, and Google Calendar — services organizations can’t block without disrupting operations.
The research analyzed 2,042 advanced email attacks that successfully bypassed Microsoft Defender E3/E5 and market-leading secure email gateways before being detected by StrongestLayer.
“Email security has reached an inflection point,” says Alan LeFort, CEO and co-founder of StrongestLayer. “The controls enterprises depend on were designed to detect patterns and known bad signals. But attackers are now exploiting trusted brands and legitimate infrastructure; areas those systems were never built to reason about.”
The study shows 77 percent of attacks impersonated business-critical brands such as DocuSign, Microsoft, and Google. 77 percent of attacks also failed SPF, DKIM, or DMARC authentication yet still reached inboxes, exposing a widespread enforcement gap. 17 attacks passed all authentication checks, demonstrating that SPF, DKIM, and DMARC validate infrastructure, not attacker intent.
The findings suggest attackers are no longer trying to look legitimate; they’re hiding behind platforms that already are. DocuSign alone accounted for more than one-fifth of all attacks analyzed, particularly targeting legal, financial, and healthcare organizations where document-signing workflows are deeply embedded in daily operations.
Google Calendar attacks represent an especially concerning trend. Because calendar invitations are delivered via calendar APIs rather than email, these attacks bypass secure email gateways entirely, creating a blind spot for most security teams.
Although DMARC is widely cited as a solution to impersonation attacks, most organizations maintain permissive DMARC policies to avoid blocking legitimate but misconfigured senders. Attackers knowingly exploit this reality, delivering messages that fail authentication but are still allowed through.
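To make the enforcement gap concrete, the following added example (not code from StrongestLayer or the research) audits a published DMARC record for settings that let failing mail through and pairs that with the `dmarc=` verdict in an `Authentication-Results` header. The function names, domains, records and header are constructed for illustration, and a missing `p` tag is treated as `none` as a simplifying assumption.

```python
import re

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def enforcement_gaps(record):
    """Return the reasons mail failing DMARC for this domain can still be delivered."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record"]
    gaps = []
    policy = tags.get("p", "none").lower()  # assumption: missing p treated as none
    if policy == "none":
        gaps.append("p=none (monitor only)")
    # sp covers subdomains and defaults to the value of p when absent
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        gaps.append("sp=none (subdomains unenforced)")
    # pct defaults to 100; lower values apply the policy to a sample of failures
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        gaps.append(f"pct={pct} (policy applied to a sample)")
    return gaps

def dmarc_result(auth_results):
    """Extract the dmarc= verdict from an Authentication-Results header value."""
    m = re.search(r"\bdmarc=(\w+)", auth_results, re.IGNORECASE)
    return m.group(1).lower() if m else None

def failed_yet_deliverable(auth_results, record):
    """True when the message failed DMARC and the published policy has a gap."""
    return dmarc_result(auth_results) == "fail" and bool(enforcement_gaps(record))

# Constructed sample data, not taken from the research.
RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=quarantine; pct=25",
    "example.net": "v=DMARC1; p=reject",
}
HEADER = "mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com"

if __name__ == "__main__":
    for domain, rec in RECORDS.items():
        print(domain, enforcement_gaps(rec) or "enforced")
    print(failed_yet_deliverable(HEADER, RECORDS["example.com"]))
```

Only the `p=reject` record with no `sp` or `pct` weakening comes back with an empty gap list; receivers may still apply local overrides that this check cannot see.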
You can read more on the StrongestLayer site.

