Key Takeaways
Cloud web security has become a cornerstone of modern enterprise defense, protecting browser-based traffic and SaaS application access as workforces operate across distributed environments. Yet for security leaders responsible for safeguarding identity, data, and financial assets, these controls often lack visibility into the email-based attacks that lead to compromised sessions.
This matters because organizations that treat cloud web security as a complete defense leave the inbox without behavioral visibility. This exposes their business to the BEC, account takeover, and vendor fraud threats that drive the highest financial losses reported to the FBI each year.
This article breaks down what cloud web security actually covers and how modern attackers bypass it through techniques like AiTM phishing and OAuth consent abuse. We'll also look at what a complete architecture looks like when behavioral email security is paired with SSE controls.
Why Perimeter-Based Security No Longer Works
Cloud web security exists because the old perimeter model no longer matches how people work or how attackers gain access. The perimeter security model assumed a fixed boundary between trusted insiders and untrusted outsiders, and that assumption no longer holds.
For decades, cybersecurity operated like a castle defense: strong walls, guarded gates, and implicit trust for everything inside. That model made sense when employees sat at desks connected to company networks and data lived on servers you could physically secure.
That world is gone. Teams authenticate from home offices, airport lounges, and mobile devices. Critical data lives across Google Workspace, Salesforce, and dozens of other cloud platform integrations that exist far beyond any corporate firewall. As NIST SP 800-207 states directly: "Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered."
Traditional firewalls and VPNs rely on location-based trust. Once attackers get past those outer defenses using compromised credentials or malicious OAuth tokens, they often find themselves in a trusted zone where legacy systems assume they belong. This can make lateral movement between systems straightforward.
Shifting to Identity-Centric Security Controls
Identity-centric controls scope access by user, device, and context, but valid credentials can still make malicious activity look legitimate. The modern verification approach focuses on confirming who is making each access request and whether that request makes sense in context.
Rather than trusting anyone inside the network perimeter, identity-centric models verify the user and evaluate the risk of each access request. An employee accessing sensitive files from a corporate laptop at the office gets different treatment than the same person using a personal device from an unfamiliar location.
Contextual access risk factors like device posture, login timing, and behavioral patterns are considered before granting, limiting, or escalating access. This shift reflects a permanent change in how work operates. However, identity verification still has a limitation: when an attacker obtains valid credentials through credential phishing, they can satisfy authentication requirements and operate within a session that appears legitimate.
What Cloud Web Security Covers
Cloud web security covers web traffic and cloud application access through a coordinated set of access and inspection controls. It combines several technologies that protect an organization's internet activity and cloud application access through a unified framework.
- Secure Web Gateway (SWG): Filters all web traffic, blocking dangerous websites and malicious downloads while enforcing internet usage policies. SWG operates as an HTTP/HTTPS proxy, inspecting browser-based sessions.
- Cloud Access Security Broker (CASB): Monitors SaaS application usage, identifies which cloud services employees access, including unauthorized ones, and enforces security policies across sanctioned and unsanctioned applications.
- Zero Trust Network Access (ZTNA): Controls resource access by verifying user identity, device health, and contextual signals for each request rather than granting broad network-level trust.
These components work together through a Security Service Edge framework that delivers cloud-based security. SSE scales with distributed workforces and provides consistent policy enforcement regardless of user location.
Key Capabilities to Evaluate in a Cloud Web Security Platform
The strongest cloud web security platforms apply these controls as one system rather than as disconnected point products. When assessing cloud web security solutions, focus on capabilities that operate as a unified system rather than point solutions that create coverage gaps.
- Real-Time Threat Inspection: Scrutinizes HTTP and HTTPS sessions, blocking malware and phishing sites before they reach endpoints. This core SWG function should operate at network speed without introducing latency.
- Data Loss Prevention (DLP): Scans uploads, downloads, and SaaS interactions for sensitive content. Effective DLP enforcement automatically redacts, encrypts, or quarantines data based on predefined rules and regulatory requirements.
- Shadow IT Discovery: Reveals unsanctioned applications through continuous analysis of cloud traffic. CASB components within SSE platforms automatically discover unauthorized apps, enabling security teams to sanction, restrict, or block usage based on risk.
- Granular Access Policies: Control each access request through identity verification, device health assessment, and behavioral context. Permissions adapt based on risk signals rather than relying on static rules.
- Unified Policy Management: Consolidates security controls into a single console. Centralized policy creation helps changes propagate across environments, reducing configuration drift and administrative overhead.
- Cloud-Native Architecture: Delivers elastic capacity, automatic updates, and global proximity to users. Cloud-native solutions tend to outperform retrofitted appliances in scalability, API integration, and latency reduction.
How Modern Attacks Bypass Cloud Web Security Controls
Modern attacks increasingly bypass cloud web security by producing valid sessions or token-based access that these controls treat as legitimate traffic. Rather than attempting to breach SWG, CASB, or firewall defenses directly, attackers have shifted to targeting the identity layer, where web-focused controls have no inspection capability.
The techniques below illustrate how this plays out in practice. Each one begins with an email-delivered lure, routes the victim through trusted infrastructure, and ends with an authenticated session that downstream web controls see as normal activity.
1. Adversary-in-the-Middle (AiTM) Phishing
AiTM phishing can capture a verified session and let an attacker access cloud applications without raising the controls that inspected the login flow.
AiTM attacks use a reverse proxy positioned between the victim and a legitimate authentication endpoint. The victim interacts with the real login page, completes MFA as normal, and the proxy captures the resulting session token. The attacker then replays that token to access cloud applications without triggering further authentication challenges.
SWG may miss this because the phishing link often resolves to a legitimate CDN or identity provider domain. CASB observes a legitimate login event resulting in a valid session token issued by the platform's own infrastructure. Firewalls see standard HTTPS traffic to trusted endpoints. Standard MFA provides no protection because the challenge and response are relayed in real time.
2. OAuth Consent and Device Code Phishing
OAuth consent abuse and device code phishing work through trusted identity infrastructure, which leaves web controls with little basis to block the interaction.
Attackers register malicious OAuth applications requesting broad permission scopes, then deliver consent URLs via email. These URLs resolve to legitimate identity provider domains like login.microsoftonline.com, giving SWG no basis to block them. Once the victim grants consent, the attacker receives OAuth access and refresh tokens that provide persistent access to email, files, and collaboration platforms.
Device code phishing exploits the OAuth Device Authorization Grant. The attacker sends a device code to the victim via email; when the victim authenticates at the legitimate identity provider URL, the attacker's polling session receives the resulting access token. Every interaction occurs on trusted infrastructure.
3. Session Cookie Hijacking
Session cookie hijacking targets the authenticated state after login, which means downstream controls often see a normal session rather than a stolen one.
Modern session hijacking targets post-authentication cookies that encode a fully verified session state. Because the cookie represents a session where MFA was already completed, replaying it bypasses downstream authentication controls. All three email-delivered attack chains share email as the primary delivery mechanism and produce sessions that appear legitimate to cloud web security controls.
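The three techniques above leave traces in identity-provider audit data even though the web controls see normal traffic: a session token that was issued after MFA from one IP and user agent but is then used from another, and a consent grant to an unfamiliar app asking for mail or file scopes plus a refresh token. The following detection logic is an added example and not Abnormal's code; the event format, field names, app names and IP addresses are constructed for illustration.

```python
"""Detection checks for AiTM/cookie replay and risky OAuth consent grants.
Added example; the log schema below is constructed, not a vendor format."""
from datetime import datetime, timedelta

# Constructed sample events: alice completes MFA from her laptop, then her
# session id is used minutes later from a different IP and a scripted client
# (the AiTM / session cookie replay pattern); bob's session is used normally;
# alice also consents to an unsanctioned app requesting broad mail scopes.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "login", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "ua": "Chrome/124 Windows", "mfa": True},
    {"ts": "2024-05-01T09:04:00", "type": "api", "user": "alice", "session": "s1",
     "ip": "198.51.100.7", "ua": "python-requests/2.31"},
    {"ts": "2024-05-01T09:30:00", "type": "login", "user": "bob", "session": "s2",
     "ip": "203.0.113.11", "ua": "Chrome/124 Windows", "mfa": True},
    {"ts": "2024-05-01T09:31:00", "type": "api", "user": "bob", "session": "s2",
     "ip": "203.0.113.11", "ua": "Chrome/124 Windows"},
    {"ts": "2024-05-01T10:00:00", "type": "oauth_consent", "user": "alice",
     "app": "Doc Sync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
]
# Scope names follow Microsoft Graph naming; the sanctioned list is constructed.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}
SANCTIONED_APPS = {"Corporate HR Portal"}


def find_session_replay(events, window=timedelta(minutes=30)):
    """Flag a session id used from a different IP *and* user agent than the
    login that completed MFA, within `window` of that login."""
    origin, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "login" and e.get("mfa"):
            origin[e["session"]] = e
        elif e["type"] == "api" and e["session"] in origin:
            o = origin[e["session"]]
            age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(o["ts"])
            if age <= window and e["ip"] != o["ip"] and e["ua"] != o["ua"]:
                hits.append((e["user"], e["session"], o["ip"], e["ip"]))
    return hits


def find_risky_consents(events):
    """Flag consent grants to unsanctioned apps that request broad mail/file
    access or a refresh token (offline_access), the OAuth abuse pattern."""
    return [(e["user"], e["app"], sorted(RISKY_SCOPES & set(e["scopes"])))
            for e in events if e["type"] == "oauth_consent"
            and e["app"] not in SANCTIONED_APPS
            and RISKY_SCOPES & set(e["scopes"])]


if __name__ == "__main__":
    print(find_session_replay(EVENTS))
    print(find_risky_consents(EVENTS))
```

Both checks run on identity-layer telemetry rather than on web traffic, which is exactly the data the SWG, CASB and firewall described above never see.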
Why Cloud Web Security Falls Short Without Email Protection
Cloud web security often lacks visibility into the email layer where many high-impact attacks begin and where message intent matters most. SSE platforms are architecturally scoped to web, cloud application, and private application access. Email security is a separate control plane, evaluated independently by analysts like Gartner and Forrester.
The gap is structural, not configurational. SWG is an HTTP/HTTPS proxy. SMTP is a different protocol with its own message syntax, MIME encoding, and layered content structure. Even when email is accessed through a browser, SWG may inspect the outer web session but has no mechanism to parse message content, evaluate sender identity signals, or model communication relationship patterns.
This matters because business email compromise (BEC) is consistently the most financially damaging crime category tracked by the FBI IC3. According to the FBI IC3 Annual Report, BEC accounted for approximately $2.77 billion in adjusted losses across 21,442 complaints in 2024.
BEC attacks typically involve no malicious URL or file attachment. The threat exists entirely in the identity and intent of the message: a compromised executive account instructing a wire transfer, or a spoofed vendor requesting updated payment details. These messages pass SPF, DKIM, and DMARC checks. They carry no payload for SWG to inspect.
Legacy email gateways (SEGs) rely on static rules, known-bad signatures, and blocklists, methods that often struggle against personalized, payload-free attacks. Vendor fraud arrives from authenticated domains with established communication history.
The single overlap between SSE and email-delivered threats occurs post-click: when a user clicks a URL in an email, the browser session may transit the SWG for URL reputation checking. This is a secondary control that does not address payload-less BEC, depends on user click behavior, and is defeated by dynamic rendering techniques.
How Abnormal Helps Close the Email Security Gap
Abnormal helps close the email gap by applying behavioral AI to email-borne threats that web-focused controls were not designed to interpret.
Abnormal is designed to address this gap with behavioral AI that analyzes the communication patterns, timing, and relationship history of senders and recipients across an organization's email environment. Rather than relying on known indicators of compromise, Abnormal builds dynamic behavioral baselines that help surface subtle anomalies: unexpected wire transfer requests, shifts in writing style, messages from first-contact domains that closely resemble established vendor addresses, or workflow cadence deviations that suggest account takeover.
This identity-aware approach is designed to detect advanced threats like business email compromise, account takeovers, and vendor fraud that legacy email gateways often miss. Abnormal works alongside existing security infrastructure, including SSE platforms and email gateways, to provide the behavioral intelligence layer that web-focused controls lack.
Abnormal deploys via API with no MX record changes or endpoint agents, integrating natively with Microsoft 365 and Google Workspace. It delivers contextual alerts, automates threat remediation, and helps reduce false positives so security teams can respond faster with less manual effort.
Building a Complete Cloud Security Architecture
A complete cloud security architecture pairs cloud web security with email protection because these controls address different parts of the attack chain.
Cloud web security addresses a critical portion of the attack surface, but email remains one of the most common attack vectors for enterprise breaches. A complete architecture pairs SSE controls for web and cloud application access with behavioral email security that operates at the identity layer.
Organizations that treat these as complementary rather than interchangeable controls close the structural gap attackers rely on. Recognized as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms, Abnormal provides the behavioral detection layer that cloud web security was never designed to deliver.
Book a demo to see how Abnormal's behavioral AI helps protect against the email-based attacks that bypass traditional cloud web security defenses.
