Why Graph API Throttling Leaves Phishing in Your Inbox

June 3, 2026
Shannon Lewis

What if a Phish Sat in Your Inbox for Two Minutes While the API Throttled?

Graph API throttling is documented in Microsoft's own developer guidance. When a client exceeds its limits, Graph rejects the request with HTTP 429 Too Many Requests and a Retry-After header, and the caller has to back off and try again. That phishing email your post-delivery scanner flagged? It sits in the inbox until the retry finally succeeds.

Users open it. They click. Your M-SOAR tool is still waiting for capacity to pull it back.

This is the operational reality of API-only email security in high-volume environments. It's not hypothetical.

Why This Matters Now

Email remains the primary attack surface for credential theft and account compromise. Attackers have adapted to both Microsoft 365 native protections and traditional Secure Email Gateways (SEGs).

Threats now bypass signature-based and reputation-based detection by using compromised legitimate URLs, natural language manipulation, and zero-day social engineering tactics. Microsoft's built-in tools catch known threats effectively but lack the behavioral AI and natural language understanding (NLU) required to detect novel attacks.

Meanwhile, organizations running both a SEG and Microsoft 365 are paying for overlapping functionality. A significant portion of enterprises report complete duplication between their gateway and Microsoft's native filtering. The gateway blocks spam Microsoft already caught. But when a sophisticated attack arrives, both tools miss it.

Gartner introduced the term Integrated Cloud Email Security (ICES) to describe API-integrated solutions that augment cloud email platforms without replacing them. Gartner predicts that by 2025, 20% of anti-phishing deployments will use API integration, up from less than 5% when the category was first defined.

Three Strategic Gaps Exposed

Graph API Throttling Delays Remediation When It Matters Most

Post-delivery remediation relies on API capacity. When your environment experiences a burst of email activity, or a coordinated phishing campaign hits many mailboxes at once and every one of them needs its own remediation call, the Graph API throttles requests to protect platform stability. Limits are enforced per app and per tenant, and for Outlook resources per mailbox, so a single remediation tool firing hundreds of calls into one tenant is exactly the pattern that trips them.

  • Remediation calls are rejected with HTTP 429 and must wait out the Retry-After interval while the malicious messages remain readable
  • Users interact with threats before quarantine or warning banners are applied
  • Incident response timelines extend beyond acceptable risk windows
  • Security teams lose visibility into whether remediation actually completed unless the final response of every call is recorded; a 429 is not a completion
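The failure mode above is a client-side problem as much as a platform one: a remediation tool that retries blindly, or that logs the attempt rather than the outcome, makes the exposure window longer and invisible. The following is an added example, not KnowBe4's or Microsoft's code, of a Graph remediation call that honours Retry-After and reports how long each message stayed reachable. It assumes PowerShell 7 (for `-SkipHttpErrorCheck`), an app-only token in `$Token` with `Mail.ReadWrite`, and that the user and message IDs come from your own detection output; the `-Send` hook and the throttled stand-in at the end are hypothetical, added so the logic can be exercised offline.

```powershell
# Added example (not KnowBe4's or Microsoft's code): a post-delivery remediation
# call that honours Graph's 429 Retry-After instead of retrying blindly, and
# reports how long the message stayed reachable while the API throttled.
# Assumes PowerShell 7 (-SkipHttpErrorCheck) and an app-only token in $Token
# with Mail.ReadWrite; $UserId and $MessageId come from your detection output.

function Invoke-GraphRemediation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $MessageId,
        [Parameter(Mandatory)] [string] $Token,
        [int] $MaxAttempts = 6,
        # Hypothetical hook for offline testing: takes ($Uri, $Body, $Headers) and returns
        # an object with StatusCode and Headers, which is what Invoke-WebRequest returns.
        [scriptblock] $Send
    )

    if (-not $Send) {
        $Send = {
            param($Uri, $Body, $Headers)
            Invoke-WebRequest -Method Post -Uri $Uri -Body $Body -Headers $Headers `
                -ContentType 'application/json' -SkipHttpErrorCheck
        }
    }

    # Graph "move" action. 'deleteditems' is a well-known folder name, so no folder
    # lookup (and no extra throttled request) is needed.
    $uri     = "https://graph.microsoft.com/v1.0/users/$UserId/messages/$MessageId/move"
    $body    = @{ destinationId = 'deleteditems' } | ConvertTo-Json -Compress
    $headers = @{ Authorization = "Bearer $Token" }
    $waited  = 0

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $resp = & $Send $uri $body $headers
        $code = [int]$resp.StatusCode

        if ($code -eq 201) {
            return [pscustomobject]@{ MessageId = $MessageId; Result = 'Moved'; Attempts = $attempt; SecondsThrottled = $waited }
        }
        if ($code -eq 404) {
            # Already gone: the user deleted it or another tool got there first. Record, do not retry.
            return [pscustomobject]@{ MessageId = $MessageId; Result = 'NotFound'; Attempts = $attempt; SecondsThrottled = $waited }
        }
        if ($code -in 429, 503) {
            # Graph says how long to wait; retrying sooner only extends the throttling window.
            $retry = [int]($resp.Headers['Retry-After'] | Select-Object -First 1)
            if ($retry -le 0) { $retry = [int][math]::Min(60, [math]::Pow(2, $attempt)) }
            $waited += $retry
            Start-Sleep -Seconds $retry
            continue
        }
        # Anything else (401 expired token, 403 missing Mail.ReadWrite, other 5xx) is a hard failure.
        return [pscustomobject]@{ MessageId = $MessageId; Result = "Failed($code)"; Attempts = $attempt; SecondsThrottled = $waited }
    }
    # Retries exhausted: the message is still in the mailbox, and the SOC needs to see that.
    return [pscustomobject]@{ MessageId = $MessageId; Result = 'StillExposed'; Attempts = $MaxAttempts; SecondsThrottled = $waited }
}

# Constructed stand-in for a throttled tenant: two 429s with Retry-After: 2, then success.
$script:calls = 0
$throttledGraph = {
    param($Uri, $Body, $Headers)
    $script:calls++
    if ($script:calls -le 2) {
        return [pscustomobject]@{ StatusCode = 429; Headers = @{ 'Retry-After' = '2' } }
    }
    [pscustomobject]@{ StatusCode = 201; Headers = @{} }
}

Invoke-GraphRemediation -UserId 'user@contoso.example' -MessageId 'message-id-from-detection' `
    -Token 'placeholder' -Send $throttledGraph
```

Against the stand-in the function returns `Moved` on the third attempt with `SecondsThrottled` equal to the sum of the Retry-After values it was told to wait; feed that field into your incident record, because it is the exposure window the article describes. Two caveats: Deleted Items is still reachable by the user, so choose the destination your remediation policy actually calls for, and wrapping many moves in a Graph `$batch` request does not escape the limits, since each request inside the batch is counted individually.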

Native Tools Miss Attacks That Use Legitimate Infrastructure

Attackers have shifted to using compromised legitimate domains and URLs as delivery mechanisms. Phishing campaigns now frequently use trusted infrastructure to host credential harvesters or deliver malware through HTML smuggling techniques.

  • Reputation-based detection fails when the URL or domain has clean history
  • Signature-based tools can't detect text-based social engineering that uses natural language manipulation
  • Account compromise scenarios pass sender authentication (SPF, DKIM and DMARC all succeed) because the mail genuinely originates from the compromised mailbox
  • Zero-day phishing tactics require behavioral analysis and NLP that native tools don't provide

SEG and Microsoft 365 Overlap Creates Cost Without Coverage

Organizations running a traditional SEG in front of Microsoft 365 are paying for two layers of protection that largely duplicate effort on low-complexity threats while both miss advanced attacks.

  • Gateway hygiene and Microsoft filtering target the same spam and known malware
  • Neither tool applies AI-driven inspection to detect novel phishing techniques
  • MX record changes and gateway maintenance add operational overhead
  • Vendor consolidation becomes necessary but teams lack a clear replacement path

The Strategic Shift Required

Email security architecture needs to augment cloud-native protections rather than replace them. Microsoft 365 handles bulk filtering and known threat removal effectively. The gap is in advanced threat detection, behavioral analysis, and fast remediation.

ICES solutions integrate via API to inspect email content using AI, natural language processing (NLP), and NLU. They detect threats based on intent and behavior rather than signatures or reputation. And they enable remediation without the architectural complexity of a gateway.

This approach also addresses the API throttling problem. Solutions that support mail flow rule inspection use an Exchange Online transport rule to route inbound mail to the inspection service before delivery, avoiding post-delivery API dependency entirely. Threats are caught inline, and remediation happens before users see the message. The trade-off is that delivery now depends on the inspection hop: a slow or unreachable inspection endpoint delays mail rather than delaying remediation, so that failure mode needs to be tested and monitored.

  • Deploy without changing MX records or replacing existing infrastructure
  • Use AI and NLP to detect zero-day phishing and social engineering
  • Apply M-SOAR for automated response and user education at the mailbox level
  • Consolidate vendors by removing the SEG while maintaining advanced threat coverage

How KnowBe4 Defend Addresses This

KnowBe4 provides ICES capabilities through its Defend platform, which integrates with Microsoft 365 to deliver the detection and remediation layer native tools can't provide.

  • Graph API throttling delays: Defend supports mail flow rule inspection to catch threats before delivery, bypassing the post-delivery API queue entirely and ensuring remediation happens in real time.
  • Native tools missing advanced threats: Defend uses AI, NLP, and NLU to analyze email content for intent and behavior, detecting zero-day phishing, business email compromise, and account takeover attempts that signature-based tools miss.
  • SEG and Microsoft overlap: Defend deploys in minutes without MX changes, enabling organizations to remove their SEG and consolidate vendors while maintaining coverage for sophisticated attacks through API-based inspection and M-SOAR.

Who This Is For

  • Security engineers managing Microsoft 365 environments who need advanced threat detection without gateway complexity
  • IT managers evaluating SEG consolidation and looking for API-integrated alternatives
  • CISOs addressing gaps in phishing protection and account compromise risk
  • Compliance managers ensuring email security controls meet regulatory requirements without operational disruption

Call to Action

See how KnowBe4 Defend detects the threats Microsoft 365 misses and enables real-time remediation without MX changes. Visit https://content.optrics.com/knowbe4-security-awareness-training

FAQ

What is ICES and how does it differ from a traditional SEG?
ICES, or Integrated Cloud Email Security, integrates via API with cloud email platforms like Microsoft 365 to provide advanced threat detection without replacing native protections. Unlike SEGs, which sit in the mail flow and require MX changes, ICES solutions deploy quickly and focus on detecting sophisticated attacks using AI and behavioral analysis rather than signature-based filtering.

How does mail flow rule inspection avoid Graph API throttling?
Mail flow rule inspection diverts emails for analysis before they reach the inbox, allowing the ICES solution to inspect and remediate threats inline. This avoids the post-delivery API dependency that causes throttling delays during high-volume periods, ensuring that malicious emails are caught before users can interact with them.
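The routing described in this answer and in "The Strategic Shift Required" above comes down to three Exchange Online objects: a rule-scoped outbound connector to the inspection service, an inbound connector for the return leg, and the transport rule that ties them together. The following is an added example, not KnowBe4's deployment steps or Microsoft's documentation code. The smart host, certificate domain and loop-prevention header name are placeholders that your vendor supplies; it assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example, not KnowBe4's deployment steps or Microsoft's documentation code:
# the Exchange Online objects behind "mail flow rule inspection". Mail still arrives
# at EOP via the unchanged MX record; a transport rule then hands external mail to the
# inspection service through a rule-scoped connector, and the service returns it over TLS.
# Placeholders supplied by the vendor: smart host, certificate domain, and the header
# the service stamps on mail it has already inspected.
# Requires the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

$inspectHost   = 'inspect.example.net'   # vendor smart host (placeholder)
$inspectDomain = 'example.net'           # domain on the vendor's TLS certificate (placeholder)
$loopHeader    = 'X-Inspected-By'        # header the vendor adds on the way back (placeholder)

# Outbound leg: only a transport rule can use this connector, so ordinary outbound mail is unaffected.
New-OutboundConnector -Name 'ICES inline inspection' -ConnectorType Partner `
    -UseMXRecord $false -SmartHosts $inspectHost `
    -TlsSettings DomainValidation -TlsDomain $inspectDomain `
    -IsTransportRuleScoped $true -Enabled $true

# Return leg: accept mail back from the vendor only over TLS with a certificate for its domain,
# so nothing else can inject "already inspected" mail on this path.
New-InboundConnector -Name 'ICES return path' -ConnectorType Partner `
    -SenderDomains '*' -RequireTls $true `
    -RestrictDomainsToCertificate $true -TlsSenderCertificateName $inspectDomain `
    -Enabled $true

# The rule: external mail goes to the vendor before delivery, unless it already carries the
# vendor's header. Without that exception, returned mail would match again and loop.
New-TransportRule -Name 'Route external mail to ICES' -Priority 0 -Mode Enforce `
    -FromScope NotInOrganization `
    -ExceptIfHeaderContainsMessageHeader $loopHeader -ExceptIfHeaderContainsWords 'true' `
    -RouteMessageOutboundConnector 'ICES inline inspection' `
    -Comments 'Pre-delivery inspection hop; disable this rule to bypass the vendor if it is unreachable'

# Verification: the rule should be first in order and the connector should be rule-scoped.
Get-TransportRule 'Route external mail to ICES' |
    Select-Object Name, Priority, State, RouteMessageOutboundConnector
Get-OutboundConnector 'ICES inline inspection' |
    Select-Object Name, IsTransportRuleScoped, TlsSettings, TlsDomain
```

Two checks before trusting this in production: confirm that the vendor's header is set on every returned message (otherwise the rule will re-route it and you will see mail loop until Exchange gives up), and deliberately make the smart host unreachable in a test tenant. Routed mail then defers in Exchange Online instead of being delivered, which is the availability dependency the inline model introduces; decide in advance whether you disable the rule and fail open, or accept the delay and fail closed, and watch for the symptom with `Get-MessageTrace`.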

Can ICES solutions detect phishing that uses legitimate compromised URLs?
Yes. ICES platforms use NLP and NLU to analyze email content for social engineering tactics and intent rather than relying solely on URL reputation or signatures. This enables detection of phishing attacks that use trusted domains or compromised infrastructure to deliver credential harvesters or malware.

Does removing a SEG reduce email security coverage?
Not if the ICES solution provides advanced threat detection and remediation capabilities. Microsoft 365 handles bulk filtering and known threats effectively. The gap is in detecting zero-day phishing and sophisticated social engineering. An ICES platform with AI-driven inspection and M-SOAR can replace the SEG without losing coverage for advanced attacks, while reducing vendor overlap and operational complexity.

Optrics is an engineering firm with certified IT staff specializing in network-specific software and hardware solutions.

Contact Information

6810 - 104 Street NW
Edmonton, AB, T6H 2L6
Canada
Google Plus Code GG32+VP
Direct Dial: 780.430.6240
Toll Free: 877.430.6240
Fax: 780.432.5630
Copyright 2025 © Optrics Inc. all rights reserved. 