A secure email gateway (SEG) is the standard first line of defense, and a good one stops the overwhelming majority of malicious and bulk email before it reaches the inbox. But no gateway catches everything — and the reason isn't a particular vendor's shortcoming. It's structural: a gateway makes its decision when the message is delivered, and some attacks are built specifically to defeat a delivery-time check.
How a gateway decides — and where that leaves a gap
Gateways scan a message once, as it arrives, against what is known at that moment: reputation, signatures, blocklists, and increasingly behavioural and AI models. That works well for known and high-volume threats. The gap opens for anything that is unknown at delivery, changes after delivery, or never passes through the gateway at all.
The four blind spots every gateway shares
- Zero-day pages. A brand-new phishing site isn't on any list and hasn't been seen before, so there's nothing to match against when the message is scanned — which is exactly when most damage is done.
- Time-of-click weaponisation. Attackers send a link that points to a clean or empty page, pass the gateway's inspection, then swap the destination to a phishing page after delivery. The gateway's verdict is already stale by the time anyone clicks.
- QR codes and links from outside email. A QR code hides its destination from text-based scanning, and a huge share of phishing now arrives by SMS, chat apps, ads and search results — none of which travel through the email gateway.
- Tailored business email compromise. A short, text-only message impersonating an executive or supplier carries no attachment or malicious link for a gateway to detect.
Closing the gap: a check at the point of click
The gap is at the moment of click, so that's where it has to be closed. Client-side protection — running in the browser and as an email add-in — can judge the actual page or message when a person opens it, not just when it was delivered. That catches the zero-day page, the link that weaponised after delivery, and the link that arrived from outside email entirely.
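The following is an added example, not SafeToOpen's code or any gateway vendor's: it correlates delivery-time verdicts with click-time verdicts to find links whose "clean" verdict went stale, and lists recipients who still hold the message. The record layouts, addresses and URLs are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (hypothetical formats, not real gateway or browser logs).
# Delivery log: (time, recipient, url, gateway verdict at delivery)
DELIVERIES = [
    ("2024-05-01T09:00:00", "ana@example.com", "https://files.example.net/doc", "clean"),
    ("2024-05-01T09:00:05", "bo@example.com", "https://files.example.net/doc", "clean"),
    ("2024-05-01T09:01:00", "cy@example.com", "https://intranet.example.org/hr", "clean"),
    ("2024-05-01T09:02:00", "di@example.com", "https://bad.example.net/login", "blocked"),
]
# Click-time checks: (time, user, url, verdict on the page as it loaded)
CLICKS = [
    ("2024-05-01T09:10:00", "cy@example.com", "https://intranet.example.org/hr", "clean"),
    ("2024-05-01T11:30:00", "ana@example.com", "https://files.example.net/doc", "phishing"),
]


def stale_verdicts(deliveries, clicks):
    """Report URLs the gateway delivered as clean that a click-time check later flagged."""
    first_bad = {}  # url -> earliest time a click-time check judged it malicious
    for ts, _user, url, verdict in clicks:
        when = datetime.fromisoformat(ts)
        if verdict != "clean" and when < first_bad.get(url, datetime.max):
            first_bad[url] = when
    clicked = {(user, url) for _ts, user, url, _verdict in clicks}

    report = {}
    for ts, rcpt, url, verdict in deliveries:
        delivered = datetime.fromisoformat(ts)
        # Only a clean delivery-time verdict that predates the bad one is stale.
        if verdict != "clean" or url not in first_bad or delivered >= first_bad[url]:
            continue
        entry = report.setdefault(url, {"gap_minutes": 0, "clicked": [], "exposed": []})
        gap = int((first_bad[url] - delivered).total_seconds() // 60)
        entry["gap_minutes"] = max(entry["gap_minutes"], gap)
        # "exposed" recipients still hold the message and have not clicked yet.
        entry["clicked" if (rcpt, url) in clicked else "exposed"].append(rcpt)
    return report


if __name__ == "__main__":
    for url, info in stale_verdicts(DELIVERIES, CLICKS).items():
        print(url, info)
```

The `exposed` list is the set of mailboxes the message should be pulled from before anyone else clicks.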
Where SafeToOpen fits
SafeToOpen is that client-side layer: real-time, zero-day detection in the browser and inbox, running alongside your gateway — the last line of defense at the point of click.
Defense in depth
None of this means replacing your gateway — keep it doing the heavy lifting at delivery. It means adding a layer that covers what delivery-time scanning structurally can't, so the phishing that gets through is caught before the click costs anything.
FAQ
Why does phishing get past my secure email gateway?
Because a gateway decides at delivery, against what's known then. Zero-day pages, links that weaponise after delivery, QR codes, and links arriving by SMS, chat or ads aren't catchable at that moment — so they reach users.
What is a secure email gateway's biggest blind spot?
The moment of click. A gateway scans a message once at delivery; it can't re-check a link when the user actually clicks it, which is when a delivered-clean link may already have turned malicious.
Can a gateway catch links that weaponise after delivery?
Generally no. Once a message has passed inspection and been delivered, a gateway isn't re-evaluating its links. A client-side check at click time is needed to catch that.
How do you close the gap?
Add a client-side layer that analyses the actual page or message at the point of click — in the browser and inbox — alongside the gateway. That catches the zero-day and post-delivery threats the gateway structurally can't.