StrongestLayer Research Finds Trusted Platforms Like DocuSign and Google Calendar Are Now the Primary Email Attack Surface

January 8, 2026, 15:00

77% of attacks impersonated business-critical brands such as DocuSign, Microsoft, and Google—platforms most organizations cannot afford to block

CHICAGO, Jan. 8, 2026 /PRNewswire/ -- StrongestLayer today released a new threat intelligence report, What Your Email Security Can't See, analyzing 2,042 advanced email attacks that successfully bypassed Microsoft Defender E3/E5 and market-leading secure email gateways before being detected by StrongestLayer. The findings highlight a fundamental shift in attacker behavior, where adversaries increasingly hide behind business-critical platforms such as DocuSign, Microsoft, and Google Calendar—services organizations cannot block without disrupting operations.

Rather than relying on malware or obvious phishing techniques, today's attackers exploit trust, authentication gaps, and operational dependency. The report provides rare visibility into the techniques that define modern email threats by examining only attacks that incumbent security controls missed.

"Email security has reached an inflection point," said Alan LeFort, CEO and co-founder, StrongestLayer. "The controls enterprises depend on were designed to detect patterns and known bad signals. But attackers are now exploiting trusted brands and legitimate infrastructure, areas those systems were never built to reason about."

Key findings from the report include:

  • 77% of attacks impersonated business-critical brands such as DocuSign, Microsoft, and Google—platforms most organizations cannot afford to block

  • 77% of attacks failed SPF, DKIM, or DMARC authentication yet still reached inboxes, exposing a widespread enforcement gap

  • 17 attacks passed all authentication checks, demonstrating that SPF, DKIM, and DMARC validate infrastructure, not attacker intent

  • 100% of threats bypassed incumbent email security, including Microsoft E3/E5 and leading secure email gateways

  • Approximately 45% of attacks showed indicators of AI assistance, a figure projected to rise to 75–95% within the next 18 months

Trusted brands are the new attack surface

The report shows attackers are no longer trying to look legitimate—they are hiding behind platforms that already are. DocuSign alone accounted for more than one-fifth of all attacks analyzed, particularly targeting legal, financial, and healthcare organizations where document-signing workflows are deeply embedded in daily operations.

Google Calendar attacks represent an especially concerning trend. Because calendar invitations are delivered via calendar APIs rather than email, these attacks bypass secure email gateways entirely, creating a blind spot for most security teams.

The authentication challenge

Email authentication is widely promoted as the solution to impersonation attacks, yet the data tells a more complex story. Most organizations maintain permissive DMARC policies to avoid blocking legitimate but misconfigured senders. Attackers knowingly exploit this reality, delivering messages that fail authentication but are still allowed through.

At the same time, a smaller but critical set of attacks passed SPF, DKIM, and DMARC checks by abusing legitimate infrastructure, including compromised accounts and platform features such as Microsoft 365 Direct Send. In these cases, authentication worked exactly as designed—confirming origin, not intent.

AI pushes email security toward a breaking point

StrongestLayer's analysis shows AI-assisted phishing has fundamentally changed the economics of detection. Traditional phishing campaigns reuse templates with high similarity, allowing pattern-based systems to work. AI-generated attacks, however, share as little as 12–18% similarity across variants, rendering pattern matching mathematically ineffective—a phenomenon the report calls the Pattern-Matching Cliff.

As AI-generated attacks become the default, organizations relying solely on pattern-based detection face a rapidly narrowing window to adapt.

Why legacy email security architectures fail

The attacks in this report share a common trait: they don't look malicious in isolation. Legacy systems operate as "prosecutor-only" architectures, searching for evidence of guilt such as malicious links or known-bad indicators. What they lack is the ability to prove legitimacy—whether a DocuSign notification aligns with real business activity or a calendar invite reflects an authentic workflow.

Defending against trust-exploitation attacks requires a dual-evidence approach that evaluates both threat signals and business legitimacy signals, enabling confident decisions without the false-positive burden that plagues traditional tools.

Methodology

The report analyzes 2,042 confirmed email threats detected between September and November 2025 across enterprise environments ranging from 1,000 to 20,000 mailboxes. All threats analyzed had already bypassed Microsoft Defender E3/E5 and/or third-party secure email gateways. Detection used a dual-evidence architecture combining threat indicators with business legitimacy signals and LLM-based reasoning.

About StrongestLayer

Founded in 2024, StrongestLayer is pioneering LLM-native cybersecurity solutions designed for the AI era. The company's platform combines advanced threat detection with personalized human risk training to protect organizations against both traditional and AI-powered email attacks. Headquartered in San Francisco, StrongestLayer is backed by Sorenson Capital, Recall Capital, and leading cybersecurity industry veterans. Learn more at www.strongestlayer.com.

View original content: https://www.prnewswire.com/news-releases/strongestlayer-research-finds-trusted-platforms-like-docusign-and-google-calendar-are-now-the-primary-email-attack-surface-302656436.html

SOURCE StrongestLayer