What Proofpoint, Mimecast, and Abnormal Miss — Two Real Phishes That Prove It

TL;DR

Legacy enterprise filters still miss modern phishing attacks. We looked at two real emails that made it past Proofpoint Essentials — a fake USPTO notice and a fake voicemail — one of which even showed a “Scanned with Proofpoint Essentials” stamp.

In this post you’ll learn:

  • How attackers are bypassing “enterprise-grade” filters.

  • Why SMBs bear the brunt when vendors miss.

  • How inbox-focused AI agents like Cambrient stop what others can’t.

Why SMBs Should Care

When phishing emails slip through, the costs are real:

  • Financial loss from fraud or account takeovers.

  • Reputational damage when customers or partners are affected.

  • Lost time as IT teams scramble to triage threats.

SMBs often rely on enterprise vendors like Proofpoint, Mimecast, or Abnormal expecting them to be enough. But “scanned” doesn’t always mean safe — as these examples show.

How Legacy Filters Work

Traditional email security relies on:

  • Signatures & reputation databases (known bad senders/domains).

  • Heuristics & rules (block suspicious attachments or links).

  • Static scans (check file metadata, surface-level analysis).

These techniques are great at stopping known threats. But attackers know this, and they design phish to slip through.

The Gaps Attackers Exploit

  • Context blindness: Filters can’t tell if a “USPTO” notice makes sense for your business.

  • Signal fragmentation: Each piece of the email looks harmless on its own.

  • User trust signals: Stamps like “Scanned with Proofpoint Essentials” make people more likely to click.
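
The signal-fragmentation gap above, as an added Python example (not code from Cambrient or any vendor named here): each signal alone stays under the threshold, and only the combination is quarantined. The message, domains, pre-resolved redirect hops, weights and threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not one of the emails from the post; domains are placeholders.
RAW = """\
From: "USPTO Trademark Office" <notices@uspto-filings.example>
Subject: Final notice: trademark action required

Your trademark registration requires payment within 48 hours.
Pay here: https://track.mailer.example/c?id=1

Scanned with Proofpoint Essentials
"""

# Assumption: hops were already resolved by a sandboxed fetcher (constructed data).
REDIRECTS = {"https://track.mailer.example/c?id=1": [
    "https://short.example/x9", "https://cdn.files.example/r", "https://pay-uspto.example/login"]}
BRANDS = {"uspto": "uspto.gov"}  # brand keyword in display name -> expected sender domain
URGENCY = re.compile(r"final notice|within \d+ hours|action required", re.I)
STAMP = re.compile(r"scanned (with|by) \w+", re.I)

def signals(raw, redirects):
    """Return {signal_name: weight}; the weights are illustrative, not tuned."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sender = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    found = {}
    for brand, real in BRANDS.items():
        if brand in name.lower() and sender != real and not sender.endswith("." + real):
            found["brand_domain_mismatch"] = 3
    for url in re.findall(r"https?://\S+", body):
        hops = redirects.get(url, [])
        hosts = {urlparse(u).hostname for u in [url, *hops]}
        if len(hops) >= 2 and len(hosts) > 2:
            found["layered_redirects"] = 2
    if URGENCY.search(f"{msg['Subject']} {body}"):
        found["urgency_language"] = 1
    if STAMP.search(body):
        found["scan_claim_in_body"] = 1  # anyone can type this line, so it proves no scan
    return found

def verdict(found, threshold=5):
    """Sum the weights; no single signal above reaches the threshold on its own."""
    score = sum(found.values())
    return ("quarantine" if score >= threshold else "deliver"), score
```
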

Example 1 — The Fake USPTO Notice

What the victim saw: An “official” email about a trademark action with a PDF attachment and link to pay.

Why Proofpoint missed it:

  • Lookalike sending domain that seemed plausible.

  • The PDF passed metadata checks, and the link used layered redirects.

  • No obvious malware signature — so it looked safe.

Why it worked: Legal notices trigger urgency. Employees often click without verifying.

Example 2 — The Fake Voicemail (with “Scanned with Proofpoint Essentials”)

What the victim saw: A voicemail notification email with a “Play Voicemail” button. At the bottom: “Scanned with Proofpoint Essentials.”

Why Proofpoint missed it:

  • Link resolved to a benign-looking audio file after redirects.

  • Voicemail notifications are common, raising no suspicion.

  • The Proofpoint footer created false trust.

Why it’s dangerous: Users thought, “It was scanned, so it’s safe,” then clicked through to a credential-harvesting page.

How Cambrient AI Stops These

  • Multi-signal AI Agents look at content, sender behavior, redirect chains, and business context — not just static rules.

  • Plain-English Alerts appear right in the inbox: “This voicemail link resolves through 3 unknown redirects to a credential site.”

  • Fast, Simple Setup — no MX record changes, pilots in under 5 minutes. Perfect for MSPs and SMBs.

5 Questions to Ask Your Vendor

  1. Can you show what alerts look like in my users’ inboxes?

  2. Do you analyze redirect chains and credential harvest pages?

  3. Are your alerts plain-English or just codes/logs?

  4. How long does a pilot take? Do I need to re-route mail flow?

  5. Can you share real missed threats — and how you fixed them?

The Bottom Line

Legacy vendors are missing phish that cost SMBs time and money. The fake USPTO notice and fake voicemail prove it.

Cambrient AI was built to catch what others miss — while explaining every alert in plain English and keeping setup painless.

👉 Book a demo or send us a real phishing sample at no-reply@cambrient.ai. We’ll show you exactly how we catch it — and why “scanned” doesn’t always mean safe.