Email Security

Securing Email Is More Than Just Phishing Protection: Abhishek Agrawal, Material Security CEO

“Email is not just a great way to deliver attacks, but it’s actually the target of attacks as well. That very, very simple point is still not being applied,” Abhishek Agrawal, CEO of Material Security, tells Expert Insights.

Abhishek Agrawal

Abhishek Agrawal, CEO and co-founder of Material Security, wants to push email security away from just phishing detection, and toward also protecting the data that email inboxes can unlock within an organization.

Material Security, based out of San Francisco, California, launched in 2017. In 2022 the company raised $100 million in Series C funding, which valued the company at $1.1 billion USD. Material Security offers an email protection platform used by teams of all sizes, from 200 users to over 200,000.

Material Security sits within a highly competitive email security market. Major players like Proofpoint dominate the enterprise Secure Email Gateway (SEG) space, and numerous startups like Abnormal and IRONSCALES offer API-based solutions that plug directly into M365 and Google Workspace. These tools are focused on stopping advanced phishing attacks that are often very difficult to detect, without blocking legitimate emails; Gartner has named this technology Integrated Cloud Email Security Solutions (ICES).

In 2017, Material’s co-founders, Abhishek Agrawal, Ryan Noon, and Chris Park, identified a gap in the email security market around the protection of content already inside the email inbox. During the 2016 US election, over 150,000 emails were stolen from high profile Democrat and Republican candidates then leaked online.

The Material Security Platform

“We literally got started after the election hacks in 2016,” Agrawal told Expert Insights at the RSAC 2024. “Attacks were targeting the content inside personal email mailboxes where gateways were powerless.” The Material team asked themselves, “How is it that there are these extremely high value email accounts with lots of sensitive content within them, and there is nothing you can buy in the industry to protect it?”

“The core insight of Material has always been that email is not just a great way to deliver attacks, but it’s actually the target of attacks as well. This very, very simple point isn’t being applied. Everybody has framed the problem as: how do I stop bad emails from being delivered to the mailbox? But 10 years of email sitting in an inbox is a huge target. It’s a content security problem, not just an email security problem.”

Material is an API-based email security platform that scans email content for sensitive data in real-time to identify content that could be a risk if the inbox was compromised. This includes sensitive documents, such as tax returns, invoices, and passwords – but also one-time passcodes, password reset links, and account verification codes.

The platform enforces an additional multi-factor authentication push for users accessing this sensitive content. This prevents attackers from compromising this data, even if they are able to break into the email account itself. Material also offers inbound email scanning for BEC, phishing, and malware detection, designed to strengthen the controls offered natively by M365 and Google Workspace. The company is currently used by teams of all sizes, with clients including Mars, MassMutual, and Lyft.

The principles of the system can be applied to many enterprise use-cases. For example, employees often want to share email content to their personal inboxes, where IT admins have no control over who can access the data. With Material, email content can be redacted, unless an access request is completed via MFA. This also creates an audit trail, which gives security teams much more clarity into which email messages are being accessed and by whom.

Skating To Where The Puck Is Going

The Material team are ambitious and are gunning to be the go-to email security partner for Microsoft 365 and Google Workspace users. One challenge they have had is their positioning in the space; they are not a SEG, they are not a pure play ICES. In some cases, they are actually being used alongside these tools. But they are competing with other email security tools in a conversation dominated by phishing – with a platform that covers far more than just that single use case.

“In the early days when we used to say the phrase ‘email security’, people were like: ‘Okay cool, you detect phishing.’ And actually, it’s all these other things as well! So, there’s an aspect of educating the market,” Agrawal says. “But we raised what we did and built the team we have built because we want to take this to market in a big way.”

On the future of the email threat landscape, Agrawal is skeptical of the impact AI will have on generated AI phishing threats. “Lack of grammar was not stopping people from writing phishing emails before,” he says. “It is true that the scale can be larger, but personally I don’t think that will change the threat landscape as much as some vendors would have you believe. Good controls should work regardless of how an attack is generated.”

“What I do think we should be screaming from the hills is: “Worry about the content inside your mailboxes and the cloud more broadly. The long-term view is that email is just one part of a productivity suite. In the past it used to be an appliance on its own, now it’s just one application that’s part of M365 or Google Workspace.”

M365 and Google Workspace are two of the most heavily used business apps globally. They are often the most important apps used in an organization, used by almost every employee, and are very commonly used to provision user access to all kinds of third-party apps and services, making them the keys to vast amounts of enterprise data.

“This is where Material is headed in the future,” Agrawal says. “Email security is one part of a bigger problem, which is productivity suite security. M365 and Google Workspace are not just another SaaS app. They are critical infrastructure for their organization, in the same way their cloud workloads or endpoints are critical infrastructure.”

“Who is the Crowdstrike for M365? There isn’t one. There are email security, DLP, CASB, and SSPM vendors, but no one is consolidating all of these use cases. That’s what we want to do in the future. It’s a very broad vision and we’re not going to get there overnight, but that’s the path we’re on.”