Frequently Asked Questions

Email Gateway Security & Validation Best Practices

What is the principle of security validation as defined by Cymulate?

Security validation is a fundamental principle in cybersecurity aimed at ensuring that systems, applications, and processes are secure and operate as intended. Cymulate defines it as the ongoing process of testing and validating security controls to ensure they are effective against real-world threats. [Source]

Why is email gateway security validation important?

Email is the most frequently used attack vector for exploiting security weaknesses. Validating email gateway security is crucial because it helps organizations defend against phishing, malware distribution, business email compromise, and scareware tactics. Continuous validation ensures that email security controls are properly configured to detect and prevent evolving threats. [Source]

What recent threats highlight the need for email gateway validation?

In early 2024, the MonikerLink vulnerability (CVE-2024-21413, CVSS 9.8 Critical) was discovered in Microsoft Outlook. This vulnerability allowed attackers to bypass security protocols and execute remote code, emphasizing the need for frequent validation of email gateways to defend against such evolving threats. [Source]

How often should organizations validate their secure email gateway?

Cymulate recommends running email gateway validation tests weekly or whenever a change is made to the email gateway. This frequency helps ensure that security controls are effective against the latest malicious links and payloads. [Source]

What are Cymulate's best practices for validating email gateway security?

Cymulate's best practices include testing for malicious links, malicious attachments, executable payloads, dummy code execution, true file type detection, and file attachment policy enforcement. These tests should use the latest threat intelligence and cover a wide range of file types and attack scenarios. [Source]

How does Cymulate test for malicious links in email gateways?

Cymulate recommends sending test emails with links to known malicious sites to validate whether the email gateway can detect and block access. The blacklist of malicious websites should be updated regularly with the latest threat intelligence. [Source]

What file types should be tested for executable payloads in email gateway validation?

Testing should include common executable file types such as exe, com, scr, pif, vbs, vbe, js, jse, wsf, hta, bat, cmd, lnk, cpl, and msi. These file types are often exploited by threat actors and should be blocked by the email gateway. [Source]

What is true file type detection and why is it important?

True file type detection examines the actual contents of a file to identify its real format, rather than relying solely on the file extension. This is important because threat actors often disguise malicious files with misleading extensions to bypass security controls. [Source]

How should file attachment policies be validated in email gateways?

Security teams should send emails with a wide range of file types (up to 200 different types) to validate that the email gateway's file type policy is configured correctly. This ensures that dangerous file types, such as .dll and .exe, are blocked as intended. [Source]

What is the recommended approach for testing dummy code execution in email gateways?

Cymulate suggests using dummy files with code execution capabilities (but not actual malware) to simulate the possibility of real malicious code execution. This helps prove whether executable code can be inserted into the organization via email. [Source]

Where can I learn more about Cymulate's email gateway validation solution?

You can find more information on Cymulate's email gateway validation solution by visiting the Email Gateway Validation page or by scheduling a demo at Cymulate's demo page.

What are some notable cyberattacks that started with phishing emails?

Major attacks that began with phishing emails include the 2023 T-Mobile breach, 2022 U.S. Department of Labor incident, 2021 Colonial Pipeline attack, 2020 SolarWinds breach, and others. These incidents highlight the importance of robust email gateway validation. [Source]

How does Cymulate help organizations improve cyber resilience through email gateway validation?

Cymulate enables continuous validation of email gateway controls to ensure they are operating as intended and can block the latest malicious links and payloads. This proactive approach significantly improves an organization's cyber resilience. [Source]

What is the role of threat intelligence in email gateway validation?

Threat intelligence provides up-to-date information on malicious links, attachments, and tactics used by attackers. Cymulate recommends updating test scenarios with the latest threat intelligence to ensure validation tests are relevant and effective. [Source]

How does Cymulate's Exposure Validation platform support email gateway testing?

Cymulate Exposure Validation makes advanced security testing fast and easy, allowing security teams to build custom attack chains and validate email gateway controls in one place. [Learn More]

Where can I find more resources on security validation best practices?

You can find additional resources, including whitepapers, demos, and blog posts, in the Cymulate Resource Hub.

Does Cymulate provide information on best practices for email gateway security validation?

Yes, Cymulate provides detailed information on security validation best practices for email gateway controls in their blog post: Security Validation Best Practices: Email Gateways.

How can I schedule a demo of Cymulate's email gateway assessment?

You can schedule a personalized demo of Cymulate's email gateway assessment by visiting Cymulate's demo page.

What is the recommended frequency for running email gateway validation tests?

Cymulate recommends running validation tests weekly or whenever changes are made to the email gateway to ensure ongoing protection against evolving threats. [Source]

How does Cymulate help organizations stay ahead of emerging email-based threats?

Cymulate continuously updates its threat intelligence and validation scenarios, enabling organizations to test their defenses against the latest email-based attack techniques and payloads. [Source]

What is the impact of not validating email gateway security controls regularly?

Failing to validate email gateway security controls regularly can leave organizations vulnerable to phishing, malware, and other email-borne threats, as attackers continuously evolve their tactics to bypass outdated defenses. [Source]

Features & Capabilities

What features does Cymulate offer for security validation?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, an extensive threat library, and an intuitive interface. [Platform Features]

Does Cymulate integrate with other security technologies?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page.

How does Cymulate use AI in its platform?

Cymulate uses machine learning to deliver actionable insights for prioritizing remediation efforts, optimize security controls, and provide advanced exposure prioritization. [Platform Features]

What is Cymulate's threat library and how is it maintained?

Cymulate provides an advanced library of over 100,000 attack actions aligned to MITRE ATT&CK, updated daily with the latest threat intelligence to ensure organizations can test against emerging threats. [Platform Features]

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface. [Customer Feedback]

What educational resources does Cymulate provide?

Cymulate offers a Resource Hub with whitepapers, product info, and thought leadership, a blog covering the latest threats and research, webinars, and a glossary of cybersecurity terms. [Resource Hub]

Pain Points & Use Cases

What core problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear risk prioritization, and resource constraints by automating continuous threat validation, exposure prioritization, and operational efficiency improvements. [About Us]

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. [CISO Use Case]

How does Cymulate address fragmented security tools?

Cymulate integrates exposure data and automates validation to provide a unified view of the security posture, reducing gaps caused by disconnected tools. [Solution]

What measurable outcomes have customers achieved with Cymulate?

Customers have reported up to an 81% reduction in cyber risk (Hertz Israel, four months), a 52% reduction in critical exposures, a 60% increase in team efficiency, and a 20-point improvement in threat prevention. [Case Study]

How does Cymulate help with resource constraints in security teams?

Cymulate automates manual processes, improves operational efficiency, and enables teams to focus on strategic initiatives rather than repetitive tasks. [Solution]

How does Cymulate support vulnerability management teams?

Cymulate automates in-house validation between penetration tests and prioritizes vulnerabilities based on exploitability, business context, and threat intelligence. [Vulnerability Management]

Security, Compliance & Company Information

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. [Security at Cymulate]

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC) with regular vulnerability scanning and third-party penetration testing. [Security at Cymulate]

Is Cymulate GDPR compliant?

Yes, Cymulate incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO), ensuring GDPR compliance. [Security at Cymulate]

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. [About Us]

Where can I find Cymulate's latest news, events, and research?

You can stay updated with Cymulate's latest news, events, and research through the blog, newsroom, and events page.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, you can schedule a demo with the Cymulate team.

Support & Implementation

What support options does Cymulate offer?

Cymulate provides email support, real-time chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for quick answers. [Support]

How long does it take to implement Cymulate?

Cymulate is designed for rapid, agentless deployment, allowing organizations to start running simulations almost immediately after setup. [Customer Feedback]


Security Validation Best Practices: Email Gateways

By: Brian Moran, VP of Product Marketing

Last Updated: February 15, 2026


As a continuation of our blog series on security validation, we look at the Cymulate best practices for validating email-based threats against your secure email gateway. But first, let’s recall the principle of security validation as defined by Cymulate. 

If you missed the first blog in this series, check out Cymulate Best Practices for Security Validation

Email is the most frequently used delivery method for attacks that exploit security weaknesses. That makes the email gateway one of the most critical components, and the first line of defense, against threat tactics like phishing, malware distribution, business email compromise, and scareware aimed at deceiving users.

Threat actors commonly use email to trap victims into clicking on a malicious link or downloading an executable payload to gain initial access to a network. Threat actors continuously refine these methods, making them increasingly difficult to detect. This underscores the importance of ongoing vigilance and validation that email gateway security controls are properly configured to detect and prevent such attacks. 

Recent Threat: Microsoft Outlook RCE (Remote Code Execution) Vulnerability 

Early in 2024, a significant vulnerability affecting email security for Microsoft Outlook was discovered and dubbed the MonikerLink bug.

Successful exploitation of this vulnerability would allow a threat actor to craft a malicious link that bypasses the MS Office Protected View Protocol and opens the preview pane in editing mode rather than protected mode. This gives the threat actor elevated privileges, including read, write, and delete functionality, which could lead to the leaking of local NTLM credential information and remote code execution (RCE).

Over the past decade, some of the most notorious cyberattacks began with phishing emails.

  • 2023 T-Mobile 
  • 2022 U.S. Department of Labor 
  • 2021 Colonial Pipeline 
  • 2020 SolarWinds 
  • 2019 Wipro 
  • 2018 Marriott International 
  • 2017 Ukrainian Power Grid 
  • 2016 Democratic National Committee (DNC) 
  • 2015 Anthem Health Insurance 
  • 2014 Sony Pictures 

These attacks serve as a constant reminder of the need to continuously optimize email security controls and stay vigilant as users when it comes to email. 

Frequent Validation of the Secure Email Gateway 

Malicious website links and payload variants are constantly evolving as threat actors execute more and more sophisticated phishing campaigns on unsuspecting users. Organizations rely on their secure email gateway as the first line of defense in blocking these emails from their users to protect their organization from attacks.  

Frequent validation that the secure email gateway is operating as intended and blocking malicious links and payloads is required to stop the constant flow of email-borne threats. 

Cymulate Best Practices 

The Cymulate best practices for email gateway security validation include a broad range of assessments and scenarios for malicious links (like the MonikerLink bug), files attached to emails, and the policies used to govern them. These include:

Malicious Links

Malicious links and other objectionable content are constantly moving targets, requiring frequent validation against a comprehensive blacklist of known malicious websites updated from the latest threat intelligence.

Security teams should validate the ability of their email gateway to analyze and block malicious links in the body of an email. This involves sending a full list of test emails with links that are known to lead to malicious sites to see if the email gateway can detect and block access to these sites. 

Malicious Attachments 

Threat groups continuously morph and obfuscate malicious attachments, so just like malicious links, these tests should be run frequently using a broad range of the latest known malware, ransomware, worms, and trojans updated from the latest threat intelligence.  

Security teams should validate the ability of their email gateway to analyze and block emails containing malicious attachments with known malware signatures. These tests should send a broad range of emails containing the latest known malware, including ransomware, worms, trojans, and other exploits embedded in attachments.

Executable Payloads (Attachments) 

Testing policy enforcement for handling emails with executable payloads in files such as exe, com, scr, and bat file types is a critical part of security validation for your email gateway.   

A full range of tests should be run to validate that common executable file types are blocked by the gateway. Those file types should include files with extensions for: exe, com, scr, pif, vbs, vbe, js, jse, wsf, hta, bat, cmd, lnk, cpl, and msi. 

Dummy Code Execution  

Simulate the possibility for real malicious code execution using dummy files with potential code execution capabilities. These files are not actually malicious, but they do show proof of concept for inserting executable code into an organization.  

True File Type Detection 

This final test is used to validate that your email gateway can detect the actual type of file that has been attached to an email regardless of the file extension. Threat actors often disguise malicious files with misleading file extensions to avoid detection by the email gateway. 

Instead of relying solely on the file extension, true file type detection examines the actual contents of the file to identify its real format. As such, we need to validate the ability of your email gateway to detect the true file type and block malicious files from being sent to users. 
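As an added illustration (not Cymulate's code and not part of the original article), the sketch below applies the two checks described in the Executable Payloads and True File Type Detection sections to every attachment in a message: the extension blocklist from the article, and a content-signature check that ignores the file name. The signature table, the `EXPECTED` map, the addresses and the inert attachment stubs are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions the article lists as ones the gateway should block.
BLOCKED_EXT = {"exe", "com", "scr", "pif", "vbs", "vbe", "js", "jse", "wsf",
               "hta", "bat", "cmd", "lnk", "cpl", "msi"}

# Small illustrative subset of leading-byte signatures (not exhaustive).
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office, MSI
         (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"),      # zip also covers docx/xlsx
         (b"\x89PNG\r\n\x1a\n", "png")]

# True types each commonly allowed extension may legitimately carry (assumed policy).
EXPECTED = {"pdf": {"pdf"}, "png": {"png"}, "zip": {"zip"},
            "docx": {"zip"}, "xlsx": {"zip"}, "doc": {"ole2"}}

def sniff(data: bytes) -> str:
    """Return the true file type from content, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"  # scripts such as .js/.vbs are plain text with no signature

def inspect_message(raw: bytes) -> list:
    """Evaluate every attachment against extension policy and true file type."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lstrip(".").lower()  # last extension wins
        kind = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        if ext in BLOCKED_EXT:
            reasons.append("blocked-extension")
        if kind in ("pe-executable", "elf-executable"):
            reasons.append("executable-content")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            reasons.append("extension-mismatch")
        findings.append({"name": name, "true_type": kind, "reasons": reasons,
                         "verdict": "block" if reasons else "allow"})
    return findings

def build_sample() -> bytes:
    """Constructed test message; attachment bodies are inert header stubs."""
    m = EmailMessage()
    m["From"], m["To"] = "validator@example.test", "probe@example.test"
    m["Subject"] = "attachment policy check (constructed sample)"
    m.set_content("Constructed sample for attachment-policy testing.")
    for name, data in [("report.pdf", b"%PDF-1.7\n% stub"),
                       ("invoice.pdf", b"MZ" + b"\x00" * 62),
                       ("setup.scr", b"MZ" + b"\x00" * 62),
                       ("notes.js", b"// inert text")]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for f in inspect_message(build_sample()):
        print(f)
```

The `invoice.pdf` case is the one an extension-only policy misses, and `notes.js` is the one a signature-only check misses, which is why a gateway needs both controls validated.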

File Attachment Policies

This test of policy enforcement of the email gateway simply validates which file types attached to an email will be blocked by the gateway and which file types will be passed through to the user. 

Security teams should execute tests that send emails using a full range of file types (as many as 200 different types) to validate that the file type policy is configured correctly in the email gateway. Most organizations will have specific file types (like .dll and .exe files) that should be blocked by the gateway as these file types are known to be exploited by threat actors. 

The goal of these best practices is to thoroughly test the effectiveness of an organization's email gateway and policies by simulating a wide variety of email-based threats, including malware, worms, trojans, and exploits delivered through attachments and malicious links. 

Due to the constantly changing nature of malicious sites and attachments used by different threat actors, it is highly recommended that these validation tests be run weekly or whenever a change is made to the email gateway. 

A secure email gateway is your first line of defense against this preferred method of attack delivery. Continuous validation that your email gateway controls are operating as intended and can block the latest malicious links and payloads will go a long way to improving your cyber resilience. 

For more information, visit our email gateway validation page and schedule a demo of our email gateway assessment. 
