Email security failures rarely show up as a single dramatic breach. More often, they surface as death by a thousand cuts: phishing emails slipping through, account takeovers that take days to clean up, business tools getting blocked “just in case,” and a security team stretched to the breaking point.
That was exactly the position a mid-market, employee-owned U.S. distributor found itself in last year.
They were doing many things right:
- Microsoft 365 for email
- A long-standing secure email gateway (SEG) from Cisco IronPort
- A lean but capable security team
- A CIO focused on modernization and responsible AI adoption
Yet despite all of this, phishing emails kept getting through—and the real cost didn’t show up on an invoice.
The hidden bill no one budgets for
At first, the incidents were easy to rationalize. “We stopped most of it.” “We cleaned it up.” But every phish that gets through creates downstream work: triage, user questions, credential resets, mailbox searches, and the inevitable leadership question—how did that get through again?
For this distributor, that drag compounded quickly because the team was lean. When your security function is small, every account takeover isn’t just risk—it’s lost time and momentum. Over months, “cleanup” became a recurring tax on the business.
When security starts breaking the business
The turning point wasn’t an exotic malware outbreak. It was a normal business reality colliding with an old security model.
Attackers began using Canva—a trusted, widely used business application—as part of their phishing attempts. Not only was the application legitimate, but it was used by internal teams for everyday content and training workflows. Threat actors understood that defenders would hesitate to block something that the business relied on.
The incumbent gateway’s answer was essentially all or nothing: block emails from the service or accept the risk. And leadership’s response was that blocking those messages would disrupt enablement of human resources (HR) and internal teams. So, they decided to allow Canva—and the phishing problem continued.
That’s the trap many legacy SEGs create. When the system can’t reliably distinguish legitimate use from malicious abuse, security teams get pushed toward blunt controls that become business problems.
The constraint: “We can’t just rip and replace email”
Even after the organization agreed it needed to improve email security outcomes, a traditional rip-and-replace approach wasn’t realistic.
They were a Cisco shop. Cisco IronPort had been in place for years. And it was tied to a long-term agreement. As with many organizations, email security sat at the intersection of infrastructure and security, so early discussions focused on maintaining stability and minimizing disruption.
When the security team engaged a hands-on security engineer and his director, the evaluation shifted to results. The goal was understanding what was getting through, how quickly it could be stopped, and how protection could be improved without changing mail flow. Still, nobody wanted a high-risk email migration.
They needed a path that could:
- Improve protection quickly
- Keep Microsoft 365 as the center of operations
- Avoid MX record changes and the re-architecture of mail flow
- Minimize disruption to supply chain and ERP-driven processes
The pivot: Proofpoint Core Email Protection API behind Microsoft 365
This is where Proofpoint changed the equation.
Instead of forcing a front-of-mail flow cutover, Proofpoint Core Email Protection API could be deployed behind Microsoft 365. This provided post-delivery detection and response without requiring a change to the MX records. For a customer with contractual and operational constraints, that architecture mattered as much as the detection itself.
The proof of concept (POC) validated three things quickly:
- Proofpoint was catching phishing that Cisco IronPort was missing.
- They could retire Cisco IronPort, but on their own timeline.
- Deployment could be done without breaking the business.
That third point was critical. The team had some understandable concerns about disrupting business email patterns—especially the odd-but-legitimate behaviors that are often seen in distribution environments. But the POC demonstrated that the solution could run cleanly alongside Microsoft 365, improving outcomes without a risky “big bang weekend.”
From “block everything” to “protect what matters”
The trusted-app phishing scenario related to Canva became a litmus test.
With Proofpoint, the conversation wasn’t “do we shut down the tool?” It became “how do we let the business keep using the tool while reducing the risk of abuse?” That shift—away from blanket blocking and toward intelligent detection—was exactly what leadership wanted: less compromise, less disruption.
And because Proofpoint’s solution didn’t demand weeks of manual tuning to prove value, the security team could move faster and with more confidence.
“We can’t just protect email—we have to protect data”
Halfway through the POC, a second theme surfaced: data loss.
Their CIO was pushing modernization and responsible adoption of new tools (including generative AI). Their security leader brought a regulated-industry mindset around information protection. They weren’t only worried about malicious actors—they were worried about everyday mistakes that turn into incidents. These include misdirected emails, sensitive attachments sent to the wrong recipient, and “quick sends” under pressure.
This is where Proofpoint Adaptive Email DLP became a major factor. Because it came alongside Core API, they could evaluate it during the same POC and see how it fit operationally. What resonated wasn’t a promise of a massive rules-based DLP program—it was the practicality of starting with protections that reduce risky sends without overwhelming the security team or the help desk.
For an employee-owned company, user experience wasn’t a side note. Leadership felt responsible for keeping employees productive and informed—not confused by sudden blocks and exceptions. Adaptive Email DLP supported that goal by adding guardrails while reinforcing good behavior.
Just as importantly, it created a runway. Once the customer solved the immediate phishing and takeover headache, they had the confidence to explore broader Proofpoint data protection capabilities next.
Why this matters now
Modern breaches keep proving the same point: the human layer is the primary battleground. Verizon’s 2025 DBIR executive summary notes that the “human element” remains involved in around 60% of breaches. If your email defenses are letting social engineering through—especially credential-theft and account-takeover paths—you end up paying repeatedly in response time and business disruption.
The broader market has also offered reminders about the risks of relying solely on legacy email gateway infrastructure. In late 2025, Cisco Talos reported active targeting of Cisco email security products by a China-linked threat actor. This reinforced the fact that email security isn’t just about what gets through, but also what becomes a target.
The outcome: fewer incidents, less disruption, and a foundation for what’s next
By December 2025, the distributor moved forward with Proofpoint Core Email Protection API and Adaptive Email DLP.
From their perspective, the win wasn’t a single feature. It was a change in operating mode:
- Catch more of what the legacy gateway missed
- Reduce account takeover cleanup churn
- Avoid disrupting Microsoft 365 mail flow and business operations
- Add data protection guardrails that users could live with
- Build confidence to expand into broader data protection initiatives
In hindsight, the lesson was blunt: sticking with “good enough” had been the expensive path. They had already paid the difference—in remediation hours, disruption, and security debt.
What to take from this story if you’re still on a legacy SEG
If you’re on Microsoft 365 and still relying on Cisco IronPort (or another legacy SEG) as your primary defense, ask yourself: how much are you already paying for what it’s missing?
It’s not so much about renewal dollars—it’s about the hidden cleanup tax. This includes:
- Incident response hours and repeated credential resets
- User disruption and help desk load
- Blunt controls that break workflows
- Opportunity cost for a small security team
This customer proved that you can modernize your environment without ripping everything out. Deploying Proofpoint behind Microsoft 365 can help you close post-delivery gaps without changing MX records—and Adaptive Email DLP can help you start protecting data in a way that’s practical for lean teams.