From missed images to missed opportunities: why one luxury retailer switched to Proofpoint

In luxury retail, image is everything—quite literally. For one high-end fashion house, customer relationships live and breathe through the ability to share images. More than 80% of their workforce are personal shoppers whose primary tool is sharing product photos with clients through email to drive sales. Personal shoppers send curated product photos to clients looking for the perfect suit, purse, or couture gown. Clients reply with images of what caught their eye online or in-store. It’s how a conversation becomes a sale. 

But when this retailer’s existing email security solution began blocking images altogether, the very foundation of their business model cracked. Overnight, the personal shopping experience that had set them apart was disrupted. And when their supply chain operations faltered, their IT leadership had to face a harsh reality: taking cost-saving shortcuts in security had opened the door to a costly breach. 

This is the story of how they turned to Proofpoint—first through deploying API email protection to deliver a fast, tactical win, and later by adopting the full Proofpoint Core Email Protection platform and beyond. It’s a story that every security leader should keep in mind—it illustrates how the true cost of low-cost email security can be devastating.

The cost of choosing bundles over better protection 

A year before the breach, the retailer’s new chief security officer (CSO) had tried to bring in Proofpoint. He knew the platform’s strengths from his previous role. But despite his advocacy, he faced resistance from the chief information officer (CIO) and finance leaders, who were under pressure to cut costs. 

Cisco—the incumbent—offered an attractive bundle through its Enterprise Agreement. On paper, it looked like a deal too good to pass up. “Proofpoint is too expensive,” the CIO argued. “Cisco is already in place. Why change what’s working?” 

It’s a familiar conversation in boardrooms everywhere: bundle discounts from generalist vendors can be hard to ignore. But those discounts often come at a hidden cost, leaving organizations under-protected against today’s threats. 

When a supplier breach becomes a business breach  

The turning point came when a trusted third-party supplier account was compromised. Attackers used it to phish the retailer’s employees with a .png image lure that linked to a Microsoft 365 phishing page. Several accounts were compromised before the incident was contained. 

Cisco ESA (Email Security Appliance) missed it entirely. When the retailer pressed Cisco for answers, the response was chilling: Cisco’s system simply didn’t detect these types of threats. The recommended fix? Strip all PNGs and JPEGs from inbound email. 

For a retailer whose lifeblood is visual communication, this fix was worse than the problem. 

  • Personal shopper disruption. 80% of the retailer’s workforce are personal shoppers. Stripping images broke their workflow. Sales teams had to pivot to WhatsApp and other consumer apps, which was risky, inefficient, and unprofessional. 
  • Supply chain disruption. The retailer’s shipping and receiving system relied on image-based bills of lading. When those were stripped, stores couldn’t reconcile incoming inventory, creating chaos in logistics. 
  • Brand disruption. For a luxury brand, client trust is paramount. Shuffling communications to unsecured channels and missing shipments wasn’t just inconvenient—it threatened their reputation. 

What had been sold internally as a cost-saving move quickly became a nightmare that cost far more than a Proofpoint investment ever would. 

The broader truth: legacy email gateways can’t keep up  

This retailer’s experience underscores a broader trend. Legacy secure email gateway (SEG) vendors, including Cisco ESA, have fallen behind. 

While Cisco branded their solution as the Email Security Appliance (ESA), its roots trace back to IronPort, a company Cisco acquired in 2007. IronPort’s technology was rebranded under the ESA name and folded into the Cisco portfolio, but the core detection and filtering architecture remains largely the same. 

That’s the problem. What was cutting edge nearly two decades ago simply doesn’t stand up to today’s threats. Attackers now use sophisticated payloads hidden in images, PDFs, and cloud-shared files—techniques IronPort-era filtering engines were never designed to detect. Cisco ESA, despite the new name, is still the same legacy IronPort gateway at its core. 

In fact, this retailer’s experience highlights the risk of relying on outdated technology. ESA could block spam and basic malware, but when it came to weaponized images and supplier compromise, it fell short. As we’ve discussed in our blog “Time to move on: why legacy email gateways don’t stop today’s threats,” these solutions weren’t built for the advanced, human-targeted attacks that dominate today’s landscape. 

And the data backs it up. According to the 2024 FBI Internet Crime Complaint Center (IC3) report, business email compromise (BEC) scams alone caused $2.8 billion in losses, much of it through compromised suppliers. Legacy email gateways simply don’t have the layered intelligence to prevent these attacks. 

Proofpoint API: a quick win that made all the difference  

Faced with mounting operational disruption, the retailer needed an immediate fix. They couldn’t afford to wait for a lengthy migration project. 

That’s where Proofpoint’s API-based deployment came in. Within days, the retailer regained the ability to send and receive images securely—without exposing themselves to hidden threats. By integrating directly with Microsoft 365, Proofpoint delivered: 

  • Immediate relief. Image communications were restored, enabling personal shoppers to get back to selling. 
  • Stronger detection. Malicious images and attachments were scanned and stopped, without blunt-force blocking. 
  • Minimal disruption. A simple, fast deployment meant that no complex rerouting or infrastructure changes were required, delivering instant value.

Most importantly, Proofpoint’s AI detection stack provided the protection that Cisco lacked, so that the customer could start blocking all inbound messages that had malicious images. Our image analysis tools identified the malicious content hidden inside the .png file, while our machine learning models detected suspicious patterns in the message. Proofpoint real-time URL scanning blocked phishing links before they could be clicked. Together, these controls caught what ESA (IronPort) missed and safeguarded the retailer from further compromise.

For the CSO, this was the proof the business needed. The same platform that solved their urgent, immediate issues could also serve as the foundation for a long-term, comprehensive strategy. 

The long game: comprehensive protection with Proofpoint SEG  

With the API deployment delivering quick wins, the retailer is now moving toward a full Proofpoint SEG rollout. Unlike Cisco and newer API-only vendors, Proofpoint provides both types of protection: 

  • API for rapid deployment and cloud-native augmentations 
  • SEG for full pre-delivery blocking, layered controls, and granular policy enforcement

This dual approach ensures that threats are blocked before they ever reach the inbox—not detected and removed after exposure, as with some API-only solutions. As the account manager put it, “Why risk having a malicious file land in the inbox at all, even if it’s removed seconds later? Prevention beats reaction every time.”

Beyond email: a broader security bundle that saves more than money  

Another factor in the retailer’s decision: Proofpoint’s ability to consolidate protections under one roof. Rather than patching together point solutions or depending on a generalist vendor’s weak bundle, Proofpoint delivers a comprehensive email and workspace platform designed for today’s threats. 

Gartner’s January 2025 report, Critical Capabilities for Email Security Platforms, notes that organizations increasingly need solutions that integrate core email protection, outbound security, impersonation defense, and platform integration into a unified approach.  

Proofpoint addresses all of these requirements while also extending coverage to collaboration and application-generated communications with these solutions: 

Instead of having to choose between “cheap but risky” or “expensive but secure,” the retailer found a balance: Proofpoint’s integrated solutions deliver both cost efficiency and advanced protection. 

Lessons for every security leader  

The retailer’s experience is a powerful reminder: 

  • Don’t let cost drive the conversation. Security that fails when it matters most isn’t security at all. 
  • Understand your business workflows. For this retailer, image sharing wasn’t a nice-to-have—it was business-critical. Stripping images broke revenue streams. 
  • Plan for quick wins and long-term resilience. Proofpoint API delivered fast relief, while Proofpoint SEG will provide layered, proactive defense for the future. 
  • Look for an integrated platform solution. Bundled solutions are often considered to be a way to save on costs. But they don’t necessarily work well together. Proofpoint Core Email Protection and Prime deliver comprehensive security in an integrated platform so you can save costs while also getting quality protection. 

Don’t wait for a breach to learn the lesson  

This retailer spent months dealing with operational disruption, remediation costs, and reputational risk—all because they chose a bundle that looked cheaper. In reality, it was anything but. 

Your organization doesn’t need to go through the same pain to learn the same lesson. Proofpoint makes migration from Cisco ESA (IronPort) and other legacy email gateways straightforward—whether you want a quick API win, a full SEG deployment, or both. 

Don’t wait for a costly wake-up call. Talk to our team today to see how Proofpoint can protect your people, your business, and your brand.