Eight to fourteen percent. That's the bypass range we've tracked across Proofpoint and Mimecast deployments in mid-market tenants during 2024 benchmark testing. It doesn't sound catastrophic until you run the math: a company receiving 500 phishing attempts per month lets four to seven spear-phishing emails land in inboxes every single month. And spear-phishing isn't bulk spam. It's crafted. Targeted. Built to work.
How the Benchmarks Were Collected
Our data draws from red-team simulation campaigns run against 47 mid-market tenants (200-2,500 employees) across Q2 and Q3 2024. Each campaign ran a controlled set of 200 test messages per tenant, split across four attack categories: display-name spoofing, lookalike domains, business email compromise (BEC) lures, and LinkedIn-contextual spear-phishing. That last category is the one that breaks rule-based engines. Reliably.
Proofpoint showed a bypass rate of 8.2% on average across the full test set. Mimecast came in at 13.7%. The delta matters less than the shared failure mode: both miss emails where the sender reputation is clean, the domain is newly registered but not yet flagged, and the message body is contextually coherent with the recipient's actual professional context. Rule engines score on signals they can see. They don't read the message the way a person does.
Worth noting: these are production-grade deployments with active tuning. Not defaults. The organizations in our sample had dedicated security staff managing gateway policies. The bypass rate isn't a configuration problem. It's an architectural one.
Why LinkedIn Context Breaks Rule-Based Engines
Here's the thing about modern spear-phishing: attackers don't need to compromise anything to gather targeting data. LinkedIn is public. A threat actor can pull an employee's current employer, job title, team structure, recent projects, and even manager name in under ten minutes. That information becomes the scaffolding for a message that reads like a legitimate internal request.
A typical LinkedIn-contextual attack chain looks like this: the attacker identifies a target's manager on LinkedIn, registers a lookalike domain (say, acme-corp-us.com versus acmecorp.com) three to four weeks before use (to age the domain past basic reputation blocklists), then crafts a message referencing the manager by name, a plausible project, and an action that fits the target's role. The message body has zero suspicious keywords. No urgency language. No typos. Just a contextually coherent request from an apparent colleague.
Proofpoint and Mimecast score this against SPF/DKIM alignment, domain reputation, and URL analysis. All pass. The message lands. In our experience, this class of attack bypasses both platforms at a rate of 22-31%, substantially higher than the 8-14% average across all attack types.
The 22-Minute Dwell Window
Twenty-two minutes. That's the median time from initial delivery to credential compromise in the cases we've analyzed where a bypass results in a click. Not hours. Not days. Twenty-two minutes.
The sequence is fast: email lands, gets noticed within a few minutes (spear-phishing is designed to demand attention), link gets clicked, credential harvesting page loads, credentials entered. By the time an alert might surface from downstream controls, the credentials are already in use. The phishing email isn't the threat. The window it creates is the threat.
Remediation after a spear-phishing credential compromise runs $38,000 to $90,000 in our benchmark data, factoring in IR hours, identity reset scope, and downstream access review. That range reflects the size variance in the mid-market segment. A 200-person company and a 2,500-person company have radically different blast radii when SSO credentials get harvested.
What Compensating Controls Actually Close the Gap
The instinct when you see bypass rates like these is to ask about gateway configuration: better policies, stricter rules, more aggressive sandboxing. We've been down that road. It narrows the gap at the cost of false positives that frustrate legitimate workflows. At some point, you're trading bypass rate for usability. That's not a win.
The controls that reliably close the gap operate at a different layer: they evaluate message content against recipient context rather than against static signatures and reputation lists.
| Control Type | Bypass Reduction | False Positive Impact |
|---|---|---|
| Tightened Proofpoint/Mimecast rules only | 2-4% | High |
| DMARC enforcement (strict) | 5-7% on lookalike domains | Low |
| Display-name anomaly alerting | 6-9% | Medium |
| LLM-based contextual inspection | 18-24% | Low |
| Combined: gateway + LLM layer | 22-27% | Low |
The LLM-based inspection column is the one worth unpacking. What contextual inspection actually does is evaluate whether the request in the email is coherent with the sender-recipient relationship as it's known or inferable. An email from someone claiming to be a CFO asking an accounts-payable contact to process an invoice isn't inherently suspicious by reputation signals. It's suspicious because the specific phrasing, the claimed urgency level, and the requested action pattern match known BEC templates. An LLM that's been trained on attack patterns reads that differently than a signature rule does.
DMARC enforcement deserves its own mention. Strict DMARC (p=reject) doesn't help against lookalike domains, but it does eliminate a meaningful subset of display-name spoofing attacks that still slip through both Proofpoint and Mimecast when sender authentication is inconsistently enforced. In our sample, 34% of mid-market tenants had DMARC in monitoring mode only. That's free bypass surface.
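A quick way to see which side of the "monitoring mode only" line a tenant sits on is to parse its published DMARC record and classify the policy, sample percentage, and subdomain handling. The script below is an added example written for this article, not code from Proofpoint, Mimecast, or the authors; the TXT records it checks are constructed strings for hypothetical domains (no DNS lookups are performed), and the posture rules it applies are the standard DMARC tag semantics (p=, pct=, sp=).

```python
"""Classify an organisation's DMARC posture from its published TXT record.

Added example for this article. The records below are constructed sample
strings for hypothetical domains, not live DNS answers.
"""

# Constructed sample DMARC records, keyed by a hypothetical domain name.
SAMPLE_RECORDS = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-quarantine.test",
    "example-reject.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "example-missing.test": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns an empty dict when the record is absent or does not carry the
    required v=DMARC1 tag, which receivers treat as "no DMARC policy".
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_posture(record: str) -> dict:
    """Evaluate a record and list the gaps a gateway owner should know about.

    p=none is monitoring only: failures are reported but still delivered.
    pct below 100 applies the policy to only a sample of failing mail, and a
    missing sp= tag lets subdomains inherit whatever p= says.
    """
    tags = parse_dmarc(record)
    if not tags:
        return {"policy": None, "enforcing": False,
                "findings": ["no valid DMARC record published"]}

    policy = tags.get("p")
    if policy is None:
        return {"policy": None, "enforcing": False,
                "findings": ["record is missing the required p= tag"]}
    policy = policy.lower()
    pct = int(tags.get("pct", "100"))
    subdomain_policy = tags.get("sp", policy).lower()

    findings = []
    if policy == "none":
        findings.append("p=none: monitoring mode only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is junked rather than rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains remain unprotected")

    return {
        "policy": policy,
        # "Enforcing" here means a quarantine or reject policy applied to all mail.
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "findings": findings,
    }


def audit(records: dict) -> dict:
    """Run dmarc_posture over a mapping of domain -> record."""
    return {domain: dmarc_posture(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in audit(SAMPLE_RECORDS).items():
        print(domain, result["policy"], "enforcing" if result["enforcing"] else "NOT enforcing")
        for finding in result["findings"]:
            print("   -", finding)
```

In a real audit the record string would come from a TXT lookup of _dmarc.<domain>; the classification logic is the same. Note that pct=50 on a quarantine policy is a common half-step that still leaves half of the spoofed mail delivered.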
Practical Steps for Mid-Market Security Teams
If you're running Proofpoint or Mimecast and want to quantify your actual bypass rate before deciding on compensating controls, the methodology isn't complicated. Run a controlled simulation campaign with a clean test domain (aged at least 30 days), craft messages using publicly available LinkedIn data on your own employees (with permission), and see what lands. The number will probably be uncomfortable. That's useful information.
A few things we've found useful in our work with mid-market teams:
- Audit your DMARC posture first. Move from p=none to p=quarantine on your primary domain if you haven't. It takes an afternoon and eliminates an entire spoofing class.
- Instrument display-name anomaly detection. Both Proofpoint and Mimecast have settings for this. Most teams have it off or misconfigured. Turn it on and tune it against your actual executive roster.
- Evaluate where your 22-minute window is. If credential-based access to critical systems requires only SSO with no step-up MFA, a phishing bypass becomes a lateral movement bypass. Phishing defense and identity security are the same problem.
- Add an LLM inspection layer for high-value targets. You don't need to run it across all inbound mail to get value. Start with executive staff, finance, and anyone with privileged system access. The bypass rate reduction applies to the highest-risk subset of your users.
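The two checks that the table and the list above put at 6-9% and 5-7% reduction, display-name anomaly alerting and catching the lookalike domain from the attack chain described earlier (acme-corp-us.com standing in for acmecorp.com), can be reasoned about in a few dozen lines. The following is an added example written for this article; it is not code from Proofpoint, Mimecast, or the authors, and it does not reproduce either product's settings. The protected domain, the executive roster, and the From headers are constructed samples; the homoglyph substitution list and the similarity threshold are assumptions chosen for illustration.

```python
"""Display-name anomaly and lookalike-domain check over inbound From headers.

Added example for this article. The roster, domain and headers below are
constructed samples; the confusable list and threshold are assumptions.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical protected domain (the article's own acmecorp.com example).
ORG_DOMAIN = "acmecorp.com"

# Constructed roster: display names whose use from any other mailbox is an anomaly.
EXECUTIVE_ROSTER = {
    "jane doe": "jane.doe@acmecorp.com",
    "raj patel": "raj.patel@acmecorp.com",
}

# Constructed inbound From headers, one per scenario the article describes.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acmecorp.com>",           # legitimate internal sender
    '"Jane Doe" <jane.doe.ceo@webmail.example>',  # display-name spoof from free mail
    "Raj Patel <raj.patel@acme-corp-us.com>",     # lookalike domain from the article
    "Vendor Billing <billing@globex.example>",    # unrelated external sender
]


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions and separators so that
    acme-c0rp.com and acmecorp.com compare as the same label (assumed list)."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("-", ""), ("_", "")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str, protected: str = ORG_DOMAIN, threshold: float = 0.8) -> bool:
    """True when domain is not the protected domain (or a subdomain of it) but
    its registrable label resembles the protected label after normalisation.
    The TLD is ignored, so acmecorp.net and acme-corp-us.com both match."""
    domain = domain.lower()
    if domain == protected.lower() or domain.endswith("." + protected.lower()):
        return False
    label = normalize_domain(domain).split(".")[0]
    target = normalize_domain(protected).split(".")[0]
    if target in label:  # e.g. "acmecorpus" embeds "acmecorp"
        return True
    return SequenceMatcher(None, label, target).ratio() >= threshold


def check_from_header(from_header: str) -> dict:
    """Flag a From header when an executive's display name is used from a
    mailbox other than the roster entry, or when the sender domain is a
    lookalike of the protected domain. Returns the parsed parts and a verdict."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    flags = []

    name_key = " ".join(display.lower().split())
    expected = EXECUTIVE_ROSTER.get(name_key)
    if expected and address.lower() != expected:
        flags.append("executive_display_name_external")
    if is_lookalike(domain):
        flags.append("lookalike_domain")

    return {
        "display": display,
        "address": address,
        "domain": domain,
        "flags": flags,
        "verdict": "hold_for_review" if flags else "pass",
    }


def triage(headers) -> list:
    """Apply check_from_header to a batch of headers."""
    return [check_from_header(h) for h in headers]


if __name__ == "__main__":
    for result in triage(SAMPLE_HEADERS):
        print(f"{result['verdict']:15} {result['address']:35} {', '.join(result['flags'])}")
```

Tuning against the actual executive roster, as the list item above recommends, is the step that matters: the roster lookup is exact on normalised name, so common variants (initials, nicknames) need to be added deliberately rather than left to a fuzzy match that would also fire on every unrelated "J. Doe".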
The 8-14% figure isn't a condemnation of Proofpoint or Mimecast. Both platforms catch an enormous volume of commodity phishing. The problem is that commodity phishing isn't what causes $38K-$90K remediation events. Targeted, contextually coherent spear-phishing does. And rule-based engines weren't designed to detect contextual coherence. They were designed to match known-bad patterns. Different tools for different threat classes.
Fact: a gateway that blocks 92% of phishing attempts is excellent at blocking phishing attempts. It still lets through the attacks that are most likely to succeed. The bypass rate and the risk rate are not the same number.
Mid-market organizations tend to assume that enterprise-grade gateway licensing buys enterprise-grade protection against all attack types. It doesn't. The gap between what rule-based engines catch and what sophisticated attackers actually deploy has been widening since 2022 as LLM tools made it cheaper to generate contextually coherent lures at scale. The 2024 benchmark data reflects that shift. Teams that still think of their gateway as the perimeter are operating on a threat model that's two years out of date.
Want to see your actual bypass rate against LinkedIn-contextual spear-phishing? Request a simulation run and we'll benchmark your current gateway configuration against our 2024 attack corpus.