Abnormal Security Migration: Mail Flow Architecture

Mail Flow Architecture

This page exists to map the real control points in the enterprise mail path before any migration decisions are made. Do not treat Abnormal as a drop-in replacement for ESA without first documenting where ESA currently enforces policy, where mail routing occurs, and where telemetry is generated.

Current-State Questions

Answer these first:

  • Is Cisco ESA currently inline for inbound mail, outbound mail, or both?

  • Does ESA terminate SMTP directly from the internet, or sit behind another gateway or provider?

  • Where are MX records currently pointed?

  • What downstream path exists after ESA: M365, Exchange hybrid, relay hosts, journaling, or archive systems?

  • Which teams own DNS, M365 tenant config, transport rules, and user-facing phishing workflows?

Current-State Control Points

Control Point              | What to Capture
---------------------------|--------------------------------------------------------------------------------------
MX and ingress routing     | Internet-facing entry point, MX dependencies, failover path, third-party relays
ESA policy enforcement     | Spam, malware, URL filtering, content filters, DLP, encryption, quarantine, message tracking
Mail delivery target       | Exchange Online, hybrid Exchange, shared mail relays, SaaS routing, internal appliances
User remediation workflow  | Quarantine review, help desk escalation, release workflow, phishing reporting path
Logging and SIEM feed      | Syslog, API, export jobs, dashboards, retention, ownership
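The MX and ingress questions above are the ones most often answered from memory rather than from DNS. The script below is an added example, not part of this page or of any vendor tooling: it takes a domain's MX and SPF records and classifies each hop as Cisco ESA, Microsoft 365 Exchange Online Protection, or unknown, then flags the architectural points the migration needs (which hop is the internet-facing edge, whether a lower-priority M365 MX already provides a path that bypasses ESA on failover, and what the SPF record says about authorized senders). The ESA hostname suffix and all sample records are constructed assumptions; the only real identifiers used are the M365 MX suffix mail.protection.outlook.com and the SPF include spf.protection.outlook.com. Live records would come from a DNS lookup (for example with dnspython, assumed) in place of the embedded sample.

```python
"""Inventory a domain's inbound mail ingress path from MX and SPF records.

Added example for the current-state inventory; not part of the original page.
Sample records are constructed so the script runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower preference is tried first
    host: str


# Hostname suffix -> category. The ESA suffix is an ASSUMPTION for this
# example; replace it with the organisation's real ESA listener hostnames.
KNOWN_SUFFIXES = (
    ("mail.protection.outlook.com", "m365-eop"),   # real M365 EOP MX suffix
    ("esa.corp.example", "cisco-esa"),             # assumed on-prem ESA suffix
)


def classify_host(host: str) -> str:
    """Map an MX hostname to a known gateway category, or 'unknown'."""
    h = host.rstrip(".").lower()
    for suffix, label in KNOWN_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return label
    return "unknown"


def parse_spf(txt: str) -> dict:
    """Extract include targets, ip4/ip6 networks and the 'all' qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, networks, all_qualifier = [], [], None
    for term in terms[1:]:
        qualified = term[0] in "+-~?"
        qualifier = term[0] if qualified else "+"
        body = term[1:] if qualified else term
        if body.startswith("include:"):
            includes.append(body.split(":", 1)[1])
        elif body.startswith(("ip4:", "ip6:")):
            networks.append(body.split(":", 1)[1])  # split once: ip6 values contain ':'
        elif body == "all":
            all_qualifier = qualifier
    return {"includes": includes, "networks": networks, "all": all_qualifier}


def classify_ingress(mx_records: list, spf_txt: str) -> dict:
    """Order the MX hops, classify each, and list migration-relevant findings."""
    ordered = sorted(mx_records, key=lambda r: (r.preference, r.host))
    hops = [(r.preference, r.host, classify_host(r.host)) for r in ordered]
    spf = parse_spf(spf_txt)
    primary = hops[0][2] if hops else "none"
    findings = []
    if primary == "cisco-esa":
        findings.append("inbound edge is ESA: MX must be repointed before ESA is decommissioned")
    if primary != "m365-eop" and any(cat == "m365-eop" for _, _, cat in hops):
        findings.append("M365 EOP is a lower-priority MX: failover can deliver inbound mail around ESA")
    if primary == "unknown":
        findings.append("primary MX is an unrecognised host: document the upstream gateway or provider")
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unauthorized senders: spoofing controls rely on the gateway")
    return {"hops": hops, "primary_ingress": primary, "spf": spf, "findings": findings}


def sample_inventory() -> dict:
    """Run the classifier over constructed sample records for example.com."""
    mx = [
        MXRecord(10, "esa1.esa.corp.example"),                         # constructed
        MXRecord(10, "esa2.esa.corp.example"),                         # constructed
        MXRecord(20, "example-com.mail.protection.outlook.com"),       # constructed
    ]
    spf = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"
    return classify_ingress(mx, spf)


if __name__ == "__main__":
    result = sample_inventory()
    for pref, host, cat in result["hops"]:
        print(f"{pref:>4}  {host:<45} {cat}")
    print("primary ingress:", result["primary_ingress"])
    for finding in result["findings"]:
        print("-", finding)
```

The failover finding is the one that matters most for the rollback and cut-over plan: a backup MX that resolves to Exchange Online Protection means inbound mail already has a path that never touches ESA, so its policy enforcement is partial today regardless of what Abnormal replaces. Capture that before drawing the current-state diagram.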

Target-State Thinking

Abnormal changes the operating model:

  • ESA is an inline SMTP security gateway.

  • Abnormal is primarily an API-centric SaaS detection and response platform integrated with Microsoft 365.

That means the migration is not just a product swap. It is a control-plane redesign.

You need to document which protections move to:

  • M365 native controls

  • Abnormal behavioral detections

  • Sentinel analytics and response

  • operational process changes for analysts and end users

Architecture Deliverables

Minimum deliverables for this page family:

  • current mail flow diagram

  • future mail flow diagram

  • list of enforcement points lost, retained, or replaced

  • logging path before and after migration

  • rollback path if Abnormal enablement causes detection or workflow gaps