Attackers have found a consistent way to bypass secure email gateway (SEG) filters and get to the inbox. We've written about it a lot lately, in large part because we continue to see tons of examples of it. See blogs about The Static Expressway, the Google Docs Exploit, the Flex On 'Em attack, the PhishGun Attack, the Flipping Out Attack and many, many more.
How does it work? Simple. Hackers leverage sites that are already on static allow lists. They embed phishing content in pages hosted on these services. Because the service itself is on the allow list, an email that links to it can sail right through to the inbox.
Oftentimes, like in this email that bypassed Mimecast, the email itself looks quite convincing and professional. On the surface, this looks like a standard RFP.
The problem is the RFP link. It's a link to an Adobe Spark custom page.
The Adobe Spark page in question has since been taken down due to various ToS violation reports.
Until a fix is created, these sorts of attacks will continue to proliferate against SEGs.
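The Python below is an added example, not code from this post or from any SEG product. It compares a host-only static allow list with a policy that still scans links to allow-listed hosts where third parties can publish pages, and reports the links on which the two disagree. All hostnames, list contents and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed data: every name under .example is a placeholder, not a real service.
STATIC_ALLOW_LIST = {"trusted-host.example", "corp.example"}
# Assumption: allow-listed hosts on which any customer can publish a page.
USER_CONTENT_HOSTS = {"pages.trusted-host.example"}

def host_of(url):
    """Lowercased hostname of a URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches(host, entries):
    """True if host equals an entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)

def static_verdict(url):
    """Host-only allow list: a listed host is delivered without inspection."""
    return "deliver" if matches(host_of(url), STATIC_ALLOW_LIST) else "scan"

def content_aware_verdict(url):
    """Trust a listed host only when its owner also controls the page content."""
    host = host_of(url)
    if matches(host, USER_CONTENT_HOSTS):
        return "scan"  # trusted platform, untrusted page author
    return "deliver" if matches(host, STATIC_ALLOW_LIST) else "scan"

def audit(urls):
    """Links the static list delivers but the content-aware policy would scan."""
    return [u for u in urls
            if static_verdict(u) == "deliver"
            and content_aware_verdict(u) == "scan"]

SAMPLE_LINKS = [  # constructed sample links
    "https://pages.trusted-host.example/page/rfp",
    "https://intranet.corp.example/policies",
    "https://unknown-site.example/login",
    "https://nottrusted-host.example/",
]

if __name__ == "__main__":
    for link in audit(SAMPLE_LINKS):
        print("delivered unscanned by static allow list:", link)
```

Running `audit` over the links seen in delivered mail shows which allow-list entries are being relied on for content the listed service does not author.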