Accountability is shared across identity operations, email administrators, and the business owner of the mailbox. If the account was not offboarded, not protected with the right authentication, or not monitored for anomalous use, the gap is a governance failure as much as a security one.
Why This Matters for Security Teams
A compromised mailbox is rarely just an email problem. It can become a fraud engine for invoice diversion, payroll redirection, vendor impersonation, and internal trust abuse. Accountability is usually split because mailbox access sits at the intersection of identity lifecycle, email platform administration, and business process ownership. That is why NHI Management Group treats mailboxes as operational identities, not just user convenience accounts, especially when attackers chain them into broader abuse patterns like those seen in 52 NHI Breaches Analysis.
The failure mode is predictable: a mailbox remains active after offboarding, still accepts legacy authentication, or lacks alerting for anomalous forwarding, rule creation, and reply-chain abuse. Once an attacker controls the mailbox, they inherit the sender reputation, the business context, and often the implicit authority to request payment or reset access elsewhere. Anthropic's report on the first AI-orchestrated cyber espionage campaign reinforces a broader point: once a trusted account is hijacked, abuse moves quickly through legitimate channels. In practice, many security teams discover mailbox fraud only after funds have moved or a customer has already been deceived.
How It Works in Practice
Accountability is assigned across controls, but operational ownership should be explicit. Identity teams own lifecycle hygiene: provisioning, offboarding, authentication strength, and session revocation. Email administrators own mailbox security controls, message traceability, forwarding restrictions, and rule monitoring. The business owner owns the process risk, including who is authorised to request payments, change banking details, or approve sensitive actions. When any one of those layers fails, the organisation is exposed.
For detection and prevention, the practical guidance is to treat the mailbox as a high-value identity. That means disabling stale accounts quickly, enforcing phishing-resistant MFA where possible, reviewing delegated access, and monitoring for suspicious persistence such as inbox rules, OAuth grants, and external forwarding (both user-created rules and mailbox-level forwarding set by an administrator). In identity terms, the mailbox behaves like a credentialed service endpoint, which is why NHI governance applies. The Ultimate Guide to NHIs — Why NHI Security Matters Now frames this shift well: once an identity can send, receive, and trigger workflows, it becomes part of the trust fabric. Technical controls should be backed by business rules such as dual approval for payment changes and independent verification for high-risk requests.
- Map every shared, functional, and executive mailbox to a named business owner.
- Remove access immediately at termination and verify no legacy sessions remain.
- Alert on forwarding rule creation, impersonation patterns, and login anomalies.
- Tie risky actions to out-of-band verification, not email-only approval chains.
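The persistence and anomaly checks above (inbox rules, mailbox-level forwarding, OAuth grants, login anomalies) are concrete enough to show as detection logic. The block below is an added example written for this page, not code from NHI Management Group: it runs a handful of rules over constructed audit events. The event layout (an Operation, a UserId, and a Parameters list of name/value pairs) is loosely modelled on Exchange admin audit records, but the exact field names, the simplified `Scopes` and `Country` fields, the `example.com` internal domain, and the keyword and folder lists are all assumptions to tune for a real tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains treated as internal; any other recipient is external (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}
# Subject keywords that fraud-oriented inbox rules often match on; tune per organisation.
FRAUD_KEYWORDS = ("invoice", "payment", "bank", "wire", "remittance")
# Folders attackers commonly use to hide mail a rule has matched.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email"}
# OAuth permission names that give a third-party app control of a mailbox.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
# Two sign-ins from different countries closer together than this are suspicious.
TRAVEL_WINDOW = timedelta(hours=1)

# Constructed sample audit events (not real tenant data). Field names are assumptions
# loosely modelled on Exchange admin audit records.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@mail-relay.invalid"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",  # benign rule
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-Mailbox", "UserId": "helpdesk@example.com",  # admin-set forwarding
     "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave@outside.invalid"}]},
    {"Operation": "Consent to application.", "UserId": "erin@example.com",
     "Parameters": [{"Name": "Scopes", "Value": "Mail.Read Mail.Send offline_access"}]},
    {"Operation": "UserLoggedIn", "UserId": "frank@example.com",
     "CreationTime": "2024-05-06T09:00:00", "Country": "GB"},
    {"Operation": "UserLoggedIn", "UserId": "frank@example.com",
     "CreationTime": "2024-05-06T09:25:00", "Country": "NG"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "CreationTime": "2024-05-06T09:40:00", "Country": "GB"},
]


def _params(event):
    """Flatten the name/value parameter list into a dict (empty if absent)."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _is_external(address):
    """True when the address domain is not one of ours; tolerates the 'smtp:' prefix."""
    address = address.lower().removeprefix("smtp:")
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def detect_mailbox_persistence(events):
    """Return (mailbox, finding, detail) tuples for rule, forwarding and OAuth abuse."""
    findings = []
    for ev in events:
        op, user, p = ev.get("Operation"), ev.get("UserId", ""), _params(ev)
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [a for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                       for a in p.get(key, "").split(";") if a]
            external = [a for a in targets if _is_external(a)]
            if external:
                findings.append((user, "external_forwarding_rule", ";".join(external)))
            hides = (p.get("DeleteMessage") == "True"
                     or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
            subject = p.get("SubjectContainsWords", "").lower()
            if hides and any(k in subject for k in FRAUD_KEYWORDS):
                findings.append((user, "hidden_fraud_keyword_rule", subject))
        elif op == "Set-Mailbox":
            fwd = p.get("ForwardingSmtpAddress", "")
            if fwd and _is_external(fwd):
                # Attribute the finding to the mailbox changed, not the admin who changed it.
                findings.append((p.get("Identity", user), "mailbox_level_forwarding", fwd))
        elif op == "Consent to application.":
            granted = set(p.get("Scopes", "").split()) & MAIL_SCOPES
            if granted:
                findings.append((user, "oauth_mail_grant", " ".join(sorted(granted))))
    return findings


def detect_login_anomalies(events):
    """Flag users whose consecutive sign-ins come from different countries within TRAVEL_WINDOW."""
    logins = defaultdict(list)
    for ev in events:
        if ev.get("Operation") == "UserLoggedIn":
            logins[ev["UserId"]].append((datetime.fromisoformat(ev["CreationTime"]), ev["Country"]))
    findings = []
    for user, seen in logins.items():
        seen.sort()
        for (t1, c1), (t2, c2) in zip(seen, seen[1:]):
            if c1 != c2 and t2 - t1 <= TRAVEL_WINDOW:
                findings.append((user, "multi_country_login", f"{c1}->{c2} in {t2 - t1}"))
                break  # one alert per user per batch is enough for triage
    return findings


def triage(events):
    """Run both detectors and return a sorted list ready for alerting."""
    return sorted(detect_mailbox_persistence(events) + detect_login_anomalies(events))


if __name__ == "__main__":
    for mailbox, kind, detail in triage(SAMPLE_EVENTS):
        print(f"ALERT {kind:<28} {mailbox:<22} {detail}")
```

Two design points matter more than the specific rules. First, mailbox-level forwarding set through an admin cmdlet is attributed to the mailbox affected, not to the admin account, so the alert lands with the named business owner from the mapping above. Second, the country-change check is a crude stand-in for a proper impossible-travel model; in production it should be fed from sign-in logs with geolocation and a baseline per user, and the keyword and folder lists should come from the organisation's own fraud cases.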
These controls tend to break down in federated email environments where identity data, mail routing, and fraud review are split across different teams and no one owns the full response path.
Common Variations and Edge Cases
Tighter mailbox controls often increase administrative overhead, requiring organisations to balance fraud reduction against workflow friction and delayed business operations. The accountability model also changes with mailbox type. Shared mailboxes can blur individual responsibility, while executive inboxes create higher fraud impact because of their authority and visibility. Service mailboxes tied to ticketing or finance workflows may be even more dangerous because automated rules can propagate fraudulent messages into other systems.
There is no universal standard for this yet, but current practice is to treat the business owner as accountable for process misuse, the identity team as accountable for access hygiene, and the email/security team as accountable for monitoring and containment. Where compensation, procurement, or banking data is involved, organisations should add explicit control owners and documented response playbooks. For threat context, the research in LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows how quickly compromised identities can be turned into abuse channels, and the same lesson applies to mailboxes used for fraud. The practical limit is environments where email is deeply intertwined with legacy ERP or finance systems, because compromise then spans identity, process, and transaction layers at once.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Mailbox fraud often starts with an account that outlives its owner's tenure; weak identity lifecycle and access hygiene are the entry point. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials are managed by the organization) | Fraud prevention depends on issuing, reviewing, and revoking mailbox access and credentials. |
| NIST CSF 2.0 | DE.CM-03 (personnel activity and technology usage are monitored) | Anomalous mailbox behaviour, such as new forwarding rules or unusual sign-ins, must be monitored to detect fraud early. |
Assign owners, remove stale access fast, and treat mailboxes as governed NHIs.
Related resources from NHI Mgmt Group
- Who is accountable when a compromised business account is used for ad fraud or SSO pivoting?
- Who is accountable when compromised cloud identities are used for fraud?
- Who is accountable when account takeover fraud causes downstream losses?
- Who is accountable when a supplier account is used in a breach?