Lateral phishing

Lateral phishing is the use of a compromised internal account to send malicious messages to other users or partners. Because the sender is trusted, detection becomes harder and the attack can spread through familiar communication channels before controls react.

Expanded Definition

Lateral phishing is a post-compromise abuse pattern in which an attacker uses a legitimate internal account to send malicious messages to other employees, contractors, or partners. Because the message originates from a trusted sender, it often bypasses the suspicion that normally follows external phishing. In NHI security, the concept matters because the same trust relationship that protects collaboration can also accelerate spread across mailboxes, chat tools, and workflow systems. The control problem is not just message content, but the authority attached to the account and the downstream access it can reach.

Definitions vary across vendors on whether lateral phishing must begin with a fully compromised account or can include hijacked sessions, token theft, and OAuth abuse. NHI Management Group treats the term as an outcome of trust abuse, not just an email problem. That aligns with the broader identity lens used in the NIST Cybersecurity Framework 2.0, where identity, detection, and response need to work together. The most common misapplication is treating it as ordinary phishing filtering, which occurs when defenders ignore internal sender reputation and account-to-account trust paths.

Examples and Use Cases

The scenarios below show the pattern in practice. Defending against it rigorously adds friction to internal communication, so organisations have to weigh fast collaboration against tighter verification and anomaly detection.

  • A compromised finance mailbox sends a payment-update link to vendors, using the sender’s known relationship to reduce suspicion.
  • An attacker uses a hijacked executive account to request urgent document access from assistants and project teams.
  • A stolen internal token is used to trigger automated notifications in a collaboration platform, pushing recipients toward a malicious sign-in page.
  • After a service account is abused, trust-based messages are sent from a shared mailbox to spread the attack laterally across departments.
  • Security teams correlate suspicious internal mail patterns with identity telemetry and offboarding failures described in the Ultimate Guide to NHIs, then map controls to NIST Cybersecurity Framework 2.0 to harden detection and response.

In practice, the term is also used for partner-facing abuse, where a trusted internal account sends a malicious file or link to external collaborators and the attack spreads beyond the original tenant.

Why It Matters in NHI Security

Lateral phishing becomes especially dangerous when compromised NHIs or human accounts have broad messaging permissions, access to distribution lists, or authority to trigger automated workflows. The risk is amplified by weak visibility into internal identities and by secrets that remain active long after compromise. In its Ultimate Guide to NHIs, NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. That matters because a stolen credential can turn a trusted sender into a rapid delivery mechanism for fraud, credential theft, or malware.

Governance frameworks emphasize least privilege, verification, and monitoring, but the practical lesson is simpler: internal trust must be treated as conditional. Identity-aware detection should watch for unusual recipient clusters, impossible travel, new forwarding rules, and message bursts from accounts that normally do not initiate broad outreach. Organisational response also needs fast session revocation and credential rotation, not just mailbox cleanup. Organisations typically discover the true cost only after a trusted account has already propagated the lure internally, by which point containment across every recipient mailbox, and revocation of whatever the account could reach, are unavoidable.
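The detection signals listed above, run over a constructed audit log, as an added example (not NHI Management Group's code or any product's logic). The event schema, the per-sender baseline, the thresholds and the response mapping are all assumptions chosen for the demonstration; a real deployment would take these from the mail platform's audit feed and a longer behavioural baseline.

```python
"""Identity-aware lateral-phishing detection over constructed audit events.

Assumed (not from the page): event fields, baseline shape, thresholds.
Signals implemented: impossible travel, external forwarding rule,
send burst, and a cluster of never-before-contacted recipients.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organisation's own domain
BURST_WINDOW = timedelta(minutes=10)
BURST_FACTOR = 2                             # flag if sends in window > factor * hourly baseline
NEW_RECIPIENT_MIN = 5                        # at least this many never-seen recipients ...
NEW_RECIPIENT_RATIO = 0.5                    # ... and at least this share of all recipients
TRAVEL_WINDOW = timedelta(hours=1)           # two countries inside this window = impossible travel

# Constructed baseline: who each sender normally mails and how often.
BASELINE = {
    "finance@corp.example": {"known": {"vendor-a@ext.example", "cfo@corp.example"}, "sends_per_hour": 3},
    "alice@corp.example": {"known": {"bob@corp.example", "team@corp.example"}, "sends_per_hour": 2},
}

# Constructed sample events: a compromised finance mailbox and a normal user.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "type": "login", "actor": "finance@corp.example", "country": "GB"},
    {"ts": "2024-05-01T08:20:00", "type": "login", "actor": "finance@corp.example", "country": "NG"},
    {"ts": "2024-05-01T08:22:00", "type": "forwarding_rule_created",
     "actor": "finance@corp.example", "target": "drop@ext.example"},
    {"ts": "2024-05-01T09:00:00", "type": "send", "actor": "alice@corp.example",
     "recipients": ["bob@corp.example"], "subject": "lunch?"},
    {"ts": "2024-05-01T09:30:00", "type": "send", "actor": "alice@corp.example",
     "recipients": ["team@corp.example"], "subject": "standup notes"},
]
# Eight "payment update" mails in seven minutes to vendors finance has never mailed before.
EVENTS += [
    {"ts": f"2024-05-01T08:{25 + i:02d}:00", "type": "send", "actor": "finance@corp.example",
     "recipients": [f"vendor-{c}@ext.example"], "subject": "Updated remittance details"}
    for i, c in enumerate("bcdefghi")
]


def _t(s):
    return datetime.fromisoformat(s)


def analyze(events, baseline):
    """Return {actor: [(signal, detail), ...]} for actors that trip at least one signal."""
    events = sorted(events, key=lambda e: _t(e["ts"]))
    findings = defaultdict(list)
    sends, logins = defaultdict(list), defaultdict(list)

    for e in events:
        actor, ts = e["actor"], _t(e["ts"])
        if e["type"] == "login":
            # Impossible travel: a different country within TRAVEL_WINDOW of a prior login.
            for prev_ts, prev_country in logins[actor]:
                if prev_country != e["country"] and ts - prev_ts <= TRAVEL_WINDOW:
                    findings[actor].append(("impossible_travel", f"{prev_country}->{e['country']} in {ts - prev_ts}"))
                    break
            logins[actor].append((ts, e["country"]))
        elif e["type"] == "forwarding_rule_created":
            # Forwarding to an external mailbox is a classic persistence/exfil step after takeover.
            if e["target"].split("@")[-1] not in INTERNAL_DOMAINS:
                findings[actor].append(("forwarding_rule", e["target"]))
        elif e["type"] == "send":
            sends[actor].append((ts, set(e["recipients"])))

    for actor, lst in sends.items():
        base = baseline.get(actor, {"known": set(), "sends_per_hour": 1})
        # Burst: count sends inside a sliding window starting at each send.
        for i, (ts, _) in enumerate(lst):
            in_window = sum(1 for t2, _ in lst[i:] if t2 - ts <= BURST_WINDOW)
            if in_window > BURST_FACTOR * base["sends_per_hour"]:
                findings[actor].append(("burst", f"{in_window} sends within {BURST_WINDOW}"))
                break
        # Recipient cluster: many recipients this sender has never contacted before.
        all_rcpts = set().union(*(r for _, r in lst))
        new = all_rcpts - base["known"]
        if len(new) >= NEW_RECIPIENT_MIN and len(new) / len(all_rcpts) >= NEW_RECIPIENT_RATIO:
            findings[actor].append(("recipient_cluster", f"{len(new)} of {len(all_rcpts)} recipients never contacted before"))
    return dict(findings)


# Assumed response mapping: every signal leads to rotation, not just mailbox cleanup.
ACTIONS = {"impossible_travel": "revoke_sessions", "forwarding_rule": "delete_forwarding_rule",
           "burst": "block_outbound", "recipient_cluster": "block_outbound"}


def response_plan(findings):
    """Map findings to containment actions per actor (sorted for stable output)."""
    plan = {}
    for actor, items in findings.items():
        actions = {ACTIONS[kind] for kind, _ in items} | {"rotate_credentials"}
        if len(items) >= 2:
            actions.add("quarantine_sent_messages")   # recall what already went out
        plan[actor] = sorted(actions)
    return plan


if __name__ == "__main__":
    found = analyze(EVENTS, BASELINE)
    for actor, items in found.items():
        print(actor, items)
    print(response_plan(found))
```

Each signal is weak on its own (a new vendor list or a single foreign login is routine), which is why the plan escalates to quarantining already-sent messages only when signals stack. Rotation is unconditional because, as the guidance above notes, a compromised account's tokens and app passwords remain valid after the mailbox is cleaned up.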

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 Secret Leakage | Leaked tokens, keys and account secrets are what let an attacker act as a trusted internal sender.
NIST CSF 2.0 | PR.AA-05 (least privilege; PR.AC-4 in CSF 1.1) | Least-privilege access limits how far a compromised internal account can spread.
NIST CSF 2.0 | DE.CM-01 / DE.CM-03 | Continuous monitoring of network services and of personnel and account activity makes anomalous internal messaging a detectable condition.

Inventory, protect, and rotate NHI credentials so abused accounts cannot relay malicious messages.