
Why do email attacks remain effective even when organisations use MFA?

MFA protects the login step, but many email attacks exploit the trust placed in a compromised or impersonated mailbox after authentication. Once an attacker is inside, they can abuse forwarding, delegation, and social trust. Identity assurance has to extend beyond sign-in to message-driven business actions.

Why This Matters for Security Teams

MFA blocks one doorway, but email compromise usually succeeds by turning a trusted mailbox into an execution channel. Attackers do not need to defeat the second factor if they can operate after sign-in through inbox rules, delegation, reply chains, and vendor or finance workflows that already trust the sender. That is why email attacks remain effective even in organisations with strong authentication. Guidance from the CISA cyber threat advisories consistently shows that initial access is only the starting point.

The deeper problem is that identity assurance for email is often treated as a login control instead of a message trust problem. Once an attacker gains access, the mailbox can be used to request payment changes, reset passwords, approve documents, or impersonate internal roles. NHIMG's research in The 52 NHI Breaches Report shows how compromise often persists through trusted automation and overlooked access paths rather than obvious sign-in failures. In practice, many security teams discover the real impact only after an internal mailbox has already been used to authorize a business action.

How It Works in Practice

Email attacks succeed because the mailbox is both an identity and a workflow control point. MFA verifies that a user, or an attacker with stolen session access, reached the inbox, but it does not verify whether the message is authentic, whether the request is expected, or whether the action is safe. That gap lets adversaries exploit human trust and business process trust at the same time. The threat pattern appears across phishing, business email compromise, OAuth consent abuse, forwarding-rule abuse, and delegated access misuse.

Once inside, attackers often avoid noisy actions. They create hidden forwarding rules, search for invoices or wire templates, harvest tokens from linked systems, and wait for a relevant thread before intervening. This is why frameworks such as the MITRE ATLAS adversarial AI threat matrix and real-world incident reporting are useful: they reinforce that post-authentication behaviour is where many attacks mature. For identity and secret-sprawl context, NHIMG's The State of Secrets in AppSec highlights how often organisations overestimate their control maturity while remediating exposed credentials slowly.

  • Enforce conditional access, but do not stop there.
  • Monitor mailbox forwarding, delegation, OAuth grants, and inbox rule creation.
  • Require step-up verification for payment, supplier, HR, and password-reset actions.
  • Use message authentication controls, but treat them as one layer, not the full answer.
  • Correlate email activity with impossible travel, device posture, and unusual sender-recipient patterns.
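
The monitoring bullet above (inbox rules, forwarding, delegation, OAuth grants) can be turned into a simple triage pass over audit events. The following is an added example, not code from the original article or from NHIMG: the events are constructed and only loosely modelled on Exchange/Microsoft 365 audit records, and the field and parameter names are assumptions. It also shows why a benign filing rule and an attacker's forward-and-delete rule differ only in their parameter combination, which is the friction point the next paragraph describes.

```python
# Added example, not from the original article: flags the post-authentication
# mailbox actions named in the list above (rules, forwarding, delegation, OAuth).
# Event shape and parameter names are assumptions loosely based on M365 audit logs.
from collections import namedtuple

# Rule parameters that send mail off the mailbox, and ones that hide it from the user.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
Finding = namedtuple("Finding", "user reason severity")  # severity: high/medium/low

def review_event(event: dict) -> list:
    """Return findings for one audit event (empty list if nothing stands out)."""
    op = event.get("Operation")
    params = event.get("Parameters", {})
    user = event.get("UserId", "?")
    out = []
    if op == "New-InboxRule":
        exfil = not EXFIL_PARAMS.isdisjoint(params)
        hide = not HIDE_PARAMS.isdisjoint(params)
        if exfil and hide:   # copy mail out, then remove the evidence from the inbox
            out.append(Finding(user, "rule forwards and hides matching mail", "high"))
        elif exfil:
            out.append(Finding(user, "rule forwards or redirects mail", "medium"))
        elif hide:           # same shape as an ordinary filing rule, so low only
            out.append(Finding(user, "rule moves or deletes mail", "low"))
    elif op == "Set-Mailbox" and params.get("ForwardingSmtpAddress"):
        out.append(Finding(user, "mailbox-level forwarding enabled", "high"))
    elif op == "Add-MailboxPermission" and params.get("AccessRights") == "FullAccess":
        out.append(Finding(user, "FullAccess delegation granted", "medium"))
    elif op == "Consent to application.":
        out.append(Finding(user, "OAuth consent granted to an application", "medium"))
    return out

def review_log(events: list) -> list:
    return [f for e in events for f in review_event(e)]

def users_to_escalate(events: list) -> set:
    """Users with at least one high-severity finding (candidates for step-up or IR)."""
    return {f.user for f in review_log(events) if f.severity == "high"}

# Constructed sample: a benign filing rule, a forward-and-delete rule keyed on
# "invoice", and an OAuth consent from the same account.
SAMPLE_EVENTS = [
    {"UserId": "alice@example.test", "Operation": "New-InboxRule",
     "Parameters": {"Name": "newsletters", "MoveToFolder": "Reading"}},
    {"UserId": "bob@example.test", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice",
                    "ForwardTo": "ext@attacker.example", "DeleteMessage": True}},
    {"UserId": "bob@example.test", "Operation": "Consent to application.",
     "Parameters": {"AppId": "PLACEHOLDER-APP-ID"}},
]
```

Running `review_log(SAMPLE_EVENTS)` yields one low, one high and one medium finding; only bob is returned by `users_to_escalate`.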

These controls tend to break down in organisations with heavy exception handling, shared mailboxes, and high-trust finance or executive workflows because legitimate operational shortcuts can look identical to attacker tradecraft.

Common Variations and Edge Cases

Tighter email controls often increase friction for legitimate business operations, so organisations must balance user experience against the cost of compromise. That tradeoff becomes sharper in executive support, customer service, and procurement functions where speed matters and message-based authorisation is common. Current guidance suggests that MFA should be paired with stronger transaction verification, but there is no universal standard for how much friction is acceptable in every workflow.

Some attacks bypass the inbox entirely by abusing third-party integrations, stale sessions, or delegated admin access. Others use compromised accounts to send well-crafted internal messages that pass authentication checks and still persuade recipients to act. NHIMG’s Microsoft Midnight Blizzard breach illustrates how trusted communication paths can be weaponized even when perimeter assumptions hold. For emerging adversary behaviour, the Anthropic report on AI-orchestrated cyber espionage is a reminder that convincing, scalable social engineering is becoming easier to automate.

In practice, MFA remains necessary, but it is not sufficient for email security because the attacker’s real objective is often to weaponize trust after authentication, not to break authentication itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-01                Covers over-trusted identity paths and post-auth compromise in email ecosystems.
NIST CSF 2.0                       PR.AA-01              Identity proofing and auth controls must extend beyond sign-in to business actions.
NIST AI RMF                        -                     Risk management must account for trust abuse and human impact after authentication.

Evaluate email risk by downstream harm, then govern monitoring, escalation, and response accordingly.