They fail when the lure tells the recipient to leave the protected click path and navigate manually to the destination. At that point, the control no longer mediates the browser request, and the attacker can present a credential-harvesting page outside the normal inspection flow. Manual navigation prompts should therefore be treated as a control-evasion indicator.
Why This Matters for Security Teams
Link-rewriting and sandboxing are designed to keep the user inside a mediated click path, where the mail security stack can inspect the destination, block known-bad content, and apply policy before the browser reaches the page. That model weakens as soon as an email tells the recipient to stop clicking and instead type, search, or copy a URL manually. The control is then bypassed by user behaviour, not broken by malware, which makes detection and response slower.
This is a common failure mode in credential harvesting because the attacker only needs the user to leave the protected path once. The same pattern shows up in broader phishing tradecraft documented by CISA cyber threat advisories, where social engineering turns defensive controls into background noise. NHI Management Group’s The 52 NHI breaches Report and Top 10 NHI Issues both reinforce the larger lesson: attackers often succeed by moving the victim outside the point where security tooling still has visibility.
In practice, many security teams encounter this only after a user has already typed credentials into an attacker-controlled page rather than through intentional control testing.
How It Works in Practice
Link-rewriting and sandboxing still matter, but they are only effective when the destination is reached through the inspected link. Once the lure instructs manual navigation, the mail gateway no longer mediates the request, the sandbox never sees the real page load, and the browser visits whatever the user types. That is why this tactic is so effective against brand impersonation, OAuth consent phishing, and lookalike login portals.
Operationally, teams should treat “go to this site manually” language as a control-evasion signal, not a harmless convenience. The best response is layered:
- Train users to avoid copying URLs from suspicious messages and to verify destinations through trusted bookmarks or internal portals.
- Use URL and domain monitoring to detect newly registered lookalikes that match active campaigns.
- Enforce phishing-resistant authentication where possible so harvested passwords alone are not enough.
- Instrument email telemetry for instructions that shift the user outside the protected click flow.
Threat intelligence can help prioritise recurring lure patterns, especially where attackers mix email delivery with broader identity abuse. The Anthropic report on AI-orchestrated cyber espionage is a reminder that automated adversaries can scale social engineering quickly, while the LLMjacking research shows how stolen identities can be used to amplify downstream abuse once initial access is gained. These controls tend to break down in high-volume mailbox environments because users are moving quickly and security teams cannot manually review every lure.
Common Variations and Edge Cases
Tighter mail filtering often increases false positives and user friction, so organisations have to balance blocking more lures against keeping business email usable. Best practice is evolving here, because there is no universal standard for how aggressively to intercept manual-navigation prompts versus legitimate instructions from vendors or partners.
One edge case is the “safe” document or support flow that asks the recipient to open a portal in a browser, then sign in separately. That can look normal to a user while still bypassing link-rewriting if the attacker controls the destination name or search results. Another is mobile email, where copy-paste behaviour and app switching reduce visibility and make sandbox assumptions weaker.
Security teams should also consider brand impersonation pages that do not immediately ask for a password. Attackers may first collect email addresses, MFA codes, or recovery answers, then pivot to a second-stage login page. Current guidance suggests treating any email that pushes the user outside the protected path as suspicious, even if the initial message contains no link at all. The DeepSeek breach case underscores how quickly exposed identity material can become operational risk once attackers establish a foothold.
Where help desks, contractors, and executive assistants rely on fast manual workflows, these controls are most likely to fail because the attacker can hide inside routine exception handling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Manual navigation bypasses mediated link inspection and exposes identity workflows. |
| OWASP Agentic AI Top 10 | LLM-07 | Social engineering can steer users outside controlled paths, similar to agent prompt injection. |
| NIST AI RMF | Email lure handling is a governance and risk issue for deceptive AI-enabled attacks. |
Detect instructions that alter the approved execution path and block unsafe destination changes at runtime.
Related resources from NHI Mgmt Group
- Why do rules-based email controls fail against modern phishing and vendor impersonation?
- Why do traditional email security tools miss payload-less BEC attacks?
- Why do AI-driven attacks change the value of PAM and IAM controls?
- How should security teams evaluate identity controls against AI-driven attacks?
