Why do acquisitions increase business email compromise risk?

Acquisitions increase business email compromise (BEC) risk because oversight fragments while systems are changing, and attackers exploit the gap between inherited exposure and unified control. Legacy authentication, unreviewed inboxes, and delayed policy enforcement create a temporary trust window. In that window, identity controls are inconsistent enough for impersonation, mailbox abuse, and fraud to succeed.

Why This Matters for Security Teams

Acquisitions do not just add users and mailboxes. They add a second identity plane, inherited policy exceptions, and a period where neither side has full visibility into who can send, delegate, or reset access. That is exactly the condition business email compromise depends on: a trusted communication channel with inconsistent controls. NIST’s Cybersecurity Framework 2.0 treats identity governance and continuous monitoring as core security functions, but merger activity often delays both.

The practical risk is not limited to phishing. Attackers look for mailbox forwarding rules, stale service accounts, unmanaged domains, and legacy authentication paths that survive long enough to be abused. NHIMG’s 52 NHI Breaches Report shows how quickly credential exposure becomes operational compromise when oversight is fragmented. In practice, many security teams encounter BEC not through a clean takeover plan, but after an acquisition leaves a half-integrated email environment exposed to routine fraud.

How It Works in Practice

The first failure is usually identity sprawl. Two tenant environments, two help desks, and two sets of exception processes mean attackers only need one weak path to impersonate finance, legal, or executive staff. Acquired accounts may still rely on basic auth, older MFA enrollment, or weak recovery controls while central policies are being harmonized. That creates a temporary trust window where a convincing message can move money, redirect invoices, or request credential resets.

Security teams should think in terms of control convergence, not just mailbox migration. Current guidance suggests focusing on the controls that remove attacker leverage fastest:

  • Disable legacy authentication and verify conditional access coverage across both environments.
  • Review inbox delegation, forwarding rules, and external sharing before full tenant merge.
  • Inventory privileged mailboxes, finance aliases, and service accounts that can initiate payment or reset workflows.
  • Confirm that domain protections, DMARC enforcement, and sender validation are aligned after acquisition.
  • Monitor for unusual consent grants, OAuth app abuse, and impossible travel during the transition period.
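The mailbox review in the second and third bullets can be scripted against an export of inbox rules and forwarding settings. The following is an added example, not code from the article or from NHIMG; the field names mirror the shape of an Exchange Online inbox-rule and mailbox export but are assumptions, and the two internal domains and the sample mailbox are constructed.

```python
from typing import Dict, List

# Assumed: the acquirer's and the acquired company's accepted mail domains.
INTERNAL_DOMAINS = {"acme.example", "acquired.example"}
# Folders a forward-and-hide rule typically moves mail into so the owner never sees it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}

def is_external(addr: str) -> bool:
    """True if the address's domain is not one of the merged estate's domains."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def assess_rule(rule: Dict) -> List[str]:
    """Return findings for one inbox rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append("external forward: " + ", ".join(external))
    if targets and rule.get("DeleteMessage"):
        findings.append("forward-and-delete hides mail from the owner")
    if targets and rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append("forward-and-move to " + rule["MoveToFolder"])
    if rule.get("Name", "").strip() in ("", ".", ",", "-"):
        findings.append("blank or single-character rule name")
    return findings

def assess_mailbox(mailbox: Dict) -> List[str]:
    """Combine mailbox-level forwarding and per-rule findings into one report."""
    findings: List[str] = []
    fwd = mailbox.get("ForwardingSmtpAddress")
    if fwd and is_external(fwd):
        findings.append("mailbox-level forward to " + fwd)
    for rule in mailbox.get("InboxRules", []):
        for f in assess_rule(rule):
            findings.append(f"rule '{rule.get('Name', '')}': {f}")
    return findings

# Constructed sample: an accounts-payable mailbox inherited from the acquired tenant.
SAMPLE_MAILBOX = {
    "Identity": "ap@acquired.example",
    "ForwardingSmtpAddress": None,
    "InboxRules": [
        {"Name": "Invoices", "ForwardTo": ["treasury@acme.example"]},
        {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
         "ForwardTo": ["billing.acme@mail.example"], "DeleteMessage": True},
    ],
}

if __name__ == "__main__":
    for line in assess_mailbox(SAMPLE_MAILBOX):
        print(line)
```

Run it over every mailbox in both tenants before the merge; the benign internal routing rule produces no findings, while the second rule is reported three times over.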

For teams managing a broader identity estate, NHIMG’s Top 10 NHI Issues is a useful reminder that the same exposure pattern often appears in non-human accounts too: inherited access persists longer than expected, and attackers target whichever identity is least governed. The security lesson is to collapse uncertainty quickly by enforcing one control standard, one review path, and one incident response threshold. These controls tend to break down when acquisitions rely on phased coexistence for too long because mail routing, identity sync, and exception handling create exploitable gaps.

Common Variations and Edge Cases

Tighter email and identity controls often increase operational overhead, requiring organisations to balance fraud reduction against deal velocity and user disruption. That tradeoff is real, especially in regulated industries or cross-border acquisitions where tenant consolidation cannot happen immediately.

Best practice is evolving, but current guidance suggests treating high-risk groups first: executives, treasury, accounts payable, HR, and IT admins. Those roles are disproportionately valuable to attackers because they can approve payments, approve resets, or broaden access. When acquisitions include subsidiaries with different identity providers, the cleanest approach is usually temporary isolation plus aggressive policy normalization rather than broad trust extension.

There are also edge cases where standard BEC controls miss the real problem. If the acquired company uses outsourced IT, federated mail routing, or shared support inboxes, attackers may target the provider relationship instead of the tenant itself. For a broader view of why identity exposure persists across environments, NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now explains how fragmented ownership undermines timely control enforcement. In mergers, the weakest link is often not the new domain, but the old exception that no one has fully retired.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-4 | Acquisitions create inconsistent access control across mail and identity systems. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Inherited credentials and stale access are common post-acquisition abuse paths. |
| NIST AI RMF | | Risk governance must account for transition-driven identity and fraud exposure. |

Use AI RMF governance to define ownership, monitoring, and escalation during integration.