Because rules only detect conditions they already know how to express. Attackers can change wording, timing, sender patterns, or delivery methods and still appear legitimate. That means a rules engine can be accurate for known threats while remaining blind to slightly changed versions of the same attack.
Why This Matters for Security Teams
Static email rules were built for patterns that stay mostly stable, but impersonation campaigns now shift wording, sender infrastructure, reply paths, and delivery timing to stay just outside those signatures. That is why a rule set can look effective in testing and still miss real-world abuse, especially when attackers reuse legitimate cloud services or compromise trusted accounts. NHI Management Group has documented how identity abuse and secret exposure repeatedly become the control plane for broader compromise in the 52 NHI Breaches Analysis and the Ultimate Guide to NHIs — Key Challenges and Risks.
The operational risk is not only phishing volume, but business email compromise that looks internally consistent enough to pass simple checks while still driving payment fraud, credential theft, or mailbox takeover. Current guidance from CISA cyber threat advisories continues to emphasize layered detection because no single rule set can keep pace with attacker variation. In practice, many security teams encounter impersonation only after a user has already replied, forwarded a message, or approved a fraudulent action.
How It Works in Practice
Static rules miss modern impersonation because they are usually built around known indicators: exact sender domains, suspicious keywords, malformed headers, or a fixed sequence of events. Attackers do not need to break those rules directly; they only need to change enough of the email to fall outside them. That includes using lookalike domains, compromised legitimate accounts, thread hijacking, clean wording generated at scale, or replies that arrive from a trusted mailbox after initial contact. The result is that the message still feels legitimate to a rules engine, even when the intent is fraudulent.
Practitioners increasingly pair email controls with identity-aware verification and behaviour-based detection. That means checking who is sending, from where, and in what context, rather than only scanning message content. Anthropic’s report on an AI-orchestrated cyber espionage campaign is a useful reminder that automation can scale both social engineering and post-delivery abuse, which is why high-risk actions need verification beyond content checks. NHI Management Group’s Top 10 NHI Issues also highlights how identity trust breaks when systems rely on static assumptions instead of runtime context.
- Use rules for known patterns, but add anomaly detection for unusual send times, reply chains, and mailbox behaviour.
- Verify high-risk requests through out-of-band approval, especially for payments, payroll, and credential resets.
- Reduce trust in sender display names and focus on domain validation, authentication, and mailbox reputation.
- Treat compromised legitimate accounts as a primary threat, not an edge case.
These controls tend to break down in organisations with high-volume inbound email, legacy mail gateways, and weak identity verification for internal requests because legitimate and malicious traffic look operationally similar.
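The following is an added example, not code from the original article or from any product it mentions: a small layered scorer that keeps the static content rule a classic engine already applies (payment keywords) and adds the identity and behaviour signals recommended above: authentication results, display-name versus sender-domain mismatch, lookalike domains, Reply-To divergence, and send time checked against a per-sender baseline. The trusted domains, directory entry, baseline hours, thresholds and the three sample messages are all constructed for the example; the point it makes is that a message from a compromised legitimate mailbox scores the same as a benign one under the static rule alone and is separated only by the behavioural signals.

```python
"""
Added example (not from the article): layered scoring of inbound mail.
All reference data, thresholds and messages below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference data (assumed for the example).
TRUSTED_DOMAINS: Set[str] = {"example.com", "partner.example"}
DIRECTORY: Dict[str, str] = {"Dana Finance": "dana@example.com"}  # display name -> real address
PAYMENT_KEYWORDS = ("wire", "invoice", "bank details", "payroll")
BASELINE_SEND_HOURS: Dict[str, Set[int]] = {"dana@example.com": set(range(8, 18))}  # UTC hours seen before


@dataclass
class Message:
    from_display: str
    from_addr: str
    reply_to: str              # empty string when the header is absent
    auth: Dict[str, str]       # e.g. {"spf": "pass", "dkim": "pass", "dmarc": "pass"}
    sent_at: datetime          # timezone-aware
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None (exact matches excluded)."""
    for t in sorted(trusted):
        if domain != t and levenshtein(domain, t) <= max_dist:
            return t
    return None


def score_message(msg: Message, layered: bool = True) -> Tuple[int, List[str]]:
    """Return (score, findings). layered=False keeps only the static content rule."""
    score, findings = 0, []
    text = f"{msg.subject} {msg.body}".lower()
    if any(k in text for k in PAYMENT_KEYWORDS):      # the classic static rule
        score += 1
        findings.append("payment_keywords")
    if not layered:
        return score, findings
    sender_domain = domain_of(msg.from_addr)
    if any(msg.auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        score += 2
        findings.append("auth_not_pass")
    if sender_domain not in TRUSTED_DOMAINS:
        near = lookalike_of(sender_domain, TRUSTED_DOMAINS)
        if near:
            score += 3
            findings.append(f"lookalike_of:{near}")
    real = DIRECTORY.get(msg.from_display)             # display name claims a known person
    if real and real.lower() != msg.from_addr.lower():
        score += 2
        findings.append("display_name_impersonation")
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        score += 2
        findings.append("reply_to_domain_mismatch")
    hour = msg.sent_at.astimezone(timezone.utc).hour
    usual = BASELINE_SEND_HOURS.get(msg.from_addr.lower())
    if usual and hour not in usual:                    # behaviour signal, not content
        score += 1
        findings.append("unusual_send_hour")
    return score, findings


def verdict(score: int) -> str:
    # Illustrative thresholds; tune them against your own false-positive budget.
    return "hold_for_review" if score >= 4 else "flag" if score >= 2 else "deliver"


UTC = timezone.utc
AUTH_OK = {"spf": "pass", "dkim": "pass", "dmarc": "pass"}
# Constructed samples: a lookalike domain, a compromised real mailbox, a benign note.
LOOKALIKE = Message("Dana Finance", "dana@examp1e.com", "", AUTH_OK,
                    datetime(2024, 5, 2, 10, 0, tzinfo=UTC),
                    "Urgent wire transfer", "Please process the attached invoice today.")
HIJACKED = Message("Dana Finance", "dana@example.com", "dana.finance@mail-example.net", AUTH_OK,
                   datetime(2024, 5, 2, 3, 5, tzinfo=UTC),
                   "Re: Q3 invoice", "Can you update the bank details before payment?")
BENIGN = Message("Dana Finance", "dana@example.com", "", AUTH_OK,
                 datetime(2024, 5, 2, 10, 0, tzinfo=UTC), "Lunch", "Still on for 12?")

if __name__ == "__main__":
    for name, m in (("lookalike", LOOKALIKE), ("hijacked", HIJACKED), ("benign", BENIGN)):
        static_score, _ = score_message(m, layered=False)
        score, findings = score_message(m)
        print(f"{name:9} static={static_score} layered={score} {verdict(score)} {findings}")
```

Run as a script, the hijacked message shows the gap the article describes: it passes SPF, DKIM and DMARC from the exact trusted domain, so the static rule gives it the same single point as the lookalike message, and it is the Reply-To divergence plus the off-hours send that push it into review.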
Common Variations and Edge Cases
Tighter email filtering often increases false positives and review overhead, so organisations have to balance user friction against the cost of missed impersonation. There is no universal standard for this yet, and current guidance suggests using layered controls rather than expecting one rule engine to cover every fraud path. The hardest edge cases are business email compromise, executive impersonation, and vendor invoice fraud, where the message is intentionally simple and the real deception happens in the relationship context rather than the text itself.
Rules also struggle when attackers weaponise legitimate infrastructure. A message sent from a compromised partner mailbox may pass authentication checks, and a convincing reply in an existing thread can bypass the assumptions behind classic filters. In those cases, mailbox access logs, unusual login geography, and payment workflow controls matter more than content signatures. The DeepSeek breach is a useful reminder that once trust in identity is lost, downstream abuse can spread quickly across systems and teams.
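As an added example (not code from the article), the following correlation rule works on mailbox access logs rather than message content, which is the shift the paragraph above argues for. It flags a sign-in from a country outside a user's baseline that is followed, within a short window, by a sensitive mailbox action such as a new inbox rule or an outbound send, and ignores the same actions when they follow a baseline sign-in. The log layout, users, IP addresses, country codes (ZZ is a placeholder) and baselines are constructed for the example.

```python
"""
Added example (not from the article): correlate anomalous mailbox sign-ins
with follow-on mailbox actions. Log format, users and baselines are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed per-user baseline of sign-in countries (assumed).
BASELINE_COUNTRIES: Dict[str, Set[str]] = {"dana@example.com": {"GB"}, "sam@example.com": {"GB", "IE"}}
SENSITIVE_EVENTS = {"New-InboxRule", "Set-Forwarding", "Send"}
WINDOW = timedelta(minutes=60)   # how long after an anomalous sign-in actions are tied to it

# Constructed sample log in a simple "timestamp key=value ..." layout ("ZZ" is a placeholder code).
SAMPLE_LOG = """\
2024-05-02T03:12:44Z user=dana@example.com event=Login country=ZZ ip=198.51.100.7
2024-05-02T03:14:10Z user=dana@example.com event=New-InboxRule country=ZZ rule=move:DeletedItems
2024-05-02T03:20:01Z user=dana@example.com event=Send country=ZZ to=ap@partner.example
2024-05-02T09:01:30Z user=sam@example.com event=Login country=IE ip=203.0.113.9
2024-05-02T09:05:12Z user=sam@example.com event=Send country=IE to=dana@example.com
2024-05-02T11:40:00Z user=dana@example.com event=Login country=GB ip=192.0.2.44
2024-05-02T11:45:00Z user=dana@example.com event=Send country=GB to=sam@example.com
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into a dict; the leading token is the ISO-8601 timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def to_dt(ts: str) -> datetime:
    # fromisoformat accepts a trailing "Z" only on newer Pythons, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(records: List[Dict[str, str]]) -> List[dict]:
    """Return one alert per out-of-baseline sign-in that was followed by sensitive actions."""
    records = sorted(records, key=lambda r: r["ts"])   # same-format ISO strings sort correctly
    alerts: List[dict] = []
    open_logins: Dict[str, dict] = {}                  # user -> alert for their latest anomalous sign-in
    for r in records:
        user, event = r["user"], r["event"]
        if event == "Login":
            if r["country"] in BASELINE_COUNTRIES.get(user, set()):
                open_logins.pop(user, None)            # a baseline sign-in closes the anomalous session
            else:
                alert = {"user": user, "login_at": r["ts"], "country": r["country"],
                         "ip": r.get("ip", ""), "actions": [], "severity": "high"}
                alerts.append(alert)
                open_logins[user] = alert
        elif event in SENSITIVE_EVENTS:
            login = open_logins.get(user)
            if login and to_dt(r["ts"]) - to_dt(login["login_at"]) <= WINDOW:
                login["actions"].append(f'{r["ts"]} {event}')
    return [a for a in alerts if a["actions"]]


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(f'{a["severity"].upper()} {a["user"]} signed in from {a["country"]} ({a["ip"]}) at {a["login_at"]}')
        for action in a["actions"]:
            print("   followed by", action)
```

On the sample data this raises a single alert for the 03:12 sign-in, tying the new inbox rule and the outbound send to it, while the later baseline sign-in and send from GB produce nothing; the inbox-rule-then-send sequence is the kind of post-compromise activity that passes every content signature because the mail genuinely comes from the trusted mailbox.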
For many organisations, the real tradeoff is not detection versus non-detection, but speed versus certainty. If approvals are too rigid, users route around controls; if they are too loose, impersonation succeeds. Best practice is evolving toward contextual checks, especially where a message can trigger money movement, secret disclosure, or privileged access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Static email rules fail when identity and trust signals are spoofed or compromised. |
| NIST CSF 2.0 | DE.CM-1 | Behavioural monitoring helps detect impersonation that signatures miss. |
| NIST AI RMF | | Context-aware decisioning reduces overreliance on brittle rules in dynamic threat settings. |
Add identity-centric controls so email actions depend on verified workload or user identity, not message text alone.