They should move beyond keyword and sender matching and evaluate messages against behavioural baselines, recipient history, and request context. The key test is whether the message fits how the organisation normally communicates. If it only passes because it avoids known bad patterns, it is still a risk, not a validated trust signal.
Why This Matters for Security Teams
Phishing that mimics ordinary business communication is harder to catch because it no longer relies on obvious tells like bad grammar, urgent wire-transfer language, or mismatched domains. Attackers increasingly copy tone, timing, and internal workflows, which means a message can look legitimate while still being malicious. Guidance from the NIST Cybersecurity Framework 2.0 and The 52 NHI breaches Report both reinforce the same operational lesson: trust cannot be inferred from surface form alone. For security teams, the challenge is to validate intent, context, and behavioural consistency before users act on the message.
This matters because modern phishing often aims to trigger a legitimate business process rather than a technical exploit. A request that appears normal may still be outside the sender’s usual behaviour, the recipient’s expected workflow, or the organisation’s typical approval path. In practice, many security teams discover this only after an employee has already replied, approved, or shared a secret, rather than through intentional detection design.
How It Works in Practice
Effective detection starts with behavioural baselines, not static indicators. Security tools should score messages against known communication patterns for the sender, recipient, and business unit: usual contact frequency, language style, reply chains, file-sharing habits, and time-of-day norms. When a message asks for a payment change, credential reset, or document transfer, the system should ask whether that request fits the relationship history and the current business context.
That is why message inspection should combine multiple signals:
- Sender history and recent account activity, including first-time contacts and unusual forwarding paths
- Recipient context, such as whether the request aligns with the person’s role and prior approvals
- Conversation continuity, including whether the thread is genuine or freshly constructed
- Request type, especially when the ask involves secrets, payment instructions, or external sharing
- Language and timing anomalies, even when the message passes domain authentication checks
For teams building detection content, the practical aim is to flag messages that are plausible but inconsistent. That means integrating mail telemetry with identity, collaboration, and endpoint data so the system can distinguish a routine invoice reminder from a credential-harvesting lure. The Top 10 NHI Issues and CISA cyber threat advisories both point to the same operational requirement: detections need context-aware controls, not just blocklists. These controls tend to break down when organisations lack historical communication data for new vendors, mergers, or shared mailboxes because the baseline itself is incomplete.
Common Variations and Edge Cases
Tighter detection often increases false positives, so organisations must balance resilience against analyst workload and user friction. That tradeoff is especially visible in finance, legal, executive support, and procurement, where unusual requests can be legitimate but high risk. Current guidance suggests treating these cases as workflow validation problems, not just email filtering problems, because the real decision is whether the request matches the business process that should exist.
There is no universal standard for this yet, but best practice is evolving toward risk-based response tiers: warn on anomalies, step-up verify on sensitive requests, and require out-of-band confirmation for actions involving payments or secrets. The Ultimate Guide to NHIs — Why NHI Security Matters Now and the Anthropic — first AI-orchestrated cyber espionage campaign report are useful reminders that attackers adapt quickly and automate persuasion at scale. Detection programs also need special handling for multilingual teams, highly automated shared inboxes, and externally managed vendors, where normal-looking communication can still be an adversary-controlled entry point.
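The signal list under "How It Works in Practice" and the response tiers above, combined into one scorer. This is an added illustration, not code from the original page or from NHI Mgmt Group; the relationship baseline, the request-type names and the addresses are constructed sample data, and the tier thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed relationship baselines (sample data, not real telemetry). In a real
# deployment these come from historical mail, identity and workflow records.
BASELINE: Dict[Tuple[str, str], dict] = {
    ("cfo@example.com", "ap-clerk@example.com"): {
        "usual_hours": range(8, 18),                 # local hours seen in past traffic
        "seen_request_types": {"invoice_reminder"},  # what this pair normally asks for
    },
}
SENSITIVE = {"payment_change", "credential_reset", "secret_share", "external_share"}
OUT_OF_BAND = {"payment_change", "secret_share"}   # payments or secrets: confirm off-channel

@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    request_type: str
    in_existing_thread: bool     # genuine prior thread, or freshly constructed?
    recipient_can_approve: bool  # does the recipient's role normally handle this ask?
    dmarc_pass: bool             # recorded only; passing authentication lowers nothing

def anomalies(msg: Message) -> List[str]:
    """Reasons the message is inconsistent with the sender/recipient relationship."""
    reasons = []
    base = BASELINE.get((msg.sender, msg.recipient))
    if base is None:
        reasons.append("first-time contact for this sender/recipient pair")
    else:
        if msg.sent_at.hour not in base["usual_hours"]:
            reasons.append("outside the hours this pair normally communicates")
        if msg.request_type not in base["seen_request_types"]:
            reasons.append("request type never seen in this relationship")
    if not msg.in_existing_thread:
        reasons.append("thread is freshly constructed, not a continuation")
    if not msg.recipient_can_approve:
        reasons.append("recipient role does not normally approve this request")
    return reasons

def response_tier(msg: Message) -> str:
    """Map request type and anomaly count to warn / step-up / out-of-band tiers."""
    n = len(anomalies(msg))
    if msg.request_type in OUT_OF_BAND:
        return "out-of-band-confirm"
    if msg.request_type in SENSITIVE or n >= 3:   # threshold is an assumption
        return "step-up-verify"
    return "warn" if n else "allow"
```

A routine invoice reminder from a known pair in a live thread scores no anomalies, while the same pair asking for a payment change in a fresh thread is routed to out-of-band confirmation regardless of DMARC.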
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to spot anomalous messaging patterns and risky requests. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Phishing often targets secrets and authentication artifacts used by NHIs. |
| NIST AI RMF | | AI risk governance supports context-aware detection and response to deceptive messages. |
Correlate email, identity, and workflow telemetry to detect message-context anomalies in real time.