Subscribe to the Non-Human & AI Identity Journal

Conversational phishing

A social engineering tactic that begins with a benign or topical exchange and gradually moves the target toward clicking a link, sharing credentials, or opening a file. The attack gains power from trust built in the conversation, not from a malicious attachment alone.

Expanded Definition

Conversational phishing is a social engineering technique that uses an apparently routine exchange to lower suspicion before steering the target toward a harmful action. In NHI and AI-agent environments, the tactic is especially effective because the conversation can unfold across chat, email, collaboration tools, or agent-to-human workflows, where trust is built incrementally rather than triggered by a single obvious lure.

This term overlaps with classic phishing, but the distinguishing feature is progression. The attacker may ask harmless questions first, reference a shared project, or impersonate a familiar workflow before requesting a link click, credential handoff, file approval, or OAuth consent. That makes the technique relevant to both human identity and machine identity abuse, including service accounts and delegated tokens. Guidance across vendors is still evolving, but the control objective is consistent with the NIST Cybersecurity Framework 2.0: verify requests, constrain trust, and reduce the blast radius of any single conversation.

The most common misapplication is treating it as ordinary spam, which occurs when teams focus on message content alone and ignore the relationship-building sequence that precedes the payload.

Examples and Use Cases

Implementing defences against conversational phishing rigorously often introduces friction in day-to-day collaboration, requiring organisations to weigh user convenience against stronger verification and approval steps.

  • A threat actor enters a support chat, asks about a routine account issue, then sends a link that leads to a fake login or consent screen.
  • A malicious actor impersonates a vendor or teammate in a messaging app, gradually requesting “temporary” access to a shared workspace, token, or API key.
  • An attacker targets an AI assistant workflow, as seen in the CoPhish OAuth Token Theft via Copilot Studio case, where conversational framing is used to obtain authorisation rather than force a direct exploit.
  • Security teams train employees to validate requests through a separate channel before approving file shares, workflow changes, or credential resets.
  • In high-risk environments, responders compare the exchange pattern against guidance in NIST Cybersecurity Framework 2.0 functions such as Protect and Detect, then escalate if the request deviates from expected process.

Why It Matters in NHI Security

Conversational phishing matters in NHI security because the target is often not just a person, but the privileges, tokens, and delegated access that the person can reach. NHI Mgmt Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which means a single successful conversation can become an entry point into automated systems, integrations, and agent workflows. The risk is amplified when secrets are handled casually or when approval paths are weak, because an attacker only needs one believable back-and-forth to obtain a reusable credential or consent grant.

That is why governance must cover how chat-based requests are validated, how agent actions are approved, and how access is revoked after suspicious interaction. The issue is not limited to classic email phishing; it also appears in collaboration platforms, help desks, and AI agent interfaces where trust is inferred from tone and context. Organisational response improves when teams tie this behaviour to broader identity controls, including Ultimate Guide to NHIs guidance on visibility and secret governance, and to the NIST CSF emphasis on access control and monitoring.

Organisations typically encounter account misuse only after an unexpected approval, token grant, or data exfiltration, at which point conversational phishing becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers secret handling and token exposure patterns that conversational phishing often tries to obtain.
OWASP Agentic AI Top 10 A1 Agent prompt and workflow manipulation often starts as conversational phishing.
NIST CSF 2.0 PR.AC-1 Identity verification and access governance are central when a conversation seeks privileged action.
NIST Zero Trust (SP 800-207) SC-23 Zero Trust requires continuous verification, which limits trust built by conversation alone.
NIST AI RMF AI risk management addresses manipulation of human-AI interactions and downstream harm.

Assess conversational abuse paths and add controls for user confirmation, logging, and escalation.