By NHI Mgmt Group Editorial Team | Published 2026-06-26 | Domain: Events | Source: Abnormal AI

TL;DR: EAB says its security team blocked thousands of phishing and business email compromise attacks across a partner ecosystem of 2,500+ education institutions after modernising email security and moving away from a legacy SEG, according to Abnormal AI. The case shows why email-layer controls now need to be judged on ecosystem reach, not inbox filtering alone.


At a glance

What this is: This is a webinar-based case study about EAB's email security changes and its claim that the new approach blocked thousands of phishing and BEC attacks.

Why it matters: It matters because partner ecosystems create identity and email trust problems that sit across human IAM, NHI-style delegated access, and fraud-resistant governance.

By the numbers:



Context

Email security becomes an identity problem when attacker-controlled messages target people, partner relationships, and delegated trust at the same time. In EAB's case, the question is not only whether spam is filtered, but whether a security programme can protect a broad partner ecosystem from phishing and business email compromise without creating operational drag.

That matters to IAM teams because email remains the control plane for resets, approvals, vendor communications, and exception handling. When legacy gateway or inbox-layer filtering fails to keep pace with attack volume, the organisation ends up treating fraud, identity abuse, and workflow friction as separate problems even though they arrive through the same channel.


Key questions

Q: How should security teams reduce business email compromise risk in partner-heavy environments?

A: They should treat email as an identity and workflow risk, not only a content-filtering problem. The highest-value controls are verification for sensitive requests, out-of-band confirmation for exceptions, and tighter ownership of partner-initiated changes. That approach reduces the chance that a convincing message can trigger a real business action.

Q: Why do legacy email gateways struggle with modern phishing campaigns?

A: Legacy gateways often depend on signatures, reputation, and static policy checks, which are weak against impersonation, compromised senders, and context-driven social engineering. Attackers increasingly use legitimate-looking messages and trusted relationships, so the control gap is in behavioural interpretation and workflow protection rather than simple message blocking.

Q: What should organisations review when email can change identity or payment state?

A: They should review every workflow where a message can trigger access changes, account resets, payment updates, or vendor modifications. Those processes need stronger approval, clear ownership, and a second verification path. If the email trail is the only control, the organisation is effectively letting the quality of the attacker's impersonation decide whether the action goes ahead.

Q: How do teams know if email security is actually protecting the business?

A: They should measure whether suspicious messages are being stopped before they reach decision-makers and whether risky workflows still depend on inbox trust. If phishing still reaches the people who can approve changes, or if partner requests bypass verification, the programme is reducing noise but not materially lowering business compromise risk.


Background and context

Why legacy SEG filtering breaks under modern phishing pressure

A secure email gateway, or SEG, primarily inspects messages at the perimeter using signatures, reputation, and policy rules. That model struggles when attackers use compromised accounts, social engineering, or low-and-slow campaigns that look legitimate enough to pass basic checks. Modern phishing and business email compromise often depend on context rather than obvious malware, so the control failure is usually detection depth, not simple message volume. In a partner ecosystem, the problem expands because trusted senders and delegated communication patterns make abuse harder to separate from normal business traffic.

Practical implication: measure email controls against abuse patterns and trusted-domain impersonation, not just spam block rates.

How business email compromise turns trust relationships into an attack path

BEC is less about malware and more about convincing a person or process to approve a fraudulent action. Attackers exploit organisational trust chains, such as vendor payment changes, executive impersonation, and partner notifications, because those workflows often bypass technical controls once a message looks plausible. In education ecosystems, where one organisation may communicate with many institutions, the blast radius is broader than a single mailbox. The governance issue is that email controls and identity controls are often managed separately, even though the attacker is aiming at both human decision-making and workflow authorisation.

Practical implication: add approval verification and out-of-band confirmation to any email-driven workflow that can move money, data, or access.

What ecosystem-scale email risk means for identity governance

When one security team is responsible for protecting both its own staff and a large partner network, email security stops being a mailbox problem and becomes a trust-governance problem. The control question shifts to whether the organisation can distinguish normal delegated communication from abuse across many external relationships. That is especially relevant where access resets, account changes, or sensitive requests originate in email. The technical lesson is that visibility, policy, and user workflow need to align across the whole communication chain, not just the internal tenant.

Practical implication: map which email-triggered processes can change identity state or business state, then harden those workflows first.


NHI Mgmt Group analysis

Legacy email security is increasingly a trust-management problem, not a filtering problem. EAB's case shows that the real issue is not whether the gateway can catch obvious spam, but whether the programme can absorb phishing and BEC attempts across a partner ecosystem without relying on message appearance alone. Once identity-related workflows and external trust relationships become the target, inbox inspection is only one control layer. Practitioners should treat email as part of identity governance, not as a separate security silo.

Ecosystem-scale communication creates identity blast radius even when the attacks arrive by email. EAB's 2,500+ institution partner network shows how one compromise path can affect many downstream organisations when trust is distributed across vendors, partners, and internal staff. The same pattern appears in NHI governance when delegated access is shared across boundaries and no one owns the full lifecycle. Practitioners need to evaluate whether their own partner workflows concentrate trust in a way attackers can reuse.

Phishing and BEC expose the gap between human decision controls and technical email controls. A mailbox filter can reduce noise, but it cannot verify that a payment change, password reset, or vendor request is legitimate. That gap becomes more visible in organisations where executive, IT, and partner communications are tightly interwoven. The lesson for IAM and PAM teams is that identity processes must be designed for message-based coercion as well as credential abuse.

Streamlined security operations matter because manual email review does not scale with ecosystem complexity. EAB's claim that it freed time for executives and IT teams points to an operational truth: if every suspicious message requires human triage, the programme becomes brittle. In a high-volume partner environment, security effectiveness depends on controls that reduce false positives while preserving high-confidence review for genuine exceptions. Practitioners should optimise for decision quality, not just alert volume.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap is why practitioners should also review NHI Lifecycle Management Guide for offboarding, rotation, and visibility controls.

What this signals

Partner ecosystems turn email into a governance surface. When thousands of external institutions depend on one organisation's communication patterns, the practical challenge is not only filtering malicious messages but controlling which email-triggered actions can alter identity or business state. Practitioners should assume that any trusted communication channel can be repurposed unless lifecycle, approval, and verification controls are linked end to end.

The broader signal is that human IAM, partner access, and NHI-style delegated trust now intersect in the same operational workflows. That means security teams need a single view of who can request, approve, and execute sensitive changes, especially where email is the handoff mechanism. The organisations that separate email security from identity governance will continue to miss the real blast radius.

Identity blast radius: a single compromised communication path can affect many downstream users, institutions, or processes when trust is reused across a partner ecosystem. In this case, that concept matters more than the mail gateway brand because the governance problem is the reuse of trust, not the format of the message.


For practitioners

  • Map identity-changing workflows that start in email: Identify every process where an email can trigger password resets, vendor updates, payment changes, access changes, or exception approvals. Require stronger verification on those flows than on ordinary correspondence.
  • Add out-of-band checks for high-risk requests: Use a second channel for any request that can move money, alter privileges, or modify partner data. Make the verification step mandatory for executive impersonation, vendor compromise, and unusual timing.
  • Review SEG performance against abuse tactics: Test whether the current email stack can block impersonation, compromised-account abuse, and low-and-slow BEC rather than only bulk spam. Tune detections around behaviour and trusted-sender misuse.
  • Align partner trust rules with identity governance: Document which external organisations can initiate sensitive requests and who owns the approval path. Tie those rules to identity lifecycle, access review, and PAM processes instead of leaving them in email procedures alone.
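As an added example (not code from the article, EAB or Abnormal AI), the Python below sketches the out-of-band and trusted-domain-impersonation points above: it labels a sender against a constructed partner allow-list, flags lookalike domains and reply-to mismatches, classifies whether the request could change payment, access or vendor state, and decides whether out-of-band verification is required. Partner domains, keyword phrases and routing labels are constructed for the illustration; messages are plain dicts with keys from, reply_to (empty string if absent), subject and body.

```python
# Constructed partner allow-list (placeholders, not EAB's actual partner domains).
PARTNER_DOMAINS = {"example-university.edu", "partner-college.edu"}
# Constructed phrases marking a request that could change payment, access or vendor state.
STATE_CHANGE_KEYWORDS = {
    "payment": ("bank account", "wire", "remittance"),
    "access": ("password reset", "grant access", "add admin"),
    "vendor": ("update vendor", "new supplier"),
}
# Messages are plain dicts with keys: from, reply_to ("" if absent), subject, body.
def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes of trusted partner domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def request_type(msg):
    """Return which state the request could change ('payment', 'access', 'vendor') or None."""
    text = f"{msg['subject']} {msg['body']}".lower()
    for kind, phrases in STATE_CHANGE_KEYWORDS.items():
        if any(p in text for p in phrases):
            return kind
    return None

def sender_trust(msg):
    """Label the sender 'partner', 'impersonation' or 'external', with the anomalies found."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in PARTNER_DOMAINS:
        label, reasons = "partner", []
    elif any(edit_distance(domain, d) <= 2 for d in PARTNER_DOMAINS):
        label, reasons = "impersonation", ["sender domain is a lookalike of a partner domain"]
    else:
        label, reasons = "external", []
    reply_domain = msg["reply_to"].rsplit("@", 1)[-1].lower() if msg["reply_to"] else domain
    if reply_domain != domain:
        reasons.append("reply-to domain differs from sender domain")
    return label, reasons

def decide(msg):
    """Route a message: 'deliver', 'require_out_of_band' or 'hold_for_review'."""
    trust, reasons = sender_trust(msg)
    kind = request_type(msg)
    if trust == "impersonation" or (kind and reasons):
        return "hold_for_review"      # lookalike domain, or a state change with header anomalies
    if kind is None:
        return "deliver"              # ordinary correspondence
    return "require_out_of_band"      # a genuine partner domain alone does not authorise a change
```

Note that a message from a genuine partner domain still lands in require_out_of_band when it asks for a state change; familiarity of the sender never substitutes for the second channel.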

Key takeaways

  • EAB's case shows that phishing and BEC are governance problems as much as email problems, because attackers aim at the decisions behind the message.
  • The scale matters: a partner ecosystem with over 2,500 institutions creates an identity and trust surface that inbox filtering alone cannot safely defend.
  • Teams should harden any email-driven workflow that can change access, payment, or partner state, because that is where a convincing message becomes a real incident.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-1             | Email abuse targets access decisions and trusted communication paths.
NIST SP 800-63                |                     | BEC often exploits identity proofing and authenticators outside normal login flows.
NIST Zero Trust (SP 800-207)  | AC-4                | Trust should not be granted solely because a message comes from a familiar source.

Use stronger identity verification for high-risk requests that originate outside the normal authentication flow.


Key terms

  • Business Email Compromise: A fraud pattern where an attacker uses convincing email to trick a person or process into approving a harmful action. The goal is usually payment diversion, data exposure, or privilege change, and the attack succeeds by abusing trust rather than exploiting software vulnerability.
  • Secure Email Gateway: An email security control that filters, inspects, and blocks malicious messages before they reach users. It is useful against bulk spam and known threat signatures, but it can struggle when attackers rely on impersonation, compromised accounts, or socially engineered requests that look legitimate.
  • Partner Ecosystem Trust: The shared confidence organisations place in external institutions, vendors, or collaborators to communicate and act safely. In practice, it expands the attack surface because attackers can exploit the weakest link in the chain of delegated communication and approvals.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: EAB Teaches a Masterclass in Email Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org