TL;DR: Choice Hotels says advanced email attacks were bypassing legacy secure email gateways and traditional tools before it shifted to Abnormal, with faster remediation of BEC and vendor email compromise after the change. The underlying issue is that email attack handling still depends on controls built to stop known payloads, which miss behaviourally driven abuse.
At a glance
What this is: This is a webinar recap about how Choice Hotels says advanced email attacks bypassed legacy SEG tools and how remediation improved after changing approaches.
Why it matters: It matters because email compromise still intersects with identity governance, privileged workflows, and downstream account abuse across human and non-human access paths.
By the numbers:
- Choice Hotels protects data for 50 million members, guests, and employees against advanced email attacks.
Context
Choice Hotels is describing a familiar security problem in large environments: legacy email controls can miss attacks that do not rely on obvious malicious payloads. In practice, BEC and vendor email compromise often succeed by abusing trust, timing, and business context rather than technical exploitation alone.
For IAM teams, the real issue is not only email filtering but how identity-adjacent workflows absorb fraudulent requests after an inbox is compromised. When an attacker can impersonate a trusted sender or vendor, the next failure is often human approval, delegated access, or downstream account action rather than the message itself.
Key questions
Q: How should teams reduce the risk of BEC when email is still a core business channel?
A: Teams should assume email will remain an attack surface and move the highest-risk actions out of email trust alone. The practical response is to add secondary verification for payment changes, access requests, and supplier instructions, while training service desks and approvers to treat legitimacy as a separate question from delivery.
Q: Why do legacy email gateways fail against modern impersonation attacks?
A: Legacy gateways are strongest against known malicious content, but impersonation attacks often use clean language, legitimate infrastructure, and human timing. That means the message can look harmless while the request is fraudulent, so organisations need behavioural detection and workflow controls, not just content filtering.
Q: What should security teams do when vendor email compromise becomes a finance or access issue?
A: They should treat vendor email compromise as a governance problem across procurement, finance, and IAM. The key is to require independent confirmation for bank changes, routing updates, and privileged requests, because the original email is not a sufficient basis for trust.
Q: How do organisations know if their email controls are actually reducing risk?
A: Look for fewer successful impersonation-driven actions, not just fewer spam messages. If users still approve fraudulent payment, credential, or routing requests after the inbox is protected, the control set is not reaching the real decision point.
Background and context
Why legacy SEG controls miss behaviour-led email attacks
Secure email gateways are strongest when the threat is visible in the message body, attachment, or known indicators of compromise. They are weaker when the attack is socially engineered, newly crafted, or delivered through legitimate-looking sender infrastructure. Behavioural email security shifts detection toward sender intent, conversation anomalies, and relationship context instead of static signatures alone. That matters because BEC often does not look like malware at all. It looks like a routine request that arrives at the wrong moment and asks for the wrong action. The control failure is not simply detection volume, but the mismatch between legacy email inspection and modern impersonation tactics.
Practical implication: teams should test email security against business-email and vendor-impersonation scenarios, not just malware filtering.
How BEC becomes an identity and access problem after inbox compromise
Once an attacker can influence a trusted mailbox, the attack frequently moves from email delivery into identity abuse. They may request invoice changes, redirect payments, reset credentials, or trigger access changes through help desks and service workflows. In that chain, the inbox becomes a control plane for human approval. This is why email security and IAM cannot be separated operationally. The compromise is no longer just message-level. It becomes delegated trust abuse across authentication, verification, and approval paths, especially where support teams rely on email as proof of legitimacy.
Practical implication: restrict high-risk identity actions from being authorised by email alone.
Vendor email compromise exposes third-party trust and workflow weakness
Vendor email compromise is especially dangerous because it exploits the trust organisations place in external business relationships. The attacker does not need to breach the target directly if they can hijack or convincingly imitate a supplier, then alter payment instructions, file exchange processes, or contract-related communications. This creates a governance gap between supplier assurance and transactional verification. In identity terms, the issue is delegated trust without strong transaction binding. A mailbox, once trusted, can influence downstream systems even when the original sender is not authenticated strongly enough for the risk involved.
Practical implication: require secondary verification for vendor-driven changes to payments, routing, or privileged requests.
NHI Mgmt Group analysis
Legacy email security fails when attacks are built around trust, not payloads. The article reinforces a common control gap: signature-era SEG thinking assumes malicious content is the primary problem. BEC and vendor email compromise instead weaponise legitimate-looking communication, so the weakest point becomes human and workflow trust. For security leaders, that means email protection has to be judged by abuse resistance, not inbox throughput.
Email compromise is an identity problem once the attacker can trigger business action. The moment a fraudulent message can change payment instructions, reset access, or influence approvals, the incident has crossed from messaging into IAM and governance. That is why email controls, help desk verification, and approval workflows need to be treated as one trust chain, not separate silos. Practitioners should evaluate the controls that sit between inbox trust and action execution.
Choice Hotels illustrates that operational relief is part of the security value proposition. The stated reduction in attacks and the ability to reallocate team time point to a broader programme issue: legacy tools often consume effort without reducing decision noise. When security teams spend less time triaging false confidence from older layers, they can put attention into the controls that matter most for fraud, impersonation, and downstream account abuse. The practical question is where your team is still paying for visibility that does not change outcomes.
Behaviour-led email defence should be treated as a governance layer, not a mail filter. A named concept here is identity-adjacent email trust, meaning the point where mailbox legitimacy becomes authority to act in other systems. That trust boundary is where many attacks now land. If the governance model still assumes email is only a communications channel, the programme will miss the abuse path that matters most. Practitioners should map email-triggered business actions and harden the verification points around them.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Another finding: Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- Forward pivot: Organisations can use the NHI Lifecycle Management Guide to harden third-party access reviews, offboarding, and entitlement cleanup before email abuse turns into account abuse.
What this signals
The signal for practitioners is that email compromise increasingly behaves like an identity governance failure with a mailbox attached. If a trusted message can still drive a privileged business action, the organisation has not separated communication trust from execution trust.
Identity-adjacent email trust: this is the boundary where mailbox legitimacy becomes authority to change payments, credentials, or supplier data. Once that boundary is weak, email security metrics may improve while fraud and access abuse continue. Teams should watch for that mismatch.
Hospitality organisations and distributed franchises should expect attackers to keep targeting the handoff between inbox verification and business approval. Stronger controls will come from binding high-risk actions to independent checks and workflow policy, not from adding another filtering layer.
For practitioners
- Map inbox-to-action workflows: Identify the business actions that can be triggered by email, including payment changes, access resets, supplier updates, and urgent approvals. Then place stronger verification at the point where a message becomes an operational request.
- Separate message trust from action trust: Do not allow a trusted mailbox to serve as sufficient evidence for high-risk decisions. Build an independent verification step for any request that can affect funds, credentials, or privileged workflow status.
- Test controls against BEC and vendor impersonation: Run phishing and impersonation scenarios that mimic real business requests, not just malware delivery. Measure whether users, service desks, and approvers can distinguish a believable request from an authorised one.
- Review third-party change pathways: Examine every supplier-facing process that accepts email as input, especially invoice routing and bank detail changes. Require a second channel before those requests reach finance or access administration.
Key takeaways
- This webinar shows that legacy email controls can miss attacks that succeed through trust abuse rather than malicious payloads.
- The operational impact is broader than phishing, because inbox compromise can push directly into finance, supplier, and access workflows.
- The control question is whether your organisation verifies the action separately from the email, not whether the email looked legitimate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AT-1 | Email abuse often succeeds when users and approvers are not trained on impersonation risk. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Trust in emailed requests should not grant implicit access to sensitive actions. |
| NIST SP 800-63 | Identity assurance (proofing and recovery) | Email-driven account reset and approval paths depend on identity assurance. Strengthen identity proofing and recovery steps so email alone cannot authorise account changes. |
Key terms
- Business Email Compromise: Business Email Compromise is a fraud pattern where attackers use trusted-looking email to influence payments, credentials, or operational decisions. The compromise is often social and procedural rather than technical, which makes verification workflow design as important as inbox filtering.
- Vendor Email Compromise: Vendor Email Compromise is a form of impersonation or mailbox takeover that targets third-party business relationships. It exploits the trust organisations place in supplier communications, especially where invoice changes, routing updates, or privileged requests can be initiated by email.
- Identity-adjacent trust: Identity-adjacent trust is the point where a communication channel is treated as evidence that someone or something is authorised to act. In practice, it is the dangerous overlap between inbox legitimacy and execution authority across finance, support, and access workflows.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: How Choice Hotels Utilizes Innovative Security Solutions to Protect its Email Ecosystem. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org