TL;DR: Email accounted for 68% of malware attacks in 2024, and IBM pegs average ransomware cost at $5.8 million per incident, showing how inbox compromise still drives enterprise disruption even as AI-generated variants and in-memory payloads evade static defenses. Signature-based controls are no longer enough when attackers weaponize trust, timing, and lateral movement across connected tools.
At a glance
What this is: This analysis argues that email remains the most reliable entry point for malware and ransomware because modern attacks now bypass static detection and exploit trust, behaviour, and connected cloud workflows.
Why it matters: It matters because IAM, PAM, and lifecycle teams must treat the inbox as an identity-adjacent control plane where human judgment, account compromise, and downstream access abuse intersect.
By the numbers:
- 68% of all malware attacks in 2024 originated via email.
- 35% of companies hit by ransomware report lasting customer trust loss.
👉 Read Abnormal AI's analysis of email-borne malware, ransomware, and behavioural AI
Context
Email remains the most common way attackers get a foothold, not because mail systems are uniquely weak, but because they sit at the intersection of trust, routine work, and identity. The subject is email-borne malware, and the article's central claim is that modern malware now outpaces static email controls by exploiting human behaviour and connected business systems.
For IAM and security leaders, the governance problem is not simply malicious content in the inbox. A single compromised mailbox can become an identity event that spills into cloud collaboration tools, finance workflows, and downstream approvals, which means email security cannot be treated as a separate silo from identity governance and access control.
Key questions
Q: How should security teams handle a compromised mailbox in an identity programme?
A: Treat it as an identity and access event, not only a mail hygiene issue. Revoke active sessions, review delegated permissions, check downstream SaaS access, and inspect any workflows the mailbox can trigger. The goal is to stop the identity from being reused as a launch point into collaboration, finance, or support systems.
Q: Why do email-borne attacks still work against modern security controls?
A: They work because many controls still depend on static indicators such as links, files, and repeated payload patterns. Modern attacks mutate content, delay execution, and exploit human trust in familiar senders, so defenders need behavioural detection that understands identity context and workflow risk, not just message content.
Q: What breaks when teams rely on secure email gateways alone?
A: Teams miss in-memory malware, delayed redirects, and trusted conversation hijacking that never looks malicious at delivery time. A gateway can filter obvious threats, but it cannot fully govern what happens after a user acts on the message or when the compromised account starts using connected systems.
Q: Who is accountable when a phishing email turns into ransomware?
A: Accountability usually spans email security, identity governance, and incident response because the attack crosses those boundaries quickly. The security team must show how the mailbox was protected, how access was contained, and how downstream privileges were reviewed once the account was compromised.
Technical breakdown
Why static email controls miss modern malware
Secure email gateways and sandboxes were built to inspect files, links, and other static indicators before delivery. Modern malware increasingly avoids those clues by running in memory, delaying redirects, or changing its code structure on the fly with AI assistance. That shifts detection from pattern matching to behaviour analysis, because the malicious step often happens only after the message has already passed the mailbox boundary and the user has interacted with it.
Practical implication: shift from indicator-based filtering to behavioural detection that can evaluate message intent, sender anomalies, and post-delivery actions.
How email compromise turns into lateral movement
The inbox is often the first trusted system an attacker needs, but it is rarely the last. Once a user clicks, downloads, or authenticates through a fake portal, the attacker can reuse that trust to move into collaboration tools, shared drives, or cloud services connected to the account. The technical issue is not just phishing; it is identity reuse across integrated SaaS environments, where one compromised session can expose multiple adjacent systems.
Practical implication: scope mailbox compromise as an identity incident and review downstream access paths immediately.
Why AI-generated malware changes the detection problem
AI-driven malware can generate endless code variants and mimic tone, timing, and context well enough to defeat controls tuned for repetition. That matters because defenders often rely on known hashes, recurring templates, and stable sender behaviour to trigger alerts. When the payload and the message both vary continuously, defenders need models that learn normal communication patterns and spot deviations in identity, behaviour, and workflow context rather than only content signatures.
Practical implication: tune detection for behavioural anomalies across people, messages, and access patterns rather than signature reuse.
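The two passages above (static controls missing post-delivery behaviour, and AI-generated variants defeating repetition-tuned rules) describe a scoring model in prose. The following is an added example, not code from the original post or from Abnormal AI, showing how such a scorer works over constructed mail telemetry: it learns a per-sender baseline (send hours, usual recipients, link domains) from a clean window, then scores each new event on behavioural deviations independently of any static hash match. Every sender, domain, timestamp and hash is a constructed placeholder, and the point weights are assumptions chosen for illustration.

```python
"""Behavioural scoring of email telemetry over constructed data.
Added example, not the original post's code; all identifiers are placeholders."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class MailEvent:
    ts: str                               # ISO 8601 delivery time
    sender: str
    recipient: str
    in_reply_to: Optional[str]            # Message-ID being answered; None for a new thread
    link_domains: tuple                   # link domains visible at delivery time
    attachment_sha256: Optional[str] = None
    click_domain: Optional[str] = None    # where the user actually landed after clicking (post-delivery)

@dataclass
class SenderProfile:
    """What 'normal' looks like for one sender, learned from a clean window."""
    hours: set = field(default_factory=set)
    recipients: set = field(default_factory=set)
    link_domains: set = field(default_factory=set)
    count: int = 0

def build_baseline(events):
    profiles = defaultdict(SenderProfile)
    for e in events:
        p = profiles[e.sender]
        p.count += 1
        p.hours.add(datetime.fromisoformat(e.ts).hour)
        p.recipients.add(e.recipient)
        p.link_domains.update(e.link_domains)
    return dict(profiles)

def score_event(e, profiles, known_bad_hashes=frozenset()):
    """Return (score, reasons). A static hit still scores, but each behavioural
    deviation is scored on its own, so a mutated payload with no known hash, or a
    hijacked thread with no attachment at all, still surfaces."""
    score, reasons = 0, []
    if e.attachment_sha256 and e.attachment_sha256 in known_bad_hashes:
        score += 5
        reasons.append("known-bad attachment hash")
    p = profiles.get(e.sender)
    if p is None:
        score += 3
        reasons.append("first-seen sender")
    else:
        hour = datetime.fromisoformat(e.ts).hour
        if p.count >= 3 and hour not in p.hours:
            score += 2
            reasons.append(f"send hour {hour:02d} outside sender baseline")
        if e.recipient not in p.recipients:
            score += 1
            reasons.append("new recipient for this sender")
        new_domains = set(e.link_domains) - p.link_domains
        if new_domains:
            score += 2
            reasons.append(f"unseen link domains {sorted(new_domains)}")
            if e.in_reply_to:
                # Trusted thread, untrusted link: the conversation-hijack shape.
                score += 2
                reasons.append("new domain injected into existing thread")
    if e.click_domain and e.click_domain not in e.link_domains:
        # The delivered link looked clean; the redirect happened after delivery.
        score += 3
        reasons.append(f"post-delivery redirect to {e.click_domain}")
    return score, reasons

def verdict(score):
    return "contain" if score >= 5 else "review" if score >= 2 else "deliver"

# Constructed clean window used as the baseline.
BASELINE = [
    MailEvent("2025-10-01T09:15:00", "alice@example.com", "bob@example.com", None, ("docs.example.com",)),
    MailEvent("2025-10-02T10:40:00", "alice@example.com", "carol@example.com", None, ()),
    MailEvent("2025-10-03T14:05:00", "alice@example.com", "bob@example.com", "<t1@example.com>", ("docs.example.com",)),
    MailEvent("2025-10-06T15:30:00", "alice@example.com", "bob@example.com", None, ()),
    MailEvent("2025-10-07T11:00:00", "vendor@supplier.example", "bob@example.com", None, ()),
]
KNOWN_BAD = frozenset({"0" * 64})  # constructed placeholder hash, not a real IoC

# Constructed events to score.
SAMPLES = {
    "normal_reply": MailEvent("2025-10-20T10:05:00", "alice@example.com", "bob@example.com",
                              "<t1@example.com>", ("docs.example.com",)),
    "off_hours": MailEvent("2025-10-20T19:45:00", "alice@example.com", "bob@example.com", None, ()),
    "thread_hijack": MailEvent("2025-10-21T03:12:00", "alice@example.com", "bob@example.com",
                               "<t1@example.com>", ("share-files.example.net",),
                               click_domain="share-files.example.net"),
    "delayed_redirect": MailEvent("2025-10-21T09:00:00", "helpdesk@example-support.net", "bob@example.com",
                                  None, ("cdn.example-support.net",), click_domain="login.example-portal.org"),
    "known_bad_only": MailEvent("2025-10-22T09:30:00", "alice@example.com", "bob@example.com",
                                None, (), attachment_sha256="0" * 64),
}

def score_samples():
    profiles = build_baseline(BASELINE)
    return {name: score_event(e, profiles, KNOWN_BAD) for name, e in SAMPLES.items()}

if __name__ == "__main__":
    for name, (s, why) in score_samples().items():
        print(f"{name:18s} score={s} verdict={verdict(s):8s} {why}")
```

Note that the hijacked thread and the first-seen sender with a delayed redirect both reach the "contain" threshold without any attachment hash being known, while the known-bad hash alone still scores; a production model would learn the weights and baselines from far more telemetry, but the separation of static and behavioural signals is the design point.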
Threat narrative
Attacker objective: The attacker aims to convert a single mailbox compromise into broader access, operational disruption, and financial or reputational damage across the business.
- Entry begins when a targeted email convinces the recipient to click a link, open an attachment, or act on a trusted-looking request.
- Escalation occurs when the attacker uses that trust to harvest credentials or pivot into connected cloud and collaboration tools through the compromised inbox.
- Impact follows when the malware moves laterally, disrupts operations, and amplifies ransomware or exfiltration across the wider enterprise.
Breaches seen in the wild
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Email security is now an identity governance problem, not just a content filtering problem. The article shows that attackers do not need to beat every technical control when they can exploit the trust chain around mailbox access, approvals, and follow-on collaboration. That means the security boundary is the identity and the workflow attached to it, not the message alone. Practitioners should treat mailbox compromise as a governance event that can trigger downstream access review and containment.
Behavioural deception is the named concept that best explains why legacy controls are failing. AI-generated malware does not simply increase volume; it collapses the assumptions behind signature-based email defence by making the malicious message look operationally normal. Secure email tools were designed for stable indicators, but the threat now mutates at the content, timing, and context layer. Practitioners need to understand that the control model is misaligned with the attack model.
Standing trust in connected systems creates identity blast radius. Once a mailbox is trusted by cloud collaboration tools, payment workflows, or support systems, compromise of one identity can propagate across the rest of the environment. That is an IAM and PAM issue as much as a malware issue, because access adjacency turns one mailbox into an enterprise exposure path. Practitioners should map where email identities can trigger privileged or semi-privileged actions.
The trust window is shorter than the response window in modern email attacks. The article makes clear that attackers can move from initial message to payload execution and lateral use before many organisations can manually respond. That means review-based controls alone are too slow when the attack chain is already progressing inside integrated SaaS. Practitioners should assume the first control must be preventive and behavioural, not after-the-fact triage.
Identity-aware email defence is the only durable path. Email malware now succeeds by blending message legitimacy, human expectation, and account reuse, which is why pure perimeter thinking fails. This is where identity security and message security converge: if the account is trusted, the message inherits that trust. Practitioners should align email protection with identity context, session risk, and downstream privilege exposure.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Our research also finds that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For a broader view of how identity failures propagate, see 52 NHI Breaches Analysis for recurring compromise patterns across real incidents.
What this signals
Behavioural email defence will increasingly sit alongside IAM controls. As mailbox compromise becomes a launch point for downstream access abuse, teams should expect tighter links between email telemetry, conditional access, and identity risk scoring. The practical change is that a suspicious message should be able to influence session policy before the user action turns into a breach.
Standing trust in collaborative workflows is becoming the new exposure surface. If a mailbox can approve payments, invite guests, or trigger resets, the real control gap is not the inbox itself but the reachable privilege behind it. The governance task is to reduce how far a compromised identity can travel inside business workflows.
Enterprise defenders should prepare for a control model that treats message legitimacy and identity legitimacy as separate tests. AI-generated malware can look credible even when the originating identity is hostile, which means programmes need both behavioural message inspection and identity-centric containment. That shift aligns with the broader move from static detection to contextual verification.
For practitioners
- Reclassify mailbox compromise as an identity incident: When a user mailbox is compromised, treat it as a trigger for access containment across collaboration suites, shared drives, and connected business apps. Review delegated access, shared inbox permissions, and any workflow approvals reachable from that identity.
- Reduce downstream privilege reachable from email identities: Audit which email-linked accounts can approve payments, reset credentials, invite external users, or trigger privileged workflows. Remove standing access where a mailbox can directly or indirectly authorize high-impact actions.
- Prioritise behavioural controls over static indicators: Use detection that scores sender reputation, message timing, conversation context, and post-delivery actions rather than relying mainly on known hashes or suspicious links. That is the control shift needed for AI-generated variants and fileless payloads.
- Map email-to-cloud attack paths in your identity model: Document how a compromised inbox can reach Microsoft 365, Google Workspace, Slack, file stores, or ticketing systems. Use those paths to decide where session monitoring, conditional access, and step-up verification should break the chain.
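The practitioner items above, together with the earlier guidance on treating a compromised mailbox as an identity event (revoke sessions, review delegated permissions, check downstream SaaS access) and on identity blast radius, all depend on one thing: a map of what a mailbox identity can reach. The following is an added example, not code from the original post, that models such a map as a small access graph and computes the blast radius, a first-response containment plan, and the effect of removing standing high-impact grants. The identities, systems, permissions and the `pivot` distinction are a constructed inventory and an assumed modelling choice; a real inventory would come from your IdP, SaaS admin APIs and workflow tools.

```python
"""Identity blast radius and containment plan from one compromised mailbox.
Added example, not the original post's code; the inventory is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    src: str     # principal that holds the access
    dst: str     # principal or system it reaches
    perm: str    # what it can do there
    pivot: bool  # True when holding src lets an attacker act as dst (session, recovery, delegation)

HIGH_IMPACT = {"approve_payment", "reset_credentials", "invite_external", "admin"}

# Constructed access inventory (placeholder identities and systems).
EDGES = [
    Edge("mailbox:bob", "sso:bob", "account_recovery", True),    # reset links land in the inbox
    Edge("sso:bob", "slack:bob", "session", True),
    Edge("sso:bob", "helpdesk:agent-bob", "session", True),
    Edge("sso:bob", "drive:finance-share", "read", False),
    Edge("sso:bob", "erp:invoices", "approve_payment", False),   # standing grant, no step-up
    Edge("sso:bob", "m365:tenant", "invite_external", False),
    Edge("slack:bob", "slack:#finance", "post", False),
    Edge("helpdesk:agent-bob", "idp:users", "reset_credentials", False),
    Edge("mailbox:shared-ap", "erp:invoices", "approve_payment", False),
    Edge("sso:carol", "idp:users", "admin", False),
]

def blast_radius(edges, start):
    """Breadth-first walk across pivot edges from `start`. Returns
    (principals reachable, pivot edges traversed, actions reachable as (dst, perm))."""
    by_src = defaultdict(list)
    for e in edges:
        by_src[e.src].append(e)
    seen, queue, pivots, actions = {start}, deque([start]), [], set()
    while queue:
        cur = queue.popleft()
        for e in by_src[cur]:
            if not e.pivot:
                actions.add((e.dst, e.perm))       # a capability, not a new foothold
            elif e.dst not in seen:
                seen.add(e.dst)                    # attacker can now act as e.dst
                pivots.append(e)
                queue.append(e.dst)
    return seen, pivots, actions

def high_impact(actions):
    return {a for a in actions if a[1] in HIGH_IMPACT}

def containment_plan(edges, start):
    """First-response order when `start` is compromised: revoke every session or
    delegation the attacker can reach, then review reachable actions, high-impact first."""
    _, pivots, actions = blast_radius(edges, start)
    return {
        "revoke": [f"{e.src} -> {e.dst} ({e.perm})" for e in pivots],
        "review_first": sorted(high_impact(actions)),
        "review": sorted(actions - high_impact(actions)),
    }

# Standing grants to replace with just-in-time or step-up approval (constructed choice).
STANDING_TO_REMOVE = {
    Edge("sso:bob", "erp:invoices", "approve_payment", False),
    Edge("helpdesk:agent-bob", "idp:users", "reset_credentials", False),
}

def without_standing(edges, to_remove):
    return [e for e in edges if e not in to_remove]

if __name__ == "__main__":
    before = blast_radius(EDGES, "mailbox:bob")
    after = blast_radius(without_standing(EDGES, STANDING_TO_REMOVE), "mailbox:bob")
    print("high-impact before:", sorted(high_impact(before[2])))
    print("high-impact after: ", sorted(high_impact(after[2])))
    print("containment:", containment_plan(EDGES, "mailbox:bob"))
```

In this inventory the mailbox reaches three high-impact actions through two pivots it never holds directly (the helpdesk agent role is what reaches credential resets), which is exactly the access adjacency the analysis warns about. Removing the two standing grants leaves the same four reachable principals but only one high-impact action, so the graph shows where step-up verification or just-in-time access would shrink the blast radius before any message is ever delivered.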
Key takeaways
- Email remains the most common malware entry point because attackers now exploit trust and workflow adjacency rather than only technical flaws.
- The scale of loss is material, with ransomware costs and customer trust damage extending far beyond the initial inbox compromise.
- Defenders need identity-aware, behavioural controls that limit downstream privilege and shrink the blast radius of a single compromised mailbox.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Behavioural monitoring is central when malware evades static email filters. |
| NIST Zero Trust (SP 800-207) | SC-7 | Lateral movement from a compromised inbox is a segmentation and trust-boundary problem. |
| NIST CSF 2.0 | PR.AC-4 | Email-linked accounts often have more access than teams assume. |
Correlate mail telemetry with identity and endpoint signals to detect abnormal message-driven activity quickly.
Key terms
- Email-borne malware: Malware delivered through email rather than through a direct software exploit. It often relies on trust, routine work, and user action to begin execution, then uses the mailbox as the first step into broader systems and workflows.
- Behavioural detection: A detection approach that looks for unusual patterns in identity, message timing, sender behaviour, and workflow actions instead of only checking for known malicious indicators. It is better suited to threats that mutate content or avoid static signatures.
- Identity blast radius: The amount of access and business impact that can spread from one compromised identity. In email-driven attacks, this includes connected collaboration tools, approval paths, and any privileged workflow the account can reach.
- Session containment: A response pattern that limits what an active identity session can still do after compromise is suspected. It focuses on stopping lateral use, delegated access, and downstream actions before the attacker can turn one successful login into wider impact.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: email-borne malware, ransomware, and behavioural AI detection. Read the original.
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org