By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Email remains a high-risk attack channel, and Abnormal AI’s Vision 2023 conference focused on how cybercrime and cybersecurity are changing through sessions on CISO concerns, business email compromise, and Microsoft 365 protection, with on-demand access and up to 7 ISC2 CPE credits. The core takeaway is that email governance still depends on identity controls, because attacker success often begins where authentication, trust, and user behaviour intersect.


At a glance

What this is: Abnormal AI’s Vision 2023 conference frames email and BEC as continuing identity-driven attack problems with on-demand sessions for security leaders.

Why it matters: It matters because email, Microsoft 365, and business email compromise sit at the intersection of human identity, access trust, and security operations.



Context

Email security problems persist because the channel was built for communication, not for resisting impersonation, trust abuse, or account takeover. That makes business email compromise a human identity and access problem as much as a messaging problem, especially in Microsoft 365 environments where trust decisions happen at speed.

This conference is a reminder that defenders still need to treat email as a living attack surface rather than a solved control plane. The practical question for IAM, PAM, and security teams is how identity signals, user behaviour, and tenant protections combine to reduce the chance that a message becomes a compromise path.


Key questions

Q: How should security teams reduce business email compromise risk in Microsoft 365?

A: Security teams should combine conditional access, mailbox governance, OAuth consent restriction, and workflow verification for high-risk actions. The key is to prevent a trusted inbox from becoming a trusted instruction channel. If an email can trigger payment, access, or delegation changes, the approval path needs a second identity check.

Q: Why do email attacks remain effective even when organisations use MFA?

A: MFA protects the login step, but many email attacks exploit the trust placed in a compromised or impersonated mailbox after authentication. Once an attacker is inside, they can abuse forwarding, delegation, and social trust. Identity assurance has to extend beyond sign-in to message-driven business actions.

Q: What do teams get wrong about BEC prevention?

A: Teams often focus on user awareness alone and underestimate the control value of mailbox, consent, and workflow governance. Training helps, but it does not stop a compromised account from sending convincing instructions. The real gap is usually the absence of policy checks at the point of action.

Q: How do you know if email identity controls are actually working?

A: Look for reduced unauthorized forwarding, fewer risky delegation grants, lower rates of unexpected OAuth consent, and faster containment when suspicious business requests appear. Effective controls change behaviour before an attacker can convert email access into a financial or access-management event.


Background and context

Why business email compromise still works against identity controls

Business email compromise succeeds when attackers exploit the gap between authentication and trust. A valid inbox, a familiar sender pattern, or a compromised account can be enough to trigger payment fraud, data access, or malicious forwarding. The control failure is rarely just weak passwords. It is usually a mismatch between who is authenticated, what the user believes, and what the mail platform is allowed to execute on the user’s behalf. Practical implication: tune mail and identity controls to detect anomalous sender, delegation, and forwarding behaviour, not just login events.


Microsoft 365 protection depends on identity-aware policy enforcement

Microsoft 365 is frequently targeted because it concentrates identity, collaboration, and access pathways in one environment. That creates a broad blast radius when an account is compromised, especially if mailbox rules, OAuth grants, delegated access, or weak conditional access settings are left unchecked. The technical issue is not only access to email, but the ability to persist, conceal activity, and expand into adjacent services through the same identity. Practical implication: review mailbox delegation, OAuth consent, and session controls as part of one identity governance surface.


CISO concerns in email security are now governance concerns

Modern email threat defence is no longer limited to spam filtering or phishing awareness. CISOs now have to consider how people, platforms, and privileged workflows interact when a message becomes a business action. That means email security touches IAM policy, privileged access review, user verification, and incident response. The point is not to treat every email as malicious. The point is to make sure the organisation can distinguish legitimate business requests from identity-based deception quickly enough to prevent misuse. Practical implication: align email threat detection with approval, payment, and access-change workflows.



NHI Mgmt Group analysis

Email remains one of the easiest identity trust boundaries to abuse. Business email compromise works because organisations still assume inbox identity is equivalent to business intent. That assumption breaks the moment attackers can impersonate, redirect, or inherit trust inside an email workflow. The result is not just a phishing problem, but a failure of identity assurance at the point where human approval is converted into business action.

Microsoft 365 becomes a high-value identity concentration point when governance is shallow. Email, delegation, forwarding rules, OAuth consent, and adjacent collaboration permissions often sit under separate operational owners even though they form one attack surface. When those controls are managed in isolation, attackers can move from message access to persistence and broader account abuse without needing novel exploits. Practitioners should treat the tenant as a unified identity system, not a collection of separate features.

Conference content like this signals that email security is now an IAM discipline, not a mail filter discipline. The strongest controls are the ones that connect identity proof, user behaviour, and privilege management to high-risk workflows such as payments and account changes. That makes the governance question broader than detection alone. Teams need to understand how identity signals map to real business trust decisions.

The named concept here is email identity trust debt. It describes the accumulated mismatch between the trust users place in email and the controls organisations have actually deployed to verify that trust. The debt grows when delegation, forwarding, OAuth consent, and mailbox rules are left untreated. Practitioners should regard BEC resilience as a measure of how much trust has been left unearned.

Security leaders should read this as a reminder that human identity remains the first compromise layer in many enterprise incidents. Even when the attack chain later touches cloud services or SaaS permissions, the earliest failure is often a human trust decision made under pressure. That is why email security, identity governance, and fraud prevention now overlap more than most programmes acknowledge. The implication is to govern the decision path, not just the inbox.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility, according to The State of Non-Human Identity Security.
  • The lesson for practitioners is to treat delegated access and consented trust paths as a governance problem, then use Top 10 NHI Issues to prioritise the controls that reduce hidden identity exposure.

What this signals

Email risk is increasingly a governance problem because the same identity can be used to authenticate, persuade, and authorise. Teams that still separate mail security from IAM will miss the control points where BEC becomes a business event rather than a message event. The practical signal is whether your organisation can verify trust at the point of action, not just at login.

Email identity trust debt: this is the accumulated exposure created when forwarding, delegation, consent, and approval pathways are left ungoverned. It grows quietly inside collaboration suites and shows up only when an attacker can turn a message into an authorised instruction. The organisations best prepared for this class of threat are the ones that already map email actions to identity controls.

The broader market signal is that security leaders are being asked to connect people, permissions, and workflows more tightly than before. As identity governance matures, email security will be judged less by catch rates and more by whether it prevents bad business actions from being completed. That is the standard programmes should prepare for.


For practitioners

  • Review mailbox delegation and forwarding rules: Audit who can redirect mail, create hidden forwarding paths, or act on behalf of executives and finance users. Prioritise accounts that can trigger payment, vendor, or access-change workflows. Use these reviews as part of your Microsoft 365 identity governance cycle, not as a one-off email security exercise.
  • Tie email alerts to business approval workflows: Link suspicious message detection to controls around payments, password resets, and privileged approvals so that a risky email cannot become an approved action without additional verification. This is especially important for shared inboxes and executive support functions.
  • Harden OAuth consent and session policy settings: Restrict risky app consent, review long-lived sessions, and check for persistence paths that allow an attacker to remain active after the first mailbox compromise. Treat consented access as an identity governance issue, not just a cloud configuration issue.
  • Use user behaviour signals for high-risk email actions: Look for changes in payment requests, sender patterns, mailbox rule creation, and impossible travel events around the same user identity. Behavioural context helps separate normal executive activity from compromise-driven action when inbox trust is being abused.
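The first and third practitioner items above (forwarding rule review and consent governance) and the earlier implication to detect anomalous forwarding behaviour rather than only login events can be turned into a small triage routine. The following is an added example, not code from Abnormal AI or the conference; it assumes a single tenant domain of example.com and uses constructed, simplified records that only mirror the Operation/UserId/Parameters shape of Microsoft 365 unified audit log entries.

```python
import json

# Assumption: the tenant's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Inbox rule parameters that move mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records (simplified audit-log shape, invented values): a benign
# sorting rule, an external-forwarding rule that also deletes the original, and a consent grant.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Sort newsletters"},
                    {"Name": "MoveToFolder", "Value": "News"}]},
    {"Operation": "New-InboxRule", "UserId": "ap-clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "billing@attacker-mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Consent to application.", "UserId": "ap-clerk@example.com",
     "Parameters": []},
]

def is_external(address: str) -> bool:
    """True when the address is outside the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def classify(record: dict) -> list[str]:
    """Return the BEC-relevant findings for one audit record."""
    findings = []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if record["Operation"] in ("New-InboxRule", "Set-InboxRule"):
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            if is_external(params[name]):
                findings.append(f"external {name} -> {params[name]}")
        if params.get("DeleteMessage") == "True":
            findings.append("rule deletes the original message")
    elif record["Operation"] == "Consent to application.":
        findings.append("OAuth consent granted")
    return findings

def triage(records: list[dict]) -> dict[str, list[str]]:
    """Group findings by user so rule creation and consent on one identity are reviewed together."""
    by_user: dict[str, list[str]] = {}
    for rec in records:
        for finding in classify(rec):
            by_user.setdefault(rec["UserId"], []).append(finding)
    return by_user

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

In a real tenant the records would come from an audit log export or API search rather than the constructed list, and the per-user grouping is what lets an analyst see a forwarding rule and a consent grant on the same account as one event.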

Key takeaways

  • Email compromise remains effective because trust, not just authentication, is the real target.
  • Microsoft 365 concentrates identity and workflow risk, so delegation and consent need governance, not just monitoring.
  • The practical response is to connect mail security with IAM controls around approvals, access changes, and persistence paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | BEC exploits weak trust in authenticated identities and mailbox actions.
NIST SP 800-63 | | Email trust attacks often bypass login while still abusing identity assurance.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust is relevant where mailbox delegation and consent create lateral trust.

Treat email and collaboration access as continuously evaluated privileges, not permanent trust.


Key terms

  • Business Email Compromise: Business email compromise is a social engineering attack where an attacker uses a real or convincingly impersonated email identity to manipulate money, data, or access. The technique succeeds when trust in the sender outweighs verification of the request, making the mail channel a business control surface.
  • Mailbox Delegation: Mailbox delegation is the ability for one identity to read, send, or manage another user’s email. In practice, it is a privileged access path that can create hidden persistence or misuse if it is not reviewed, limited, and monitored like any other access grant.
  • OAuth Consent: OAuth consent is the approval a user or admin gives for an application to access data or act on their behalf. In email and collaboration environments, it can become a durable trust path if permissions are broad, unreviewed, or difficult to revoke.
  • Email Identity Trust Debt: Email identity trust debt is the accumulation of ungoverned trust paths inside mail and collaboration systems, such as forwarding rules, delegated access, and consented apps. It describes the gap between how much trust users place in email and how little assurance the organisation actually enforces.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Vision 2023 virtual conference on email security and cybercrime trends. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org