TL;DR: Attackers are compromising supplier accounts, abusing real collaboration links, and exploiting overlapping email tools to hide malicious messages until invoices, credentials, or tokens are stolen, according to Abnormal AI. The governance problem is no longer just detection quality, but whether identity and incident workflows can keep pace with trust abuse, duplicate alerts, and DORA-driven response deadlines.
At a glance
What this is: This is an analysis of five 2025 email security trends showing how trust abuse, phishing, alert overlap, and compliance pressure are combining to weaken detection and response.
Why it matters: It matters because email remains a shared control plane for human identity, supplier access, and fraud workflows, so weak signal handling can quickly turn into credential theft, payment fraud, or delayed incident reporting.
By the numbers:
- Under DORA, banks must notify regulators within 24 hours of a material cyber incident.
Context
Email security is now as much an identity governance problem as it is a filtering problem. When attackers use legitimate supplier accounts, cloud collaboration links, and crowded alert pipelines, the issue is not only whether a message is malicious, but whether the organisation can still trust the identity and context attached to it.
For IAM, PAM, and NHI programmes, the practical question is how far identity assurance extends into message handling, invoice changes, and collaboration-driven access. The article shows that sender reputation alone is no longer enough, and that response speed now matters as much as detection quality.
Key questions
Q: How should security teams reduce business email compromise from trusted supplier accounts?
A: Security teams should baseline supplier communication patterns, including reply timing, billing cycles, and account-change behaviour, so deviations can be challenged before payment is approved. The key is to treat a real account with unusual intent as higher risk than a spoofed message that is easy to flag. Behavioural context is the control that closes the gap.
Q: Why do collaboration-platform phishing lures bypass traditional email gateways?
A: They bypass gateways because the link often points to a legitimate cloud service, even though the content behind it is malicious. The message may look safe at the URL layer while still collecting credentials or session tokens. Security teams need identity-aware inspection of new tenants, external invites, and unusual login paths.
Q: What do email security teams get wrong about duplicate alerts?
A: They often treat duplicate alerts as a sign of better coverage, when they actually create correlation debt and slow containment. If analysts must reconcile multiple low-context verdicts before acting, malicious mail can age in inboxes. The better test is whether one high-context record can replace several noisy ones.
Q: Who is accountable when email-driven fraud or delayed incident reporting occurs?
A: Accountability sits across security operations, identity governance, and compliance because the failure is both operational and evidentiary. If the programme cannot produce a complete incident timeline quickly enough for a DORA-style deadline, the issue is not just investigation speed. It is an evidence management failure that leadership must own.
Technical breakdown
Supplier account compromise and business email compromise
Modern BEC often starts with a legitimate supplier mailbox rather than a spoofed domain. Attackers reuse real conversation threads, observe billing rhythms, and wait for a change request to look normal. That defeats controls built around sender reputation, because the message is authentic at the transport layer even when the intent is fraudulent. Behavioural context becomes the deciding signal: reply cadence, timing, destination changes, and relationship history together create a more reliable trust model than domain checks alone.
Practical implication: baseline normal supplier communication patterns so invoice or banking-detail changes can be challenged before payment processing continues.
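As an added illustration of the behavioural baseline described above (example code written for this post, not Abnormal AI's or any product's logic), the block below summarises one supplier mailbox's normal sending hours, known threads and reply-delay band, then scores an incoming payment-change request against it. The z-score cut-off of 2, the three decision tiers and all message data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev

@dataclass(frozen=True)
class Msg:
    thread_id: str            # conversation the mail belongs to
    sent_at: datetime         # UTC send time
    reply_delay_h: "float | None"  # hours after the mail it answers; None = opens a new thread
    bank_change: bool         # asks for new remittance / banking details

def utc(day, hour):  # helper for the constructed sample data below (June 2025)
    return datetime(2025, 6, day, hour, tzinfo=timezone.utc)

# Constructed history for one supplier mailbox: business hours, multi-hour reply gaps.
HISTORY = [
    Msg("T1", utc(2, 9), 3.0, False), Msg("T1", utc(3, 10), 4.0, False),
    Msg("T2", utc(4, 14), 5.0, False), Msg("T2", utc(5, 15), 6.0, False),
    Msg("T3", utc(6, 11), 4.0, False),
]
# Constructed cases: a bank change inside a real thread at 02:00 UTC with an instant reply, and a routine reply.
SUSPECT = Msg("T1", utc(9, 2), 0.2, True)
NORMAL = Msg("T1", utc(9, 10), 4.0, False)

def build_baseline(history):
    """Summarise 'normal' for this supplier: sending hours, known threads, reply-delay band."""
    delays = [m.reply_delay_h for m in history if m.reply_delay_h is not None]
    return {"hours": {m.sent_at.hour for m in history},
            "threads": {m.thread_id for m in history},
            "delay_mean": mean(delays),
            "delay_sd": pstdev(delays) or 1.0}  # never divide by a zero-width band

def assess(msg, base):
    """Return (decision, deviations). Bank-change requests always get at least a review;
    one that also deviates from the baseline holds payment for out-of-band verification."""
    deviations = []
    if msg.sent_at.hour not in base["hours"]:
        deviations.append("sent outside the supplier's usual operating window")
    if msg.thread_id not in base["threads"]:
        deviations.append("opens a new thread instead of continuing an existing one")
    if msg.reply_delay_h is not None:
        z = (msg.reply_delay_h - base["delay_mean"]) / base["delay_sd"]
        if abs(z) > 2:  # assumed threshold: more than two standard deviations off cadence
            deviations.append(f"reply timing off baseline (z={z:.1f})")
    if msg.bank_change:
        return ("hold-and-verify" if deviations else "review"), deviations
    return ("review" if deviations else "allow"), deviations
```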
Collaboration-link phishing and session token theft
Phishing now frequently hides behind legitimate cloud platforms such as Teams or Google Drive. The link itself often passes gateway checks because the destination is genuine, while the payload is a fake login page that captures credentials and session tokens. Once the attacker has a valid token, they can move from email compromise into lateral phishing, HR fraud, or other internal abuse without needing to repeat the initial lure. The control failure is not link inspection alone, but identity-aware scrutiny of the collaboration flow.
Practical implication: inspect new tenant invitations, external collaboration requests, and unusual login flows as identity events, not just URL events.
Email tool sprawl and incident response latency
Overlapping secure email gateways, plugins, header rules, and API filters create duplicate verdicts that analysts must reconcile manually. Each layer may be useful in isolation, but together they can slow triage enough for malicious mail to age in inboxes. This is a data-handling and orchestration problem as much as a detection problem. The more tools that rewrite or duplicate email signals, the more likely the SOC is to spend effort on correlation instead of containment, which raises operational risk and weakens evidence quality for investigations and audit.
Practical implication: inventory every email control, remove redundant low-fidelity layers, and keep one high-context record path for investigation and reporting.
NHI Mgmt Group analysis
Email security has become an identity trust problem, not just a content-filtering problem. The article shows that the most dangerous messages often come from valid accounts, valid platforms, and valid workflows. That combination breaks the old assumption that legitimacy of transport or brand implies legitimacy of intent. Practitioners should treat supplier mail, collaboration invites, and payment-change requests as governed identity events, not just inbox content.
Behavioural context is the named concept this trend now depends on. The control boundary is no longer the message header alone, but the relationship between sender history, timing, conversation state, and downstream action. That is why reputation-based defences miss real compromise when attackers work inside trusted threads. The implication is that trust scoring must follow behaviour, not domain identity.
Alert duplication is now a governance issue because it erodes response capacity. When multiple tools generate overlapping, low-context signals, analysts spend more time proving that two alerts describe the same event than stopping the event itself. This weakens human identity operations, email response, and incident evidence collection at the same time. Practitioners should recognise that operational drag is a control failure, not a staffing problem.
DORA-style reporting deadlines expose the weakness of manual evidence gathering. A 24-hour notification clock changes the economics of investigation. If logs must be exported across several consoles before a report can begin, the programme is already behind. The implication for identity and security teams is that audit-ready evidence has to be assembled continuously, not reconstructed after the fact.
Email security now connects human identity, supplier trust, and machine-assisted triage in one workflow. That cross-domain linkage is why this topic matters to IAM and NHI teams as much as to SOC teams. The same message that initiates a fraudulent payment can also seed credential theft, token abuse, and analyst overload. Practitioners should align inbox governance, access governance, and response governance instead of treating them as separate problems.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials.
- NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding reduce the trust gaps that email-driven compromise exploits.
What this signals
Behavioural trust now matters more than message authenticity. As supplier compromise and collaboration-link phishing become more common, email programmes need to score interaction patterns, not just sender reputation. That shifts the control objective from filtering bad mail to identifying when a legitimate identity is behaving like an adversary, which is exactly where inbox governance meets identity governance.
The 23.7% of organisations that still share secrets through insecure methods such as email or messaging applications already sit on a fragile boundary, according to our 2024 Non-Human Identity Security Report. That figure matters here because phishing and trust abuse succeed fastest where credentials, approvals, and payment workflows still live in the inbox.
Signal for practitioners: build one evidence path from message receipt to containment, because alert volume is only a problem when it delays action. Where email controls duplicate each other, the right next move is consolidation, not another point product, and the right metric is minutes saved before the first containment decision.
For practitioners
- Baseline supplier behaviour for payment-change requests: Track normal reply timing, thread continuity, time zone patterns, and banking-detail changes for supplier accounts. Escalate any deviation into a review workflow before payment is released, especially when a request lands outside the supplier's usual operating window.
- Treat collaboration links as identity events: Detonate external Teams or Google Drive invitations in sandboxing workflows and warn users when a message arrives from a new tenant, multiple recipients, or outside business hours. Do not rely on domain reputation when the link points to a trusted platform.
- Consolidate overlapping email controls: Inventory every control that modifies, inspects, or archives email, then keep the layer with the highest fidelity and retire redundant filters that create duplicate alerts. Preserve one audit trail for detection, triage, and incident response.
- Pre-build audit-ready incident evidence: Automate the capture of raw headers, verdicts, user actions, and case notes into a single format so legal, SOC, and compliance teams can assemble a regulator-ready timeline without manual exports.
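As an added example of the consolidation and evidence items above, and of the tool-sprawl problem described in the technical breakdown (example code written for this post, not any vendor's product output), the block below collapses duplicate verdicts from three overlapping email controls into one record per Message-ID, keeps every tool's opinion and action as evidence, and reports minutes from first detection to first containment. The JSON event shape, the tool names and the fidelity ranking are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed alerts from three overlapping controls about the same mail (not real product output).
RAW_EVENTS = [
    '{"ts":"2025-08-18T09:02:10Z","tool":"gateway","msg_id":"<inv-4471@supplier.example>","verdict":"suspicious","score":55}',
    '{"ts":"2025-08-18T09:02:41Z","tool":"api_filter","msg_id":"<inv-4471@supplier.example>","verdict":"malicious","score":92}',
    '{"ts":"2025-08-18T09:03:05Z","tool":"plugin","msg_id":"<inv-4471@supplier.example>","verdict":"suspicious","score":60}',
    '{"ts":"2025-08-18T09:20:00Z","tool":"api_filter","msg_id":"<inv-4471@supplier.example>","action":"quarantined"}',
    '{"ts":"2025-08-18T09:10:00Z","tool":"gateway","msg_id":"<news-1@vendor.example>","verdict":"clean","score":5}',
]
FIDELITY = {"api_filter": 3, "gateway": 2, "plugin": 1}  # assumed ranking; highest wins the verdict

def parse(line):
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def consolidate(lines):
    """Return one record per Message-ID: the highest-fidelity verdict plus every tool's
    opinion and action kept as evidence, in arrival order."""
    records = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        rec = records.setdefault(ev["msg_id"], {
            "first_seen": ev["ts"], "verdict": None, "source": None,
            "contained_at": None, "evidence": []})
        rec["evidence"].append({k: (v.isoformat() if k == "ts" else v)
                                for k, v in ev.items() if k != "msg_id"})
        if "verdict" in ev and FIDELITY[ev["tool"]] > FIDELITY.get(rec["source"], 0):
            rec["verdict"], rec["source"] = ev["verdict"], ev["tool"]
        if ev.get("action") == "quarantined" and rec["contained_at"] is None:
            rec["contained_at"] = ev["ts"]
    return records

def minutes_to_containment(rec):
    """Minutes from first detection to first containment action, or None if still open."""
    if rec["contained_at"] is None:
        return None
    return (rec["contained_at"] - rec["first_seen"]).total_seconds() / 60

def timeline(rec):
    """Flat, ordered lines a compliance team can drop straight into an incident report."""
    return [f'{e["ts"]} {e["tool"]}: ' + (e.get("action") or f'{e["verdict"]} ({e["score"]})')
            for e in rec["evidence"]]
```

Against the constructed events the invoice mail resolves to a single malicious verdict with four evidence entries and a 17.8-minute containment gap, while the newsletter stays a separate clean record.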
Key takeaways
- Supplier-account abuse and collaboration-link phishing are succeeding because they inherit legitimate trust, not because they are technically sophisticated.
- Manual correlation across overlapping email tools creates the delay that attackers and regulators both exploit.
- Email security programmes now need behavioural trust, evidence automation, and identity-aware triage to keep pace with fraud and compliance demands.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Email trust abuse hinges on weak access and identity assurance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Behaviour-based trust fits continuous verification for message-triggered access. |
| NIST SP 800-63 | | Session token theft and phishing undermine digital identity assurance. |
Apply identity-aware access checks to email-driven workflows and challenge unusual supplier changes.
Key terms
- Business Email Compromise: Business email compromise is fraud that uses trusted email relationships to induce payment changes, credential theft, or other harmful action. The attacker often relies on a real account or convincing thread context, which makes behavioural detection more effective than sender reputation alone.
- Collaboration-Link Phishing: Collaboration-link phishing uses legitimate cloud sharing or messaging platforms to deliver a fake login page or malicious prompt. The link can pass gateway checks because the destination is real, so the control problem shifts to validating the identity and context behind the invitation.
- Alert Correlation Debt: Alert correlation debt is the operational drag created when multiple tools produce overlapping security signals that must be reconciled manually. It slows triage, increases analyst fatigue, and can let malicious activity age in inboxes before containment begins.
- Behavioural Trust: Behavioural trust is the practice of judging message legitimacy by observed patterns such as timing, conversation history, and action sequence rather than by domain reputation alone. It is especially important when attackers operate through real accounts and authentic platforms.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: Key Insights on 2025 email security trends. Read the original.
Published by the NHIMG editorial team on 2025-08-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org