By NHI Mgmt Group Editorial Team | Published 2025-12-03 | Domain: Breaches & Incidents | Source: Abnormal AI

TL;DR: Gartner’s 2025 Magic Quadrant for Email Security cites the high volume of sophisticated, email-enabled social engineering attacks and the difficulty of consistently quantifying detection efficacy, which is why organizations may need multiple vendors for coverage, according to Gartner. The real issue is not vendor count but whether identity, behavior, and context are governed tightly enough to blunt account takeover and credential phishing.


At a glance

What this is: A vendor news post about Abnormal AI’s second consecutive year as a Gartner Magic Quadrant leader for email security, with the key finding that email-enabled social engineering remains hard to detect consistently.

Why it matters: Email is still an identity attack surface, and IAM, PAM, and NHI teams all depend on strong detection of impersonation, account takeover, and abused credentials.

By the numbers:

👉 Read Abnormal AI's analysis of Gartner's 2025 Email Security ranking


Context

Email security has become an identity problem as much as a messaging problem. Business email compromise, credential phishing, and account takeover succeed when attackers can blend into normal user behaviour and exploit trust relationships that existing controls do not inspect closely enough.

Abnormal AI’s announcement is a market signal, but the practitioner question is broader: how do teams detect socially engineered identity abuse when the attack path starts in the inbox and extends into cloud applications? That question matters across human identity, privileged access, and the service accounts that receive or execute follow-on actions.


Key questions

Q: How should security teams detect business email compromise before it turns into account takeover?

A: Focus on identity behaviour, not only message content. Combine sender history, reply-chain anomalies, unusual language patterns, and cloud context so the control can distinguish normal communication from impersonation. The best detections feed IAM and SOC workflows together, because the real risk is often the downstream abuse of a trusted account, not the email itself.

Q: Why do email attacks remain effective even when organisations use phishing filters?

A: Filters often see the message, but not the full identity context behind it. Attackers exploit trusted relationships, legitimate-looking threads, and human decision-making, which makes the abuse harder to classify from content alone. Behavioural and contextual controls matter because they can reveal when a mailbox is being used in a way that does not match normal communication.

Q: How can organisations govern autonomous email-remediation tools safely?

A: Define exactly which actions the automation can take, what evidence it must log, and when humans must review or override it. Autonomous response works best for repeatable containment tasks, but it should never be allowed to expand mailbox authority or change user access without explicit policy boundaries and auditability.

Q: What is the difference between content-based email filtering and identity-aware detection?

A: Content-based filtering looks for malicious links, attachments, or known patterns inside a message. Identity-aware detection also evaluates who is sending, how they normally behave, and whether the communication pattern fits the organisation’s baseline. That broader view is better for spotting BEC, impersonation, and account takeover attempts that do not rely on obvious malware.


Technical breakdown

Identity and context signals in email detection

Modern email security is increasingly behaviour-centric. Instead of relying only on content inspection or static rules, systems correlate identity history, communication patterns, sender reputation, and context signals to baseline what normal looks like for a user or mailbox. That allows anomaly detection to flag deviations such as unusual reply chains, first-time contacts, or suspicious language that fits a social engineering pattern. Natural language processing helps surface semantic intent, while behavioural models reduce dependence on a single malicious indicator. The strength of this approach is not that it blocks every phish, but that it raises confidence when multiple weak signals align into a credible account compromise pattern.

Practical implication: security teams should tune detection around identity baselines, not just attachment and URL scanning.
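The correlation described above, as an added example that is not Abnormal AI's code or the post's own: a per-mailbox baseline (known senders, display-name-to-address mapping, threads the mailbox has actually seen) is checked against an incoming message, and each deviation is one weak signal. A normal reply scores nothing; a look-alike impersonation scores on several signals at once. The baseline, messages, and thresholds are constructed sample data.

```python
"""Added example: score a message by how many identity-baseline deviations
align. No single signal is treated as proof; alignment raises confidence.
All data below is constructed for illustration."""
import re
from dataclasses import dataclass, field

# Wording typical of payment-fraud lures (illustrative list, not a vendor model).
URGENCY = re.compile(r"\b(urgent|immediately|wire|gift card|today|confidential)\b", re.I)

@dataclass
class MailboxBaseline:
    """What 'normal' looks like for one mailbox, learned from its history."""
    known_senders: set = field(default_factory=set)   # addresses seen before
    known_names: dict = field(default_factory=dict)   # display name -> expected address
    seen_threads: set = field(default_factory=set)    # Message-IDs this mailbox has seen

def score_message(baseline, msg):
    """Return (score, reasons): one point per weak signal that deviates from baseline."""
    reasons = []
    sender = msg["from_addr"].lower()
    if sender not in baseline.known_senders:
        reasons.append("first-time contact")
    expected = baseline.known_names.get(msg["from_name"])
    if expected and expected != sender:
        reasons.append("display name matches a known contact but the address differs")
    if msg["subject"].lower().startswith("re:") and msg.get("in_reply_to") not in baseline.seen_threads:
        reasons.append("reply to a thread this mailbox never saw")
    if msg.get("reply_to") and msg["reply_to"].lower() != sender:
        reasons.append("Reply-To diverges from the sender")
    if URGENCY.search(msg["body"]):
        reasons.append("urgency or payment language")
    return len(reasons), reasons

def classify(score):
    """Illustrative thresholds: three aligned signals is a credible compromise pattern."""
    return "alert" if score >= 3 else "review" if score == 2 else "allow"

# Constructed baseline and two constructed messages: a genuine CFO reply and a look-alike.
BASELINE = MailboxBaseline(
    known_senders={"cfo@example.com", "vendor@partner.example"},
    known_names={"Dana Lee (CFO)": "cfo@example.com"},
    seen_threads={"<t1@example.com>"},
)
NORMAL = {"from_name": "Dana Lee (CFO)", "from_addr": "cfo@example.com", "subject": "Re: Q4 budget",
          "in_reply_to": "<t1@example.com>", "body": "Please send the Q4 numbers when ready."}
IMPERSONATION = {"from_name": "Dana Lee (CFO)", "from_addr": "dana.lee@gmail-mail.example",
                 "reply_to": "payments@gmail-mail.example", "subject": "Re: Q4 budget",
                 "in_reply_to": "<t9@example.com>",
                 "body": "Urgent: wire the deposit today, keep this confidential."}
```

Each reason string is the evidence a SOC or IAM workflow would want attached to the resulting identity incident, not just the verdict.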

API-based deployment and mail flow constraints

An API-based email security model integrates with cloud mail platforms without forcing mail routing changes. That matters because many organisations are reluctant to re-engineer message flow, and complex configuration often delays deployment or creates blind spots. API access lets a platform inspect mail, enrich it with behavioural context, and act on suspicious messages or accounts after delivery, which supports faster rollout across Microsoft 365 and Google Workspace. The trade-off is that API integration must be tightly governed, because the platform itself becomes a high-trust connector with visibility into sensitive communication patterns and metadata.

Practical implication: treat the email-security API as a privileged integration and review its access scope, logging, and offboarding path.

Autonomous remediation for socially engineered abuse

The article’s reference to autonomous protection points to a broader shift in email defence. Some systems can now detect suspicious activity, remediate malicious messages, and initiate training workflows without waiting for manual triage. In practice, that changes the operational model from alert-first response to machine-assisted containment. The risk is governance drift if automation acts too broadly or without clear policy boundaries, but the value is faster interruption of BEC and account takeover campaigns that often move too quickly for human review. For identity teams, the key is not whether automation exists, but whether the action scope is constrained and auditable.

Practical implication: define approval boundaries for automated mailbox actions before enabling autonomous remediation.
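The approval boundary described above, as an added example that is not part of the original post or any vendor's product: a policy gate that lets automation execute message-level containment on its own, holds anything that changes account or mailbox authority for a human, rejects actions that carry no evidence, and writes every decision to an audit log. The action names are hypothetical.

```python
"""Added example: a policy gate for autonomous email remediation.
Action names and the allowlists are hypothetical, chosen for illustration."""
from datetime import datetime, timezone

# Policy boundary: what automation may do on its own vs. what needs a human.
AUTO_ALLOWED = {"quarantine_message", "trigger_training", "revoke_url"}
HUMAN_REQUIRED = {"disable_account", "reset_password", "add_mailbox_rule", "grant_delegate"}

AUDIT_LOG = []   # in a real deployment this would be an append-only, tamper-evident sink

def request_action(action, target, evidence, requested_by="detector"):
    """Decide whether an automated action may execute; log the decision either way."""
    if not evidence:                       # every action must carry the signals that justified it
        decision = "rejected: no evidence"
    elif action in AUTO_ALLOWED:           # repeatable containment: run now
        decision = "executed"
    elif action in HUMAN_REQUIRED:         # changes user access or mailbox authority: hold
        decision = "held for approval"
    else:                                  # not in any playbook: never act on unknowns
        decision = "rejected: unknown action"
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action, "target": target, "evidence": list(evidence),
        "requested_by": requested_by, "decision": decision,
    }
    AUDIT_LOG.append(entry)
    return entry

def approve(entry, approver):
    """Human override path: promote a held action, recording who approved it."""
    if entry["decision"] != "held for approval":
        return entry["decision"]           # nothing to approve; leave the record unchanged
    entry["decision"] = "executed"
    entry["approved_by"] = approver
    return entry["decision"]

def rollback(entry, operator):
    """Record reversal of an executed action so the trail shows the full lifecycle."""
    if entry["decision"] != "executed":
        return entry["decision"]
    entry["decision"] = "rolled back"
    entry["rolled_back_by"] = operator
    return entry["decision"]
```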


Threat narrative

Attacker objective: The attacker wants to gain trusted access to a mailbox or related identity path so they can impersonate the user and drive fraud or lateral abuse from inside the organisation.

  1. Entry begins with a credential phishing message or other email-enabled social engineering lure that reaches a trusted user mailbox.
  2. Escalation occurs when the victim clicks, shares credentials, or exposes the attacker to authenticated cloud sessions and downstream application access.
  3. Impact follows with business email compromise, account takeover, or fraudulent internal requests that exploit the compromised identity relationship.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Email security is now an identity governance problem, not just a content-filtering problem. The article reinforces that modern attacks succeed by abusing trust in people, mailboxes, and connected cloud accounts. That means the control question is no longer only whether a message is malicious, but whether identity and behavioural context are strong enough to distinguish legitimate communication from impersonation. Practitioners should treat email telemetry as part of identity risk management, not a separate security silo.

Behavioural AI changes detection economics, but it does not remove governance responsibility. When a platform baseline is built on normal user activity, it can identify deviations that traditional rule sets miss. The governance issue is that identity-based detection becomes a policy decision about what signals are trusted, how false positives are handled, and how aggressively automation may respond. Security teams should interpret behavioural AI as an identity control layer that still requires scope, logging, and review.

Named concept: identity-to-inbox attack path. This is the route from a compromised or impersonated identity in email into broader cloud and business process abuse. It matters because the inbox is often the first trusted execution point for social engineering, and once that trust is breached, the attacker can pivot into approvals, payments, or shared application access. Practitioners should map email security controls to the downstream identity path, not just the message itself.

Abnormal’s Gartner placement signals continuing demand for cross-signal detection, not single-point mail filtering. Gartner’s note about the difficulty of consistently quantifying detection efficacy shows why organisations keep seeking layered protection. The market is moving toward identity-aware defence because mail alone does not explain risk in isolation. Security leaders should expect email security to be evaluated on its ability to connect user behaviour, cloud context, and actionability.

Autonomous remediation is becoming operationally relevant, but only if the scope is bounded. The ability to remediate malicious mail and train users in real time is useful when campaigns move faster than analysts can triage. The governance test is whether those actions are constrained to known-safe playbooks and fully observable afterwards. Teams should demand evidence that automation accelerates containment without creating opaque mailbox authority.

From our research:

  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • A separate finding from the same research shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
  • For a broader view of how secret exposure changes governance priorities, see The State of Secrets in AppSec.

What this signals

Identity-to-inbox attack path: security teams should treat email compromise as the first stage of a broader identity abuse chain, where a trusted mailbox becomes the launch point for fraud, access misuse, or connected application compromise. The practical signal is not just message volume, but whether behavioural baselines can expose abnormal trust transitions before users act on them.

The article also signals a shift in control design toward layered detection. Organisations that still separate email security from IAM will miss the point, because the inbox is often where identity misuse first becomes observable and where response can still interrupt the chain.

As AI-assisted social engineering scales, teams will need tighter linkage between mail telemetry, account risk scoring, and connected-app response. That is where controls such as the NIST Cybersecurity Framework 2.0 become operational rather than abstract, especially in identify, protect, detect, and respond planning.


For practitioners

  • Map email security to identity risk workflows: Link phishing, BEC, and account takeover detections to IAM and SOC escalation paths so mailbox abuse becomes an identity incident, not just a message alert.
  • Treat the email-security API as privileged access: Review scope, token handling, audit logging, and offboarding for the integration with Microsoft 365 or Google Workspace, because that connector can inspect sensitive communications and act on mail.
  • Baseline normal communication behaviour: Use sender patterns, reply-chain history, and context signals to define what legitimate activity looks like before enabling automated blocking or remediation.
  • Constrain autonomous remediation playbooks: Limit automated message quarantine, user training triggers, and account response actions to approved scenarios with clear audit trails and rollback steps.

Key takeaways

  • Email security now functions as an identity control plane because attackers use trusted communication to reach accounts, approvals, and cloud workflows.
  • Behavioural AI improves detection of BEC and account takeover by correlating identity, context, and communication patterns that static filters miss.
  • Practitioners should govern email security APIs and autonomous remediation as privileged integrations with clear scope, logging, and review boundaries.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Email compromise is an identity access problem that affects trust and account control. |
| NIST CSF 2.0 | DE.CM-1 | Behavioural email detection relies on continuous monitoring of user and mailbox activity. |
| NIST Zero Trust (SP 800-207) | | Email trust should be evaluated as part of continuous verification across identity paths. |

Apply zero-trust principles to mailbox access, connected apps, and automated remediation actions.


Key terms

  • Email-enabled social engineering: A deceptive attack delivered through email that manipulates a person into revealing access, taking an action, or trusting a fraudulent request. In identity terms, it is often the first step in a broader compromise chain that can lead to account takeover, approval abuse, or downstream fraud.
  • Behavioural baselining: The practice of learning what normal activity looks like for a user, mailbox, or account so deviations can be flagged as suspicious. It works best when identity, context, and communication patterns are combined, because attackers often try to imitate legitimate activity rather than trigger simple malware rules.
  • Autonomous remediation: A response model where a security system can quarantine messages, trigger training, or initiate other containment actions without waiting for a human analyst. It reduces response time, but it also requires strict policy boundaries, auditability, and clear limits on what the system is allowed to change.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Abnormal AI named a leader in the 2025 Gartner Magic Quadrant for Email Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org