TL;DR: Multi-stage QR phishing, thread-spoofed vendor impersonation, and AI-generated payroll fraud are increasingly bypassing legacy email controls by mimicking normal workflows, adding personalization, and exploiting human trust, according to Abnormal AI. The security problem is no longer just malicious content, but context-aware deception that static indicators miss.
At a glance
What this is: This is an Abnormal AI threat outlook showing how email attacks now use multi-step social engineering, personalization, and generative AI to evade legacy detection.
Why it matters: It matters because IAM, PAM, and identity governance teams need controls that can detect workflow abuse, not just bad links or obvious phishing indicators, across human and non-human access paths.
By the numbers:
- Multi-stage QR code phishing attacks leverage a variety of pretexts, and at one point fraudulent multi-factor authentication expiration notices and shared document notifications accounted for nearly 50% of all QR code attacks detected by Abnormal.
👉 Read Abnormal AI's outlook on emerging email attack patterns and payroll fraud
Context
Email remains the easiest way to reach identity, because it is where people approve, verify, and move business processes forward. This article shows that attackers are no longer relying on crude phishing alone. They are conditioning targets through staged interactions, forged vendor correspondence, and AI-written messages that look like routine work.
The identity governance problem is broader than mail security. QR-code lures push users outside normal protections, thread-spoofed invoices abuse approval pathways, and payroll fraud turns routine HR processes into a trust channel. For IAM and security teams, the signal is that legitimacy can now be simulated well enough to bypass both human judgment and traditional email defenses.
Key questions
Q: How should security teams defend against multi-stage QR code phishing?
A: Security teams should detect the sequence, not just the destination. Multi-stage QR phishing often begins with a benign-looking email, moves the user to a phone scan, then lands on a branded verification or login page. Controls need to inspect workflow context, newly registered domains, and unusual identity prefill behavior, not only URL reputation.
Q: Why do email-based vendor payment scams still work in mature organisations?
A: They work because they imitate normal business processes, not because they are technically sophisticated. When a fake invoice or bank-change request arrives inside a believable thread, people follow the workflow they already trust. Mature organisations fail when payment approval relies on the thread itself instead of separate verification.
Q: What do security teams get wrong about AI-generated payroll fraud?
A: They focus on malicious content and miss process abuse. AI-generated payroll fraud often contains no links, no malware, and no obvious errors, so content filters have little to flag. The real control gap is allowing compensation changes to be initiated or confirmed through email alone.
Q: How can organisations reduce the risk of phishing in business workflows?
A: Separate notification from authorization. Email can alert people that something needs attention, but sensitive actions such as bank-detail changes, identity updates, and credential verification should require a different authenticated channel. That keeps trust from being transferred automatically from the message to the transaction.
Technical breakdown
Multi-stage QR code phishing bypasses link-scanning controls
Multi-stage QR phishing adds steps before the credential harvest. Instead of sending a direct malicious link, the attacker uses a legitimate-looking interaction, then shifts the target onto a phone camera scan, then into a verification page, and finally into a branded login screen. That sequence matters because many secure email gateways inspect URLs and attachments, but not the behavioral path that leads a user to trust the workflow. Personalization such as prefilled email addresses increases perceived legitimacy and reduces resistance.
Practical implication: security teams need detections that evaluate interaction sequence and destination context, not just URL reputation.
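An added example, not code from Abnormal AI or NHIMG, of detection that scores the scan-to-login sequence rather than one URL: it walks the redirect chain from the QR destination to the final page and flags prefilled identity fields, a change of domain between stages, look-alike domains and newly registered domains. The protected-brand list, the domain-age table and the prefill parameter names are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs
from difflib import SequenceMatcher

# Query/fragment keys that prefill an identity on a login page (assumed list, not from the article)
PREFILL_PARAMS = {"email", "login_hint", "user", "username", "upn"}
# Constructed sample data for this demo: brand domains we protect and their registration age in days
PROTECTED_DOMAINS = ("example-bank.com", "contoso.com")
DOMAIN_AGE_DAYS = {"example-bank.com": 4500, "contoso.com": 6000, "example-bank-verify.net": 3}

def registrable(host):
    # Crude registrable-domain split (no public-suffix list): 'login.x.net' -> 'x.net'
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def lookalike_of(host):
    """Return the protected domain this host imitates, or None if it is that domain itself."""
    label = registrable(host).split(".")[0]
    for real_domain in PROTECTED_DOMAINS:
        if host == real_domain or host.endswith("." + real_domain):
            return None
        real_label = real_domain.split(".")[0]
        if real_label in label or SequenceMatcher(None, real_label, label).ratio() >= 0.8:
            return real_domain
    return None

def triage_qr_chain(urls):
    """urls: the destinations a scanned QR code walks through, first hop to final login page."""
    findings = []
    hosts = [urlparse(u).hostname or "" for u in urls]
    final = urlparse(urls[-1])
    keys = {k.lower() for k in parse_qs(final.query)} | {k.lower() for k in parse_qs(final.fragment)}
    if keys & PREFILL_PARAMS:
        findings.append("prefilled_identity")       # personalisation that raises perceived legitimacy
    if len(set(hosts)) > 1:
        findings.append("cross_domain_staging")     # benign first hop, different final domain
    target = lookalike_of(hosts[-1])
    if target:
        findings.append(f"lookalike_of:{target}")
    age = DOMAIN_AGE_DAYS.get(registrable(hosts[-1]))
    if age is not None and age < 30:
        findings.append("newly_registered")
    return findings

def verdict(urls):
    findings = triage_qr_chain(urls)
    if any(f.startswith("lookalike_of") or f == "newly_registered" for f in findings):
        return "block"
    return "review" if len(findings) >= 2 else "allow"
```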
Thread-spoofed vendor impersonation abuses trusted business workflows
Thread-spoofing works by manufacturing continuity. The attacker inserts a fake conversation chain that makes a payment or banking request look like it belongs inside an existing vendor relationship. The fraud depends less on technical compromise than on process credibility, especially when the message uses a compromised account or a look-alike domain to reinforce authenticity. Attachments such as invoices and tax forms extend the pretext into the same paperwork people expect during normal accounts payable activity.
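An added example, not from the article, of testing a reply's claimed continuity: threading headers are checked against Message-IDs the organisation has actually seen, the sender domain against the vendor record on file, and the body for banking-change language. The message, the vendor record and the known-ID store are constructed sample data.

```python
import email
from email.utils import parseaddr

# Constructed store of Message-IDs this organisation has actually sent or received
KNOWN_MESSAGE_IDS = {"<po-1001@contoso.com>", "<re-po-1001@acme-supplies.com>"}
# Constructed vendor master record: the domain the vendor was onboarded with
VENDORS = {"Acme Supplies": {"domain": "acme-supplies.com"}}
BANK_CHANGE_TERMS = ("new bank", "updated banking", "bank details", "remittance", "account number")

# Constructed spoofed message: a fabricated reply chain carrying a banking change
RAW_SPOOFED = """\
From: Accounts <ar@acme-supplies-billing.com>
To: ap@contoso.com
Subject: RE: PO-1001 invoice
Message-ID: <inv-77@acme-supplies-billing.com>
In-Reply-To: <fake-3@acme-supplies.com>
References: <po-1001@contoso.com> <fake-3@acme-supplies.com>
Content-Type: text/plain

Please note our updated banking details for invoice 77, see attached W-9.
"""

def thread_findings(raw, vendor_name):
    msg = email.message_from_string(raw)
    findings = []
    refs = (msg.get("References", "") + " " + msg.get("In-Reply-To", "")).split()
    if refs and any(r not in KNOWN_MESSAGE_IDS for r in refs):
        findings.append("manufactured_thread")      # claims continuity with mail we never saw
    if not refs and msg.get("Subject", "").lower().startswith("re:"):
        findings.append("reply_without_thread")     # 'RE:' subject but no threading headers at all
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != VENDORS[vendor_name]["domain"]:
        findings.append(f"sender_domain_mismatch:{sender_domain}")
    body = msg.get_payload(decode=True).decode(errors="replace").lower()
    if any(term in body for term in BANK_CHANGE_TERMS):
        findings.append("bank_change_request")
    return findings

def disposition(findings):
    """Thread forgery or an off-record sender is quarantined; any bank change still needs out-of-band verification."""
    if any(f == "manufactured_thread" or f.startswith("sender_domain_mismatch") for f in findings):
        return "quarantine"
    return "verify_out_of_band" if "bank_change_request" in findings else "deliver"
```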
Generative AI makes payroll fraud scale faster and look normal
Payroll fraud has always depended on impersonation, but generative AI removes the rough edges that used to expose it. Attackers can research the right role, draft a tone-matched email, and shape the request around a routine process such as direct deposit changes. Because these messages often contain no links or malware, static detection has little to inspect. The real risk is that the request sits inside a legitimate business process and arrives with the right tone, timing, and terminology.
Practical implication: HR and payroll teams should treat identity-change requests as sensitive transactions requiring confirmation beyond email alone.
Threat narrative
Attacker objective: The attacker wants to turn ordinary email-driven business processes into a trusted channel for credential theft, payment diversion, or payroll redirection.
- Entry begins with a legitimate-looking email thread, QR-code workflow, or compromised sender identity that places the attacker inside a normal business conversation.
- Escalation occurs when the target is moved into a verified-looking page, payment request, or payroll change process that harvests credentials or authorizes fraudulent action.
- Impact is achieved when stolen credentials, diverted funds, or altered payroll details are used to complete the fraud without triggering legacy indicators.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Email has become an identity workflow abuse surface, not just a phishing channel. The article shows attackers exploiting the exact places where identity decisions are made: credential entry, vendor approval, and payroll change handling. That means the security problem is not simply message filtering. It is the misuse of legitimate business processes as trust accelerators, which weakens both human IAM and the operational controls that sit around it.
Legacy secure email gateways are failing because they look for indicators, while these attacks manufacture normality. A link scan can miss a QR workflow that begins innocently and only later leads to credential capture. A content filter can miss a thread that looks like an existing vendor conversation. The field needs to stop treating email as a static payload problem and start treating it as a sequence of identity-bearing actions.
Workflow-conditioned trust is the right named concept for this threat pattern. These attacks succeed by conditioning the target through one or more benign-looking steps before the harmful request appears. That breaks the assumption that users can reliably judge risk at the moment of the final prompt. Practitioners should read this as a governance problem in which trust is being engineered upstream, not merely requested at the end.
Generative AI is not creating new fraud primitives so much as compressing attacker effort across reconnaissance, writing, and personalization. The article shows AI helping attackers identify targets, match tone, and tailor requests to specific roles. That accelerates a threat model already familiar to IAM and fraud teams, but it raises the volume and consistency of attacks enough to overwhelm controls tuned for manual abuse patterns.
Human approval flows are being used as an attack dependency. Thread-spoofing and payroll fraud both rely on a person doing the next sensible thing inside a normal process. That is a lifecycle and governance issue, not just a security tooling issue, because the attacker wins by staying inside an authorised workflow long enough for the organisation to authorise the fraud itself. The implication is that email-based approval pathways deserve the same scrutiny as privileged access paths.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- 52 NHI breach case studies in The 52 NHI breaches Report show that exposed credentials and over-broad access routinely turn routine workflows into breach paths.
- For a broader control lens, Top 10 NHI Issues frames the governance gaps that let identity abuse persist across human, machine, and agent-driven workflows.
What this signals
Workflow-conditioned trust will become a more common failure mode as attackers continue to hide inside legitimate business processes. The practical shift for teams is to treat email, payment, and HR workflows as identity governance surfaces, not just communications systems. The more a process depends on a single message to advance, the more it should be redesigned around independent verification and approval separation.
The control question is no longer whether a message looks malicious. It is whether the organisation can prove that an apparently legitimate request still required the right identity, the right channel, and the right authority before it moved money or access.
The pattern also reinforces why identity teams need to connect fraud controls with IAM and PAM governance. A request that can redirect payroll or approve a vendor payment is an access event in all but name, and it should be monitored with the same discipline as other sensitive identity changes.
For practitioners
- Treat email as a workflow entry point: Map which business processes can be advanced by email alone, including vendor payment changes, payroll updates, and credential verification. Put additional checks on any process where a single message can move money, identity, or access forward.
- Require out-of-band verification for payment changes: Force vendor bank-detail changes, invoice corrections, and W-9 submissions through a separate verification step that does not rely on the original thread. That reduces the chance that a spoofed conversation chain can complete the transaction.
- Move HR and payroll updates out of email-only trust paths: Use a separate authenticated workflow for direct deposit changes and employee identity updates. Email can notify staff, but it should not be the control plane for executing compensation changes.
- Add behavioral detections for staged phishing: Tune detection logic to spot QR-driven sequences, newly registered look-alike domains, and prefilled identity fields that suggest the attacker is conditioning the target before the credential prompt appears.
- Review approval chains for social engineering exposure: Identify where internal approvers, accounts payable staff, or HR personnel can be manipulated by a trusted-looking thread and build manual challenge steps around those decision points.
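Covering the out-of-band verification and HR/payroll items above, and the notification-versus-authorization answer under Key questions, an added example (not code from the article or from NHIMG) that encodes the separation as a small state machine: a change request that arrives by email can only be verified through an independent channel using the contact already on file, and can only be approved after that. The channel names and master records are assumptions.

```python
from dataclasses import dataclass, field

# Channels that count as independent of an e-mail request (assumed policy, not from the article)
OUT_OF_BAND = {"phone_callback", "hr_portal", "vendor_portal"}

@dataclass
class Record:                 # master record the organisation already holds for employee or vendor
    subject_id: str
    phone_on_file: str
    portal_identity: str

@dataclass
class ChangeRequest:
    kind: str                 # e.g. "direct_deposit" or "vendor_bank_details"
    subject_id: str
    new_value: str
    origin_channel: str       # where the request arrived, normally "email"
    contact_in_request: str   # callback number or link offered inside the message; never trusted
    state: str = "notified"
    log: list = field(default_factory=list)

def verify(req, record, channel, contact_used):
    """Move 'notified' -> 'verified' only via a channel independent of the request, using the contact on file."""
    if req.state != "notified":
        return False, "wrong_state"
    if channel == req.origin_channel or channel not in OUT_OF_BAND:
        req.log.append(f"rejected: {channel} is not independent of {req.origin_channel}")
        return False, "same_channel"
    expected = record.phone_on_file if channel == "phone_callback" else record.portal_identity
    if contact_used != expected:
        req.log.append("rejected: contact came from the message, not from the record")
        return False, "untrusted_contact"
    req.state = "verified"
    return True, "verified"

def approve(req):
    """The approver step can only act on a verified request; notification alone never authorises."""
    if req.state != "verified":
        return False, "not_verified"
    req.state = "approved"
    return True, "approved"

def run_demo():
    # Constructed scenario: an e-mailed direct-deposit change that offers its own callback number
    rec = Record("emp-42", "+1-555-0100", "emp-42@hr-portal")
    req = ChangeRequest("direct_deposit", "emp-42", "NEW-ACCOUNT", "email", "+1-555-0199")
    steps = [approve(req), verify(req, rec, "email", rec.phone_on_file),
             verify(req, rec, "phone_callback", req.contact_in_request),
             verify(req, rec, "phone_callback", rec.phone_on_file), approve(req)]
    return [s[1] for s in steps], req.state
```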
Key takeaways
- Email phishing is evolving into workflow abuse, where attackers exploit trusted business processes rather than overtly malicious links or files.
- Abnormal AI’s examples show how staged QR phishing, thread spoofing, and AI-written payroll fraud can bypass legacy controls by looking normal end to end.
- The most effective response is to separate notification from authorization and add independent verification before sensitive identity or payment actions complete.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity and secret abuse appear through workflow-conditioned phishing and payroll fraud. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on access and approval decisions inside trusted workflows. |
| NIST Zero Trust (SP 800-207) | AC-4 | The attacks exploit implicit trust in email-driven business processes. |
Review identity-change and payment-change paths for NHI-03 style trust abuse and require independent verification.
Key terms
- Workflow-conditioned trust: A deception pattern where attackers build credibility through a sequence of normal-looking interactions before asking for a harmful action. The risk is not the final prompt alone, but the fact that earlier steps make the target more willing to comply with it.
- Thread-spoofed vendor impersonation: A social engineering technique that forges an email conversation to make a payment, banking, or document request appear to come from an existing vendor relationship. It works by borrowing the visual and conversational context of an authorised thread to bypass suspicion.
- Business email compromise: A fraud technique that uses email impersonation or account compromise to trick someone into transferring money, changing payment details, or disclosing sensitive information. It often succeeds by exploiting trusted business processes rather than malware or obvious malicious links.
- Staged phishing: A phishing method that uses multiple steps to move the victim from a benign first contact to the final credential or payment prompt. Each step reduces suspicion and can evade controls that only evaluate the last click or the final destination.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: Key Insights on emerging email attack patterns and payroll fraud. Read the original.
Published by the NHIMG editorial team on 2026-01-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org