TL;DR: A luxury retailer’s image-heavy sales workflow was disrupted when a legacy email gateway blocked photos while still missing a supplier-compromise phishing campaign that used PNG lures and Microsoft 365 credential theft, according to Proofpoint. The case shows that blunt filtering and mailbox-era controls can break revenue-critical communication while leaving human-targeted attack paths open.
At a glance
What this is: This is a vendor case study showing how legacy email security broke an image-dependent retail workflow while failing to stop a supplier-driven phishing attack.
Why it matters: It matters because security teams must align email controls with real business workflows, third-party trust paths, and identity protection against credential theft.
By the numbers:
- 80% of the retailer’s workforce are personal shoppers, l shoppers whose primary tool is sharing product photos with clients through email.
- The 2024 FBI Internet Crime Complaint Center report recorded $2.8 billion in losses from business email compromise scams, much of it through compromised suppliers.
👉 Read Proofpoint’s analysis of image-based phishing, supplier compromise, and email security gaps
Context
Legacy email security often optimises for blunt blocking rather than business-aware detection, and that creates a governance problem when email is part of revenue generation. In this case, the workflow depended on image sharing, so controls that stripped images broke operations while still failing to stop phishing. The identity angle is clear: supplier trust and Microsoft 365 account access were the abuse path, not just the email payload.
For IAM and security teams, the lesson is not that email should be more permissive. It is that access, authentication, and content controls must be designed together so that protection does not force users into shadow channels or remove the very signals attackers exploit. In image-driven customer communications, the starting position is atypical only in industry specifics, not in the underlying control failure.
Key questions
Q: How should security teams stop image-based phishing without breaking business workflows?
A: Security teams should classify which groups depend on image-rich communication, then apply content-aware inspection rather than blanket stripping. The goal is to block malicious payloads and credential lures while preserving legitimate business use. When workflows are disrupted, users move to shadow channels, which creates a second security problem.
Q: Why do trusted supplier accounts increase phishing risk?
A: Trusted supplier accounts bypass the scepticism users apply to unknown senders, so attackers can deliver lures that appear routine. If the message reaches a login page or shared workflow, the trust relationship becomes an identity-abuse path. Supplier risk therefore needs both third-party controls and identity monitoring.
Q: What breaks when email security relies on blanket file blocking?
A: Blanket file blocking can stop legitimate business communication, especially in workflows that depend on images, PDFs, or branded attachments. When that happens, staff often switch to consumer apps or informal channels to get work done. The security team then loses visibility and increases operational risk.
Q: Who is accountable when phishing leads to account compromise?
A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.
Technical breakdown
Supplier-compromise phishing through image lures
Attackers do not need a novel exploit when they can hijack a trusted third-party account and use it to deliver a convincing lure. In this case, the malicious content arrived as a .png image that linked to a Microsoft 365 phishing page. The technical issue is not the image format itself, but the fact that legacy filters often treat common file types as low-risk and fail to inspect the embedded path to credential capture. That is a content-analysis failure paired with trust abuse across the supply chain.
Practical implication: email security must inspect image-based lures and vendor-originated messages for authentication abuse, not just file type signatures.
Why blanket image stripping breaks security governance
Stripping all images from inbound mail looks conservative, but it is a control that ignores business context. When visual content is part of customer engagement, logistics reconciliation, or transaction handling, the control turns into operational denial of service. Governance fails when security tools enforce one-size-fits-all policy without exception handling, content classification, or business process mapping. The result is users migrating to consumer apps or unsanctioned channels, which increases exposure rather than reducing it.
Practical implication: classify email workflows by business criticality before enforcing destructive content controls.
Identity protection is the real control boundary
The compromise succeeded because attackers moved from a supplier account into employee authentication flow, which is fundamentally an identity problem. Microsoft 365 phishing pages target credentials, and once users submit them, the control boundary shifts from email filtering to account protection, session management, and anomaly detection. That is why email security cannot be evaluated in isolation from identity governance. If mailbox access is the prize, the defensive focus must include credential theft detection, risky sign-in response, and rapid account containment.
Practical implication: connect email security alerts to identity response so compromised accounts are isolated before reuse spreads.
Threat narrative
Attacker objective: The attacker objective was to steal Microsoft 365 credentials through trusted supplier mail and use that access to compromise employee accounts.
- Entry occurred when attackers compromised a trusted third-party supplier account and used it to send a phishing message to retailer employees.
- Credential access followed when the .png lure redirected users to a Microsoft 365 phishing page designed to harvest login details.
- Impact emerged as several accounts were compromised and business operations were disrupted while the legacy gateway failed to detect the campaign.
NHI Mgmt Group analysis
Legacy email security becomes a governance failure when it forces business users to choose between protection and productivity. The retailer’s image-heavy workflow shows that email controls cannot be judged only by detection rates. If the control breaks the business process, users will route around it, and the security programme loses visibility. The practical conclusion is that email policy must be aligned to business workflow classification, not just threat filtering.
Supplier trust is now part of identity governance, not just third-party risk management. The attack path began with a compromised third-party account, then moved into employee credential capture. That sequence is an access-governance problem because trust in the sender created the path to authentication abuse. Security teams should treat supplier-originated email as an identity boundary with controls for authentication, message inspection, and account containment.
Image-based phishing exposes a control gap that many teams still underestimate: content handling and credential protection are coupled. Blocking all images may look safe, but it can also push users into shadow channels and reduce the quality of security signals. A better model is content-aware inspection paired with identity-aware response. For practitioners, the conclusion is simple: do not measure email protection by blockage alone; measure whether it preserves both business flow and account integrity.
Standing trust assumptions are the named concept this case exposes. The retailer assumed trusted supplier mail, familiar file types, and legacy gateway policy would remain safe enough to support daily operations. Attackers exploited that standing trust to reach credential theft without needing a sophisticated payload. Teams should review where their mail flow still assumes trust rather than verifying sender legitimacy, content intent, and downstream identity risk.
Legacy gateway architecture is increasingly out of step with modern human-targeted attack chains. The article shows that older filtering models can miss weaponized content while still enforcing blunt rules that break legitimate work. That is a signal that email security strategy should move toward layered detection, identity response, and workflow-aware controls. Practitioners should treat outdated gateway dependence as a resilience issue, not just a tooling preference.
What this signals
Email security decisions increasingly need to be evaluated through the lens of workflow resilience, not just malware interception. When a control blocks legitimate business activity, users will find alternate channels, and those channels often sit outside policy, logging, and identity monitoring. Teams should therefore measure whether their email stack preserves both containment and operational continuity, with supplier trust treated as an access-control problem as much as a messaging one.
Standing trust assumptions: the real failure mode here is not simply a missed phishing file, but a control model that assumes trusted senders and benign content types remain safe enough to carry business value. That assumption no longer holds in supplier-heavy workflows. Practitioners should align email policy, Microsoft 365 account response, and third-party trust review into one governance loop, with identity telemetry feeding the response path.
For organisations with customer-facing or logistics-heavy mail flows, restrictive filtering can become a hidden resilience risk. Security leaders should test whether a hard block would push staff into consumer apps, break reconciliation processes, or reduce evidence quality during incident response. That is a governance test, not just a technical test, and it should be part of email control validation alongside detection coverage.
For practitioners
- Map email controls to business-critical workflows Identify which teams rely on image-rich or attachment-heavy email flows, then classify those channels before applying blanket blocking policies. Preserve legitimate business processes while setting tighter inspection for supplier-originated messages and external links.
- Add identity response to email alerting Link phishing detections to Microsoft 365 account containment so compromised sessions, tokens, and passwords are isolated quickly. Email security should trigger identity checks, not stop at message quarantine.
- Inspect supplier-originated content for credential lures Treat trusted sender accounts as potential delivery paths for phishing pages hidden behind image files or branded documents. Use detonation, URL scanning, and message context analysis for third-party mail.
- Review shadow-channel risk after restrictive filtering Track whether users move to WhatsApp, consumer mail, or file-sharing apps after content-blocking policies remove functionality they need. Those migrations are security signals, not user workarounds to ignore.
Key takeaways
- The breach pattern here is a control mismatch: legacy email security blocked legitimate image-driven work while still missing a supplier-based phishing route into employee accounts.
- The impact is not abstract. More than 80% of the retailer’s workforce depended on image sharing, and the fallback to consumer channels created both operational and identity risk.
- The limiting control is not a harsher block rule but a workflow-aware, identity-linked email defence model that can inspect content without breaking business operations.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Supplier phishing and account compromise are access control problems. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential theft through Microsoft 365 targets authenticator management. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access | The article shows phishing entry followed by credential capture. |
| NIST AI RMF | MANAGE | AI-assisted email filtering and detection should be governed as operational risk. |
Track supplier-mail phishing paths against TA0001 and TA0006, then tune detections around account-harvest indicators.
Key terms
- Supplier-driven phishing: Phishing that begins with a compromised trusted third party rather than a clearly malicious sender. The attacker uses existing business trust to increase the chance that users will open the message, click a link, or submit credentials to a convincing login page.
- Workflow-aware security control: A control designed around how people actually work, not just around threat signatures. It protects the business process while still reducing risk, which usually means applying inspection, exception handling, and identity response instead of blunt blocking.
- Email identity boundary: The point where mail delivery becomes an authentication risk because a message can lead a user into exposing credentials or opening access to an account. In modern environments, the email system is not only a transport layer but also an entry point into identity compromise.
- Shadow channel: An unsanctioned communication path users adopt when approved tools are too restrictive or unreliable. Shadow channels reduce visibility, weaken policy enforcement, and often increase the likelihood that sensitive business or identity data moves outside monitored controls.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- The retailer's staged migration path from API email protection to full Core Email Protection and then broader platform coverage.
- Proofpoint's specific detection claims for malicious images, URL scanning, and message-level inspection in Microsoft 365.
- The vendor's discussion of gateway architecture, pre-delivery blocking, and how it positions API and SEG deployment models.
- The supplier threat protection, DMARC, secure email relay, and workspace controls described in the source article.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to broader security operations and lifecycle decisions.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org