TL;DR: Mergers and acquisitions create email security blind spots because acquired tenants often inherit legacy authentication, uneven policy enforcement, and delayed oversight, with one healthcare example finding 14% of accounts lacking MFA and a manufacturer uncovering 18 compromised inboxes before close, according to Abnormal AI. For IAM and security teams, deal integration is now an identity governance problem as much as an email defence problem.
At a glance
What this is: This is Abnormal AI's analysis of why M&A periods create hidden email security exposure across acquired tenants, with the key finding that visibility and control gaps often exist before integration begins.
Why it matters: It matters because acquired environments can carry legacy authentication, unmanaged access, and compromise that extend risk into IAM, NHI oversight, and human account governance during the transition.
By the numbers:
- The FBI reported over $2.7B in 2024 losses from BEC alone.
- A healthcare organization found that 14% of accounts in an acquired entity lacked MFA and used legacy auth methods attackers could exploit.
- A Fortune 500 manufacturer's pre-close read-only scan revealed 18 compromised inboxes in the target before the deal closed.
Context
M&A creates a security governance gap because acquired tenants, identities, and mail controls do not become uniform on day one. The primary keyword here is M&A email security, and the practical challenge is that inheritance happens faster than standardisation.
When oversight is split across legacy teams, authentication methods, and email gateways, attackers gain a window to exploit weak accounts, risky OAuth connections, and inconsistent policy baselines. That makes the transition period an identity and access management problem, not just a mail filtering issue.
Key questions
Q: How should security teams assess acquired email tenants before integration?
A: Security teams should baseline acquired tenants in read-only mode before close, inventorying users, privileged accounts, OAuth apps, and legacy authentication paths. The goal is to identify inherited exposure before integration work hides it. A pre-close view is the safest point to find weak controls because it reveals what the target already contains, not what post-merger cleanup assumes it contains.
Q: Why do acquisitions increase business email compromise risk?
A: Acquisitions increase business email compromise risk because oversight fragments while systems are changing, and attackers exploit the gap between inherited exposure and unified control. Legacy authentication, unreviewed inboxes, and delayed policy enforcement create a temporary trust window. In that window, identity controls are inconsistent enough for impersonation, mailbox abuse, and fraud to succeed.
Q: What breaks when inherited accounts still use legacy authentication?
A: What breaks is the assumption that all acquired identities already meet the acquiring organisation's baseline. Legacy authentication gives attackers an easier path into mailboxes and admin workflows, especially when MFA is absent or inconsistent. That creates a direct path from inherited account weakness to compromise, which can survive long enough to affect deal value.
Q: Who is accountable for email security during an acquisition?
A: Accountability should sit jointly with the security, IAM, and integration leads, because the control failure is cross-functional. Deal teams own timing, IAM owns account assurance, and security owns risk validation. If those responsibilities are not explicit, risky inboxes, overlapping gateways, and compromised accounts can remain unaddressed until after integration.
Technical breakdown
Why acquired tenants become a visibility problem
Every acquisition adds another identity and email control plane, often with different policies, tenant configurations, and administrative practices. Until those environments are inventoried, defenders do not know which inboxes use legacy authentication, which privileged accounts lack MFA, or which connected apps have access to sensitive mailboxes. In practical terms, visibility is the prerequisite for any credible risk decision during a deal transition.
Practical implication: establish read-only access to target tenants before close so you can inventory accounts, apps, and risky configurations without changing mail flow.
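The read-only baseline described above, as an added example that is not code from Abnormal AI or NHI Mgmt Group: it takes a constructed export of a target tenant (users with MFA state and recently used protocols, role assignments, OAuth consent grants) and surfaces the inherited exposure a pre-close review should report, without touching the tenant. Field names, the legacy-protocol list, the mailbox scopes and the sample accounts are all assumptions for illustration.

```python
"""Read-only pre-close baseline of an acquired tenant's identity exposure.

Added example, not code from Abnormal AI or NHI Mgmt Group. It assumes the
acquiring team has exported three things from the target tenant in read-only
mode: user accounts with their MFA state and recently used protocols,
directory role assignments, and OAuth consent grants. All records below are
constructed, and the field names are hypothetical stand-ins for what a
Microsoft 365 or Google Workspace export would carry.
"""
from dataclasses import dataclass

# Assumption: these protocols cannot carry an MFA challenge, so any account
# that still uses them is on a "legacy authentication" path.
LEGACY_PROTOCOLS = frozenset({"imap", "pop3", "smtp-auth"})
# Assumption: scopes that expose mailbox content or let an app send as a user.
MAILBOX_SCOPES = frozenset({"Mail.Read", "Mail.ReadWrite", "Mail.Send"})
# Assumption: roles that count as privileged for mail and identity control.
PRIVILEGED_ROLES = frozenset({"Global Administrator", "Exchange Administrator"})


@dataclass(frozen=True)
class User:
    upn: str
    mfa_enrolled: bool
    protocols: frozenset  # protocols seen in sign-in logs during the export window
    roles: frozenset


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str
    scopes: frozenset
    consented_by: str  # "admin" for tenant-wide consent, else the consenting user's UPN


# Constructed sample export for a small target tenant.
SAMPLE_USERS = [
    User("cfo@target.example", True, frozenset({"modern"}), frozenset({"Global Administrator"})),
    User("it-admin@target.example", False, frozenset({"modern", "imap"}), frozenset({"Exchange Administrator"})),
    User("ap-clerk@target.example", False, frozenset({"imap"}), frozenset()),
    User("sales1@target.example", True, frozenset({"modern"}), frozenset()),
    User("sales2@target.example", True, frozenset({"modern", "smtp-auth"}), frozenset()),
    User("shared-mailbox@target.example", False, frozenset({"pop3"}), frozenset()),
    User("hr@target.example", True, frozenset({"modern"}), frozenset()),
]
SAMPLE_GRANTS = [
    OAuthGrant("CRM Connector", frozenset({"User.Read", "Mail.ReadWrite"}), "admin"),
    OAuthGrant("Calendar Sync", frozenset({"Calendars.Read"}), "sales1@target.example"),
    OAuthGrant("Unknown Mail Tool", frozenset({"Mail.Read", "Mail.Send"}), "ap-clerk@target.example"),
]


def baseline(users, grants):
    """Return the inherited-exposure findings a pre-close review should surface."""
    no_mfa = {u.upn for u in users if not u.mfa_enrolled}
    legacy = {u.upn for u in users if u.protocols & LEGACY_PROTOCOLS}
    privileged_no_mfa = {u.upn for u in users if u.roles & PRIVILEGED_ROLES and not u.mfa_enrolled}
    # Mailbox-scoped apps are the "risky mailbox-connected applications"; those
    # consented by an individual user rather than an admin never went through
    # the target's own review, so they are listed separately.
    mailbox_apps = {g.app_name for g in grants if g.scopes & MAILBOX_SCOPES}
    user_consented = {g.app_name for g in grants if g.scopes & MAILBOX_SCOPES and g.consented_by != "admin"}
    return {
        "total_users": len(users),
        "no_mfa": sorted(no_mfa),
        "pct_no_mfa": round(100 * len(no_mfa) / len(users), 1),
        "legacy_auth": sorted(legacy),
        "privileged_no_mfa": sorted(privileged_no_mfa),
        # Remediate first: reachable over a legacy path and no MFA to stop it.
        "remediate_first": sorted(no_mfa & legacy),
        "mailbox_apps": sorted(mailbox_apps),
        "user_consented_mailbox_apps": sorted(user_consented),
    }


def report(findings):
    """Render the findings as the short summary a deal team can act on."""
    lines = [f"Users: {findings['total_users']}  No MFA: {findings['pct_no_mfa']}%"]
    for key in ("privileged_no_mfa", "remediate_first", "legacy_auth",
                "mailbox_apps", "user_consented_mailbox_apps"):
        lines.append(f"{key}: {', '.join(findings[key]) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(baseline(SAMPLE_USERS, SAMPLE_GRANTS)))
```

The ordering of the findings is deliberate: privileged accounts without MFA and accounts that combine a legacy protocol with missing MFA come first, because those are the paths that turn inherited weakness into a compromised inbox before close, while the full legacy-auth and app lists feed the longer remediation plan.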
How email security controls fracture across integration phases
Traditional security stacks often assume a single operating model, but M&A introduces overlapping mail gateways, exceptions, and delayed policy migration. That creates a period where some users are protected by modern controls while others remain on legacy rules or unmanaged settings. Behavioural detection and API-based monitoring reduce that drift because they observe mail activity without requiring routing changes or manual rule rewrites.
Practical implication: prioritise unified policy visibility across Microsoft 365 and Google Workspace before consolidating gateways or migrating rules.
Why business email compromise risk spikes during deal integration
Business email compromise thrives when communication channels change faster than governance does. During M&A, attackers can exploit weak inbox protection, inconsistent admin controls, and the temporary confusion that follows tenant migration or entity separation. The real risk is not just phishing volume, but the organisational lag between acquisition, control harmonisation, and confirmed enforcement.
Practical implication: treat the acquisition window as a high-risk operational period and baseline compromised inbox exposure before integration work begins.
Threat narrative
Attacker objective: The attacker aims to exploit the integration window to gain mailbox access, impersonate trusted users, and redirect money or sensitive business communications.
- Entry occurs through acquired environments that still contain legacy authentication, weak inbox controls, or exposed mail tenants before integration.
- Escalation follows when attackers abuse unprotected accounts, compromised inboxes, or risky mailbox-connected applications to expand access across the deal surface.
- Impact lands as business email compromise, financial fraud, operational delay, or reputational damage during the integration window.
Breaches seen in the wild
- DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach: exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
M&A email security is an identity governance problem before it is a mail security problem. The control failure starts when acquired tenants, accounts, and connected apps are accepted as transitional rather than governed assets. That means the programme is already behind if it waits for post-close standardisation before assessing exposure. Practitioners should treat the acquisition window as an identity assurance phase, not a cleanup phase.
Pre-close visibility is the named concept this category needs: risk inheritance without control inheritance. The article shows that attackers can be present, and inboxes can already be compromised, before integration is complete. That breaks the assumption that acquisition diligence is only financial or legal. Security teams should regard the target environment as part of the attack surface from the moment access is possible.
Legacy authentication in acquired tenants is a governance gap, not a migration detail. When 14% of accounts in an acquired entity lack MFA and still rely on older authentication methods, the issue is not merely technical debt. It is a live exposure window for business email compromise and impersonation. The implication for practitioners is that transition governance must explicitly cover inherited account assurance.
Overlapping gateways and manual exceptions create control drift across the integration period. Paying for duplicated SEG coverage while new users remain unprotected is a signal that operational processes and security outcomes have diverged. That divergence is common in M&A because ownership, policy, and migration work sit in different teams. Practitioners should assume coverage gaps will persist until governance is centralised and measured.
API-based behavioural controls matter because M&A conditions change faster than manual rule management can keep up. The reported reduction in manual email rule handling shows the operational strain of trying to govern multiple acquired environments by hand. The broader lesson is that integration security needs continuous visibility and repeatable control enforcement. Practitioners should align controls to the pace of deal activity, not the pace of ticketing.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Our research also shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, reinforcing that identity exposure is already a mainstream operating condition.
- For a broader breach lens, see 52 NHI Breaches Analysis for patterns that help teams connect exposure, discovery, and containment across identity programmes.
What this signals
Risk inheritance without control inheritance is the pattern security teams need to watch in every acquisition. The moment a new tenant, mailbox estate, or legacy gateway is accepted into the portfolio, the organisation has expanded its identity attack surface whether or not the controls have caught up.
The operational signal is not just compromised mailboxes, but the time it takes to normalise controls across all acquired entities. If integration still depends on manual rule migration, multiple gateways, and local exception handling, attackers benefit from the delay longer than defenders do.
Security leaders should connect acquisition diligence to identity governance, not just IT consolidation. The organisations that reduce exposure fastest will be the ones that can prove which accounts, apps, and mail routes are trusted before Day 1 of full integration.
For practitioners
- Baseline acquired tenants in read-only mode before close: inventory users, privileged accounts, OAuth-connected apps, and legacy authentication methods before integration begins so you know which identities are already exposed.
- Prioritise MFA and legacy-auth remediation in inherited accounts: treat missing MFA in acquired entities as an immediate exposure indicator, and sequence remediation before mailbox consolidation or policy migration.
- Unify reporting across tenants and gateways: create a single operational view for Microsoft 365 and Google Workspace environments so exceptions, risky inboxes, and coverage gaps do not stay hidden in separate teams.
- Validate compromised inbox exposure before integration milestones: use pre-close scans and continuous monitoring to identify already-compromised mailboxes and prevent them from moving into the integrated environment unnoticed.
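The "single operational view" across Microsoft 365 and Google Workspace that the practitioner list and the earlier practical implication on unified policy visibility both call for, as an added example that is not code from Abnormal AI or NHI Mgmt Group: it normalises two constructed tenant exports onto one record shape, joins them with the integration team's record of which protection layers each tenant and excepted user is enrolled in, and then reports the drift the article describes (unprotected users, users covered by two gateways at once, and tenants with no API-based monitoring). Tenant names, layer names, exceptions and the export field names are assumptions for illustration, not the platforms' actual schemas.

```python
"""One operational view across a Microsoft 365 tenant and a Google Workspace tenant.

Added example, not code from Abnormal AI or NHI Mgmt Group. It assumes each
acquired tenant has been exported on its own and that the integration team
keeps a record of which protection layers (legacy SEG, new SEG, API-based
monitoring) each tenant's mail route and each excepted user is enrolled in.
The export rows are constructed approximations of the two platforms' user
records, not exact API schemas; tenant names, layer names and exceptions are
hypothetical.
"""

# Constructed export from the Microsoft 365 tenant of acquired entity "target-a".
M365_EXPORT = [
    {"userPrincipalName": "Alice@target-a.example", "accountEnabled": True},
    {"userPrincipalName": "bob@target-a.example", "accountEnabled": True},
    {"userPrincipalName": "svc-scan@target-a.example", "accountEnabled": False},
]
# Constructed export from the Google Workspace tenant of acquired entity "target-b".
WORKSPACE_EXPORT = [
    {"primaryEmail": "carol@target-b.example", "suspended": False},
    {"primaryEmail": "dave@target-b.example", "suspended": False},
]
# Hypothetical integration-team records: layers applied to a whole tenant's
# mail route, and per-user exceptions granted during migration.
TENANT_LAYERS = {
    "target-a": {"legacy-seg", "api-monitor"},
    "target-b": set(),  # mail route not yet onboarded to any control
}
USER_EXCEPTIONS = {
    "bob@target-a.example": {"new-seg"},        # migrated early; still behind the legacy SEG too
    "carol@target-b.example": {"api-monitor"},  # pilot user for API-based monitoring
}
SEG_LAYERS = {"legacy-seg", "new-seg"}


def normalise(tenant, platform, rows):
    """Map one platform's export rows onto a common record shape."""
    records = []
    for row in rows:
        if platform == "m365":
            email, active = row["userPrincipalName"], row["accountEnabled"]
        elif platform == "workspace":
            email, active = row["primaryEmail"], not row["suspended"]
        else:
            raise ValueError(f"unknown platform: {platform}")
        email = email.lower()  # addresses are case-insensitive; normalise before joining
        layers = set(TENANT_LAYERS.get(tenant, set())) | USER_EXCEPTIONS.get(email, set())
        records.append({"tenant": tenant, "platform": platform, "email": email,
                        "active": active, "layers": layers})
    return records


def coverage_gaps(records):
    """Report unprotected users, duplicated SEG coverage, and per-tenant coverage."""
    active = [r for r in records if r["active"]]  # disabled accounts cannot receive mail
    per_tenant = {}
    for r in active:
        t = per_tenant.setdefault(r["tenant"], {"users": 0, "covered": 0, "api_monitored": 0})
        t["users"] += 1
        t["covered"] += bool(r["layers"])
        t["api_monitored"] += "api-monitor" in r["layers"]
    return {
        "unprotected": sorted(r["email"] for r in active if not r["layers"]),
        "duplicated_seg": sorted(r["email"] for r in active if len(r["layers"] & SEG_LAYERS) > 1),
        "per_tenant": per_tenant,
    }


def unified_view():
    """Build the cross-tenant view from both constructed exports."""
    records = (normalise("target-a", "m365", M365_EXPORT)
               + normalise("target-b", "workspace", WORKSPACE_EXPORT))
    return coverage_gaps(records)


if __name__ == "__main__":
    gaps = unified_view()
    print("Unprotected:", gaps["unprotected"])
    print("Covered by two SEGs (paying twice):", gaps["duplicated_seg"])
    for tenant, s in sorted(gaps["per_tenant"].items()):
        print(f"{tenant}: {s['covered']}/{s['users']} covered, "
              f"{s['api_monitored']}/{s['users']} API-monitored")
```

Keeping the per-tenant enrolment and the per-user exceptions as separate inputs is what makes the drift visible: a user who was moved to the new gateway early but never removed from the legacy one shows up as duplicated coverage, and a tenant whose mail route was never onboarded shows up as unprotected even when a pilot user inside it looks fine.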
Key takeaways
- M&A creates a temporary trust gap in email security where inherited accounts and tenants can remain vulnerable before governance catches up.
- The clearest warning signs are missing MFA, legacy authentication, compromised inboxes, and duplicated controls that mask real exposure.
- The strongest response is pre-close visibility, unified oversight, and rapid control standardisation across every acquired environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Acquired tenant access needs least-privilege enforcement and account assurance. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust segmentation helps isolate newly acquired tenants during transition. |
| NIST SP 800-63 | Digital Identity Guidelines | Legacy authentication and absent MFA in acquired accounts are directly addressed by digital identity guidance. |
Require strong authenticators for inherited accounts before they enter the production trust boundary.
Key terms
- Acquired Tenant: A newly acquired email or identity environment that is not yet merged into the parent organisation's operating model. It often carries separate policies, authentication methods, and admin practices, which makes it an exposed transitional asset until governance, visibility, and controls are standardised.
- Business Email Compromise: A fraud pattern in which attackers use trusted email accounts or convincing impersonation to redirect payments, steal credentials, or manipulate business decisions. In acquisition settings, BEC risk rises when inherited accounts, weak authentication, and fragmented oversight make mailbox abuse easier to sustain.
- Read-only Pre-close Assessment: A pre-integration review that inspects a target environment without changing mail flow or access configuration. It gives defenders a safe way to inventory accounts, apps, and exposure before the acquisition closes, which is often the last reliable point to measure inherited risk cleanly.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: M&A email risk in acquired tenants. Read the original.
Published by the NHIMG editorial team on 2026-01-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org