TL;DR: Recurring criminal tradecraft across BEC, supply chain, phishing, account takeover, subscription bombing, and indirect prompt injection shows how attackers keep blending human-targeted deception with credential theft and AI misuse to bypass controls, according to Proofpoint’s monthly stop-list. The pattern is operational, not theoretical: identity and access governance fail fastest where trust is implicit and verification is weak.
At a glance
What this is: This is Proofpoint’s Cybersecurity Stop of the Month roundup, which surveys recurring attacker tactics across phishing, account takeover, supply chain abuse, and AI-related deception.
Why it matters: It matters because the same identity weaknesses keep reappearing across human identity, NHI, and AI-assisted attack paths, so IAM and security teams need controls that account for abuse patterns rather than isolated campaigns.
👉 Read Proofpoint's monthly cybersecurity stop-list on phishing, account takeover, and AI abuse
Context
Phishing, account takeover, and supply chain abuse continue to work because they exploit trust shortcuts in identity and access workflows. When users, tokens, and delegated access are accepted too quickly, attackers do not need novel malware to get traction.
The article is a monthly recap rather than a deep technical case study, but it still points to a real governance gap: identity controls are often tuned to known account events while modern abuse chains combine social engineering, token theft, and AI-assisted deception. That intersection matters for IAM, PAM, fraud prevention, and NHI governance alike.
Key questions
Q: What breaks when phishing is allowed to reach identity workflows?
A: Phishing becomes more damaging when it can trigger credential resets, payment changes, or privileged approvals without a second trust check. The failure is not just user deception. It is the absence of a control boundary between message handling and identity action, which allows a single malicious interaction to become authenticated activity.
Q: Why do supply chain attacks so often turn into identity incidents?
A: Because attackers are not only changing code, they are harvesting the non-human identities that code runs beside. API keys, cloud credentials, SSH keys, and registry tokens give direct access to infrastructure and publishing systems, so a compromised package becomes an identity compromise with wider blast radius.
Q: How should security teams reduce indirect prompt injection risk in AI systems?
A: Security teams should limit what AI systems can read, separate untrusted content from privileged actions, and apply least privilege to every connected agent. The strongest posture combines content filtering, allowlisted sources, short-lived sessions, and explicit approval for sensitive actions. If any one of those layers is missing, the attack path remains open.
Q: Who is accountable when account takeover or BEC leads to loss?
A: Accountability usually spans security, identity, fraud, and business operations because the failure often occurs at the boundary between communication trust and authorisation. Organisations should assign ownership for verification, approval, and revocation controls so that no single team can assume the other has closed the gap.
Technical breakdown
BEC and account takeover still succeed through trust collapse
Business email compromise and account takeover campaigns work when messaging, authentication, and approval workflows are treated as separate problems. Attackers exploit user trust, then move into identity controls by redirecting payments, resetting credentials, or hijacking cloud accounts. The technical issue is not only phishing volume, but the speed with which a trusted sender or session becomes an authenticated action path. Practical implication: close the loop between email security, identity verification, and privileged workflow approval.
Practical implication: Link suspicious-mail detection to identity verification and high-risk approval controls before a message can trigger payment or access changes.
Supply chain compromise becomes an identity problem once tokens are reused
Supply chain attacks often begin with a compromised vendor, package, or trusted integration, then turn into identity abuse when credentials, API keys, or OAuth grants are discovered in the resulting environment. Once an attacker has valid secrets, they can blend into normal application traffic and avoid simple perimeter detection. In NHI terms, the real failure is unmanaged delegated trust. Practical implication: treat third-party access, service credentials, and app-to-app grants as lifecycle-controlled identities, not static conveniences.
Practical implication: Inventory third-party grants and secrets together so delegated access can be revoked as soon as trust is broken.
Indirect prompt injection creates a new control layer for AI assistants
Indirect prompt injection is a technique where malicious content in external data, documents, or web pages tries to steer an AI assistant’s output or tool use. The risk is not just bad answers, but unsafe action selection if the model can call tools, retrieve data, or forward instructions without strong policy boundaries. This makes AI assistants a governance issue, not just a content-quality issue. Practical implication: isolate tool permission from prompt content and constrain what the agent can do with retrieved instructions.
Practical implication: Separate model input from tool authority so untrusted content cannot directly shape actions or data access.
Threat narrative
Attacker objective: The attacker wants to convert a single trust failure into repeatable access, financial gain, or data theft without triggering immediate suspicion.
- Entry begins with phishing, impersonation, malicious attachments, or injected content that reaches a user or AI-assisted workflow through a trusted channel.
- Credential access follows when the victim discloses passwords, tokens, MFA codes, OAuth grants, or delegated access that can be reused without immediate detection.
- Impact occurs when the attacker uses that trust to move money, steal data, compromise accounts, or manipulate downstream decisions at scale.
NHI Mgmt Group analysis
Identity abuse is the common thread running through these monthly threat themes. Whether the entry point is phishing, vendor impersonation, account takeover, or AI-assisted deception, the attacker’s objective is usually the same: turn trust into usable access. That makes this roundup more than a list of incidents. It is evidence that IAM, PAM, and verification controls need to be designed as a connected system, not isolated checkpoints.
Supply chain compromise is increasingly an NHI problem before it becomes a malware problem. The moment a vendor account, API key, or delegated application grant is abused, the event leaves the realm of simple perimeter security and enters identity governance. Practitioners should read these campaigns as warnings about unmanaged service trust, stale access, and overextended delegation paths. The practitioner conclusion is to govern third-party access as lifecycle-bound identity.
Trust shortcut accumulation: this is the underlying failure mode across BEC, account takeover, and AI prompt abuse. Each shortcut, from auto-approval to weak verification to permissive agent tools, lowers the attacker’s cost of conversion from message to action. The field needs stronger coupling between identity proof, authorization, and runtime decision points. The practitioner conclusion is to remove any implicit assumption that a trusted input is also a trusted instruction.
AI assistants expand the attack surface because they can turn untrusted content into executable intent. Indirect prompt injection is especially relevant where assistants can search, retrieve, or invoke tools on behalf of users. That creates a governance overlap between AI security and NHI control, because the assistant’s permissions become the real security boundary. The practitioner conclusion is to align AI tool access with least privilege and explicit policy enforcement.
Monthly threat recaps are becoming a useful control signal for identity programmes. The repetition of the same abuse patterns across channels suggests that control maturity should be measured by how quickly teams can detect and revoke trust, not by how many isolated detections they operate. That is a governance problem as much as a detection problem. The practitioner conclusion is to use recurring attack themes to test whether identity workflows fail closed.
What this signals
Monthly threat recaps like this one show that identity control failures rarely arrive as isolated events. They accumulate across email, cloud, third-party, and AI-assisted workflows, which means programme owners need a single view of trust removal, not separate reaction plans for each channel.
Trust shortcut accumulation: this is the pattern to watch in mixed identity environments. When users, vendors, and AI tools can each convert low-friction input into privileged action, the organisation has created a compound governance risk that traditional point controls will not fully catch.
The practical signal for security leaders is whether approval, revocation, and verification are converging fast enough to absorb repeated abuse patterns. If not, the programme is defending symptoms rather than the trust model itself.
For practitioners
- Tighten approval paths for high-risk identity events Require step-up verification for password resets, payment changes, OAuth grant approval, and any workflow that converts a message into a privileged action. Pair email and collaboration security alerts with identity controls so suspicious intent can be blocked before action completion.
- Treat delegated access as lifecycle-managed identity Inventory vendor accounts, service credentials, API keys, and application grants together, then define clear ownership, expiry, and revocation rules. If trust in a third party changes, access should be removed immediately rather than left to routine review.
- Constrain AI assistant tool permissions Separate untrusted content ingestion from tool execution, and only allow assistants to call approved tools within narrow policy boundaries. Review where indirect prompt injection could steer search, retrieval, or automation paths in ways users would not authorise directly.
- Use recurring campaign patterns to test identity resilience Map repeated attack themes such as BEC, subscription bombing, and account takeover to control failures in your environment, then test whether detection, approval, and revocation processes actually stop the same pattern twice. The goal is faster trust removal, not just better alerting.
Key takeaways
- The month’s recurring abuse patterns show that attackers still win by turning trust into action, not by inventing new exploitation classes.
- Identity and secret governance remain a pressure point, especially where delegated access, vendor trust, and AI tool permissions overlap.
- Teams need faster trust removal, tighter verification, and clearer ownership across email, IAM, PAM, and AI workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Indirect prompt injection and tool misuse are central to the AI assistant risk discussed here. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | Delegated access, API keys, and service credentials feature in the supply chain and account takeover patterns. |
| NIST CSF 2.0 | PR.AC-1 | The article centers on authentication, authorisation, and trust boundaries across workflows. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The recurring campaigns rely on credential theft and abuse to reach downstream impact. |
| NIST AI RMF | GOVERN | AI assistant abuse introduces governance obligations around tool access and accountability. |
Apply NHI lifecycle controls to vendor grants, secrets, and service accounts with clear expiry and revocation.
Key terms
- Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.
- Indirect Prompt Injection: Indirect prompt injection is an attack where malicious instructions are hidden inside content that an AI system reads later. The model may treat that content as context rather than as hostile input, which can influence tool use, data access, or workflow actions if controls are weak.
- Delegated Access: Delegated access is permission granted to one identity to act on behalf of another user, service, or system. In NHI environments, this usually appears in OAuth-connected apps and automation tooling. It is powerful, but it must be tightly scoped and reviewed because it can persist long after the original business need ends.
- Trust Boundary: A trust boundary is the point where one system’s authority should stop and another system’s authority should begin. For internal automation, weak trust boundaries let monitoring, remediation, and execution share privileges that should have remained separate.
What's in the full article
Proofpoint's full blog series covers the operational detail this post intentionally leaves for the source:
- Campaign-by-campaign examples of phishing, account takeover, and BEC tradecraft across the monthly series
- The specific attacker patterns Proofpoint observed in supply chain impersonation, QR code scams, and subscription bombing
- Operational detection and response details for teams that need to tune controls against recurring social engineering paths
- Scenario-level examples showing how AI-assisted deception changes message, identity, and approval workflows
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners build the control baseline needed to govern delegated access, service accounts, and related identity risks.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org