By NHI Mgmt Group Editorial Team
Published 2026-04-29
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Phishing accounted for 58% of nearly 800,000 observed email attacks across 4,600+ organisations, with attackers increasingly using redirect chains, link shorteners, file-sharing lures, and brand impersonation to blend into normal workflows, according to Abnormal AI. Static awareness training is no longer enough when the attack pattern is calibrated to routine behaviour rather than obvious errors.


At a glance

What this is: This analysis shows that modern phishing succeeds by matching organisational routines, with link obfuscation and brand impersonation varying by enterprise size and industry.

Why it matters: IAM and security teams need to treat phishing as a governance and behaviour problem across human, NHI, and workflow layers, because the lure is now tuned to normal access patterns rather than only user mistakes.

By the numbers:

👉 Read Abnormal AI's analysis of phishing tactics, link shorteners, and brand impersonation


Context

Phishing is not just an email problem. It is a trust-exploitation problem that uses normal business workflows, familiar brands, and expected communication patterns to get a click, a credential, or a session token. In identity programmes, that matters because the attacker is targeting the points where human behaviour, access workflows, and downstream account takeover intersect.

This analysis is especially relevant for IAM teams because it shows how phishing tactics adapt to the defensive environment. Redirect chains, link shorteners, file-sharing lures, and brand impersonation are all designed to look ordinary, which means traditional awareness training and static filtering will miss the lures that users encounter most often.


Key questions

Q: How should security teams reduce phishing risk when attacks blend into normal work?

A: Treat phishing as a workflow and trust problem, not only an email-filtering problem. Focus on the platforms, brands, and document-sharing patterns employees already use every day, then harden the highest-trust paths with stronger inspection and verification. Training should reflect real organisational behaviour, not generic warning signs. The goal is to make ordinary-looking lures easier to question before engagement.

Q: Why do link shorteners make phishing harder to stop in enterprise environments?

A: Link shorteners hide the final destination behind a trusted-looking intermediate URL, which weakens reputation checks and slows inspection. They are especially effective where organisations already block obvious malicious domains, because attackers can rely on a mainstream shortening service or trusted redirect infrastructure. Defenders need URL expansion and destination resolution before the link reaches the user.

Q: What do security teams get wrong about file-sharing phishing?

A: They often assume a shared document notification is suspicious only when the message looks obviously fake. In practice, the lure works because collaboration is routine, especially in finance, construction, and other document-heavy sectors. The right control is to compare the request against expected collaboration behaviour, not just sender identity or branding.

Q: How can organisations tell if their phishing controls are keeping up?

A: Look at whether detections and training reflect the tactics attackers now use, including redirects, shorteners, file-sharing lures, and brand impersonation. If your controls mostly catch obvious bad URLs and generic scams, they are behind. A stronger programme tracks how lures align with each business unit's normal workflows and trusted external brands.


Technical breakdown

Redirect chains and link shorteners obscure the real destination

Redirect-based phishing inserts one or more intermediate URLs between the email link and the final malicious destination. That adds friction for inspection tools because each hop can hide the true endpoint from link scanners and users alike. Link shorteners intensify that effect by turning a suspicious long URL into a generic trusted-looking domain, often with no account creation or abuse gating. In enterprise environments, shorteners become more attractive where basic reputation controls already catch obvious redirects, so attackers need an additional layer of obfuscation. t[.]co is particularly effective because it borrows trust from a mainstream platform rather than looking like a disposable attacker domain.

Practical implication: inspect destination chains, not just the first URL, and tune controls to resolve shortened links before delivery.
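The resolver below is an added example (not code from Abnormal AI's report or from NHI Mgmt Group) of the control described above and in the "Instrument redirect resolution before delivery" item later on this page: it walks a link hop by hop with automatic redirect-following disabled, records every intermediate URL, flags hops served by known shortener hosts, an https-to-http downgrade, a redirect loop and an over-long chain, and compares the landing host against the brand the message claims to come from. The HTTP layer is abstracted as a `fetch` callable so the example runs offline against a constructed redirect map; the shortener host list, the `.test` hostnames and the `dropbox.com` claimed-brand value are illustrative assumptions.

```python
"""Resolve redirect chains before delivery and grade what they hide.

Added example, not from the Abnormal AI report or NHI Mgmt Group. The
`fetch` callable stands in for an HTTP client that issues a single request
with redirect following disabled and returns (status, Location header).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Illustrative, constructed set of shortener / trusted-redirect hosts (not exhaustive).
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# (status_code, Location-or-None) for ONE request; status 0 means unreachable.
Fetch = Callable[[str], Tuple[int, Optional[str]]]


@dataclass
class ChainResult:
    hops: List[str]            # every URL visited, starting with the original link
    final_url: Optional[str]   # terminal (non-redirect) URL, None if unresolved
    shortener_hops: List[str]  # hops served by a known shortener host
    reasons: List[str]         # human-readable findings for the analyst
    verdict: str               # "clean", "review" or "block"


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, claimed: str) -> bool:
    """True if host is the claimed domain or a subdomain of it."""
    claimed = claimed.lower()
    return host == claimed or host.endswith("." + claimed)


def resolve_chain(url: str, fetch: Fetch, claimed_host: Optional[str] = None,
                  max_hops: int = MAX_HOPS) -> ChainResult:
    hops, reasons = [url], []
    seen = {url}
    final_url = None
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status == 0:
            reasons.append(f"hop unreachable: {current}")
            break
        if status in REDIRECT_STATUSES and location:
            nxt = urljoin(current, location)  # Location may be relative
            if nxt in seen:
                reasons.append("redirect loop detected")
                break
            seen.add(nxt)
            hops.append(nxt)
            current = nxt
            continue
        final_url = current  # terminal response: the chain is resolved
        break
    else:
        reasons.append(f"chain exceeded {max_hops} hops")

    shortener_hops = [h for h in hops if host_of(h) in SHORTENER_HOSTS]
    if shortener_hops:
        reasons.append(f"{len(shortener_hops)} shortener hop(s) hide the destination")
    if len(hops) >= 3:
        reasons.append(f"{len(hops) - 1} redirects before landing")
    for prev, nxt in zip(hops, hops[1:]):
        if urlsplit(prev).scheme == "https" and urlsplit(nxt).scheme == "http":
            reasons.append(f"https->http downgrade at {nxt}")
            break

    block = False
    if claimed_host and final_url and not host_matches(host_of(final_url), claimed_host):
        reasons.append(f"final host {host_of(final_url)} does not match claimed brand {claimed_host}")
        block = True
    verdict = "block" if block else ("review" if reasons else "clean")
    return ChainResult(hops, final_url, shortener_hops, reasons, verdict)


# Constructed redirect map standing in for live HTTP responses (all .test hostnames).
MOCK_RESPONSES = {
    "https://t.co/abc123": (301, "https://r.tracker.test/go?u=1"),
    "https://r.tracker.test/go?u=1": (302, "http://share-docs.lure.test/login"),
    "http://share-docs.lure.test/login": (200, None),
    "https://www.dropbox.com/s/real": (200, None),
    "https://bit.ly/loop1": (302, "https://bit.ly/loop2"),
    "https://bit.ly/loop2": (302, "/loop1"),  # relative Location back to the start
}


def mock_fetch(url: str) -> Tuple[int, Optional[str]]:
    return MOCK_RESPONSES.get(url, (0, None))


if __name__ == "__main__":
    for link, brand in [("https://t.co/abc123", "dropbox.com"),
                        ("https://www.dropbox.com/s/real", "dropbox.com"),
                        ("https://bit.ly/loop1", None)]:
        r = resolve_chain(link, mock_fetch, claimed_host=brand)
        print(r.verdict, "<-", " -> ".join(r.hops))
        for reason in r.reasons:
            print("   ", reason)
```

In a gateway, `fetch` would be the real client and the `claimed_host` would come from the message's branding (sender display name, template, logo hash); the verdict feeds the delivery decision, while `hops` and `reasons` are what the analyst sees when the user reports the message.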

File-sharing phishing exploits routine document workflows

File-sharing phishing works because it rides on a normal enterprise action: receiving a shared document, signature request, or collaboration notification. The attacker impersonates a colleague or a platform such as SharePoint, Dropbox, Google Drive, or Docusign, then uses that familiar workflow to deliver a malicious link. The tactic becomes especially effective in sectors where document exchange is constant, such as financial services and construction. In those environments, shared files are not exceptional events, so the lure has to look like part of business as usual. This is less about spoofing one message and more about embedding the lure inside an accepted process.

Practical implication: baseline document-sharing behaviour by department and alert on shared-file prompts that do not match expected collaboration patterns.
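One way to implement this baseline, as an added example that is not part of the original analysis: learn, per department, which collaboration platforms send shared-file prompts and from which sender domains, then score a new notification as ok, review (new sender domain, or too little history to judge) or alert (a platform that department has never received prompts from). The log format, department names, platforms and domains below are constructed for illustration; real telemetry would come from the mail gateway or the collaboration platform's audit log.

```python
"""Baseline shared-file notifications per department and flag deviations.

Added example, not from the Abnormal AI report or NHI Mgmt Group. The
'ts key=value ...' log format and every domain here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed learning-window telemetry: one shared-file prompt per line.
BASELINE_LOG = """\
2026-04-01T09:12:00Z dept=finance platform=sharepoint sender=alice@corp.test
2026-04-01T10:03:00Z dept=finance platform=sharepoint sender=bob@corp.test
2026-04-02T14:20:00Z dept=finance platform=docusign sender=dse@docusign-notify.test
2026-04-03T08:45:00Z dept=finance platform=sharepoint sender=carol@corp.test
2026-04-03T11:30:00Z dept=construction platform=dropbox sender=pm@partner-builder.test
2026-04-04T16:05:00Z dept=construction platform=dropbox sender=site@partner-builder.test
2026-04-05T09:00:00Z dept=construction platform=sharepoint sender=dave@corp.test
"""


@dataclass
class Baseline:
    # dept -> platform -> sender domains seen during the learning window
    senders: Dict[str, Dict[str, Set[str]]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set)))
    # dept -> platform -> number of prompts seen
    counts: Dict[str, Dict[str, int]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(int)))


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'ts key=value key=value' (constructed format) into a dict."""
    parts = line.split()
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    event["sender_domain"] = event["sender"].rsplit("@", 1)[-1].lower()
    return event


def build_baseline(log_text: str) -> Baseline:
    baseline = Baseline()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        baseline.senders[e["dept"]][e["platform"]].add(e["sender_domain"])
        baseline.counts[e["dept"]][e["platform"]] += 1
    return baseline


def score_event(baseline: Baseline, line: str, min_history: int = 2) -> Dict[str, object]:
    """Compare one new shared-file prompt against the department's baseline."""
    e = parse_line(line)
    dept, platform, domain = e["dept"], e["platform"], e["sender_domain"]
    findings: List[str] = []
    if dept not in baseline.counts:
        findings.append(f"no baseline for department {dept}")
        verdict = "review"
    elif platform not in baseline.counts[dept]:
        # A platform this department never receives prompts from is the strongest signal.
        findings.append(f"{platform} shared-file prompts never seen in {dept}")
        verdict = "alert"
    else:
        if domain not in baseline.senders[dept][platform]:
            findings.append(f"sender domain {domain} is new for {platform} in {dept}")
        history = baseline.counts[dept][platform]
        if history < min_history:
            findings.append(f"only {history} prior {platform} prompt(s) in {dept}; thin baseline")
        verdict = "review" if findings else "ok"
    return {"dept": dept, "platform": platform, "sender_domain": domain,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    b = build_baseline(BASELINE_LOG)
    for candidate in [
        "2026-04-06T09:00:00Z dept=finance platform=sharepoint sender=erin@corp.test",
        "2026-04-06T09:05:00Z dept=finance platform=dropbox sender=share@dropbox-notify.test",
        "2026-04-06T09:10:00Z dept=construction platform=dropbox sender=ops@unknown-vendor.test",
    ]:
        print(score_event(b, candidate))
```

The point of the department split is that the same prompt is routine for one team and anomalous for another; a single organisation-wide allow-list would pass the finance Dropbox prompt above because construction uses Dropbox every day.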

Brand impersonation succeeds where trusted platforms are part of daily work

Brand impersonation borrows credibility from services employees already expect to see. Hospitality is a strong target because workers routinely interact with booking systems, payment gateways, review sites, and loyalty platforms, creating many chances for a convincing fake notification. The same logic applies wherever branded third-party services are deeply embedded in operations: the more normal the external platform, the less suspicious the phishing lure appears. Attackers are not simply spoofing logos. They are exploiting the business relationship between the user and the brand, which turns recognition itself into a security weakness.

Practical implication: map the highest-trust external brands in each business unit and harden those notification paths with stronger verification.



NHI Mgmt Group analysis

Phishing has become a workflow abuse problem, not a user-error problem. The article shows attackers adapting to the environment rather than forcing obvious mistakes. That shifts the security question from "can users spot bad email" to "which business routines make a malicious prompt look legitimate." Practitioners should treat phishing as an identity and behaviour control issue across human access, collaboration platforms, and the systems that propagate trust.

Redirect obfuscation is now a control-evasion pattern, not just a lure style. The rise of redirects and link shorteners shows that attackers are tuning for the inspection stack they expect to face. This is a policy and detection design issue for security teams because the first click is no longer the only decision point. The implication is that defenders need to reason about link resolution, not just message classification.

Brand impersonation works best where external platforms are operationally normal. Hospitality's 24.1% rate is a reminder that repeated exposure to branded services lowers suspicion and increases clickability. That pattern is not industry-specific noise. It is a governance signal that trust in external platforms has become part of the attack surface, which makes brand-context awareness a core control concern for identity and security teams.

Static awareness training is misaligned with adaptive phishing behaviour. Training that focuses on obvious bad links and generic red flags will miss the tactics that actually dominate in enterprise traffic. The meaningful control gap is not training volume but training realism, because employees need to recognise lures that imitate routine work, not cartoonish fraud. Practitioners should rework awareness content around the workflows attackers are already exploiting.

With 43% of security professionals concerned about AI systems learning sensitive patterns from codebases, defensive models must account for machine-assisted mimicry across the attack path. That concern does not prove phishing is AI-driven, but it does show why pattern imitation is becoming easier across both human and machine contexts. The field should plan for attacks that borrow legitimacy from normal behaviour at scale, because the boundary between social engineering and identity abuse is getting thinner.

From our research:

  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • In the same research, the average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
  • For the governance angle, see Top 10 NHI Issues for how fragmentation, over-privilege, and lifecycle gaps compound across identity programmes.

What this signals

Brand-context phishing will keep rising wherever external platforms are embedded in routine work. The practical signal for identity teams is not just more email noise, but more trust being shifted into collaboration and payment workflows that look normal by design. Organisations that manage many credential surfaces should use the Ultimate Guide to NHIs, Key Challenges and Risks to map where trust is being inherited rather than verified.

This is where the control model starts to converge across human IAM, NHI governance, and workflow security. Attackers exploit the same organisational habit repeatedly: trusting a familiar identity signal because it arrives through a familiar channel. That is why detection logic should be tuned to context, not just content, and why identity teams should treat external trust anchors as part of the attack surface.

Static awareness training will age badly unless it is tied to real organisational traffic patterns. Teams that want a stronger baseline should compare phishing telemetry against the behaviours documented in 52 NHI Breaches Analysis and use those patterns to inform both detection rules and user guidance.


For practitioners

  • Instrument redirect resolution before delivery: Expand secure email and browser controls so shortened and multi-hop links are expanded and inspected before the user sees them. Pay special attention to t[.]co and other trusted redirect services that can mask a malicious destination.
  • Baseline document-sharing norms by business unit: Measure what normal file-sharing traffic looks like in finance, construction, hospitality, and other high-collaboration teams, then flag prompts that break those patterns even when the sender or platform appears legitimate.
  • Rebuild awareness content around real lures: Replace generic phishing examples with scenarios that mirror shared-document notifications, branded login prompts, and collaboration requests that employees already expect in their daily workflow.
  • Strengthen verification on high-trust brands: Identify the external platforms most likely to be impersonated in each department and add stronger checks for login prompts, payment requests, and shared-file messages tied to those brands.

Key takeaways

  • The main risk is not that users are careless, but that phishing now mimics the workflows and brands people already trust.
  • The evidence shows attackers adapting by size and industry, with redirects, shorteners, file-sharing lures, and impersonation tuned to specific environments.
  • Practitioners need controls that inspect context, behaviour, and destination chains, not just message content and generic awareness training.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST CSF 2.0                   PR.AT-1               Phishing resilience depends on user awareness and behaviour training.
NIST CSF 2.0                   DE.CM-1               Phishing detection relies on monitoring unusual message and link behaviour.
NIST Zero Trust (SP 800-207)   AC-4                  Phishing exploits trust in channels and content, which Zero Trust seeks to limit.

Tune detections for redirect chains, shorteners, and brand impersonation patterns.


Key terms

  • Redirect Chain: A redirect chain is a sequence of intermediate URLs that forwards a user from one link to another before reaching the final destination. Attackers use it to hide the true endpoint from scanners and users, increasing the chance that a malicious page survives initial inspection.
  • Link Shortener: A link shortener compresses a long URL into a compact, often generic-looking address. In phishing, it helps attackers disguise the destination, reduce suspicion, and sometimes bypass simple reputation-based blocking because the visible link gives away little about the final site.
  • Brand Impersonation: Brand impersonation is the use of a trusted company name, logo, or interface pattern to make a malicious message look legitimate. In phishing, the attacker is not just copying visuals. They are borrowing an existing trust relationship so the recipient is more likely to click or sign in.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: phishing tactics that adapt to enterprise workflows. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org