By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Nearly 77% of email attacks contain a phishing link, according to Abnormal Security, reinforcing that phishing remains the primary delivery path for account compromise, credential theft, and downstream fraud. The control gap is not awareness alone but whether email, identity, and response workflows can detect and contain bait before users act.


At a glance

What this is: This is a webinar on phishing trends and why email attacks still succeed despite existing defenses.

Why it matters: It matters because phishing is still the most common path from email to identity compromise, affecting human access, downstream NHI misuse, and response readiness.

By the numbers:

👉 Watch Abnormal AI's webinar on phishing attacks and email security


Context

Phishing remains an identity problem before it becomes an email problem. The article frames a familiar attack path with fresh urgency: attackers keep using phishing links because they still work against human judgement, inbox filtering, and weak downstream verification.

For identity teams, the issue is not limited to user training. A phishing click can lead to credential theft, session abuse, or delegated access that later affects NHI accounts, privileged workflows, and incident response. That makes phishing a cross-programme governance issue, not just a security awareness topic.


Key questions

Q: How should security teams reduce the risk of phishing links in email attacks?

A: Combine email filtering with identity controls that limit damage after a click. The most effective approach includes strong MFA, conditional access, fast message reporting, suspicious login detection, and automated token revocation. If a phishing link gets through, the programme should still prevent easy reuse of the compromised identity.

Q: Why do phishing attacks remain effective even with secure email gateways?

A: Because gateways inspect messages, not human decisions or downstream identity behaviour. Attackers exploit urgency, trusted brands, and business context, then move from the email channel into login, consent, or session abuse. A filter can reduce volume, but it cannot fully eliminate user interaction with a convincing lure.

Q: What do security teams get wrong about phishing awareness training?

A: They often treat training as a replacement for technical containment. Awareness can reduce clicks, but it does not stop every mistake, especially under pressure or when attackers use convincing workflow-based lures. Training should be measured by lower incident impact, faster reporting, and fewer successful follow-on actions.

Q: Who is accountable when a phishing click leads to account compromise?

A: Accountability is shared across security, identity, and business owners because the failure usually spans message handling, authentication policy, and response speed. Strong programmes assign clear ownership for detection, containment, and user remediation so a click does not become a prolonged compromise.


Background and context

Why phishing links still bypass traditional email security

Phishing links succeed when defenders treat email as a content-filtering problem rather than an identity and execution problem. Modern campaigns use lookalike domains, redirect chains, short-lived infrastructure, and message timing that evades static rules. Even when an email gateway flags part of the attack, the user may still interact with the final destination outside the original message context. The core failure is that the control stack often sees the message but not the full intent chain behind it.

Practical implication: security teams need detection and response that follow the user action chain, not just the inbox event.

Why awareness training helps but cannot be the only control

Security awareness training reduces exposure, but it cannot be the sole barrier because phishing relies on momentary human error under workload pressure. The most effective attacks exploit urgency, authority cues, and routine business context, which means training must be reinforced by technical controls that limit blast radius after a click. In practice, the best programmes pair user education with stronger authentication, verified payment or approval workflows, and rapid reporting paths for suspicious messages.

Practical implication: treat awareness as one layer and measure whether downstream controls absorb user mistakes.

How phishing links become identity compromise

A phishing link is usually a stepping stone to credential capture, token theft, session hijack, or malicious consent grant. Once the attacker has a valid identity artefact, the problem shifts from email defence to access governance, because the attacker can act as a legitimate user or service participant. This is why phishing frequently reaches beyond the mailbox into SSO, SaaS apps, cloud consoles, and NHI-adjacent workflows. The technical lesson is that identity proof and session trust are the real targets.

Practical implication: monitor for unusual consent, login, and session behaviour after suspicious email activity.


NHI Mgmt Group analysis

Phishing is still an identity governance failure, not just an email hygiene issue. The article's 77% figure reinforces that links remain the dominant delivery mechanism because the enterprise still relies on human judgement at the point of click. That means identity assurance, reporting speed, and post-click containment matter as much as inbox filtering. Practitioners should treat phishing as a lifecycle risk that spans identity, access, and response.

Security awareness training works only when it is paired with enforceable control boundaries. Users can be taught to spot bait, but they cannot be trained out of every business-context deception. The programme gap appears when a single click can still authorize login, consent, or session reuse. Practitioners should measure whether training reduces harm or simply shifts attacker tactics to harder-to-detect lures.

Phishing becomes more dangerous when it reaches NHI-adjacent workflows. Human credentials often sit upstream of service accounts, delegated OAuth apps, and admin approvals, so a successful phish can become a machine identity problem after the initial compromise. That is why identity teams need visibility across the full delegation chain, not just human inboxes. Practitioners should map where a human compromise can create non-human access.

Identity blast radius is the right concept for phishing resilience. The real question is not whether a user may click, but how far that click can travel before controls stop it. Email security, conditional access, least privilege, and anomaly detection all matter because they reduce the number of identities and systems reachable from one compromised session. Practitioners should optimize for containment, not false confidence in prevention alone.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • That gap makes phishing-driven identity compromise more dangerous because a stolen human session can quickly expose shared or delegated non-human access paths, as discussed in 52 NHI Breaches Analysis.

What this signals

Identity programmes should assume phishing is a normal operating condition, not an exceptional event. The practical response is to build controls that reduce the value of a stolen click, because inbox defences alone will not keep pace with attacker adaptation. That means faster containment, tighter identity policy, and better linkage between email telemetry and access decisions.

Identity blast radius: the next maturity step is understanding how far one compromised user can travel across SaaS, cloud, and delegated access. When a phishing event can trigger both human account abuse and NHI exposure, segmentation becomes an identity design issue, not just a network one.

Teams should also track whether suspicious-message workflows actually shorten time to containment. A mature programme does not just count training completions; it measures whether reports lead to action before session reuse, mailbox forwarding, or delegated consent turns a click into a broader incident.


For practitioners

  • Strengthen post-click containment: Require step-up verification for risky logins, block session replay where possible, and trigger rapid token revocation when suspicious link activity is detected.
  • Tighten identity-linked alerting: Correlate phishing detections with new logins, consent grants, MFA fatigue events, and unusual mailbox forwarding so the response starts before lateral movement completes.
  • Reduce blast radius from compromised users: Limit where standard user accounts can authorize SaaS consent, administer sensitive apps, or trigger privileged workflows, and keep those paths separate from everyday email use.
  • Measure whether training changes outcomes: Track reporting speed, click-to-containment time, and repeat susceptibility by user group so awareness content is judged by incident reduction rather than attendance.
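As an added example (not code from the original post or from Abnormal AI), the identity-linked alerting and click-to-containment measurement described in the second and fourth items above, run over constructed telemetry. The event schema, event type names, the two-hour window and the MFA push threshold are assumptions.

```python
"""Correlate a phishing detection with follow-on identity events for the same user.
Added example; the event records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events: one reported phishing link for alice, then the kind of
# follow-on identity activity the post says should be correlated with it.
EVENTS = [
    {"ts": "2026-06-26T09:00:00", "user": "alice", "type": "phishing_link_detected", "detail": "reported by user"},
    {"ts": "2026-06-26T09:04:00", "user": "alice", "type": "login", "detail": "new_device"},
    {"ts": "2026-06-26T09:06:00", "user": "alice", "type": "mfa_push", "detail": "denied"},
    {"ts": "2026-06-26T09:06:30", "user": "alice", "type": "mfa_push", "detail": "denied"},
    {"ts": "2026-06-26T09:07:00", "user": "alice", "type": "mfa_push", "detail": "approved"},
    {"ts": "2026-06-26T09:09:00", "user": "alice", "type": "consent_grant", "detail": "Mail.ReadWrite offline_access"},
    {"ts": "2026-06-26T09:11:00", "user": "alice", "type": "mailbox_rule", "detail": "forward_external"},
    {"ts": "2026-06-26T09:20:00", "user": "alice", "type": "token_revoked", "detail": "all sessions"},
    {"ts": "2026-06-26T09:30:00", "user": "bob", "type": "login", "detail": "known_device"},
]

FOLLOW_ON = {"login", "mfa_push", "consent_grant", "mailbox_rule"}  # assumed event types
WINDOW = timedelta(hours=2)          # assumed correlation window after the detection
MFA_FATIGUE_THRESHOLD = 3            # assumed: this many pushes in the window = fatigue


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW):
    """One alert per phishing detection: which identity signals followed it for the
    same user inside the window, a severity, and click-to-containment time in minutes
    if a token revocation was seen (None otherwise)."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "phishing_link_detected":
            continue
        t0 = parse(e["ts"])
        chain = [x for x in events[i + 1:]
                 if x["user"] == e["user"] and parse(x["ts"]) - t0 <= window]
        follow = [x for x in chain if x["type"] in FOLLOW_ON]
        signals = sorted({x["type"] for x in follow if x["type"] != "mfa_push"})
        if sum(1 for x in follow if x["type"] == "mfa_push") >= MFA_FATIGUE_THRESHOLD:
            signals.append("mfa_fatigue")  # repeated pushes count as one signal
        revoked = next((x for x in chain if x["type"] == "token_revoked"), None)
        alerts.append({
            "user": e["user"],
            "signals": signals,
            "severity": "high" if len(signals) >= 2 else "medium" if signals else "low",
            "contained_after_min": (parse(revoked["ts"]) - t0).total_seconds() / 60 if revoked else None,
        })
    return alerts
```

Feeding the same function events with no `token_revoked` record yields `contained_after_min` of None, which is the case a programme should be counting as an open exposure rather than a closed ticket.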

Key takeaways

  • Phishing remains the most common route from email to identity compromise, so inbox controls alone are not enough.
  • The real risk is the downstream identity artefact, not the message itself, because that is what attackers reuse for access and fraud.
  • Practitioners should focus on post-click containment, access governance, and measurable reporting speed rather than awareness training alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AT               | Awareness training is directly relevant to phishing resilience.
NIST SP 800-63               |                     | Phishing often targets authentication and session trust.
NIST Zero Trust (SP 800-207) | PR.AC-4             | Phishing response depends on limiting session and access blast radius.

Pair user training with reporting and response controls that reduce click impact.


Key terms

  • Phishing Link: A phishing link is a malicious or deceptive URL designed to induce a user to reveal credentials, approve access, or run an unsafe action. In practice, the link is only the delivery mechanism. The real risk is the identity compromise that follows when the user interacts with the destination.
  • Identity Blast Radius: Identity blast radius is the amount of access, data, and downstream systems an attacker can reach after compromising a single identity. It is a useful way to judge how much damage a clicked message or stolen session can cause. Lowering blast radius is a governance and architecture problem.
  • Post-Click Containment: Post-click containment is the set of controls that limit harm after a user interacts with a malicious message. It includes session revocation, login anomaly detection, privilege restriction, and rapid reporting workflows. The goal is to stop a mistaken click from becoming persistent access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: phishing attacks, email security gaps, and prevention priorities. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org