TL;DR: Vendor email compromise attacks can pass SPF, DKIM, and DMARC while still delivering credential-harvesting lures, because the sender account, domain, and infrastructure are genuinely trusted, according to Abnormal AI. The operational lesson is that identity-aware behavioral correlation matters more than single-message authentication when compromised accounts are used from within.
At a glance
What this is: This is an analysis of vendor email compromise, showing how real compromised accounts and trusted infrastructure can bypass authentication-based email security controls.
Why it matters: It matters because IAM and security teams must treat authenticated identity abuse, not just spoofing, as a primary detection problem across human, NHI, and delegated access paths.
👉 Read Abnormal AI's analysis of vendor email compromise detection
Context
Vendor email compromise is a trust-abuse problem, not a spoofing problem. When attackers use a real account inside a real tenant, the message can look legitimate to the very controls that were designed to stop impersonation, which means authentication alone no longer tells you whether the communication is safe.
For IAM and security teams, the governance gap sits at the boundary between identity validity and behavioural legitimacy. A signed, authenticated message can still be malicious if the sending pattern, destination, and hosting relationship do not fit normal business behaviour.
Key questions
Q: How should security teams detect vendor email compromise when authentication checks pass?
A: They should treat authentication as necessary but insufficient. The better signal is behavioural alignment across sender identity, language, recipient pattern, link destination, and hosting relationship. If a legitimate account suddenly sends an unusual request pattern or directs users to non-standard infrastructure, the message deserves escalation even when SPF, DKIM, and DMARC all pass.
Q: Why do compromised business accounts create more risk than spoofed phishing emails?
A: Compromised accounts inherit trust from the real tenant, so security tools and recipients both see an authentic sender path. That makes the message harder to stop with reputation or signature-based controls. The risk increases because the attacker can exploit normal business context, including customer relationships and routine document-sharing workflows.
Q: Where do link-rewriting and sandboxing controls fail in email attacks?
A: They fail when the lure tells the recipient to leave the protected click path and navigate manually to the destination. At that point, the control no longer mediates the browser request, and the attacker can present a credential-harvesting page outside the normal inspection flow. Manual navigation prompts should therefore be treated as a control-evasion indicator.
Q: Who should be accountable for vendor email compromise incidents?
A: Accountability should sit with both the compromised organisation and the recipient environment's security team. The sender must manage mailbox protection and offboarding, while the receiver must detect behavioural anomalies, not just authentication failures. Shared business trust demands shared governance, especially when partner communications are part of the attack surface.
Technical breakdown
Why SPF, DKIM, and DMARC fail against compromised senders
SPF, DKIM, and DMARC are sender-authentication controls. SPF checks that the connecting server is authorised to send for the envelope sender's domain, DKIM checks a signature made with a key published under the signing domain, and DMARC requires one of those results to align with the visible From: domain and tells receivers what to do on failure. None of them establishes whether the human or account behind the message is acting legitimately. In vendor email compromise, the attacker sends from a real mailbox through the tenant's own outbound servers, which are listed in its SPF record and sign with its DKIM key, so all three checks pass by design. That makes the message look authentic even when the intent is fraudulent. The failure is structural: authentication verifies origin, not trustworthiness.
Practical implication: treat authentication as a baseline control and add behavioural review on both sides of the relationship. The sending organisation watches for outbound anomalies from its own mailboxes, and the recipient scores authenticated inbound mail against the relationship's normal pattern.
How copy-paste URLs bypass email security tooling
Many email security stacks rely on link rewriting, detonation, and sandboxing. Those controls assume the user will click the protected link from within the email path. When a lure instructs the recipient to copy and paste a URL manually, the attacker shifts the browser session outside the email security product's inspection flow. Controls that sit on the browser or network path, such as a web proxy or DNS filtering, still see the request, but the most common email-layer enforcement point is gone. The result is a social engineering bypass that turns user behaviour into the delivery mechanism.
Practical implication: add detections for manual-navigation prompts and non-click credential workflows in email content.
Why trusted hosting platforms complicate domain reputation checks
Domain reputation tools score infrastructure based on historical abuse and known malicious registrations. Hosting a credential portal on a broadly trusted platform such as Cloudflare Pages exploits that trust layer, especially when the subdomain is newly created and visually aligned to the brand being impersonated. Reputation systems often struggle when the malicious page sits on an otherwise legitimate hosting provider. In this pattern, the mismatch is not between bad and good domains alone, but between a trusted brand identity and an unaffiliated delivery surface.
Practical implication: correlate brand identity, hosting location, and destination history before allowing reputation to drive trust decisions.
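The three subsections above (authentication passing by design, copy-paste URL lures, and unaffiliated hosting) share one detection story, so here is one added example that is not Abnormal AI's or NHIMG's code: a Python triage routine that reads the receiving MX's Authentication-Results header, confirms SPF, DKIM and DMARC all pass, and then scores the body for a manual-navigation prompt and for links whose host is unaffiliated with the sender's domain or sits on a shared publishing platform. The vendor domain, the per-relationship link baseline, the hosting-suffix list and the two sample messages are constructed assumptions, not artefacts from the campaign.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed baseline (assumption): hosts a known vendor's links normally use.
KNOWN_LINK_HOSTS = {"vendor.example": {"vendor.example", "docs.vendor.example"}}

# Publishing platforms any tenant can deploy to (illustrative list, an assumption);
# the page names Cloudflare Pages, whose default sites are served under pages.dev.
SHARED_HOSTING_SUFFIXES = (".pages.dev", ".github.io", ".netlify.app", ".web.app")

# Phrases that move the user out of the rewritten or sandboxed click path.
MANUAL_NAV_RE = re.compile(
    r"copy\s+(?:and|&)\s+paste|paste\s+(?:the|this)\s+(?:link|url|address)\s+into"
    r"|type\s+(?:the|this)\s+(?:link|url|address)\s+(?:in|into)|do\s+not\s+click",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the MX's Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results

def authenticated(results):
    """All three mechanisms passed; this is the point where a SEG usually stops."""
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

def affiliated(host, sender_domain):
    """Link host is the sender's domain, a subdomain of it, or in its baseline."""
    return (host == sender_domain or host.endswith("." + sender_domain)
            or host in KNOWN_LINK_HOSTS.get(sender_domain, set()))

def link_findings(url, sender_domain):
    """Hosting and brand checks for one URL; an empty list means it fits."""
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if not affiliated(host, sender_domain):
        findings.append(f"unaffiliated destination: {host}")
        brand = sender_domain.split(".")[0]
        if brand and brand in host:
            findings.append(f"sender brand '{brand}' reused in unaffiliated host")
    if host.endswith(SHARED_HOSTING_SUFFIXES):
        findings.append(f"shared publishing platform: {host}")
    return findings

def triage(raw_message):
    """Authentication verdicts plus behavioural findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    results = auth_results(msg)
    findings = []
    if MANUAL_NAV_RE.search(body):
        findings.append("manual-navigation prompt (click-path bypass)")
    for url in URL_RE.findall(body):
        findings.extend(link_findings(url, sender_domain))
    if not authenticated(results):
        verdict = "authentication failed: apply DMARC policy"
    elif findings:
        verdict = "escalate: authenticated sender, anomalous behaviour"
    else:
        verdict = "authenticated and fits relationship baseline"
    return {"sender": sender_domain, "auth": results, "findings": findings, "verdict": verdict}

# Constructed sample messages (not from the campaign): the same authenticated
# vendor mailbox sending a routine note and a copy-paste credential lure.
AUTH_HDR = ("Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=vendor.example;\n"
            " dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example\n")
ROUTINE = AUTH_HDR + """\
From: Jane Doe <jane.doe@vendor.example>
To: ap@recipient.example
Subject: Q3 invoice
Content-Type: text/plain; charset=utf-8

Hi, the Q3 invoice is available at https://docs.vendor.example/invoices/q3
"""
LURE = AUTH_HDR + """\
From: Jane Doe <jane.doe@vendor.example>
To: ap@recipient.example
Subject: Revised agreement for review
Content-Type: text/plain; charset=utf-8

The revised agreement is ready. For security reasons do not click the link;
copy and paste it into your browser: https://vendor-secure-docs.pages.dev/review
"""

if __name__ == "__main__":
    for raw in (ROUTINE, LURE):
        print(triage(raw))
```

Run it and the routine invoice comes back as fitting the baseline, while the lure, which carries exactly the same passing Authentication-Results, is escalated on a manual-navigation prompt, an unaffiliated host that reuses the vendor's brand string, and a shared publishing platform. The host checks are deliberately plain string tests; a production version would resolve registrable domains against the public suffix list, and the baseline would come from observed history rather than a literal.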
Threat narrative
Attacker objective: The attacker aimed to harvest credentials from customers and partners while preserving the legitimacy of the compromised vendor relationship.
- Entry occurred through a compromised Microsoft 365 account belonging to a legitimate employee, giving the attacker a trusted sender identity.
- Credential access was sought through a document-sharing lure that sent recipients to a credential-harvesting page hosted on unaffiliated infrastructure.
- Impact would have been account compromise or downstream partner compromise through stolen credentials and trust exploitation across the vendor relationship.
Breaches seen in the wild
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Vendor email compromise is identity abuse, not email spoofing. The attacker did not need a fake domain or a forged sender when a real Microsoft 365 account could carry the lure for them. That changes the governance problem from blocking impersonation to detecting when a valid identity is being used outside its normal behavioural envelope. Practitioners should treat authenticated abuse as a first-class identity risk, not an email edge case.
Authentication controls were designed for origin assurance, not behavioural legitimacy. SPF, DKIM, and DMARC were built for a world in which message origin was the main question. That assumption fails when the sender is a compromised legitimate account and the content, language, and hosting pattern are the only real indicators of malice. The implication is that email security programmes must stop over-weighting pass/fail authentication results as a proxy for trust.
Manual navigation instructions create a control-evasion pattern that traditional secure email gateway (SEG) logic misses. Asking users to copy and paste a URL moves the user out of the security product's inspected click path. That means a core assumption of safe link handling, namely that user interaction stays inside a rewritten or sandboxed flow, is no longer reliable. Teams should recognise this as a behavioural bypass pattern, not merely a suspicious instruction.
Identity blast radius expands when trust is inherited across business relationships. A compromised vendor mailbox can reach customers and partners with the credibility of a known relationship, even when the message is operationally unusual. Cross-tenant behavioural correlation matters here because the same abuse pattern can move across multiple environments before any static blocklist catches up. The practitioner lesson is to govern trust as a dynamic relationship, not a fixed allowlist.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
- For a broader control lens, Ultimate Guide to NHIs, Key Challenges and Risks helps teams map where sprawl, over-privilege, and unmanaged credentials create the most exposure.
What this signals
Behavioural trust scoring is becoming the real control plane for email security. Once compromised identities can pass authentication cleanly, security teams need a way to decide whether the message fits normal communication behaviour rather than just whether it originated from a valid mailbox. That shift pushes email governance closer to identity risk analytics than to simple spam filtering.
The operating model also changes for vendor management and third-party access. When trusted partners can be used as delivery vehicles, the security boundary is no longer only the inbox, it is the relationship itself, which means monitoring has to extend across tenants and business ecosystems.
Cross-tenant correlation is the named concept to watch here: spotting the same abusive sender pattern across multiple environments before static indicators exist. That approach matters because it turns isolated message review into shared behavioural intelligence, especially when attackers reuse legitimate accounts and trusted hosting services.
For practitioners
- Correlate sender legitimacy with behavioural fit: Score outbound vendor messages against historical language, recipient patterns, and attachment or link behaviour instead of relying on authentication verdicts alone.
- Detect manual-navigation lures: Add detections for emails that instruct users to copy and paste URLs, enter credentials outside the normal click flow, or bypass link-rewriting controls.
- Inspect hosting and brand mismatches: Flag messages where the branded sender is legitimate but the linked destination sits on unaffiliated hosting, especially when the destination is a fresh credential portal.
- Use cross-tenant behavioural correlation: Share behavioural indicators across tenants so the same compromised sender pattern can be identified earlier without waiting for static indicators or takedown feeds.
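To make the cross-tenant correlation in the list above concrete, here is an added example in Python that is not Abnormal AI's or NHIMG's code. It takes behavioural observations already flagged in several tenants, fingerprints each at two granularities (exact destination host, and a coarser sender-plus-platform pattern that survives subdomain rotation), and raises a shared indicator once the same fingerprint appears in a minimum number of distinct tenants inside a time window. The tenant names, sender, destination hosts, timestamps and record fields are constructed and illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations (assumption): one record per message that passed
# authentication but was flagged behaviourally in some tenant. Field names are
# illustrative; a real feed carries whatever the per-tenant detector emits.
OBSERVATIONS = [
    {"tenant": "acme", "sender": "jane.doe@vendor.example",
     "dest_host": "vendor-secure-docs.pages.dev", "manual_nav": True, "seen": "2026-03-10T08:02:00"},
    {"tenant": "globex", "sender": "jane.doe@vendor.example",
     "dest_host": "vendor-secure-docs.pages.dev", "manual_nav": True, "seen": "2026-03-10T08:15:00"},
    # Same mailbox, rotated subdomain: an exact-host indicator alone would miss this.
    {"tenant": "initech", "sender": "jane.doe@vendor.example",
     "dest_host": "vendor-portal-docs.pages.dev", "manual_nav": True, "seen": "2026-03-10T09:40:00"},
    # Unrelated, well-behaved partner traffic seen in one tenant only.
    {"tenant": "acme", "sender": "bob@partner.example",
     "dest_host": "docs.partner.example", "manual_nav": False, "seen": "2026-03-10T10:00:00"},
    # Arrives days later: should match the indicator raised on 03-10, not start from zero.
    {"tenant": "umbrella", "sender": "jane.doe@vendor.example",
     "dest_host": "vendor-secure-docs.pages.dev", "manual_nav": True, "seen": "2026-03-14T11:00:00"},
]

def hosting_suffix(host):
    """Last two labels as a stand-in for the registrable domain (simplification:
    production code should consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def fingerprints(rec):
    """Two granularities: the exact destination, and a coarser pattern that
    survives subdomain rotation on the same publishing platform."""
    exact = ("exact", rec["sender"], rec["dest_host"])
    coarse = ("coarse", rec["sender"], hosting_suffix(rec["dest_host"]), rec["manual_nav"])
    return exact, coarse

def correlate(observations, min_tenants=2, window=timedelta(hours=24)):
    """Raise a shared indicator when one fingerprint is seen in at least
    min_tenants distinct tenants inside a sliding time window."""
    by_fp = defaultdict(list)
    for rec in observations:
        for fp in fingerprints(rec):
            by_fp[fp].append(rec)
    indicators = []
    for fp, recs in by_fp.items():
        recs.sort(key=lambda r: r["seen"])  # ISO-8601 strings sort chronologically
        for i, first in enumerate(recs):
            start = datetime.fromisoformat(first["seen"])
            tenants, alert_at = {}, None
            for r in recs[i:]:
                if datetime.fromisoformat(r["seen"]) - start > window:
                    break
                tenants.setdefault(r["tenant"], r["seen"])
                if alert_at is None and len(tenants) >= min_tenants:
                    alert_at = r["seen"]  # moment the threshold was crossed
            if alert_at:
                indicators.append({"fingerprint": fp, "tenants": sorted(tenants),
                                   "first_seen": first["seen"], "alert_at": alert_at})
                break  # one indicator per fingerprint is enough here
    return indicators

def match(rec, indicators):
    """Indicators a new observation matches, so a tenant that sees the pattern
    later inherits the earlier tenants' evidence instead of starting from zero."""
    fps = set(fingerprints(rec))
    return [ind for ind in indicators if ind["fingerprint"] in fps]

if __name__ == "__main__":
    inds = correlate(OBSERVATIONS[:4])
    for ind in inds:
        print(ind)
    print("late arrival matches:", [i["fingerprint"][0] for i in match(OBSERVATIONS[4], inds)])
```

With the first four observations, the exact fingerprint fires on two tenants at 08:15 but never sees initech, while the coarse fingerprint fires at the same moment and also covers the rotated subdomain; the partner traffic, seen in a single tenant, raises nothing. The late umbrella observation matches both existing indicators, which is the point of sharing them: the fourth tenant gets the earlier tenants' evidence before any static blocklist or takedown feed has caught up.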
Key takeaways
- Vendor email compromise succeeds because it borrows trust from real identities, so authentication checks alone cannot separate legitimate mail from malicious mail.
- The strongest indicators in this campaign were behavioural, including language fit, hosting mismatch, and manual-navigation prompts that removed the attack from standard email protections.
- Security teams need cross-tenant behavioural correlation and identity-aware detection if they want to catch abuse that looks authentic at the protocol layer but abnormal at the relationship layer.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-03 | Monitoring of personnel activity and technology usage is central when authentication passes but intent is malicious. |
| NIST Zero Trust (SP 800-207) | Tenet 6, Section 2.1 | Authentication and authorisation are dynamic and evaluated continuously, not assumed from login success. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | A compromised vendor mailbox or service identity that is not promptly offboarded or re-credentialed keeps carrying inherited trust into partner environments. |
Add identity-behaviour monitoring to detect trusted accounts used outside normal communication patterns.
Key terms
- Vendor Email Compromise: A vendor email compromise is a phishing or fraud campaign that uses a real vendor mailbox to send malicious messages from trusted infrastructure. The attack works because recipients and security controls see a legitimate sender path, while the content and destination are repurposed for credential theft or deception.
- Behavioural Alignment: Behavioural alignment is the degree to which a message, identity, and delivery pattern match what is normal for a relationship or tenant. In email security, it means judging whether communication fits historical behaviour, not just whether authentication and reputation checks passed.
- Cross-Tenant Correlation: Cross-tenant correlation is the practice of linking similar malicious behaviour across multiple customer environments or tenants. It helps teams recognise repeat abuse patterns earlier, especially when attackers reuse legitimate accounts, trusted hosting, or evolving infrastructure that would not trigger a static blocklist.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: analysis of vendor email compromise and behavioural detection. Read the original.
Published by the NHIMG editorial team on 2026-03-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org