TL;DR: Anticimex blocked more than 40,000 malicious emails that Microsoft missed between February and April, avoiding an estimated $169,000 in losses through AI Security Mailbox automation and graymail filtering, according to Abnormal AI. The bigger lesson is that email defence built for older threat volumes and patterns is no longer keeping pace with AI-accelerated attacks.
NHIMG editorial — based on content published by Abnormal AI: Key Insights from Stockholm on AI-powered email attacks and native protection gaps
Questions worth separating out
Q: How should security teams improve email defence against AI-generated phishing?
A: They should combine native email security with behavioural detection, mailbox automation, and user workflow controls.
Q: Why do AI-assisted email attacks create identity risk beyond the inbox?
A: Because email is a control plane for human identity.
Q: What breaks when organisations rely only on native Microsoft protections?
A: They miss attacks that are too personalised, too dynamic, or too behaviourally subtle for static filtering to catch.
Practitioner guidance
- Strengthen behavioural email detection: Add controls that score intent, thread context, and anomalous sending patterns rather than relying only on signatures and known bad indicators.
- Reduce inbox noise before it reaches users: Use graymail filtering and automated triage to remove recurring low-value mail so security teams are not asking users to act as the primary detection layer.
- Tie mailbox alerts to identity workflows: Route suspicious email events into password reset, approval, and help desk monitoring so mailbox abuse cannot quietly trigger downstream identity changes.
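One way to apply the third point, as an added example that is not from Abnormal AI or the source article: link each sensitive identity change to a suspicious mail alert for the same user that preceded it within a time window. The event fields, verdict names, action names and the two-hour window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a vendor schema.
MAIL_ALERTS = [
    {"user": "anna@example.com", "time": "2025-03-04T09:12:00", "verdict": "credential_phishing"},
    {"user": "lars@example.com", "time": "2025-03-04T10:40:00", "verdict": "vendor_impersonation"},
    {"user": "maja@example.com", "time": "2025-03-04T11:05:00", "verdict": "graymail"},
]
IDENTITY_EVENTS = [
    {"user": "anna@example.com", "time": "2025-03-04T09:31:00", "action": "password_reset"},
    {"user": "lars@example.com", "time": "2025-03-04T16:02:00", "action": "payment_approval"},
    {"user": "maja@example.com", "time": "2025-03-04T11:10:00", "action": "password_reset"},
    {"user": "anna@example.com", "time": "2025-03-04T08:50:00", "action": "mfa_method_added"},
]

SUSPICIOUS_VERDICTS = {"credential_phishing", "vendor_impersonation"}
SENSITIVE_ACTIONS = {"password_reset", "mfa_method_added", "payment_approval"}


def correlate(mail_alerts, identity_events, window=timedelta(hours=2)):
    """Return identity changes that follow a suspicious mail alert for the
    same user within `window`, so they can be held for help desk review."""
    alerts_by_user = {}
    for alert in mail_alerts:
        if alert["verdict"] in SUSPICIOUS_VERDICTS:
            t = datetime.fromisoformat(alert["time"])
            alerts_by_user.setdefault(alert["user"].lower(), []).append((t, alert["verdict"]))

    findings = []
    for event in identity_events:
        if event["action"] not in SENSITIVE_ACTIONS:
            continue
        when = datetime.fromisoformat(event["time"])
        for alert_time, verdict in alerts_by_user.get(event["user"].lower(), []):
            # Only changes made after the alert, inside the window, are linked.
            if timedelta(0) <= when - alert_time <= window:
                findings.append({
                    "user": event["user"],
                    "action": event["action"],
                    "verdict": verdict,
                    "minutes_after_alert": int((when - alert_time).total_seconds() // 60),
                })
    return sorted(findings, key=lambda f: (f["user"], f["minutes_after_alert"]))


if __name__ == "__main__":
    for finding in correlate(MAIL_ALERTS, IDENTITY_EVENTS):
        print(finding)
```

Widening the window trades fewer missed links for more review work; a change made before the alert, or after graymail, is never linked.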
What's in the full analysis
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- The live Stockholm AI Roadshow context and the defender stories that shaped the discussion.
- The specific way AI Security Mailbox automation and graymail filtering were applied in the Anticimex environment.
- The broader narrative around why native Microsoft protections missed messages that employees spotted manually.
- The vendor's demo and next-event call to action for teams that want implementation details.
AI-powered email attacks: what they mean for Microsoft-centric teams
Explore further
AI-powered email defence is now an identity control, not just a messaging control. When malicious mail gets through, the first thing at risk is human identity, because the inbox is where password resets, approvals, and vendor conversations intersect. Anticimex's result shows that native filtering alone may leave too much exposure in place. Practitioners should treat email detection quality as part of identity assurance, not an adjacent convenience layer.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How do teams know whether graymail filtering is improving security?
A: They should look for fewer malicious messages reaching users, fewer user-reported phishing events, and reduced false trust in routine mail. If inbox noise drops while malicious-message detection rises, users can focus on the few messages that actually matter. That is a measurable security gain, not just a productivity win.