TL;DR: Gartner’s 2025 Magic Quadrant for Email Security cites the high volume of sophisticated, email-enabled social engineering attacks and the difficulty of consistently quantifying detection efficacy as reasons organizations may need multiple vendors for coverage. The real issue is not vendor count but whether identity, behavior, and context are governed tightly enough to blunt account takeover and credential phishing.
NHIMG editorial — based on content published by Abnormal AI: Abnormal AI named a leader in the 2025 Gartner Magic Quadrant for Email Security
By the numbers:
- Abnormal now protects more than 25% of the Fortune 500.
- Abnormal earned a 99% "Would Recommend" rating.
Questions worth separating out
Q: How should security teams detect business email compromise before it turns into account takeover?
A: Focus on identity behaviour, not only message content.
Q: Why do email attacks remain effective even when organisations use phishing filters?
A: Filters often see the message, but not the full identity context behind it.
Q: How can organisations govern autonomous email-remediation tools safely?
A: Define exactly which actions the automation can take, what evidence it must log, and when humans must review or override it.
Practitioner guidance
- Map email security to identity risk workflows: Link phishing, BEC, and account takeover detections to IAM and SOC escalation paths so mailbox abuse becomes an identity incident, not just a message alert.
- Treat the email-security API as privileged access: Review scope, token handling, audit logging, and offboarding for the integration with Microsoft 365 or Google Workspace, because that connector can inspect sensitive communications and act on mail.
- Baseline normal communication behaviour: Use sender patterns, reply-chain history, and context signals to define what legitimate activity looks like before enabling automated blocking or remediation.
What's in the full analysis
Abnormal AI's full post covers the operational detail this post intentionally leaves for the source:
- How the Abnormal Behavior Platform correlates identity, behaviour, and contextual signals across cloud email events.
- Details on autonomous protection workflows for phishing, BEC, and account takeover use cases.
- Implementation notes for API-based deployment in Microsoft 365 and Google Workspace.
- The vendor’s own recognition context, including Gartner and customer-validation references.
Explore further
Email security is now an identity governance problem, not just a content-filtering problem. The article reinforces that modern attacks succeed by abusing trust in people, mailboxes, and connected cloud accounts. That means the control question is no longer only whether a message is malicious, but whether identity and behavioural context are strong enough to distinguish legitimate communication from impersonation. Practitioners should treat email telemetry as part of identity risk management, not a separate security silo.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to "LLMjacking: How Attackers Hijack AI Using Compromised NHIs".
- A separate finding from the same research shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
A question worth separating out:
Q: What is the difference between content-based email filtering and identity-aware detection?
A: Content-based filtering looks for malicious links, attachments, or known patterns inside a message. Identity-aware detection also evaluates who is sending, how they normally behave, and whether the communication pattern fits the organisation’s baseline. That broader view is better for spotting BEC, impersonation, and account takeover attempts that do not rely on obvious malware.
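The baselining guidance and the content-versus-identity distinction above, as an added sketch (not Abnormal AI's or NHIMG's code): a message with no link or attachment is scored purely on identity and behaviour signals, and the output is a recommendation for human review, not an automated block. The field names, sample mail and review threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample history: (display name, sender address, recipient, Message-ID).
HISTORY = [
    ("Dana Reyes", "dana.reyes@example.com", "ap@example.com", "<m1@example.com>"),
    ("Dana Reyes", "dana.reyes@example.com", "ap@example.com", "<m2@example.com>"),
    ("Lee Park", "lee@supplier.example", "ap@example.com", "<m3@supplier.example>"),
]

def build_baseline(history):
    """Learn the addresses each display name uses, who writes to whom, and known thread ids."""
    base = {"name_addrs": defaultdict(set), "pairs": set(), "msg_ids": set()}
    for name, addr, rcpt, msg_id in history:
        base["name_addrs"][name.lower()].add(addr.lower())
        base["pairs"].add((addr.lower(), rcpt.lower()))
        base["msg_ids"].add(msg_id)
    return base

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def identity_signals(msg, base):
    """Return identity/behaviour anomalies for one message; an empty list fits the baseline."""
    signals = []
    addr, rcpt = msg["from_addr"].lower(), msg["to"].lower()
    known = base["name_addrs"].get(msg["from_name"].lower(), set())
    if known and addr not in known:
        signals.append("display_name_seen_with_other_address")
    if (addr, rcpt) not in base["pairs"]:
        signals.append("first_contact_with_recipient")
    reply_to = msg.get("reply_to")
    if reply_to and domain(reply_to) != domain(addr):
        signals.append("reply_to_domain_mismatch")
    if msg["subject"].lower().startswith("re:") and msg.get("in_reply_to") not in base["msg_ids"]:
        signals.append("reply_without_known_thread")
    return signals

def triage(msg, base, review_threshold=2):
    """Recommend an action only; the threshold is a hypothetical value to tune per organisation."""
    signals = identity_signals(msg, base)
    return ("human_review" if len(signals) >= review_threshold else "deliver"), signals

# Constructed messages: neither carries a link or attachment for a content filter to match.
SUSPECT = {"from_name": "Dana Reyes", "from_addr": "dana.reyes@example.net", "to": "ap@example.com",
           "reply_to": "dana.reyes@mail.example.org", "subject": "Re: updated bank details"}
LEGIT = {"from_name": "Dana Reyes", "from_addr": "dana.reyes@example.com", "to": "ap@example.com",
         "subject": "Re: Q3 invoices", "in_reply_to": "<m2@example.com>"}

if __name__ == "__main__":
    print(triage(SUSPECT, build_baseline(HISTORY)), triage(LEGIT, build_baseline(HISTORY)))
```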