TL;DR: According to Abnormal AI, security teams relying on Microsoft 365 native protection or legacy secure email gateways face blind spots in behavioural context, more false positives, and SOC fatigue once identity-based, AI-powered attacks move faster than rule-based filters can be tuned. Traditional email controls were not designed for this attack pattern, so “good enough” protection can still leave operational drag and business risk.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams evaluate email protection against identity-based attacks?
A: They should test whether the control can use behavioural context, sender trust signals, and message content together, not just whether it flags obvious phishing text.
Q: Why do legacy email filters struggle with AI-assisted impersonation?
A: Legacy filters depend on stable patterns, but AI-assisted impersonation can vary language, tone, and timing while keeping the business context plausible.
Practitioner guidance
- Map email abuse to identity controls: treat suspicious inbox behaviour as an identity signal and review whether mailbox security, sign-in telemetry, and access governance are connected in one response path.
- Measure false-positive load as a governance metric: track how many analyst hours go to manual tuning, benign alerts, and escalations caused by email filtering errors, then set a reduction target.
- Test controls against impersonation and behavioural variation: use simulations that vary sender style, timing, and business context so you can see whether the control still detects abuse when the content is no longer obvious.
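One way to make the first point concrete is to correlate sign-in telemetry with mailbox changes before raising a single finding. The block below is an added example, not code from Abnormal AI or the webinar: it runs a small correlation rule over constructed, simplified audit records whose field names loosely follow Microsoft 365 Unified Audit Log conventions (Operation, UserId, ClientIP, CreationTime), but the events, the known-IP baseline, and the scoring weights are all assumptions made for illustration. A mailbox rule that forwards or deletes mail is only escalated when it follows a successful sign-in from an unfamiliar IP within a short window, and the resulting finding carries both the identity and the mailbox evidence so the responder acts once rather than twice. The second user shows the quiet path: a routine rule change from a known address produces no alert, which is the false-positive load the second bullet asks you to measure.

```python
"""Correlate sign-in telemetry with mailbox rule changes into one identity finding.

Added example with constructed data. Field names are simplified and only
loosely modelled on Microsoft 365 audit records; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "ap@example.com", "ClientIP": "203.0.113.7", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-05-01T08:05:40", "Operation": "New-InboxRule",
     "UserId": "ap@example.com", "ClientIP": "203.0.113.7",
     "Parameters": {"Name": ".", "ForwardTo": "drop@attacker.example", "DeleteMessage": True}},
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-05-01T09:10:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

# Constructed baseline: IPs each user has recently signed in from (assumption).
KNOWN_IPS = {
    "ap@example.com": {"192.0.2.10"},
    "bob@example.com": {"198.51.100.20"},
}

# Rule parameters that exfiltrate or hide mail; the set is an editorial assumption.
RISKY_RULE_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
WINDOW = timedelta(minutes=30)
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def rule_is_risky(params):
    """True when an inbox rule forwards, redirects or silently deletes mail."""
    return any(params.get(key) for key in RISKY_RULE_KEYS)


def correlate(events, known_ips, window=WINDOW):
    """Return one finding per risky rule change that follows an unfamiliar-IP
    sign-in by the same user within `window`. Scoring weights are assumptions:
    40 for the unfamiliar sign-in, 40 for the risky rule, 20 if both came from
    the same client IP."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["UserId"]].append(event)

    findings = []
    for user, evs in by_user.items():
        new_ip_logins = [
            e for e in evs
            if e["Operation"] == "UserLoggedIn"
            and e.get("ResultStatus") == "Succeeded"
            and e["ClientIP"] not in known_ips.get(user, set())
        ]
        for rule in (e for e in evs if e["Operation"] in RULE_OPS):
            if not rule_is_risky(rule.get("Parameters", {})):
                continue  # benign mailbox housekeeping: no alert
            prior = [l for l in new_ip_logins
                     if timedelta(0) <= _ts(rule) - _ts(l) <= window]
            if not prior:
                continue  # risky rule but no identity signal: leave to mail-side review
            login = prior[-1]
            score = 40 + 40 + (20 if login["ClientIP"] == rule["ClientIP"] else 0)
            findings.append({
                "user": user,
                "login_ip": login["ClientIP"],
                "rule_ip": rule["ClientIP"],
                "rule_params": rule["Parameters"],
                "score": score,
                # One response path: identity and mailbox actions in a single ticket.
                "actions": ["revoke sessions", "reset credentials",
                            "disable inbox rule", "review recent access grants"],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, KNOWN_IPS):
        print(f["user"], f["score"], f["actions"])
```

Run as a script and only the first user is reported, with both the sign-in and the rule evidence attached. The same structure extends to other identity signals (a new MFA method, a consent grant to an unfamiliar application) by adding them to the per-user event list rather than opening a second alert queue.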
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- How Peak Technologies measured the cost of false positives and manual tuning in day-to-day operations
- The specific evaluation criteria used to compare modern AI-native email protection with legacy SEG controls
- A first-hand account of where native controls created user friction and SOC fatigue
- The implementation perspective on what changed after rethinking “good enough” email security
👉 Watch Abnormal AI's on-demand webinar on identity-based email attack blind spots →
Email security blind spots: are your controls keeping up?
Explore further
Identity-based email abuse is not a mail-filtering problem; it is an identity governance problem. Once the attacker can mimic legitimate business context, the control question shifts from message classification to trust validation. That makes email security part of broader IAM, PAM, and lifecycle governance rather than a separate content-security silo. Practitioners should treat inbox compromise as an identity path, not just a spam event.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity-linked abuse remains hard to govern at scale.
A question worth separating out:
Q: Should organisations replace legacy secure email gateways immediately?
A: Not automatically, but they should test whether the current stack can handle trusted-context abuse, identity-based deception, and analyst workload at the same time. If the answer is no, the organisation should plan a migration path that improves contextual detection without increasing manual tuning. The decision should be driven by measurable operating limits, not vendor preference.
👉 Read our full editorial: Email security blind spots expose identity-based AI attacks