Legacy email security and BEC risk: what IAM teams should note


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Choice Hotels says advanced email attacks were bypassing legacy secure email gateways and traditional tools before it shifted to Abnormal, with faster remediation of BEC and vendor email compromise after the change. The underlying issue is that email attack handling still depends on controls that miss behaviourally driven abuse rather than stopping only known payloads.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should teams reduce the risk of BEC when email is still a core business channel?

A: Teams should assume email will remain an attack surface and move the highest-risk actions out of email trust alone.

Q: Why do legacy email gateways fail against modern impersonation attacks?

A: Legacy gateways are strongest against known malicious content, but impersonation attacks often use clean language, legitimate infrastructure, and human timing.

Practitioner guidance

  • Map inbox-to-action workflows: Identify the business actions that can be triggered by email, including payment changes, access resets, supplier updates, and urgent approvals.
  • Separate message trust from action trust: Do not allow a trusted mailbox to serve as sufficient evidence for high-risk decisions.
  • Test controls against BEC and vendor impersonation: Run phishing and impersonation scenarios that mimic real business requests, not just malware delivery.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • A walkthrough of how Choice Hotels identified that legacy SEGs were missing advanced email attacks in production.
  • The remediation path for BEC and vendor email compromise incidents after the security change.
  • Operational context on how the security team reclaimed time for proactive work after reducing manual response load.
  • A live webinar format that expands on the hotel-franchise environment and the email abuse patterns it faces.

👉 Watch Abnormal AI's webinar on how Choice Hotels reduced advanced email attack risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Legacy email security fails when attacks are built around trust, not payloads. The article reinforces a common control gap: signature-era SEG thinking assumes malicious content is the primary problem. BEC and vendor email compromise instead weaponise legitimate-looking communication, so the weakest point becomes human and workflow trust. For security leaders, that means email protection has to be judged by abuse resistance, not inbox throughput.

A few things that frame the scale:

A question worth separating out:

Q: How do organisations know if their email controls are actually reducing risk?

A: Look for fewer successful impersonation-driven actions, not just fewer spam messages. If users still approve fraudulent payment, credential, or routing requests after the inbox is protected, the control set is not reaching the real decision point.

👉 Read our full editorial: Email attack bypasses expose the gap in legacy SEG controls



   