Socially engineered attacks and the email security gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Advanced socially engineered attacks are bypassing traditional email security by manipulating employees into wiring funds, sharing credentials, and granting access, according to Abnormal AI and Microsoft. The real issue is not email filtering alone but the governance gap between human judgment, authentication controls, and response discipline.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams stop socially engineered email attacks from becoming identity compromise?

A: They should pair email detection with identity validation at the point of action.

Q: Why do socially engineered attacks remain effective even when email filtering is in place?

A: Because many attacks do not need malware or obviously malicious links.

Practitioner guidance

  • Verify high-risk requests out of band: require a second channel for payment changes, mailbox delegation, credential resets, and sensitive file transfers so a single email cannot complete the action.
  • Tie email detections to identity controls: route suspicious messages into access review, step-up verification, or temporary block actions so detection produces containment rather than just an alert.
  • Limit the blast radius of compromised mailboxes: restrict auto-forwarding, external delegation, and bulk access to shared data so a compromised account cannot easily expand into wider data exposure.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • The webinar discussion of how advanced socially engineered attacks bypass standard email filtering and where those controls fail in practice
  • The speaker perspective on why human decision-making remains the critical weakness in email-driven compromise chains
  • The vendor-led explanation of how behavioural AI is used to detect abnormal message and request patterns
  • The practical framing from Microsoft and Abnormal on combining detection with broader email security coverage

👉 Watch Abnormal AI's on-demand webinar on socially engineered attacks and email security →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Socially engineered email attacks are an identity problem disguised as a messaging problem. The article is really describing a control gap where human trust is used to bypass technical filters and reach authorised action. That means the security boundary is not the inbox alone, but the decision point where a person can approve, disclose, or transfer access. Practitioners should treat request validation as part of identity governance, not as a separate awareness exercise.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How can organisations measure whether their social engineering controls are working?

A: Measure whether suspicious requests are stopped before they become authorised actions. Useful indicators include the number of high-risk requests verified out of band, the rate of attempted mailbox delegation blocked, and how often payment changes are challenged before completion. If alerts do not translate into containment, the control stack is only observing risk, not reducing it.

👉 Read our full editorial: Socially engineered attacks are exposing the human weak point in email security
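
The gate and the indicators discussed in this thread, written out as an added example that is not part of either post and is not Abnormal AI's or Microsoft's code: it models the three practitioner controls from the topic post (out-of-band verification before a high-risk action completes, detections routed into step-up or temporary block, and a block on forwarding or delegation out of the tenant) and then computes the indicators from the measurement answer over a constructed audit log. The event schema, field names, the example.com tenant domain, the verdict strings and the sample events are all assumptions made for this illustration.

```python
"""Added example (not from the forum thread or any vendor): a request-validation
gate that enforces the three practitioner controls, plus the measurement
indicators, run over a constructed audit log. Event schema, field names, the
tenant domain and the verdict strings are assumptions for this illustration."""
from collections import Counter
from dataclasses import dataclass, field

# Actions that a single email must never be able to complete on its own.
HIGH_RISK_ACTIONS = {"payment_change", "mailbox_delegation", "credential_reset", "file_transfer"}
# Domains treated as internal; anything else is external (assumed tenant domain).
INTERNAL_DOMAINS = {"example.com"}
# Decisions that stop an action from completing as requested.
CHALLENGED = {"hold", "step_up_required", "block", "blocked"}


def is_external(address: str) -> bool:
    """True when the mailbox domain is outside the tenant."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


@dataclass
class Gate:
    """Identity-side decision point: every high-risk action passes through here,
    and an email detection changes what the gate demands of that actor."""
    flagged: set = field(default_factory=set)   # actors who must pass step-up
    blocked: set = field(default_factory=set)   # actors under temporary block

    def decide(self, ev: dict) -> str:
        kind, actor = ev["type"], ev["actor"]
        if kind == "detection":
            # Control 2: a detection produces containment, not just an alert.
            if ev["verdict"] == "account_takeover":
                self.blocked.add(actor)
                return "block_account"
            self.flagged.add(actor)
            return "step_up_required"
        if actor in self.blocked:
            return "blocked"
        # Control 3: no forwarding or delegation out of the tenant.
        if kind == "inbox_rule":
            return "block" if any(is_external(t) for t in ev.get("forward_to", [])) else "allow"
        if kind == "mailbox_delegation" and is_external(ev["delegate"]):
            return "block"
        if kind in HIGH_RISK_ACTIONS:
            if actor in self.flagged:
                if not ev.get("step_up_passed"):
                    return "step_up_required"
                self.flagged.discard(actor)
            # Control 1: a second channel must confirm before the action completes.
            return "allow" if ev.get("oob_verified") else "hold"
        return "allow"


def run(events: list[dict]) -> list[tuple[dict, str]]:
    """Replay an audit log through a fresh gate; returns (event, decision) pairs."""
    gate = Gate()
    return [(ev, gate.decide(ev)) for ev in events]


def metrics(results: list[tuple[dict, str]]) -> dict:
    """Indicators showing whether the controls reduce risk rather than only observe it."""
    c = Counter()
    for ev, d in results:
        kind = ev["type"]
        if kind in HIGH_RISK_ACTIONS:
            c["high_risk_requests"] += 1
            c["verified_out_of_band"] += bool(ev.get("oob_verified"))
            c["challenged_before_completion"] += d in CHALLENGED
            c["unverified_completed"] += (d == "allow" and not ev.get("oob_verified"))
        if kind == "mailbox_delegation":
            c["delegation_attempts"] += 1
            c["delegation_blocked"] += d in ("block", "blocked")
        if kind == "payment_change":
            c["payment_changes"] += 1
            c["payment_changes_challenged"] += d in CHALLENGED
    out = dict(c)
    attempts = out.get("delegation_attempts", 0)
    out["delegation_block_rate"] = out.get("delegation_blocked", 0) / attempts if attempts else 0.0
    return out


# Constructed audit log (not real data): one finance clerk and one executive mailbox.
AUDIT_LOG = [
    {"type": "payment_change", "actor": "ap.clerk@example.com", "vendor": "acme", "oob_verified": False},
    {"type": "payment_change", "actor": "ap.clerk@example.com", "vendor": "acme", "oob_verified": True},
    {"type": "inbox_rule", "actor": "cfo@example.com", "forward_to": ["cfo.backup@mail-example.net"]},
    {"type": "mailbox_delegation", "actor": "cfo@example.com", "delegate": "assistant@example.com", "oob_verified": True},
    {"type": "mailbox_delegation", "actor": "cfo@example.com", "delegate": "helper@outlook-example.com"},
    {"type": "detection", "actor": "ap.clerk@example.com", "verdict": "bec_suspected"},
    {"type": "payment_change", "actor": "ap.clerk@example.com", "vendor": "globex", "oob_verified": True},
    {"type": "payment_change", "actor": "ap.clerk@example.com", "vendor": "globex", "oob_verified": True, "step_up_passed": True},
    {"type": "detection", "actor": "cfo@example.com", "verdict": "account_takeover"},
    {"type": "file_transfer", "actor": "cfo@example.com", "oob_verified": True},
]

if __name__ == "__main__":
    for ev, decision in run(AUDIT_LOG):
        print(f"{ev['type']:<20} {ev['actor']:<24} -> {decision}")
    print(metrics(run(AUDIT_LOG)))
```

Run as a script to print each decision and the indicator dictionary. The figure to watch is unverified_completed, which the gate keeps at zero by construction, and the fact that both detections end in a step-up or block decision rather than an alert: that is the difference between observing risk and reducing it that the measurement answer describes.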