TL;DR: CISA says more than 90% of successful cyberattacks begin with phishing, while Los Angeles County cut SOC ticket volume from 75,000 to about 2,000 after deploying AI-native email security, according to the source article. Email remains the dominant trust and access choke point, so static defenses are no longer enough.
NHIMG editorial — based on content published by Abnormal AI: AI-native email security and the federal shift away from legacy phishing defenses
By the numbers:
- more than 90% of successful cyberattacks begin with a phishing email
- cybercrime exceeded $12.5 billion in losses in 2024
Questions worth separating out
Q: How should security teams handle phishing as an identity problem rather than an email problem?
A: Security teams should map phishing to identity compromise paths, not just message filtering.
Q: Why do legacy email filters miss modern phishing attacks?
A: Legacy filters depend on signatures, sender reputation, or known malicious artefacts, so a message that carries none of those indicators is never flagged.
Q: What signals show that email security is working well enough?
A: Useful signals include fewer false positives, lower ticket volume, faster triage of suspicious messages, and earlier detection of impersonation or thread hijacking.
Practitioner guidance
- Reclassify email as an identity risk control: map phishing, impersonation, and mailbox compromise into IAM and incident response playbooks.
- Test for behavioural detection coverage: measure whether your email stack can identify thread hijacking, anomalous sender behaviour, and suspicious reply-chain activity without relying on known indicators.
- Align email telemetry with identity response: ensure mailbox alerts feed the same triage and containment workflow used for account takeover and privileged access events.
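The second and third guidance points above, as an added worked example that is not code from the article or from Abnormal AI: three behavioural checks (reply-chain redirection inside an existing thread, display-name impersonation from an external domain, anomalous outbound volume from an internal account) run over constructed message metadata, with each hit emitted as an identity-risk event on the same queue an account-takeover alert would use. The field names, the identity baseline, the recipient threshold, the queue name and the sample messages are all assumptions made for this demonstration; nothing in it depends on a signature or a known malicious indicator.

```python
"""Behavioural phishing checks over constructed email metadata, emitted as
identity-risk events so mailbox alerts share the account-takeover workflow.
Illustrative example only: field names, baseline and samples are assumed."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Assumed baseline of internal identities: display name -> addresses that
# name has legitimately sent from (stands in for a directory lookup).
KNOWN_IDENTITIES = {
    "Dana Reyes": {"dana.reyes@example.org"},
    "IT Service Desk": {"servicedesk@example.org"},
}
INTERNAL_DOMAINS = {"example.org"}
TYPICAL_EXTERNAL_RECIPIENTS = 20  # assumed per-message baseline for this tenant


@dataclass
class Finding:
    """An identity-risk event, shaped like an account-takeover alert."""
    message_id: str
    signal: str       # which behavioural check fired
    principal: str    # identity the event is triaged against
    severity: str
    queue: str = "identity-response"  # shared containment queue (assumed name)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_thread_hijack(msg: dict) -> Optional[Finding]:
    """Inside an existing thread, a Reply-To that diverts replies to a domain
    other than the sender's is a reply-chain anomaly, whatever the content."""
    if not msg.get("in_reply_to"):
        return None
    _, sender = parseaddr(msg["from"])
    _, reply_to = parseaddr(msg.get("reply_to") or msg["from"])
    if reply_to and _domain(reply_to) != _domain(sender):
        return Finding(msg["message_id"], "reply_chain_redirect", sender, "high")
    return None


def check_display_name_impersonation(msg: dict) -> Optional[Finding]:
    """A known internal display name arriving from an external address that
    name has never used is treated as impersonation of that identity."""
    name, sender = parseaddr(msg["from"])
    known = KNOWN_IDENTITIES.get(name)
    if known is None or sender.lower() in known:
        return None
    if _domain(sender) not in INTERNAL_DOMAINS:
        # Triage against the impersonated internal identity, not the sender.
        principal = sorted(known)[0]
        return Finding(msg["message_id"], "display_name_impersonation",
                       principal, "high")
    return None


def check_sender_behaviour(msg: dict) -> Optional[Finding]:
    """An internal account mailing far more external recipients than its
    baseline is a mailbox-misuse signal worth routing to identity response."""
    _, sender = parseaddr(msg["from"])
    if (_domain(sender) in INTERNAL_DOMAINS
            and msg.get("external_recipients", 0) > TYPICAL_EXTERNAL_RECIPIENTS):
        return Finding(msg["message_id"], "anomalous_outbound_volume",
                       sender, "medium")
    return None


CHECKS = (check_thread_hijack, check_display_name_impersonation,
          check_sender_behaviour)


def triage(messages: list) -> list:
    """Run every behavioural check over each message; every finding lands on
    the same queue as account-takeover and privileged-access events."""
    findings = []
    for msg in messages:
        for check in CHECKS:
            hit = check(msg)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # Benign reply within a thread from a known internal sender.
    {"message_id": "m1", "from": "Dana Reyes <dana.reyes@example.org>",
     "in_reply_to": "m0", "reply_to": "", "external_recipients": 1},
    # Reply inside the same thread now diverts responses to another domain.
    {"message_id": "m2", "from": "Dana Reyes <dana.reyes@example.org>",
     "in_reply_to": "m1", "reply_to": "dana.reyes@example-mail.net",
     "external_recipients": 1},
    # Internal display name from an external address never seen for it.
    {"message_id": "m3", "from": "IT Service Desk <helpdesk.notice@freemail.test>",
     "in_reply_to": "", "reply_to": "", "external_recipients": 1},
    # Internal account suddenly mailing hundreds of external recipients.
    {"message_id": "m4", "from": "Dana Reyes <dana.reyes@example.org>",
     "in_reply_to": "", "reply_to": "", "external_recipients": 240},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f.queue}: {f.message_id} {f.signal} -> {f.principal} [{f.severity}]")
```

The point of `Finding.principal` is that the impersonation event is filed against the internal identity being spoofed, and the thread-hijack and volume events against the internal account that sent them, so the identity team sees the same subject it would see in an account-takeover alert rather than a message ID.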
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- The federal policy timeline and the specific executive-order language behind the move to AI-powered defenses.
- The Los Angeles County operational results in more detail, including the SOC workload changes and efficiency gains.
- The Protective Email Service concept and how API-based deployment would change federal integration effort.
- The article’s discussion of procurement reform and what agencies would need to change in buying criteria.
👉 Read Abnormal AI’s analysis of AI-native email security and federal phishing defense →
AI-native email security and phishing defense: what changes now?
Explore further
Email is now an identity control surface, not just a messaging channel. The article is right to frame phishing as a strategic issue because inbox compromise often becomes the first step in identity compromise. Once a message leads to credential capture, token theft, or delegated access misuse, the problem is no longer mail hygiene but programme-wide access governance. Practitioners should treat email telemetry as part of identity risk management, not as a separate security silo.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- In the same study, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which leaves delegated access paths hard to govern at scale.
A question worth separating out:
Q: Who should own response when phishing leads to account compromise?
A: Ownership should sit with both the email security team and the identity team, because the event crosses control domains. Mailbox compromise affects authentication, access, and downstream privilege. The right model is shared accountability with a single containment workflow, not separate queues that slow response.
👉 Read our full editorial: AI-native email defense is now central to federal cyber strategy