Email attack anomalies: what IAM teams need to know now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Phishing now accounts for 77% of advanced email attacks, while business email compromise caused more than $2.7 billion in losses last year and account takeovers averaged $4.67 million per breach, according to Abnormal AI. Traditional secure email gateways are losing their edge because modern attacks are contextual, credential-led, and increasingly tied to third-party app abuse.

NHIMG editorial — based on content published by Abnormal AI: 8 sinister cyber threats bypassing your SEG

By the numbers:

Questions worth separating out

Q: How should security teams defend against AI-generated phishing in email environments?

A: Security teams should move beyond header checks and malware scanning to behavioural and identity-aware detection.

Q: Why do account takeovers create such a large risk for enterprise identity programmes?

A: Account takeovers matter because a mailbox usually has more trust than a single login session.

Q: What breaks when third-party email apps are not reviewed after consent?

A: What breaks is ownership and visibility.

Practitioner guidance

  • Map mailbox-to-application trust paths: inventory which connected applications can read, send, or act from email identities, then rank them by business impact and revocation difficulty.
  • Review delegated app consent as lifecycle governance: treat every third-party email integration as an identity with an owner, purpose, expiry expectation, and offboarding trigger.
  • Tune detection for context shifts, not only malware: prioritise behavioural signals such as unusual reply chains, injected bank details, sudden CC changes, and anomalous language patterns.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • Per-attack breakdowns of credential phishing, BEC, QR-code abuse, and account takeover patterns that security operations teams can map to their own telemetry.
  • Examples of how context-based detection spots subtle bank-detail changes, CC-field manipulation, and reply-chain hijacking in live email traffic.
  • Practical discussion of how the vendor's AI-native platform remediates malicious mailboxes and removes attack artifacts after compromise.
  • Implementation detail on how the vendor assesses identity and context in cloud email events, which is useful for teams evaluating operational deployment.

👉 Read Abnormal AI's analysis of AI-driven email attacks bypassing SEGs →
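A worked illustration of the third guidance point above (behavioural signals rather than malware checks), added here as an example; it is not code from Abnormal AI, the vendor's platform, or this post. It scores each message of a constructed four-message thread against the thread state built from the earlier messages, for the signals the guidance lists: a reply not anchored to the thread, payment details injected where the thread had none, CC recipients dropped, and urgency language. The regexes, weights, review threshold, addresses and message bodies are all assumed for the illustration.

```python
"""Context-shift scoring over an email thread (added example, constructed data).

Each message is scored against the state of its thread as built from the
earlier messages; weights, patterns and the sample thread are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed patterns; a production rule set would be broader and tuned.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\b")
PAYMENT_CHANGE_RE = re.compile(r"\b(?:new|updated|changed)\s+(?:bank|payment|account|iban)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(?:urgent(?:ly)?|immediately|today|before\s+(?:cob|close)|do not (?:call|phone|discuss))\b",
    re.I,
)

# Assumed weights: payment-detail injection and unanchored replies dominate.
WEIGHTS = {
    "unanchored_reply": 3,
    "new_sender": 2,
    "bank_details_injected": 4,
    "cc_dropped": 2,
    "cc_added_external": 1,
    "urgency_language": 1,  # per hit, capped at two hits
}


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    to: tuple
    cc: tuple
    in_reply_to: Optional[str]
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_thread(messages):
    """Return {msg_id: (score, [reasons])}, scoring each message in order.

    Thread state advances even for flagged messages: this pass annotates for
    review, it does not drop mail.
    """
    seen_ids, participants, participant_domains = set(), set(), set()
    prior_cc, bank_details_seen, results = set(), False, {}
    for m in messages:
        reasons, score = [], 0
        cc_now = {a.lower() for a in m.cc}
        if m.in_reply_to is not None:  # reply-chain and recipient context checks
            if m.in_reply_to not in seen_ids:
                reasons.append("reply references a message id not seen in this thread")
                score += WEIGHTS["unanchored_reply"]
            if m.sender.lower() not in participants:
                reasons.append(f"sender {m.sender} never appeared in the thread before")
                score += WEIGHTS["new_sender"]
            dropped = prior_cc - cc_now
            if dropped:
                reasons.append("CC recipients removed: " + ", ".join(sorted(dropped)))
                score += WEIGHTS["cc_dropped"]
            added_external = {a for a in cc_now - prior_cc if domain(a) not in participant_domains}
            if added_external:
                reasons.append("CC added from domains new to the thread: " + ", ".join(sorted(added_external)))
                score += WEIGHTS["cc_added_external"]
        has_payment_details = bool(IBAN_RE.search(m.body) or PAYMENT_CHANGE_RE.search(m.body))
        if has_payment_details and not bank_details_seen:
            reasons.append("payment details introduced into a thread that had none")
            score += WEIGHTS["bank_details_injected"]
        urgency_hits = URGENCY_RE.findall(m.body)
        if urgency_hits:
            reasons.append("urgency/secrecy language: " + ", ".join(urgency_hits))
            score += min(len(urgency_hits), 2) * WEIGHTS["urgency_language"]
        results[m.msg_id] = (score, reasons)
        # Advance thread state after scoring this message.
        seen_ids.add(m.msg_id)
        for addr in (m.sender,) + tuple(m.to) + tuple(m.cc):
            participants.add(addr.lower())
            participant_domains.add(domain(addr))
        prior_cc = cc_now
        bank_details_seen = bank_details_seen or has_payment_details
    return results


def flagged(results, threshold=5):
    """Message ids whose score reaches the (assumed) analyst-review threshold."""
    return [mid for mid, (score, _) in results.items() if score >= threshold]


# Constructed thread: a genuine PO exchange, then a reply from the supplier's real
# mailbox that swaps payment details and drops finance from CC (the account-takeover
# pattern), then a follow-up from a look-alike domain anchored to no known message.
THREAD = (
    Message("<m1@acme.example>", "alice@acme.example", ("bob@supplier.example",),
            ("finance@acme.example",), None, "Hi Bob, attaching PO 4471 for the Q3 order."),
    Message("<m2@supplier.example>", "bob@supplier.example", ("alice@acme.example",),
            ("finance@acme.example",), "<m1@acme.example>",
            "Thanks Alice, invoice attached, payable to our usual account."),
    Message("<m3@supplier.example>", "bob@supplier.example", ("alice@acme.example",),
            (), "<m2@supplier.example>",
            "Alice, please note our updated bank details: IBAN GB29 NWBK 6016 1331 9268 19. "
            "Pay today, before COB. Do not call, I am travelling."),
    Message("<m4@supp1ier.example>", "bob@supp1ier.example", ("alice@acme.example",),
            (), "<missing@supp1ier.example>", "Following up on the invoice, please action urgently."),
)

if __name__ == "__main__":
    for mid, (score, reasons) in score_thread(THREAD).items():
        print(f"{mid} score={score}")
        for reason in reasons:
            print("   -", reason)
```

Two design points matter more than the particular weights. First, every signal is relative to the thread's own history, so the same sentence about bank details is benign in a thread that always carried an IBAN and suspicious in one that never did; that is the "context shift" the guidance describes. Second, the third message scores highest even though it comes from the legitimate supplier mailbox with a correct In-Reply-To, which is exactly why header checks alone miss the account-takeover case. In a real deployment the thread state would come from the mail store's conversation references rather than a tuple built in code.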

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

AI-assisted email attack chains are now an identity problem, not just a message-filtering problem. The article shows that modern phishing, BEC, QR-code lures, and app abuse are all designed to inherit trust from identity and context rather than from malware. That means the control surface has moved from suspicious content to the authority attached to the mailbox, the session, and the connected application. Practitioners should treat email as a governed identity plane, not a standalone inbox technology.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows that identity compromise is rarely a one-off event.

A question worth separating out:

Q: Who is accountable when delegated email access is abused?

A: Accountability should sit with the business owner of the integration, the identity team managing consent, and the security team monitoring downstream abuse. When delegated access is misused, the failure is usually lifecycle control, not a single technical event. Frameworks that cover access governance and zero trust principles are the right place to assign and test that responsibility.

👉 Read our full editorial: AI-native email threats expose the limits of SEG-based identity controls


