Email attacks bypassing Microsoft controls: what IAM teams should know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Customers average 462 advanced attacks per month per 1,000 mailboxes bypassing Microsoft native controls, according to Abnormal AI. Its behavioral model is trained on more than 1 billion signals and now powers 85% of detections across the platform, and the governance lesson is that intent-based identity and communication profiling is now essential because signature-only controls cannot keep pace with socially engineered abuse.

NHIMG editorial — based on content published by Abnormal AI: Key insights on behavioral AI detecting advanced email attacks

By the numbers:

Questions worth separating out

Q: How should security teams reduce business email compromise without drowning analysts in false positives?

A: Use behavioural detections that model each identity’s normal communication, authentication, and request patterns.

Q: Why do rules-based email controls fail against modern phishing and vendor impersonation?

A: They depend on known indicators, but modern attacks often avoid those indicators entirely.

Q: How can organisations tell whether email AI is actually improving security?

A: Look for measurable reductions in false positives, faster analyst review, and higher-confidence detections that explain why a message was flagged.

Practitioner guidance

  • Rebuild detections around identity-specific baselines. Prioritise controls that compare a message against the sender's communication history, authentication pattern, and relationship context rather than broad organisational norms.
  • Harden vendor-change workflows. Require secondary verification for banking detail changes, invoice amendments, and other relationship-sensitive requests, especially when the request arrives in an existing thread.
  • Test for signature blind spots. Run controlled simulations of thread hijacking, lookalike domains, and internal-account abuse to see whether current tools detect intent when payloads remain clean.

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • Customer-specific detection telemetry showing how behavioural AI reduces false positives in production email environments
  • Expanded examples of thread hijacking and vendor impersonation patterns that bypass native Microsoft controls
  • How the platform’s model uses production feedback to sharpen detections without manual rule writing
  • Operational context on why some detections move from analyst review to automation with minimal friction

👉 Read Abnormal AI's analysis of behavioral email attacks bypassing Microsoft controls →

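The identity-specific baseline and vendor-change check from the practitioner guidance above, as an added example that is not part of the original post or of Abnormal AI's product: it builds a per-sender baseline from constructed gateway metadata and explains why a payload-free banking-change request inside an existing relationship gets escalated. The field names, addresses, ASN values and intent labels are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample gateway metadata for one vendor contact (assumed field names, not real data).
HISTORY = [
    {"sender": "ap@vendor-example.com", "auth": "dkim=pass", "asn": "AS64500",
     "recipients": ("ap@corp-example.com",), "intent": "invoice"},
    {"sender": "ap@vendor-example.com", "auth": "dkim=pass", "asn": "AS64500",
     "recipients": ("ap@corp-example.com",), "intent": "invoice"},
    {"sender": "ap@vendor-example.com", "auth": "dkim=pass", "asn": "AS64500",
     "recipients": ("ap@corp-example.com", "cfo@corp-example.com"), "intent": "status"},
]
# Request types the vendor-change workflow treats as relationship-sensitive.
SENSITIVE = {"banking_change", "invoice_amendment"}

def build_baselines(history):
    """Per-sender counters of observed auth results, sending infrastructure, recipients, intents."""
    base = defaultdict(lambda: {"auth": Counter(), "asn": Counter(),
                                "rcpt": Counter(), "intent": Counter()})
    for m in history:
        b = base[m["sender"]]
        b["auth"][m["auth"]] += 1
        b["asn"][m["asn"]] += 1
        b["rcpt"].update(m["recipients"])
        b["intent"][m["intent"]] += 1
    return dict(base)

def score_message(msg, baselines):
    """Compare one message with its sender's own history; return (verdict, explainable reasons)."""
    b = baselines.get(msg["sender"])
    reasons = []
    if b is None:
        reasons.append("no communication history for this sender")
    else:
        if b["auth"][msg["auth"]] == 0:
            reasons.append(f"auth result {msg['auth']!r} never seen (baseline {dict(b['auth'])})")
        if b["asn"][msg["asn"]] == 0:
            reasons.append(f"new sending infrastructure {msg['asn']}")
        new_rcpt = [r for r in msg["recipients"] if b["rcpt"][r] == 0]
        if new_rcpt:
            reasons.append(f"recipients never used before: {new_rcpt}")
        if msg["intent"] in SENSITIVE and b["intent"][msg["intent"]] == 0:
            reasons.append(f"first {msg['intent']} request in this relationship")
    # Content is never inspected here: a clean payload still escalates when the context is abnormal.
    if msg["intent"] in SENSITIVE and reasons:
        return "verify_out_of_band", reasons  # route to the secondary-verification workflow
    if reasons:
        return "analyst_review", reasons
    return "allow", reasons
```

The reasons list is what makes the detection explainable to the analyst; the verdict keys are placeholders for whatever the gateway's action names are.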
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Behavioral email security is really identity security in another form. The article shows that the most effective detections are built on per-identity behavioural baselines, not org-wide averages. That is the same governance problem IAM teams face everywhere: the control fails when it assumes one normal pattern fits all users, vendors, and service relationships. Practitioners should treat messaging behaviour as identity evidence, not just content risk.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: What should teams prioritise when evaluating behavioural email security tools?

A: Prioritise per-identity baselines, explainable detections, and a feedback loop that improves with live production traffic. Those capabilities matter more than broad claims about AI because they determine whether the tool can detect abuse that looks normal in content but abnormal in context. Without them, the platform will struggle with invoice fraud, executive impersonation, and thread hijacking.

👉 Read our full editorial: Behavioral AI exposes email attacks that bypass native Microsoft controls
