
Email notification signals: what IAM teams are missing today


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: More than 90% of identity attacks leave traces in email, but IdPs and EDR tools typically do not inspect the downstream notification layer where payroll changes, device enrollments, and recovery alerts surface, according to Abnormal AI. Identity governance fails when defenders monitor authentication and endpoints but ignore the messages that confirm compromise after the fact.

NHIMG editorial — based on content published by Abnormal AI: LLMjacking-related identity attack signals in email notifications

By the numbers:

Questions worth separating out

Q: How should security teams detect identity attacks that only show up in email notifications?

A: Security teams should correlate identity-related emails with recent sign-ins, account changes, and device activity instead of treating mail as a separate security domain.

Q: Why do IdPs and EDR tools miss some identity compromises?

A: Because they usually monitor authentication and endpoint behavior, not the downstream business notifications that appear after the compromise.

Q: How can teams tell whether email is acting as an identity signal?

A: Teams can measure whether high-risk identity events generate emails that arrive close to suspicious sign-ins or account changes.

Practitioner guidance

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • The per-employee behavioural profile logic behind PeopleBase and how it clusters normal identity activity.
  • Examples of the email patterns Abnormal says indicate payroll, recovery, and enrollment abuse.
  • The analyst's view of why reading the notification layer changes detection outcomes in practice.
  • Product and engineering context on how the system processes organisation-wide email data.

👉 Read Abnormal AI's analysis of email-based identity attack signals →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Email is part of the identity control plane, not just a communication channel. Abnormal AI's analysis is directionally correct because the notification layer often contains the first durable evidence of identity abuse. If teams do not observe the messages generated by payroll changes, device enrollments, and recovery events, they are not seeing the full identity lifecycle. The practitioner conclusion is that email telemetry belongs in identity detection, not only in mail security.

A few things that frame the scale:

  • More than 90% of identity attacks leave traces in email, according to Ultimate Guide to NHIs.
  • Only 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What should organisations do when identity notifications are being buried by spam?

A: They should preserve the original notification stream, correlate it with recent identity activity, and treat message flooding as a potential anti-detection tactic. Spam can be used to hide a payroll or recovery confirmation long enough for fraudulent changes to settle. Containment depends on seeing the alert before it disappears into noise.

👉 Read our full editorial: Email notification signals are the blind spot in identity defense

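The correlation both posts describe (high-risk notification emails checked against recent suspicious sign-ins for the same user, and a burst of low-value mail right after such a notification treated as possible message flooding), as an added example that is not part of either post or of Abnormal AI's product: a small Python routine over constructed notification and sign-in records. The record field names, the one-hour and 30-minute windows, and the flood threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Notification kinds the posts treat as high-risk identity events.
HIGH_RISK = {"payroll_change", "device_enrollment", "recovery_alert"}

# Constructed sample data (not Abnormal AI's): mailbox notifications and IdP sign-ins.
NOTIFICATIONS = [
    {"ts": "2024-05-06T09:02:00", "user": "alice", "kind": "payroll_change"},
    {"ts": "2024-05-06T14:00:00", "user": "bob", "kind": "device_enrollment"},
] + [  # burst of low-value mail landing right after alice's payroll confirmation
    {"ts": f"2024-05-06T09:{m:02d}:00", "user": "alice", "kind": "newsletter"}
    for m in range(3, 23)
]
SIGNINS = [
    {"ts": "2024-05-06T08:50:00", "user": "alice", "new_device": True, "geo": "unusual"},
    {"ts": "2024-05-06T07:00:00", "user": "bob", "new_device": False, "geo": "usual"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def is_suspicious(signin):
    # Assumed risk rule: a new device or an unusual location marks the sign-in.
    return signin["new_device"] or signin["geo"] == "unusual"

def correlate(notifications, signins, window=timedelta(hours=1)):
    """Pair each high-risk notification with a suspicious sign-in by the same
    user that happened within `window` before the message arrived."""
    findings = []
    for note in notifications:
        if note["kind"] not in HIGH_RISK:
            continue
        arrived = parse(note["ts"])
        for s in signins:
            if s["user"] != note["user"] or not is_suspicious(s):
                continue
            gap = arrived - parse(s["ts"])
            if timedelta(0) <= gap <= window:
                findings.append({"user": note["user"], "kind": note["kind"],
                                 "minutes_after_signin": int(gap.total_seconds() // 60)})
    return findings

def flood_after(notifications, note, window=timedelta(minutes=30), threshold=10):
    """Count low-value mail to the same user right after a high-risk notification;
    a burst like this can bury the confirmation (message flooding)."""
    start = parse(note["ts"])
    burst = [n for n in notifications
             if n["user"] == note["user"] and n["kind"] not in HIGH_RISK
             and start < parse(n["ts"]) <= start + window]
    return len(burst) >= threshold, len(burst)
```

In the sample, alice's payroll confirmation arrives twelve minutes after a new-device sign-in and is followed by twenty newsletters inside half an hour, so both checks fire; bob's enrollment has no suspicious sign-in nearby and no burst, so neither does.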