
Email trust abuse and alert sprawl: what IAM teams need to act on


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are compromising supplier accounts, abusing real collaboration links, and exploiting overlapping email tools to hide malicious messages until invoices, credentials, or tokens are stolen, according to Abnormal AI. The governance problem is no longer just detection quality, but whether identity and incident workflows can keep pace with trust abuse, duplicate alerts, and DORA-driven response deadlines.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on 2025 email security trends

By the numbers:

Questions worth separating out

Q: How should security teams reduce business email compromise from trusted supplier accounts?

A: Security teams should baseline supplier communication patterns, including reply timing, billing cycles, and account-change behaviour, so deviations can be challenged before payment is approved.

Q: Why do collaboration-platform phishing lures bypass traditional email gateways?

A: They bypass gateways because the link often points to a legitimate cloud service, even though the content behind it is malicious.

Q: What do email security teams get wrong about duplicate alerts?

A: They often treat duplicate alerts as a sign of better coverage, when they actually create correlation debt and slow containment.

Practitioner guidance

  • Baseline supplier behaviour for payment-change requests: track normal reply timing, thread continuity, time zone patterns, and banking-detail changes for supplier accounts.
  • Treat collaboration links as identity events: detonate external Teams or Google Drive invitations in sandboxing workflows and warn users when a message arrives from a new tenant, multiple recipients, or outside business hours.
  • Consolidate overlapping email controls: inventory every control that modifies, inspects, or archives email, then keep the layer with the highest fidelity and retire redundant filters that create duplicate alerts.

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • Behaviour-based analytics examples for spotting supplier account abuse before invoice diversion.
  • Detection logic for collaboration-link phishing that looks beyond the URL and into session behaviour.
  • Operational guidance for reducing duplicate email alerts and simplifying SOC triage.
  • DORA-oriented investigation workflow detail for evidence collection and regulator notice preparation.

👉 Read Abnormal AI's analysis of 2025 email security trends and BEC risk →


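As an added example, not code from the post above or from the Abnormal AI research it summarises, the following Python sketches the two behavioural checks in the practitioner guidance: a per-supplier baseline (sender domain, reply-to, time zone, working hours, thread continuity, reply latency, banking details) that a payment-change request is measured against, and the new-tenant / fan-out checks for collaboration invites. Every supplier name, domain, tenant, account number and timestamp is constructed for the demonstration; the thresholds (observed-hours window, three times the median reply latency) are assumptions a real deployment would tune.

```python
# Added example (not from the NHIMG post or Abnormal AI): learn a per-supplier
# behavioural baseline from past mail metadata, then list how a new message
# deviates from it. All suppliers, domains, tenants, accounts and times are
# constructed for this demonstration.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median


@dataclass
class Msg:
    supplier: str                 # vendor the thread is attributed to
    sender_domain: str
    reply_to_domain: str
    sent: datetime                # tz-aware, in the sender's declared offset
    thread_id: str
    is_reply: bool                # message carries In-Reply-To / References
    reply_latency_h: float | None = None  # hours since our last mail in thread
    bank_account: str | None = None       # account number found in the body
    tenant: str | None = None             # collaboration tenant, for invites
    recipients: int = 1


@dataclass
class Baseline:
    domains: set[str] = field(default_factory=set)
    offsets: set[timedelta] = field(default_factory=set)
    hours: list[int] = field(default_factory=list)
    latencies: list[float] = field(default_factory=list)
    accounts: set[str] = field(default_factory=set)
    threads: set[str] = field(default_factory=set)
    tenants: set[str] = field(default_factory=set)


def build_baselines(history: list[Msg]) -> dict[str, Baseline]:
    """Learn what 'normal' looks like for each supplier from observed traffic."""
    out: dict[str, Baseline] = {}
    for m in history:
        b = out.setdefault(m.supplier, Baseline())
        b.domains.add(m.sender_domain)
        b.offsets.add(m.sent.utcoffset())
        b.hours.append(m.sent.hour)
        b.threads.add(m.thread_id)
        if m.reply_latency_h is not None:
            b.latencies.append(m.reply_latency_h)
        if m.bank_account:
            b.accounts.add(m.bank_account)
        if m.tenant:
            b.tenants.add(m.tenant)
    return out


def deviations(m: Msg, baselines: dict[str, Baseline]) -> list[str]:
    """Every way the message departs from its supplier's baseline; [] means 'looks normal'."""
    b = baselines.get(m.supplier)
    if b is None:
        return ["no baseline for this supplier"]
    flags: list[str] = []
    if m.sender_domain not in b.domains:
        flags.append(f"new sender domain {m.sender_domain}")
    if m.reply_to_domain != m.sender_domain:
        flags.append(f"reply-to {m.reply_to_domain} differs from sender domain")
    if m.sent.utcoffset() not in b.offsets:
        flags.append(f"unseen UTC offset {m.sent.utcoffset().total_seconds() / 3600:+.0f}h")
    if not min(b.hours) <= m.sent.hour <= max(b.hours):  # assumed window: observed hours
        flags.append(f"sent at {m.sent.hour:02d}:00 sender-local, outside observed hours")
    if m.is_reply and m.thread_id not in b.threads:
        flags.append("reply to a thread we have no record of")
    if m.reply_latency_h is not None and b.latencies:
        med = median(b.latencies)
        if m.reply_latency_h > 3 * med:  # assumed threshold: dormant thread revived
            flags.append(f"revived after {m.reply_latency_h:.0f}h; median reply is {med:.0f}h")
    if m.bank_account and m.bank_account not in b.accounts:
        flags.append(f"banking detail changed to {m.bank_account}")
    if m.tenant and m.tenant not in b.tenants:
        flags.append(f"invite from unseen tenant {m.tenant}")
    if m.tenant and m.recipients > 1:
        flags.append(f"invite fanned out to {m.recipients} recipients")
    return flags


def hold_payment_change(m: Msg, baselines: dict[str, Baseline]) -> bool:
    """Gate: a banking change with any deviation at all goes to out-of-band verification."""
    return bool(m.bank_account) and bool(deviations(m, baselines))


CET = timezone(timedelta(hours=1))
def at(day: int, hour: int, tz: timezone = CET) -> datetime:
    return datetime(2025, 3, day, hour, tzinfo=tz)

ACME = "acme-parts.example"  # constructed supplier domain
HISTORY = [  # constructed: normal traffic from one supplier account
    Msg("Acme Parts", ACME, ACME, at(3, 9), "T-1001", False, bank_account="DE00 1234 ACME"),
    Msg("Acme Parts", ACME, ACME, at(5, 14), "T-1001", True, 26.0),
    Msg("Acme Parts", ACME, ACME, at(12, 11), "T-1002", True, 20.0, tenant="acmeparts-tenant.example"),
    Msg("Acme Parts", ACME, ACME, at(20, 16), "T-1002", True, 30.0),
]
BASELINES = build_baselines(HISTORY)

BENIGN = Msg("Acme Parts", ACME, ACME, at(24, 10), "T-1002", True, 24.0)
FRAUD = Msg("Acme Parts", ACME, "acme-parts-billing.example",  # same mailbox, now compromised
            at(25, 4, timezone(timedelta(hours=-5))), "T-0999", True, 310.0,
            bank_account="GB00 9999 MULE")
INVITE = Msg("Acme Parts", ACME, ACME, at(26, 11), "T-2000", False,
             tenant="unknown-tenant.example", recipients=14)

if __name__ == "__main__":
    for name, m in [("benign", BENIGN), ("fraud", FRAUD), ("invite", INVITE)]:
        print(name, hold_payment_change(m, BASELINES), deviations(m, BASELINES))
```

The point of the design is that the fraudulent request comes from the supplier's real domain, so a sender-reputation or brand check passes; it is the combination of a changed reply-to, an unfamiliar offset and hour, an unknown thread, a dormant-thread revival and a new account number that separates it from the benign message, and the gate holds any banking change that carries even one deviation rather than trying to score them. The invite case shows the same baseline answering the collaboration-link question: the tenant and recipient count are identity signals, not content.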

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Email security has become an identity trust problem, not just a content-filtering problem. The article shows that the most dangerous messages often come from valid accounts, valid platforms, and valid workflows. That combination breaks the old assumption that legitimacy of transport or brand implies legitimacy of intent. Practitioners should treat supplier mail, collaboration invites, and payment-change requests as governed identity events, not just inbox content.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials.

A question worth separating out:

Q: Who is accountable when email-driven fraud or delayed incident reporting occurs?

A: Accountability sits across security operations, identity governance, and compliance because the failure is both operational and evidentiary. If the programme cannot produce a complete incident timeline quickly enough for a DORA-style deadline, the issue is not just investigation speed. It is an evidence management failure that leadership must own.

👉 Read our full editorial: Email security in 2025 is collapsing under trust abuse and alert sprawl
