Human threat coverage in 2025: what changed for security teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Missed phishing detections improved by 30% with no increase in false positives, as calendar-invite attack remediation was added and Microsoft Teams coverage extended amid attackers shifting beyond the inbox, according to Abnormal AI. The broader lesson is that human-targeted threats now move across collaboration channels faster than legacy email controls can track.

NHIMG editorial — based on content published by Abnormal AI: Key insights from its 2025 platform updates for human threat protection

By the numbers:

Questions worth separating out

Q: How should security teams defend users across email, calendar, and chat channels?

A: They should treat those channels as one collaboration risk surface and align detection, alerting, and remediation across all of them.

Q: Why do behavioural models matter for phishing defence?

A: Behavioural models help security teams catch attacks that do not match known signatures, especially personalised phishing and account abuse.

Q: What breaks when Microsoft 365 permissions and settings are left unmanaged?

A: Attackers inherit a much larger blast radius.

Practitioner guidance

  • Extend detection beyond the inbox: Map email, calendar, and Teams into one response workflow so malicious content can be identified and removed across channels before users continue interacting with it.
  • Review Microsoft 365 permission drift: Continuously surface risky settings and excessive permissions in Microsoft 365, then assign ownership for remediation so configuration issues do not sit outside identity governance.
  • Measure missed-detection reduction against false positives: Track whether new behavioural models improve campaign catch rates without increasing analyst workload, because precision matters as much as coverage in human threat defence.

What's in the full article

Abnormal AI's full post covers the operational detail this post intentionally leaves for the source:

  • Feature-by-feature breakdown of the 2025 behavioural model changes and how they affected detection quality.
  • Implementation detail for Security Posture Management across Microsoft 365 settings and permissions.
  • Workflow specifics for one-click remediation in Teams and calendar invite handling.
  • Product-level explanation of how Misdirected Email Prevention uses behavioural context before send.

👉 Read Abnormal AI's 2025 overview of human threat detection and remediation updates →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Human threat protection is now a multi-surface governance problem, not an inbox problem. The article shows that email, calendar, Teams, and Microsoft 365 configuration are now part of the same control plane. That means the organisation is no longer defending a single channel, but a mesh of user touchpoints where trust can be manipulated. Practitioners should expect governance gaps to appear wherever detection and response do not follow the user across surfaces.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when collaboration-channel attacks lead to data exposure?

A: Accountability usually sits across security operations, identity governance, and platform administration because the failure spans detection, permissioning, and user protection. If Teams, calendar, and email are managed separately, no single team sees the full path. Mature programmes define ownership for both channel protection and tenant posture.

👉 Read our full editorial: Abnormal AI's 2025 updates expand human threat coverage



   