
M&A email risk: are your acquired tenants actually protected?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter

TL;DR: Mergers and acquisitions create email security blind spots because acquired tenants often inherit legacy authentication, uneven policy enforcement, and delayed oversight, with one healthcare example finding 14% of accounts lacking MFA and a manufacturer uncovering 18 compromised inboxes before close, according to Abnormal AI. For IAM and security teams, deal integration is now an identity governance problem as much as an email defence problem.

NHIMG editorial — based on content published by Abnormal AI: M&A email risk in acquired tenants

By the numbers:

Questions worth separating out

Q: How should security teams assess acquired email tenants before integration?

A: Security teams should baseline acquired tenants in read-only mode before close, inventorying users, privileged accounts, OAuth apps, and legacy authentication paths.

Q: Why do acquisitions increase business email compromise risk?

A: Acquisitions increase business email compromise risk because oversight fragments while systems are changing, and attackers exploit the gap between inherited exposure and unified control.

Q: What breaks when inherited accounts still use legacy authentication?

A: What breaks is the assumption that all acquired identities already meet the acquiring organisation's baseline.

Practitioner guidance

  • Baseline acquired tenants in read-only mode before close: Inventory users, privileged accounts, OAuth-connected apps, and legacy authentication methods before integration begins so you know which identities are already exposed.
  • Prioritise MFA and legacy-auth remediation in inherited accounts: Treat missing MFA in acquired entities as an immediate exposure indicator, and sequence remediation before mailbox consolidation or policy migration.
  • Unify reporting across tenants and gateways: Create a single operational view for Microsoft 365 and Google Workspace environments so exceptions, risky inboxes, and coverage gaps do not stay hidden in separate teams.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step visibility workflow for read-only pre-close tenant assessment and mailbox risk discovery
  • Practical guidance on consolidating Microsoft 365 and Google Workspace oversight during integration
  • Operational examples of policy exception reduction and security coverage timelines after acquisition
  • Detailed descriptions of AI-based email rule management and the reporting outputs used by deal teams

👉 Read Abnormal AI's analysis of M&A email risk across acquired tenants →

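The read-only baseline that the practitioner guidance above describes, as an added worked example (this is not code from the NHIMG post or from Abnormal AI): it takes an inventory of users, privileged roles, MFA registration, last-seen legacy-auth protocol and OAuth app grants, and turns it into a prioritised remediation list. The record layout, the legacy-protocol and mailbox-scope lists, and all sample accounts and apps are constructed assumptions, not any product's export format.

```python
"""Pre-close baseline triage for an acquired email tenant (added example).

Consumes the kind of read-only inventory the guidance above calls for and
returns exposure counts plus a remediation order: privileged accounts without
MFA first, then anyone still authenticating over a legacy protocol, then the
remaining accounts without MFA.  All field names and sample data are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed list of basic-auth protocols that bypass modern MFA prompts.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP AUTH", "EWS-basic", "ActiveSync-basic"}

# Assumed list of OAuth scopes that grant mailbox-wide access and should be
# reviewed before mailboxes are consolidated into the acquiring tenant.
MAILBOX_SCOPES = {"Mail.ReadWrite", "Mail.Send", "full_access_as_app",
                  "https://mail.google.com/"}


@dataclass(frozen=True)
class User:
    upn: str
    privileged: bool                              # holds an admin role in the acquired tenant
    mfa_registered: bool
    last_legacy_protocol: Optional[str] = None    # last basic-auth protocol seen in sign-in logs


@dataclass(frozen=True)
class AppGrant:
    app_name: str
    consented_by_admin: bool
    scopes: frozenset


def assess_tenant(users, grants):
    """Return exposure summary and a de-duplicated remediation queue."""
    total = len(users)
    no_mfa = [u for u in users if not u.mfa_registered]
    legacy = [u for u in users if u.last_legacy_protocol in LEGACY_PROTOCOLS]
    priv_no_mfa = [u for u in no_mfa if u.privileged]
    risky_apps = [g for g in grants if g.scopes & MAILBOX_SCOPES]

    # Build the remediation order; a user appearing in several buckets is listed once,
    # at the position of the highest-priority bucket.
    seen = set()
    queue = []
    for bucket in (priv_no_mfa, legacy, no_mfa):
        for u in bucket:
            if u.upn not in seen:
                seen.add(u.upn)
                queue.append(u.upn)

    return {
        "total_users": total,
        "no_mfa_pct": round(100 * len(no_mfa) / total, 1) if total else 0.0,
        "privileged_without_mfa": [u.upn for u in priv_no_mfa],
        "legacy_auth_users": [u.upn for u in legacy],
        "mailbox_scope_apps": [g.app_name for g in risky_apps],
        "remediation_order": queue,
    }


# Constructed sample inventory for a fictional acquired tenant "acq.example".
SAMPLE_USERS = [
    User("alice@acq.example", privileged=True, mfa_registered=True),
    User("bob@acq.example", privileged=True, mfa_registered=False),
    User("carol@acq.example", privileged=False, mfa_registered=False, last_legacy_protocol="IMAP4"),
    User("dave@acq.example", privileged=False, mfa_registered=True, last_legacy_protocol="SMTP AUTH"),
    User("erin@acq.example", privileged=False, mfa_registered=True),
    User("frank@acq.example", privileged=False, mfa_registered=False),
    User("grace@acq.example", privileged=False, mfa_registered=True),
]

SAMPLE_GRANTS = [
    AppGrant("Legacy CRM connector", consented_by_admin=True,
             scopes=frozenset({"Mail.ReadWrite", "User.Read"})),
    AppGrant("Calendar sync", consented_by_admin=False,
             scopes=frozenset({"Calendars.Read"})),
    AppGrant("Signature tool", consented_by_admin=True,
             scopes=frozenset({"Mail.Send"})),
]


def baseline_report():
    """Run the triage over the constructed sample inventory."""
    return assess_tenant(SAMPLE_USERS, SAMPLE_GRANTS)


if __name__ == "__main__":
    for key, value in baseline_report().items():
        print(f"{key}: {value}")
```

The percentage field mirrors the "14% of accounts lacking MFA" style of finding the post quotes, and the queue is the sequencing the second bullet asks for: inherited admin accounts without MFA are fixed before any mailbox consolidation, and legacy-auth users are handled before the general MFA rollout.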

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

M&A email security is an identity governance problem before it is a mail security problem. The control failure starts when acquired tenants, accounts, and connected apps are accepted as transitional rather than governed assets. That means the programme is already behind if it waits for post-close standardisation before assessing exposure. Practitioners should treat the acquisition window as an identity assurance phase, not a cleanup phase.

A few things that frame the scale:

  • From our research: Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Our research also shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, reinforcing that identity exposure is already a mainstream operating condition.

A question worth separating out:

Q: Who is accountable for email security during an acquisition?

A: Accountability should sit jointly with the security, IAM, and integration leads, because the control failure is cross-functional. Deal teams own timing, IAM owns account assurance, and security owns risk validation. If those responsibilities are not explicit, risky inboxes, overlapping gateways, and compromised accounts can remain unaddressed until after integration.

👉 Read our full editorial: M&A email risk exposes security gaps across acquired tenants
