TL;DR: Vendor email compromise attacks can pass SPF, DKIM, and DMARC while still delivering credential-harvesting lures, because the sender account, domain, and infrastructure are genuinely trusted, according to Abnormal AI. The operational lesson is that identity-aware behavioral correlation matters more than single-message authentication when compromised accounts are used from within.
NHIMG editorial — based on content published by Abnormal AI: analysis of vendor email compromise and behavioural detection
Questions worth separating out
Q: How should security teams detect vendor email compromise when authentication checks pass?
A: They should treat authentication as necessary but insufficient.
Q: Why do compromised business accounts create more risk than spoofed phishing emails?
A: Compromised accounts inherit trust from the real tenant, so security tools and recipients both see an authentic sender path.
Q: Where do link-rewriting and sandboxing controls fail in email attacks?
A: They fail when the lure tells the recipient to leave the protected click path and navigate manually to the destination.
Practitioner guidance
- Correlate sender legitimacy with behavioural fit: score outbound vendor messages against historical language, recipient patterns, and attachment or link behaviour instead of relying on authentication verdicts alone.
- Detect manual-navigation lures: add detections for emails that instruct users to copy and paste URLs, enter credentials outside the normal click flow, or bypass link-rewriting controls.
- Inspect hosting and brand mismatches: flag messages where the branded sender is legitimate but the linked destination sits on unaffiliated hosting, especially when the destination is a fresh credential portal.
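The three guidance points above, as an added example that is not code from Abnormal AI, Attune, or NHIMG: a small behavioural triage pass over messages that have already passed SPF, DKIM, and DMARC. It scores each message against a per-sender baseline (known recipients, known link hosts, the vendor's usual vocabulary), flags copy-and-paste or "do not click" instructions as manual-navigation lures, and flags links whose host is not affiliated with the sender's domain, with an extra weight when the surrounding text reads like a credential portal. Every sender, recipient, domain, message, and threshold here is constructed for illustration; the `registrable()` helper is a deliberate simplification (two trailing labels) that a production system would replace with a public suffix list lookup.

```python
"""Behavioural triage for authenticated vendor email (added example, constructed data)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    auth_pass: bool  # True when SPF, DKIM and DMARC all passed


@dataclass
class SenderBaseline:
    known_recipients: set   # addresses this vendor has historically written to
    known_link_hosts: set   # link hosts seen in this vendor's past mail
    typical_terms: set      # vocabulary typical of this vendor's messages


# Phrases that push the reader off the protected click path (assumed patterns).
MANUAL_NAV_PATTERNS = [
    r"copy\s+(and|&)\s+paste",
    r"paste\s+(this|the)\s+(link|url|address)",
    r"type\s+(this|the)\s+(link|url|address)\s+(into|in)\s+your\s+browser",
    r"do\s+not\s+click",
]
URL_RE = re.compile(r"https?://[^\s<>\"]+")
CRED_TERMS = ("sign in", "log in", "login", "verify your account", "password")


def extract_hosts(body):
    """Lower-cased hostnames of every http(s) URL in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable(host):
    """Crude registrable-domain guess: last two labels (simplification, see lead-in)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(msg, baseline):
    """Return (score, reasons). Authentication is necessary but never sufficient here."""
    reasons, score = [], 0
    if not msg.auth_pass:
        reasons.append("auth_fail"); score += 3

    # 1. Recipient-pattern deviation: a known vendor writing only to never-seen people.
    new_rcpts = [r for r in msg.recipients if r not in baseline.known_recipients]
    if new_rcpts and len(new_rcpts) == len(msg.recipients):
        reasons.append("all_recipients_new"); score += 2

    # 2. Language fit: how much of the vendor's usual vocabulary appears in this message.
    text = (msg.subject + " " + msg.body).lower()
    words = set(re.findall(r"[a-z]+", text))
    overlap = len(words & baseline.typical_terms) / max(1, len(baseline.typical_terms))
    if overlap < 0.2:
        reasons.append("language_drift"); score += 1

    # 3. Manual-navigation lure: instructions that bypass link rewriting and sandboxing.
    if any(re.search(p, text) for p in MANUAL_NAV_PATTERNS):
        reasons.append("manual_navigation_lure"); score += 3

    # 4. Hosting/brand mismatch: legitimate sender, link on unaffiliated hosting.
    sender_domain = registrable(msg.sender.split("@")[1].lower())
    for host in extract_hosts(msg.body):
        if registrable(host) != sender_domain and host not in baseline.known_link_hosts:
            reasons.append(f"unaffiliated_host:{host}"); score += 2
            if any(t in text for t in CRED_TERMS):
                reasons.append("credential_portal_language"); score += 2
            break
    return score, reasons


def classify(score):
    """Map a score to a disposition (thresholds are assumptions)."""
    return "hold_for_review" if score >= 5 else "deliver"


# Constructed baseline and sample messages (no real organisations).
BASELINE = SenderBaseline(
    known_recipients={"ap@customer.example.com", "buyer@customer.example.com"},
    known_link_hosts={"portal.vendor.example.com"},
    typical_terms={"invoice", "purchase", "order", "shipment", "delivery", "quote", "attached"},
)
BENIGN = Message(
    sender="accounts@vendor.example.com",
    recipients=["ap@customer.example.com"],
    subject="Invoice 1042 for purchase order 77",
    body="Hi, the invoice is attached. Shipment details: https://portal.vendor.example.com/orders/77",
    auth_pass=True,
)
LURE = Message(  # same genuine, authenticated sender; compromised mailbox
    sender="accounts@vendor.example.com",
    recipients=["ceo@customer.example.com", "cfo@customer.example.com"],
    subject="Secure document shared with you",
    body="A document was shared. Do not click the link; copy and paste "
         "https://docs-share.example.net/login into your browser and sign in with your email password.",
    auth_pass=True,
)

if __name__ == "__main__":
    for label, m in (("benign", BENIGN), ("lure", LURE)):
        score, reasons = triage(m, BASELINE)
        print(f"{label}: score={score} verdict={classify(score)} reasons={reasons}")
```

Both sample messages come from the same authenticated sender, which is exactly the case single-message authentication cannot separate; only the baseline comparison and the lure-specific checks distinguish them. In practice the baseline would be built per sender (or per sender-tenant pair) from observed mail, and the individual weights tuned against your own false-positive tolerance.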
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- The exact behavioural indicators used to flag the compromised sender across multiple tenants
- The message and infrastructure patterns that separated legitimate vendor communication from the lure
- How Attune evaluated language, identity, and hosting mismatch in one detection flow
- The campaign characteristics that help security teams build stronger email triage rules
👉 Read Abnormal AI's analysis of vendor email compromise detection →
Vendor email compromise and behavioral detection: what changes now?
Explore further
Vendor email compromise is identity abuse, not email spoofing. The attacker did not need a fake domain or a forged sender when a real Microsoft 365 account could carry the lure for them. That changes the governance problem from blocking impersonation to detecting when a valid identity is being used outside its normal behavioural envelope. Practitioners should treat authenticated abuse as a first-class identity risk, not an email edge case.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: Who should be accountable for vendor email compromise incidents?
A: Accountability should sit with both the compromised organisation and the recipient environment's security team. The sender must manage mailbox protection and offboarding, while the receiver must detect behavioural anomalies, not just authentication failures. Shared business trust demands shared governance, especially when partner communications are part of the attack surface.
👉 Read our full editorial: Vendor email compromise exposes the limits of email authentication