Threats, Abuse & Incident Response

How should security teams detect AI-assisted phishing when content keeps changing?

By NHI Mgmt Group Editorial Team Updated June 27, 2026 Domain: Threats, Abuse & Incident Response

Teams should shift from text-only filtering to behavioural detection. The most useful signals are unusual sender cadence, identity switching, delivery iteration, and login context that does not match normal user behaviour. Static content checks still matter, but they are no longer sufficient when attackers can automatically mutate wording, structure, and display names.

Why This Matters for Security Teams

AI-assisted phishing has changed the detection problem from “spot the bad message” to “spot the bad behaviour.” When attackers can rewrite text at scale, rotate domains, and vary branding or display names, content signatures age out quickly. That is why current guidance increasingly favours behavioural analytics and identity context, as reflected in the NIST Cybersecurity Framework 2.0 and NHI-focused operational guidance such as Top 10 NHI Issues.

The real risk is not just a convincing email. It is the sequence that follows: credential theft, session hijack, mailbox rule creation, OAuth consent abuse, and lateral movement into SaaS accounts or AI tools. That is especially relevant when phished credentials are later reused against systems that hold API keys, tokens, or delegated access. In practice, many security teams encounter the compromise only after the first suspicious login, rather than through intentional detection of the phishing campaign itself.

How It Works in Practice

Effective detection starts by treating phishing as an event chain, not a single artifact. Static mail filters still matter, but they should be paired with telemetry that can spot abnormal sender cadence, repeated delivery attempts, identity switching, and post-click behaviour that does not match the user’s normal context. The strongest signal often appears after the message is delivered: unusual authentication geography, impossible travel, new device fingerprints, or access into sensitive resources shortly after the email interaction.

Security teams typically improve outcomes by correlating email security, identity logs, and endpoint activity:

  • Track whether the sender pattern is new, bursty, or inconsistent with the alleged domain owner.
  • Compare login context against baseline behaviour, including device, ASN, location, and time of day.
  • Flag mailbox actions such as forwarding rules, delegated access, OAuth grants, and token creation.
  • Use content similarity only as one input, not the primary decision point.
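The correlation the list above describes, written out as an added example (not code from the original page or from NHI Mgmt Group): score what a recipient's identity does in the window after a mail is delivered, with content matching contributing only a single point. The telemetry, user, ASNs, device ids and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for one user (not real logs). Names, ASNs and
# device ids are placeholders; the point is the correlation, not the values.
EMAILS = [{"ts": "2026-06-27T09:02:00", "user": "alice",
           "sender": "billing@vendor-portal.example", "content_flag": 1}]
LOGINS = [
    {"ts": "2026-06-27T08:15:00", "user": "alice", "asn": 64512, "country": "GB", "device": "dev-a1"},
    {"ts": "2026-06-27T09:14:00", "user": "alice", "asn": 64999, "country": "NG", "device": "dev-zz"},
]
ACTIONS = [{"ts": "2026-06-27T09:20:00", "user": "alice", "action": "forwarding_rule_created"}]
BASELINE = {"alice": {"devices": {"dev-a1"}, "asns": {64512}, "countries": {"GB"}}}
RISKY_ACTIONS = {"forwarding_rule_created", "delegate_added",
                 "oauth_consent_granted", "token_created"}

def parse_ts(s):
    return datetime.fromisoformat(s)

def login_anomalies(login, base):
    """Which baseline dimensions (device, ASN, country) this login does not match."""
    checks = (("device", "devices"), ("asn", "asns"), ("country", "countries"))
    return [field for field, key in checks if login[field] not in base.get(key, set())]

def correlate(emails, logins, actions, baseline, window=timedelta(hours=2), threshold=4):
    """For each delivered mail, score what the recipient's identity did in the
    following window. Content matching contributes at most one point; identity
    context and mailbox actions carry the decision."""
    alerts = []
    for mail in emails:
        start = parse_ts(mail["ts"])
        end = start + window
        base = baseline.get(mail["user"], {})
        score, reasons = mail.get("content_flag", 0), []
        for lg in logins:
            if lg["user"] == mail["user"] and start <= parse_ts(lg["ts"]) <= end:
                for dim in login_anomalies(lg, base):
                    score += 2
                    reasons.append(f"new {dim} at login {lg['ts']}")
        for act in actions:
            if (act["user"] == mail["user"] and act["action"] in RISKY_ACTIONS
                    and start <= parse_ts(act["ts"]) <= end):
                score += 3
                reasons.append(f"{act['action']} at {act['ts']}")
        if score >= threshold:
            alerts.append({"user": mail["user"], "sender": mail["sender"],
                           "score": score, "reasons": reasons})
    return alerts
```

The 08:15 login falls before delivery and is ignored; the 09:14 login from a new device, ASN and country plus the forwarding rule at 09:20 produce the alert, while a login matching the baseline would score only the content point and stay below threshold.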

This is where NHI governance becomes practical. If a phishing campaign captures an account that can mint tokens or access automation, the blast radius often extends beyond the human inbox. The Ultimate Guide to NHIs — Key Challenges and Risks is useful context here because phishing increasingly serves as a path into non-human credentials, not just human accounts. Detection also benefits from identity-centric controls described in the NHI Lifecycle Management Guide, especially where tokens and service accounts are in play. These controls tend to break down in organisations with weak identity telemetry, fragmented SaaS logging, or no visibility into OAuth and token activity because the attacker’s trail is spread across systems.

Common Variations and Edge Cases

Tighter behavioural detection often increases tuning overhead, requiring organisations to balance precision against alert volume and analyst fatigue. Current guidance suggests that this tradeoff is unavoidable when attackers continuously mutate content, because the strongest detection logic shifts from text matching to context correlation.

There is no universal standard for this yet, but a few patterns are emerging. Executive impersonation often produces fewer but higher-value signals, such as urgent delivery timing and follow-on login anomalies. Vendor compromise may look less suspicious in text and more suspicious in behavioural drift, especially when a familiar sender account starts sending at unusual hours or from new infrastructure. Multi-language phishing can also defeat content heuristics while still exposing weak identity context and abnormal access patterns. For teams that monitor AI tool access, the DeepSeek breach is a reminder that credential exposure can create downstream misuse far beyond the original message. The most reliable programs combine mail telemetry, identity signals, and post-click containment rather than waiting for content to look obviously malicious.
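The vendor-compromise pattern above (a familiar sender that starts sending at unusual hours, from new infrastructure, or in bursts) as an added example of sender-side behavioural drift; this is not code from the original page or from NHI Mgmt Group, and the mail history, ASNs and burst factor are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed history for one familiar vendor sender (not real mail logs):
# twenty days of business-hours mail from one sending ASN, then a 03:00 burst from new infra.
HISTORY = [{"ts": f"2026-06-{d:02d}T{h:02d}:00:00", "asn": 64512}
           for d in range(1, 21) for h in (9, 11, 14, 16)]
TODAY = [{"ts": f"2026-06-27T03:{m:02d}:00", "asn": 64999} for m in range(0, 60, 4)]

def build_sender_baseline(history):
    """Hours of day and sending ASNs the sender normally uses, plus typical daily volume."""
    hours = Counter(datetime.fromisoformat(m["ts"]).hour for m in history)
    days = {datetime.fromisoformat(m["ts"]).date() for m in history}
    return {"hours": set(hours), "asns": {m["asn"] for m in history},
            "daily_avg": len(history) / max(len(days), 1)}

def sender_drift(batch, base, burst_factor=3.0):
    """Reasons a batch of mail from a known sender drifts from its baseline:
    unusual hours, new sending infrastructure, burst volume. Content is not inspected."""
    reasons = []
    odd_hours = {datetime.fromisoformat(m["ts"]).hour for m in batch} - base["hours"]
    if odd_hours:
        reasons.append(f"sent at unusual hours {sorted(odd_hours)}")
    new_asns = {m["asn"] for m in batch} - base["asns"]
    if new_asns:
        reasons.append(f"new sending ASN(s) {sorted(new_asns)}")
    if len(batch) >= burst_factor * base["daily_avg"]:
        reasons.append(f"burst: {len(batch)} messages vs daily avg {base['daily_avg']:.1f}")
    return reasons
```

Each returned reason is a behavioural signal that survives arbitrary rewording of the message body; a normal day's mail from the same sender returns an empty list.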

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | DE.CM-1 | Behavioural phishing detection depends on continuous monitoring signals across email and identity. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Phishing often leads to token abuse, mailbox rule changes, and other NHI compromise paths. |
| NIST AI RMF | | AI-assisted phishing is an evolving risk that needs governed monitoring and response. |

Correlate email, auth, and endpoint telemetry to detect phishing by anomaly, not just content.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org