They should use behavioural signals such as sender history, thread context, request timing, and relationship baselines. Payload-less BEC often contains no malware, so content filters alone will miss it. The best controls compare the email against normal communication patterns and trigger response when the message departs from expected business behaviour.
Why This Matters for Security Teams
Payload-less business email compromise is difficult to catch because it often looks like normal conversation, not malicious software delivery. Attackers rely on trusted relationships, urgent business language, and timing that matches legitimate workflows, which means content filters can be technically correct and still miss the risk. That is why security teams need behavioural detection that compares each message against known communication patterns, not just signature or attachment scans.
NHI Management Group has repeatedly shown that identity abuse is often the real control failure, not the presence of malware, including in The 52 NHI breaches Report. The same lesson applies to email: once an attacker can speak in a trusted voice, the payload is optional. Current guidance also aligns with the NIST Cybersecurity Framework 2.0, which emphasises continuous monitoring and risk-based detection rather than static trust assumptions. In practice, many security teams discover BEC only after payment instructions have already been changed or mailbox rules have already been abused, rather than through intentional early detection.
How It Works in Practice
Behavioural BEC detection works by scoring messages against the normal shape of business communication. That means building baselines for who usually emails whom, how quickly they respond, what topics they discuss, which devices or locations they use, and whether the request matches the relationship history. A message from a familiar sender can still be suspicious if the ask is out of pattern, the timing is unusual, or the thread context has been subtly altered.
Security teams typically combine several signals:
- Sender relationship drift, such as a first-time payment request from a previously quiet mailbox.
- Thread anomaly, including reply-to hijack, subject drift, or quoted-text manipulation.
- Request timing, for example urgent instructions that appear just before a deadline or outside normal business hours.
- Behavioural mismatch, such as new banking details, invoice changes, or executive impersonation that do not fit past exchanges.
This approach is stronger when paired with mailbox telemetry, identity telemetry, and policy-driven response. A useful reference point is the Top 10 NHI Issues, which reinforces that compromised identities are operational assets, not just login events. Teams should also align detection with the mailbox and identity control patterns described in the NHI Lifecycle Management Guide, especially where access review, session monitoring, and rapid revocation are required. These controls tend to break down when organisations have weak baselines for executives, shared mailboxes, or outsourced finance workflows, because the “normal” pattern is too inconsistent to score reliably.
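As an added illustration that is not part of the original guidance, the Python sketch below builds per-sender baselines from a constructed message history and scores a new message on the four signal classes listed above (relationship drift, thread anomaly, request timing, behavioural mismatch), then applies risk scoring rather than a hard block when the sender's baseline is sparse. The history, the suspect message, the weights and the thresholds are all assumed sample values, not real traffic or a vendor's scoring model.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history for one finance mailbox (sample data, not real traffic).
HISTORY = [
    {"from": "cfo@example.com", "reply_to": "cfo@example.com", "ts": "2026-05-04T10:15", "topic": "budget"},
    {"from": "cfo@example.com", "reply_to": "cfo@example.com", "ts": "2026-05-11T09:40", "topic": "budget"},
    {"from": "cfo@example.com", "reply_to": "cfo@example.com", "ts": "2026-05-18T11:05", "topic": "forecast"},
    {"from": "ap@supplier.example", "reply_to": "ap@supplier.example", "ts": "2026-06-01T15:10", "topic": "invoice"},
]
PAYMENT_TOPICS = {"invoice", "payment", "bank_details"}
WEIGHTS = {"unknown_sender": 1, "first_payment_request": 3, "reply_to_drift": 3, "off_hours": 1, "new_bank_details": 4}
MIN_BASELINE = 3  # fewer prior messages than this is a sparse baseline: score it, never hard-block on it

def build_baseline(history):
    # Per-sender baseline: volume, topics discussed, reply-to addresses seen, hours of activity.
    base = defaultdict(lambda: {"count": 0, "topics": Counter(), "reply_to": set(), "hours": []})
    for m in history:
        b = base[m["from"]]
        b["count"] += 1
        b["topics"][m["topic"]] += 1
        b["reply_to"].add(m["reply_to"])
        b["hours"].append(datetime.fromisoformat(m["ts"]).hour)
    return base

def score_message(msg, baseline):
    # Compare one message with its sender's baseline; return (score, reasons).
    b, reasons = baseline.get(msg["from"]), []
    if b is None:
        reasons.append("unknown_sender")
    else:
        if msg["topic"] in PAYMENT_TOPICS and not set(b["topics"]) & PAYMENT_TOPICS:
            reasons.append("first_payment_request")   # sender relationship drift
        if msg["reply_to"] not in b["reply_to"]:
            reasons.append("reply_to_drift")          # thread anomaly (reply-to hijack)
        if not min(b["hours"]) - 2 <= datetime.fromisoformat(msg["ts"]).hour <= max(b["hours"]) + 2:
            reasons.append("off_hours")               # request timing
    if msg.get("new_bank_details"):
        reasons.append("new_bank_details")            # behavioural mismatch with past exchanges
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(msg, baseline):
    # Risk-based action rather than a hard block; sparse baselines are capped at analyst review.
    score, reasons = score_message(msg, baseline)
    sparse = baseline.get(msg["from"], {"count": 0})["count"] < MIN_BASELINE
    action = "verify_out_of_band" if score >= 7 and not sparse else "analyst_review" if score >= 3 else "deliver"
    return action, score, reasons
# Constructed suspect message: trusted voice, off-hours payment change, reply-to on a lookalike domain.
SUSPECT = {"from": "cfo@example.com", "reply_to": "cfo@examp1e.com", "ts": "2026-06-26T22:50",
           "topic": "payment", "new_bank_details": True}
```

Running `triage(SUSPECT, build_baseline(HISTORY))` routes the message to out-of-band verification, while the same anomalies from the single-message supplier sender only reach analyst review because that baseline has not matured.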
Common Variations and Edge Cases
Tighter behavioural detection often increases analyst workload and can create false positives, so organisations must balance sensitivity against operational friction. That tradeoff matters most in high-change environments where approvals, acquisitions, travel, or seasonal finance activity produce legitimate communication spikes.
Some edge cases need special handling. Executive assistants may trigger anomalous-thread alerts by design. External counsel and auditors often have sparse baselines. Newly acquired business units can look suspicious simply because their communication patterns have not yet stabilised. Current guidance suggests using risk scoring rather than hard blocking for these cases until baselines mature.
There is no universal standard for this yet, but mature programs usually add out-of-band verification for high-risk requests, especially payments, bank detail changes, and beneficiary updates. Teams should also watch for mailbox-rule abuse and account takeover, because BEC frequently starts with legitimate access before it becomes a fraudulent request. The behavioural model fails when metadata is incomplete, when user roles change faster than baselines can adapt, or when alerts are not tied to a fast human verification path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Behavioural BEC often follows identity compromise and mailbox abuse. |
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring supports detection of anomalous email behaviour. |
| NIST AI RMF | | Risk management applies to behavioural models used for BEC detection. |
Limit standing access and rotate credentials quickly when email identity misuse is detected.
Related resources from NHI Mgmt Group
- How should security teams reduce business email compromise risk beyond secure email gateways?
- How should security teams handle email compromise as an identity risk?
- How should security teams detect AI-written malware without relying on signatures?
- How should security teams detect headless browser abuse without relying on static fingerprints?
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org