How should security teams manage email security after repeated acquisitions?

Why This Matters for Security Teams

Repeated acquisitions turn email security into an identity, governance, and change-management problem, not just a mail filtering problem. Each acquired business may bring inherited domains, unmanaged mail routing rules, stale exceptions, orphaned administrators, and different approval paths for forwarding, delegation, and mailbox access. If those differences are left in place, the email stack becomes harder to trust exactly when attackers are most likely to exploit confusion during integration. The control question is whether one security model can still describe all mail flow, ownership, and exception handling across the combined estate, as reflected in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the NIST Cybersecurity Framework 2.0. The practical failure mode is usually not a single configuration error; it is control drift across many inherited tenants, domains, and administrator handoffs. In practice, many security teams discover the gap only after a merger mailbox, forwarding rule, or legacy domain has already been used for phishing or impersonation.

How It Works in Practice

A repeatable approach starts with inventory and ownership. Security teams should map every acquired domain, mailbox, relay, connector, forwarding rule, delegated admin account, and exception path into one governance model, then decide which controls are standard, which are temporary, and which should be retired. The NHI Lifecycle Management Guide is useful here because the same lifecycle logic applies to mail-related identities: create, approve, use, rotate, monitor, and revoke. That is especially important where mail systems also depend on secrets, API keys, or service accounts, because hidden dependencies often outlive the acquisition project. Operationally, teams should:

• Consolidate domain ownership, DMARC enforcement, and inbox policy exceptions into one register.
• Review mailbox delegation, auto-forwarding, and admin roles after every integration milestone.
• Time-box temporary exceptions and require explicit expiry dates for inherited access.
• Measure whether monitoring, ticketing, and incident response still cover all tenants and brands.
• Revalidate the control stack after each migration wave, not only at the final cutover.

This is also where identity governance matters: mail security weakens when service accounts, shared mailboxes, and automated workflows are left outside the same review cycle as human administrators. NHIMG’s Top 10 NHI Issues highlights the broader pattern: inherited credentials and unclear ownership create durable exposure long after the merger team thinks the project is complete. These controls tend to break down when integration spans multiple directories, regional mail platforms, and partially retired tenants because ownership evidence and enforcement controls no longer line up cleanly.

Common Variations and Edge Cases

Tighter consolidation often increases short-term operational friction, so organisations have to balance speed of integration against the risk of breaking business-critical mail flows. Best practice is evolving for companies that keep acquired brands live for legal, regulatory, or customer reasons, because there is no universal standard for how long inherited mail exceptions may remain in place. Some environments will need temporary coexistence, but that should still be governed as an exception with explicit review dates, named owners, and documented compensating controls. The hard edge cases are shared mailboxes used by finance or legal teams, cross-domain forwarding for customer support, and subsidiaries that retain local autonomy after the acquisition closes. Those cases often justify limited exceptions, but not indefinite ones. Security teams should also assume that older tenants may have weaker logging, incomplete MFA coverage, or stale admin groups that were never part of the original target-state design. The key is to keep a single authoritative view of ownership and risk, then retire exceptions as soon as the business can support it. For a governance lens on inherited access and control obligations, the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the State of Secrets in AppSec both reinforce how fragmented ownership and inconsistent rotation practices create lingering exposure across merged environments.

Related resources from NHI Mgmt Group

• How should security teams reduce vendor email compromise risk in finance workflows?
• What do security teams get wrong about replacing secure email gateways?
• How should security teams reduce invoice fraud risk in email workflows?
• What do security teams get wrong about email as an identity control surface?