Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response How should security teams reduce business email compromise…
Threats, Abuse & Incident Response

How should security teams reduce business email compromise without drowning analysts in false positives?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated June 27, 2026 Domain: Threats, Abuse & Incident Response

Use behavioural detections that model each identity’s normal communication, authentication, and request patterns. That lets teams separate legitimate business changes from socially engineered abuse, even when the message contains no malicious link or attachment. The goal is not more alerts, but better intent recognition and fewer reviews for routine traffic.

Why This Matters for Security Teams

business email compromise succeeds because it looks normal at the moment it matters. Attackers rarely need malware or a malicious attachment when they can hijack trust, imitate payment workflows, or exploit a mailbox that already has authority. That is why behaviour-based detection matters more than static signatures. NHI Management Group’s 52 NHI Breaches Analysis shows how compromised identities become a launch point for broader abuse, and the same pattern applies when a human mailbox is taken over and used as a trusted control plane. Current guidance suggests analysts should focus on intent, sequence, and deviation, not just content.

Traditional email security often over-indexes on URL scanning, attachment detonation, and sender reputation. Those controls still matter, but BEC usually bypasses them by using familiar language, valid accounts, and plausible timing. The security problem becomes one of recognising abnormal request patterns: changes to payment instructions, first-time vendor bank details, unusual forwarding rules, or authentication from a new device followed by a sensitive request. The NIST SP 800-63 Digital Identity Guidelines reinforce that identity assurance is context-dependent, not a one-time event. In practice, many security teams encounter BEC only after finance has already approved the request, rather than through intentional detection engineering.

How It Works in Practice

Reducing false positives starts with modelling each identity’s normal communication and action patterns. That means building detections around baseline behaviour rather than generic “suspicious email” rules. A high-quality BEC program correlates mailbox activity, authentication events, and business context so that analysts see the full chain: login anomaly, inbox rule creation, vendor impersonation, and payment change request. The most useful detections are often behavioural and temporal, not content-based.

For example, teams can score events using signals such as:

  • new geography or device followed by a change in forwarding rules
  • first-time payment detail requests from a high-trust mailbox
  • reply-chain hijacking with a sudden shift in domain, tone, or urgency
  • requests that match prior workflow patterns but arrive outside normal timing

This is where identity evidence matters. The question is not only “did the message look malicious?” but “did this identity behave like itself?” That aligns with NHI and workload security thinking: treat every privileged identity as an entity with a history, expected scope, and revocation path. NHI Management Group’s Ultimate Guide to NHIs — Why NHI Security Matters Now makes the same core point for machine identities: visibility, rotation, and least privilege reduce abuse opportunities. For mature BEC programs, the operational model should combine mailbox telemetry, IAM logs, and workflow approvals with rules that trigger review only when the request deviates from the identity’s established pattern. Anthropic’s first AI-orchestrated cyber espionage campaign report is a useful reminder that adversaries now automate reconnaissance and message crafting, which makes simple keyword filtering even less reliable.

These controls tend to break down in organisations with weak identity telemetry, fragmented finance workflows, or shared mailboxes, because the model cannot distinguish routine delegation from compromised authority.

Common Variations and Edge Cases

Tighter behavioural detection often increases tuning overhead, requiring organisations to balance fraud reduction against analyst capacity and business friction. That tradeoff is real, especially where executives, assistants, and finance teams regularly approve exceptions. Best practice is evolving, and there is no universal standard for exactly how much deviation should trigger review.

In smaller environments, simple high-risk workflow controls may outperform complex anomaly models. In larger enterprises, local teams often need separate baselines for executives, accounts payable, procurement, and customer success because each group has different communication rhythms. Shared inboxes, delegated access, and travel-heavy roles are common edge cases that can produce false positives unless the model understands who is authorised to act on behalf of whom. Another frequent failure mode is over-reliance on alert volume instead of case quality: if analysts are forced to review every slight wording change, the program collapses into noise.

Practical BEC defence also needs strong recovery paths. Even when detections work, finance should have out-of-band verification for bank detail changes, and identity teams should rapidly revoke suspicious session tokens, reset forwarding rules, and force step-up authentication. The broader lesson from the 52 NHI Breaches pattern is that compromised identity access rarely stays confined to one system. Once trust is abused, lateral movement into adjacent workflows is the real risk, not the email thread itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Credential rotation and short-lived access limit post-compromise mailbox abuse.
CSA MAESTROFocuses on secure agent and identity governance for autonomous, action-capable systems.
NIST AI RMFSupports risk-based, context-aware decisions for dynamic behaviour detection.

Apply MAESTRO principles to correlate identity context, action scope, and approval paths.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org