
Why do email impersonation attacks still work in Zero Trust programmes?

By NHI Mgmt Group Editorial Team. Updated June 23, 2026. Domain: Threats, Abuse & Incident Response

They still work because many programmes verify users and devices but leave the email channel dependent on implicit trust. If the receiving domain does not enforce DMARC, attackers can exploit the visible sender name and address even when web access and endpoint controls are strong. Zero Trust fails when one channel is exempt.

Why Email Impersonation Still Bypasses Zero Trust Controls

Email impersonation remains effective because zero trust programmes often harden login, device, and network access while leaving mail flow treated as a trusted business channel. That gap matters: if the receiving domain does not enforce DMARC, a convincing display name, lookalike address, or reply-chain hijack can still reach users even when endpoint controls are strong. NIST’s Zero Trust Architecture makes the principle clear: trust must be continuously evaluated, not assumed by channel. NHIMG’s 52 NHI Breaches Analysis shows how identity failures often begin in places teams do not consider part of the control plane. In practice, many security teams discover email impersonation only after a finance or executive mailbox has already been used as the trusted path into the organisation.

How the Attack Works Inside a Zero Trust Programme

Impersonation attacks usually succeed by exploiting the difference between authenticated infrastructure and human perception. A sender can spoof the visible name, register a typo-squatted domain, compromise a legitimate mailbox, or abuse a vendor thread that already carries trust. If DMARC is not enforced at the receiving side, the message may be delivered even when the sender domain is unauthorised. The problem is not just message filtering. It is the assumption that “internal-looking” email deserves more trust than it actually has.

Effective defence is layered and channel-specific:

  • Enforce DMARC with aligned SPF and DKIM, and move from monitoring to quarantine or reject where feasible.
  • Treat executive, finance, payroll, and vendor-change workflows as high-risk identity paths, not just mailbox hygiene issues.
  • Use phishing-resistant authentication for mail admin access and protect domain registrar and DNS accounts with strong controls.
  • Monitor for lookalike domains, reply-to manipulation, and mailbox rule changes that redirect sensitive conversations.

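The last bullet above names three signals worth monitoring. The following is an added example, not code from the NHIMG page, showing how a mail-flow triage job could check for each: a lookalike sender domain (visual confusables and single-character edits against a protected domain set), a Reply-To that routes replies outside the From domain's organisation, and a mailbox rule that hides or forwards finance-related mail. The protected-domain set, both sample messages and the rule event are constructed; the rule uses a generic dictionary shape, not any vendor's audit schema, and the organisational-domain helper assumes two labels rather than consulting the public-suffix list.

```python
"""Detection checks for lookalike senders, Reply-To redirection and
risky mailbox rules. Added example; all samples below are constructed."""
import re
from email import message_from_string

PROTECTED_DOMAINS = {"example.com"}          # assumption: the domains we own
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "payroll")


def org_domain(domain):
    """Organisational domain; assumption: last two labels, no public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def addr_domain(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.\-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def skeleton(s):
    """Collapse common visual substitutions so 'exarnp1e' compares as 'example'."""
    s = s.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")):
        s = s.replace(bad, good)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    d = domain.lower()
    if org_domain(d) in PROTECTED_DOMAINS:
        return None                                   # genuinely ours
    for p in PROTECTED_DOMAINS:
        if skeleton(d) == skeleton(p) or levenshtein(d, p) <= 1:
            return p                                  # exarnple.com, examp1e.com, example.co
        if skeleton(d.split(".")[0]) == skeleton(p.split(".")[0]):
            return p                                  # example.net: same label, other TLD
    return None


def reply_to_redirected(msg):
    """True when replies would leave the organisation of the From domain."""
    reply = msg.get("Reply-To")
    if not reply:
        return False
    return org_domain(addr_domain(reply)) != org_domain(addr_domain(msg.get("From")))


def triage_message(raw):
    """Run the header checks over one RFC 5322 message; returns a list of findings."""
    msg = message_from_string(raw)
    findings = []
    from_dom = addr_domain(msg.get("From"))
    target = lookalike_of(from_dom)
    if target:
        findings.append("lookalike sender %s imitates %s" % (from_dom, target))
    if reply_to_redirected(msg):
        findings.append("reply-to redirects to %s" % addr_domain(msg.get("Reply-To")))
    return findings


def risky_rule(rule):
    """Flag a mailbox rule (constructed generic shape, not a vendor schema)
    that forwards externally or hides finance-related conversations."""
    actions = rule.get("actions", {})
    reasons = []
    for addr in actions.get("forward_to", []):
        if org_domain(addr_domain(addr)) not in PROTECTED_DOMAINS:
            reasons.append("forwards to external address %s" % addr)
    subject_terms = " ".join(rule.get("conditions", {}).get("subject_contains", [])).lower()
    hides = any(actions.get(k) for k in ("delete", "mark_read", "move_to_folder"))
    if hides and any(t in subject_terms for t in FINANCE_TERMS):
        reasons.append("hides mail matching finance keywords")
    return reasons


# Constructed samples: an impersonation attempt, a normal internal message,
# and a rule that would keep the victim from seeing replies about payments.
SPOOFED = ("From: CEO <ceo@exarnple.com>\nReply-To: ceo.office@mail-relay.test\n"
           "To: finance@example.com\nSubject: urgent wire\n\nPlease process today.\n")
LEGIT = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: lunch\n\nNoon?\n"
RULE = {"mailbox": "cfo@example.com",
        "conditions": {"subject_contains": ["invoice", "payment"]},
        "actions": {"move_to_folder": "RSS Feeds", "mark_read": True,
                    "forward_to": ["archive@external-mail.test"]}}

if __name__ == "__main__":
    print(triage_message(SPOOFED))   # two findings
    print(triage_message(LEGIT))     # []
    print(risky_rule(RULE))          # two reasons
```

The rule check deliberately keys on what the rule does (external forward, hide or auto-read finance mail) rather than on who created it, because the mailbox-rule stage of a business email compromise is normally performed with the victim's own, fully authenticated session.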
This is consistent with current guidance from CISA cyber threat advisories, which repeatedly show that attackers chain social engineering with identity abuse rather than relying on one weakness alone. It also aligns with NHIMG’s Top 10 NHI Issues, where unmanaged trust boundaries are a recurring root cause. The best comparison is not a perimeter breach but a workflow compromise: the attacker enters through the message, then uses the business process to move money, reset credentials, or approve access. These controls tend to break down when organisations enforce Zero Trust on endpoints and apps but leave inbound and outbound email outside the same policy model because mail is treated as “just communication.”

Where the Standard Fix Becomes Insufficient

Tighter email authentication often increases operational overhead, requiring organisations to balance delivery reliability against spoofing resistance. That tradeoff becomes visible when large third-party ecosystems, legacy mail gateways, or marketing platforms cannot fully align with DMARC expectations. Best practice is evolving, but there is no universal standard for how quickly every domain should move to reject mode without disrupting legitimate traffic.

Edge cases matter. Partner ecosystems can produce false positives if vendors send on behalf of your domain without proper alignment. Shared mailboxes and delegated sending can also create confusion unless ownership and approval paths are explicit. In high-risk environments, an email policy should be paired with process controls: out-of-band verification for payment changes, approval thresholds for sensitive requests, and user training focused on recognising business email compromise rather than generic phishing.
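The "aligned SPF and DKIM" requirement from the controls list earlier and the partner false positive described in this paragraph come down to the same check, so one added example serves both. It is not code from the NHIMG page; it applies the identifier-alignment rules of RFC 7489 in simplified form to a message's RFC5322.From domain and its Authentication-Results header, honours the published p= policy only when the receiver is enforcing, and walks through a spoof, a legitimate message, a vendor sending on the domain's behalf without alignment, and the same vendor after it signs with a DKIM key under the domain. The DMARC records, the Authentication-Results headers and every domain are constructed, and the organisational-domain helper assumes two labels rather than consulting the public-suffix list.

```python
"""DMARC disposition for one received message (simplified RFC 7489
identifier alignment). Added example; records and headers are constructed."""
import re

# Constructed TXT records as returned for _dmarc.<domain>; a real receiver resolves them over DNS.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
}


def org_domain(domain):
    """Organisational domain; assumption: last two labels, no public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """Tag/value pairs of a DMARC record with RFC 7489 defaults, or None if unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull (verdict, authenticated domain) for spf and dkim out of an
    Authentication-Results header (RFC 8601 style; constructed here)."""
    out = {"spf": (None, None), "dkim": (None, None)}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.\-]+)", clause)
        out[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else None)
    return out


def evaluate(from_domain, auth_results, enforce=True, records=DMARC_RECORDS):
    """Return (disposition, reason) for a message whose RFC5322.From is in
    from_domain. `enforce` models the receiving side: when False the
    published policy is looked up but never applied, which is the gap the
    page describes."""
    record = records.get(from_domain.lower()) or records.get(org_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "deliver", "no usable DMARC record for %s" % from_domain
    ar = parse_auth_results(auth_results)
    spf_ok = ar["spf"][0] == "pass" and aligned(ar["spf"][1], from_domain, policy["aspf"])
    dkim_ok = ar["dkim"][0] == "pass" and aligned(ar["dkim"][1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "deliver", "DMARC pass via aligned %s" % ("DKIM" if dkim_ok else "SPF")
    reason = "DMARC fail: spf=%s(%s) dkim=%s(%s) not aligned with %s" % (
        ar["spf"][0], ar["spf"][1], ar["dkim"][0], ar["dkim"][1], from_domain)
    if not enforce or policy["p"] == "none":
        return "deliver", reason + " (not enforced)"
    return policy["p"], reason


# Constructed Authentication-Results headers for the four situations discussed.
SPOOF = ("mx.example.com; spf=pass smtp.mailfrom=bounce.other-sender.test; "
         "dkim=pass header.d=other-sender.test header.s=s1")
LEGIT = "mx.example.com; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com"
VENDOR_UNALIGNED = ("mx.example.com; spf=pass smtp.mailfrom=bounce.vendor.example; "
                    "dkim=pass header.d=vendor.example")
VENDOR_FIXED = "mx.example.com; spf=pass smtp.mailfrom=bounce.vendor.example; dkim=pass header.d=example.com"

if __name__ == "__main__":
    for label, ar in (("spoof", SPOOF), ("legit", LEGIT),
                      ("vendor", VENDOR_UNALIGNED), ("vendor-fixed", VENDOR_FIXED)):
        print(label, evaluate("example.com", ar))
    print("receiver not enforcing:", evaluate("example.com", SPOOF, enforce=False))
```

The vendor case shows why the "false positive" is really an alignment gap: the vendor's SPF and DKIM both pass, but for the vendor's own domain, so a p=reject record correctly rejects the mail until the vendor is given a DKIM key (or a delegated SPF include) under the protected domain. Running the same spoof through the evaluator with enforce=False is the delivery outcome the page describes for receiving domains that do not enforce DMARC.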

NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because the same trust-boundary problem appears across machine identities and email workflows: once a channel is implicitly trusted, attackers do not need to beat every control, only the one exempted from policy. For organisations extending Zero Trust into communications, the practical target is not perfection; it is removing unaudited trust from the most abused message paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-1             | Email impersonation exploits weak identity assurance in trusted communication paths.
NIST Zero Trust (SP 800-207)    | ID                  | Zero Trust requires continuous evaluation of each message path, not blanket trust.
OWASP Non-Human Identity Top 10 | NHI-01              | Impersonation often succeeds when identity trust and secrets are not tightly bound.

Verify sender identity and apply least privilege to mail-enabled workflows and admin access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org