They depend on known indicators, but modern attacks often avoid those indicators entirely. If the email is clean, the domain is close enough, and the request fits a business process, signature logic can miss it. Behavioural analysis works better because it measures whether the request is normal for that relationship, not just whether the message looks suspicious.
Why This Matters for Security Teams
Rules-based email controls fail because modern phishing and vendor impersonation rarely depend on obvious malware, broken grammar, or a visibly hostile domain. Attackers increasingly aim for messages that are syntactically clean and operationally believable, which means signature-driven controls miss the very cases that most resemble legitimate business traffic. NHI Management Group’s research on the Ultimate Guide to NHIs — Standards shows why static controls break down when identity trust is assumed instead of continuously evaluated. The same pattern appears in broader governance guidance such as the NIST Cybersecurity Framework 2.0, which emphasizes ongoing risk management rather than one-time perimeter checks.
The problem is not simply that phishing is “better written.” It is that impersonation now exploits trust relationships, invoice workflows, supplier onboarding, and routine approvals. A message can be clean enough to pass technical filters while still being fraudulent because the control is looking for the wrong signal. In practice, many security teams encounter vendor impersonation only after a payment request, mailbox compromise, or business email compromise has already been accepted as normal.
How It Works in Practice
Modern email defense works better when it treats each message as a trust decision, not a text-matching exercise. Rules still have value for obvious indicators, but they should be layered beneath behavioural and contextual analysis that evaluates sender history, relationship depth, request type, domain similarity, reply-chain integrity, and whether the action fits the business process. NHI Management Group’s DeepSeek breach coverage illustrates a broader lesson: attackers succeed when they can make abuse look routine enough to blend into normal operations.
Effective controls usually combine:
- Authentication checks such as SPF, DKIM, and DMARC, used as baseline hygiene rather than final verdicts.
- Relationship-aware filtering that scores whether the sender, recipient, and request history match prior interactions.
- Policy controls for payment, supplier, and account-change requests so that sensitive actions require independent verification.
- Detonation or sandboxing for attachments and URLs, paired with user reporting to catch what automated checks miss.
This aligns with current guidance from the CISA ecosystem and broader identity-centric thinking in the Ultimate Guide to NHIs — The NHI Market, because trust decisions should be based on who is acting, from where, and in what context. These controls tend to break down in heavily outsourced finance environments, where supplier communications are frequent, process exceptions are common, and attackers can hide inside legitimate operational noise.
Common Variations and Edge Cases
Tighter email verification often increases workflow friction, so organisations have to balance fraud resistance against business speed. That tradeoff is most visible in procurement, payroll, legal, and executive assistant workflows, where legitimate requests often arrive under time pressure and from unfamiliar contacts.
There is no universal standard for this yet, but current guidance suggests that the highest-risk messages should trigger step-up verification rather than automatic blocking alone. That includes first-time payee changes, bank detail updates, mailbox forwarding changes, and requests that bypass established approval chains. Behavioural tools can help, but they still need human process controls, especially when an attacker compromises a real vendor account and sends a plausible follow-up from inside an existing thread.
This is also where rules-based controls often fail against BEC-style attacks: the message may be technically valid, semantically normal, and operationally urgent, which leaves little for simple pattern matching to catch. In those cases, organisations need policy that assumes the message may be authentic-looking but still unauthorised.
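The layered controls listed under "How It Works in Practice" and the step-up triggers above can be expressed as one relationship-aware scorer; the following is an added example, not NHIMG's own tooling, and the vendor history, weights and thresholds are constructed assumptions. DMARC is treated as one signal among several, a lookalike domain and a sensitive request outside an existing thread raise risk, and sensitive request types always route to independent verification even when the sender is a known vendor (the compromised-account case).

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
# Constructed relationship history (assumption): vendor domains we already
# exchange mail with, the contacts seen there, and the request types seen.
KNOWN_RELATIONSHIPS = {
    "acme-supplies.example": {"contacts": {"ap@acme-supplies.example"}, "requests": {"invoice"}},
}
STEP_UP_REQUESTS = {"new_payee", "bank_detail_update", "mailbox_forwarding_change"}

@dataclass
class Message:
    sender: str
    request_type: str               # e.g. "invoice", "bank_detail_update"
    dmarc_pass: bool                # baseline hygiene, never a final verdict
    in_known_thread: bool           # reply-chain integrity
    bypasses_approval_chain: bool   # "pay today, skip the PO"

def lookalike_domain(domain: str) -> str:
    # Known vendor domain this one closely resembles, or "" if none.
    for known in KNOWN_RELATIONSHIPS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() > 0.85:
            return known
    return ""

def score(msg: Message) -> tuple:
    # Additive risk (illustrative weights) plus the reasons an analyst would see.
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    rel = KNOWN_RELATIONSHIPS.get(domain)
    risk, reasons = 0, []
    if rel is None:
        risk += 40; reasons.append("no prior relationship with sender domain")
        if lookalike_domain(domain):
            risk += 30; reasons.append("domain resembles " + lookalike_domain(domain))
    elif msg.sender.lower() not in rel["contacts"]:
        risk += 20; reasons.append("unfamiliar contact at a known vendor")
    if rel and msg.request_type not in rel["requests"]:
        risk += 20; reasons.append("request type never seen in this relationship")
    if not msg.dmarc_pass:
        risk += 25; reasons.append("DMARC failed")
    if msg.request_type in STEP_UP_REQUESTS and not msg.in_known_thread:
        risk += 15; reasons.append("sensitive request outside an existing thread")
    if msg.bypasses_approval_chain:
        risk += 20; reasons.append("request bypasses the approval chain")
    return risk, reasons

def decide(msg: Message) -> str:
    risk, _ = score(msg)  # sensitive request types always get an independent check
    if risk >= 80:
        return "block"
    return "step_up_verification" if risk >= 30 or msg.request_type in STEP_UP_REQUESTS else "allow"
```

Note that a bank-detail change sent from a genuine, previously seen vendor mailbox inside an existing thread scores low on every behavioural signal and still lands on step-up verification, which is the process control the text says behavioural tools cannot replace.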
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Email trust decisions need continuous access and identity validation, not static allowlists. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Vendor impersonation often exploits abused non-human credentials and weak secret handling. |
| NIST AI RMF | | Behavioural email defenses require governance for context-aware risk decisions and oversight. |
Use AI RMF governance to define accountability, escalation, and human review for automated email risk scoring.
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org