Large enterprises have more internal identities, more message volume, and more formal processes, so attackers move away from executive impersonation toward employee impersonation and compromised accounts. The credibility target changes with scale. Security teams should tune defences to the identities that are believable inside each operating model.
Why This Matters for Security Teams
Business email compromise in large enterprises is less about a single “important” mailbox and more about believable identity collisions across departments, vendors, and delegated workflows. Attackers exploit the fact that a message from finance, procurement, HR, or a regional manager can look routine when thousands of similar requests move every day. That shift is well documented in NHI abuse patterns, including the broader identity sprawl described in The 52 NHI Breaches Report and the credential exposure dynamics highlighted in Ultimate Guide to NHIs — Why NHI Security Matters Now.
At enterprise scale, attackers rarely need to impersonate the CEO. They gain more value by blending into normal internal traffic, hijacking routine approvals, or reusing compromised accounts that already fit the environment. That makes the problem harder to solve with awareness training alone, because the message is not obviously malicious when it matches expected business language and process timing. Current guidance suggests that defenders should measure believability, not just authority, and tune controls to the identities that are most credible inside the organisation’s operating model. In practice, many security teams encounter the abuse only after an employee has already approved a payment, forwarded a sensitive request, or trusted a “known” internal sender.
How It Works in Practice
Large enterprises create a dense identity graph. Employees, contractors, shared mailboxes, delegated assistants, service accounts, and third-party contacts all create realistic impersonation targets. Attackers use that density to move away from broad executive spoofing and toward narrower pretexting that fits a team’s day-to-day rhythm. When a mailbox is compromised, the attacker can reply in thread, reference internal jargon, and abuse trust that already exists between business functions. That is why guidance from Anthropic’s report on AI-orchestrated cyber espionage matters here: automation makes pretexting more scalable and harder to distinguish from routine correspondence.
Operationally, defenders need to combine mail security with identity governance:
- Use tenant-wide telemetry to identify which internal identities are most often impersonated, not just which executives are targeted.
- Correlate mailbox login anomalies, forwarding rule creation, and impossible travel with unusual payment or approval requests.
- Apply stronger verification to payment, payroll, and vendor-bank changes, especially when the sender is internal but the request is out of character.
- Review delegated access, shared inboxes, and long-lived tokens because compromised accounts often appear legitimate long before the fraud is discovered.
For the identity and credential side of the problem, the DeepSeek breach is a useful reminder that exposed secrets and reused credentials accelerate compromise across seemingly separate systems. When an enterprise has many internal identities and many approval paths, attackers can choose the most believable route rather than the most privileged one. These controls tend to break down when mail flow is highly automated across subsidiaries because local exceptions and delegated approvals make malicious requests look operationally normal.
Common Variations and Edge Cases
Tighter verification often increases friction, so organisations have to balance fraud resistance against business speed. That tradeoff becomes sharper in large enterprises because not every high-volume request should be treated as suspicious, and not every unusual request is malicious.
There is no universal standard for this yet, but current guidance suggests different playbooks for different fraud surfaces. Executive impersonation still matters, yet in mature enterprises the more common edge cases are employee impersonation, supplier compromise, and abuse of delegated authority. Regional business units may also have different norms, so a request that looks abnormal in one division may be ordinary in another. Teams should therefore calibrate controls by process criticality, not by title alone.
One useful pattern is to combine identity-based risk scoring with transaction-aware controls. For example, a finance approval from a known internal account should still trigger extra checks if the destination account changed, the request arrived outside normal hours, or the conversation was moved to a less monitored channel. The same logic applies to compromised shared mailboxes, where the sender appears trusted but the surrounding behaviour changes. In large enterprises, BEC is often less about deception at the top and more about blending into the middle of the organisation.
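As an added example (not code from the page or from NHI Mgmt Group), one way to combine the mailbox telemetry listed above with the transaction-aware checks described here: a small Python scorer that runs over constructed sample data. The field names, weights, thresholds and business-hours window are assumptions.

```python
from datetime import datetime

HIGH_VALUE_TYPES = {"payment", "payroll_change", "vendor_bank_change"}
MONITORED_CHANNELS = {"corporate_mail", "ticketing"}
BUSINESS_HOURS = range(8, 18)  # local hours this team normally sends approvals (assumed)
IDENTITY_WEIGHTS = {"login_anomaly": 2, "forwarding_rule_created": 3, "impossible_travel": 3}
TRANSACTION_WEIGHTS = {"destination_changed": 3, "outside_hours": 1, "channel_moved": 2}

# Constructed sample data (not from the page): a known vendor account, one
# vendor-bank-change request from an internal mailbox, and that mailbox's telemetry.
VENDOR_ACCOUNTS = {"ACME Supplies": "IBAN-CONSTRUCTED-0001"}
SAMPLE_REQUEST = {
    "sender": "ap-lead@corp.example", "type": "vendor_bank_change",
    "vendor": "ACME Supplies", "destination": "IBAN-CONSTRUCTED-9999",
    "sent_at": "2026-06-27T02:14:00", "channel": "personal_chat",
}
SAMPLE_IDENTITY = {"login_anomaly": True, "forwarding_rule_created": True,
                   "impossible_travel": False}


def transaction_signals(request, vendor_accounts):
    """Transaction-aware signals: did the destination, timing or channel change?"""
    known = vendor_accounts.get(request["vendor"])  # unknown vendor: no baseline to compare
    sent_at = datetime.fromisoformat(request["sent_at"])
    return {
        "destination_changed": known is not None and request["destination"] != known,
        "outside_hours": sent_at.hour not in BUSINESS_HOURS,
        "channel_moved": request["channel"] not in MONITORED_CHANNELS,
    }


def score_request(request, identity_signals, vendor_accounts):
    """Combine mailbox-compromise indicators with transaction signals into a verdict."""
    txn = transaction_signals(request, vendor_accounts)
    hits = [k for k in IDENTITY_WEIGHTS if identity_signals.get(k)]
    hits += [k for k in TRANSACTION_WEIGHTS if txn[k]]
    score = sum(IDENTITY_WEIGHTS.get(k, 0) + TRANSACTION_WEIGHTS.get(k, 0) for k in hits)
    # A changed destination alone forces out-of-band verification; otherwise the
    # combined score decides, with a lower bar for high-value process types.
    if txn["destination_changed"] or score >= 5:
        verdict = "hold_and_verify_out_of_band"
    elif score >= 2 and request["type"] in HIGH_VALUE_TYPES:
        verdict = "step_up_verification"
    else:
        verdict = "allow"
    return {"score": score, "verdict": verdict, "reasons": hits}


if __name__ == "__main__":
    print(score_request(SAMPLE_REQUEST, SAMPLE_IDENTITY, VENDOR_ACCOUNTS))
```

The sample request trips both the identity and the transaction side, so it is held for out-of-band verification; the same request from a clean mailbox, in business hours, on corporate mail and to the known account scores zero.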
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control help reduce believable internal impersonation. |
| NIST CSF 2.0 | DE.CM-1 | Monitoring is needed to spot mailbox compromise, forwarding rules, and anomalous requests. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Compromised credentials and identity misuse are central to enterprise BEC patterns. |
Harden credential handling, reduce reuse, and review high-value account exposure across mail and workflow systems.
Reviewed and updated by the NHIMG editorial team on June 27, 2026.