Most organizations do not neglect security. They spend heavily on network firewalls, endpoint detection tools, and identity providers. Yet, the Verizon Data Breach Investigations Report (DBIR) consistently identifies email as a leading initial access vector.
It isn’t because email is inherently more fragile. It’s because the mailbox sits behind password resets, SaaS logins, financial approvals, and sensitive internal conversations. Compromise the mailbox and all of those become easier to reach. Across incident response investigations, a compromised inbox rarely stays confined to email. It becomes the primary bridge for lateral movement and internal reconnaissance.
The Perimeter Isn’t Where the Attack Starts
Years ago, IT security strategy focused on the network perimeter. The goal was to build high walls and filter traffic.
Attackers do not need to invent a new communication channel when they can abuse one that employees already rely on. Every member of an organization—from the warehouse floor to the C-suite—uses email to share invoices, confirm meetings, and authorize wire transfers. They don’t need to exploit the perimeter if they can authenticate as a legitimate user.
Phishing Doesn’t Look Like Phishing Anymore
Security training often tells users to look for typos or strange grammar. In practice, that advice is rarely helpful.
One pattern appears repeatedly in logs: conversation hijacking. An attacker compromises an external vendor, waits, and then jumps into an existing, legitimate email thread to request an “update” to a file or payment instructions. The context is perfect. The sender is a known contact.
These messages don’t rely on malware. They rely on the fact that the recipient has worked with that sender for years.
BEC Doesn’t Need Malware
The FBI’s Internet Crime Report highlights the financial impact of Business Email Compromise (BEC) for a reason.
A finance employee receives what appears to be a routine request from a long-time supplier asking that future payments be sent to a new account. The domain is legitimate because the supplier’s mailbox was compromised days earlier. Nothing about the message looks malicious to a gateway. It’s plain text. Because there is no technical “signature” to block, defending against this requires a move away from purely automated filtering toward behavioral analysis and secondary verification for high-risk requests.
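The "secondary verification for high-risk requests" step above can be automated as a routing decision rather than a block. The following Python is an added example, not code from the original article: it parses two constructed messages (the supplier domain, thread identifiers and bank details are placeholders), looks for payment-change language and bank details in the body, and decides whether the request must be confirmed out of band. The indicator names and the regular expressions are the example's own heuristics, chosen so that a known vendor replying inside an existing thread, the scenario the article describes, is still routed to verification.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The supplier domain is
# hypothetical and the bank details are obvious placeholders.
PAYMENT_CHANGE_MSG = b"""From: Accounts Receivable <ar@supplier-example.test>
To: ap@example.com
Subject: RE: Invoice 4471 - updated remittance details
In-Reply-To: <thread-4471@example.com>
Reply-To: ar@supplier-example.test
Content-Type: text/plain; charset=utf-8

Hi, as discussed on the call, our bank account has changed.
Please send future payments to the new account below.
Account: 000000000
Routing: 000000000
Thanks,
Accounts Receivable
"""

ROUTINE_MSG = b"""From: Accounts Receivable <ar@supplier-example.test>
To: ap@example.com
Subject: RE: Invoice 4471
In-Reply-To: <thread-4471@example.com>
Content-Type: text/plain; charset=utf-8

Hi, attached is the signed copy of invoice 4471 for your records.
Thanks,
Accounts Receivable
"""

# "new/updated/changed ... bank/account/remittance" in either order (heuristic).
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|different)\b.{0,40}\b(bank|account|remittance|wire|payment)s?\b"
    r"|\b(bank|account|remittance|wire|payment)s?\b.{0,40}\b(changed?|updated?)\b",
    re.IGNORECASE | re.DOTALL)
# A labelled account/routing/IBAN value in the body (heuristic).
BANK_DETAIL = re.compile(
    r"\b(account|acct|iban|routing|swift|sort code)\b\s*(no\.?|number|#)?\s*[:#]?\s*[A-Z0-9]{6,}",
    re.IGNORECASE)


def _domain(header_value):
    """Mail domain of an address header value, lower-cased ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def payment_change_indicators(raw):
    """Return the list of indicator names present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    indicators = []
    if PAYMENT_CHANGE.search(text):
        indicators.append("payment_change_language")
    if BANK_DETAIL.search(text):
        indicators.append("bank_details_in_body")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        indicators.append("reply_to_mismatch")
    if msg["In-Reply-To"] or msg["References"]:
        indicators.append("in_existing_thread")
    return indicators


def verification_decision(raw, known_vendor_domains):
    """Decide whether the request must be confirmed through a secondary channel.

    A known vendor inside an existing thread is exactly the compromised-supplier
    case, so familiarity never lowers the decision; only the presence of a
    payment change raises it.
    """
    indicators = payment_change_indicators(raw)
    msg = email.message_from_bytes(raw, policy=policy.default)
    verify = "payment_change_language" in indicators and (
        "bank_details_in_body" in indicators or "reply_to_mismatch" in indicators)
    return {"verify": verify,
            "indicators": indicators,
            "known_vendor": _domain(msg["From"]) in known_vendor_domains}


if __name__ == "__main__":
    for name, raw in (("payment change", PAYMENT_CHANGE_MSG), ("routine", ROUTINE_MSG)):
        print(name, verification_decision(raw, {"supplier-example.test"}))
```

The decision deliberately ignores whether the sender is a known contact: the article's point is that the domain, the thread and the sender are all genuine, so the only signal left is the nature of the request itself.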
Why Email Security Needs More Than Message Filtering
Most organizations already have basic email filtering in place. That eliminates a large volume of spam, malware, and known phishing campaigns before they ever reach a user’s inbox. Those controls remain important, but they solve a different problem than targeted email attacks.
A targeted attacker doesn’t need to send thousands of phishing emails. One convincing message sent to the right employee is often enough. Once a mailbox has been compromised, the activity that follows frequently looks legitimate. The user signs in successfully. Email is read from a familiar location. Messages are forwarded through standard mailbox rules. None of those actions automatically indicates malicious activity when viewed in isolation.
That’s why many organizations add cloud email security that extends beyond message filtering. Instead of looking only at inbound email, these platforms monitor mailbox activity for changes that fall outside a user’s normal behavior. Unexpected forwarding rules, newly approved OAuth applications, unusual sign-in patterns, and abnormal account activity can all provide early indicators that a mailbox has been compromised.
The goal isn’t simply to block another phishing email. It’s to recognize when a trusted account starts behaving like it no longer belongs to the person using it.
Your Mailbox Is an Identity System
When analyzing compromised environments, forwarding rules are often a bigger clue than the original phishing email.
- OAuth abuse: This has become a frequent path to access, often allowing an attacker to gain mailbox permissions without ever needing the user’s password.
- MFA: It is necessary, but if an attacker steals a session cookie issued after a successful MFA challenge, that challenge is not repeated and MFA no longer stands in the way.
- Out-of-band verification: If a request involves money or sensitive data, confirm it through a secondary channel, such as a phone call to a number already on file rather than one supplied in the message.
What Happens After the Mailbox Is Compromised
The initial compromise is often the shortest part of the attack. Maintaining access is usually more valuable than acting immediately. Investigators regularly find evidence that an attacker spent days, and sometimes weeks, inside a mailbox before attempting fraud or data theft.
- Review existing correspondence. Recent email threads show who approves purchases, which vendors submit invoices, how payment requests are normally handled, and who gets copied before money moves. That information helps attackers understand how the business actually operates.
- Establish persistent access. Forwarding rules, delegated mailbox permissions, and unauthorized OAuth applications allow continued access after the original phishing email has been removed. Depending on the method, a password reset may not be enough to interrupt that access.
- Monitor routine business activity. Rather than creating a new conversation, attackers frequently wait for a legitimate invoice, contract renewal, or payment request before responding within an existing email thread.
- Avoid actions that attract attention. Large data exports or mass mailbox downloads increase the chance of detection. Reading messages, downloading individual attachments, and sending replies from a compromised account often blend into normal business activity.
- Leave operational evidence behind. Unexpected forwarding rules, unfamiliar OAuth consent records, delegated mailbox access, and sign-in activity that falls outside a user’s normal pattern are all artifacts investigators commonly review when reconstructing an incident.
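The mailbox-activity monitoring described under "Why Email Security Needs More Than Message Filtering" and the artifacts listed just above can be expressed as detection logic over audit events. The Python below is an added example, not code from the article or from any product: it runs three checks (inbox rules forwarding outside the organization, OAuth consents to unreviewed applications, successful sign-ins from a location the user has never used) over a constructed set of events whose field names are hypothetical rather than any vendor's log schema, and escalates a user for whom a new sign-in location is followed by a persistence change. The organization's domains and the approved-application list are assumptions.

```python
from collections import defaultdict

ORG_DOMAINS = {"example.com"}                     # assumption: the organization's own mail domains
APPROVED_APPS = {"Corporate Calendar Connector"}  # assumption: OAuth apps that were reviewed and allowed

# Constructed sample audit events. Field names are hypothetical, not a vendor's log schema.
EVENTS = [
    {"ts": "2024-03-04T08:02:00", "user": "cfo@example.com", "op": "signin",
     "country": "US", "city": "Chicago", "result": "success"},
    {"ts": "2024-03-05T08:10:00", "user": "cfo@example.com", "op": "signin",
     "country": "US", "city": "Chicago", "result": "success"},
    {"ts": "2024-03-06T02:41:00", "user": "cfo@example.com", "op": "signin",
     "country": "NG", "city": "Lagos", "result": "success"},
    {"ts": "2024-03-06T02:44:00", "user": "cfo@example.com", "op": "inbox_rule_created",
     "rule": {"name": "..", "forward_to": "cfo-archive@mail-backup.example.org", "delete": True}},
    {"ts": "2024-03-06T02:50:00", "user": "cfo@example.com", "op": "oauth_consent",
     "app": "Mail Sync Helper", "scopes": ["Mail.Read", "Mail.Send"]},
    {"ts": "2024-03-06T09:00:00", "user": "ap@example.com", "op": "inbox_rule_created",
     "rule": {"name": "Invoices", "forward_to": "ap-team@example.com", "delete": False}},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def forwarding_findings(events, org_domains=ORG_DOMAINS):
    """Inbox rules that forward outside the organization; deleting copies or a
    punctuation-only rule name (hard to spot in a mailbox UI) raises severity."""
    out = []
    for e in events:
        if e["op"] != "inbox_rule_created":
            continue
        rule = e["rule"]
        target = rule.get("forward_to")
        if not target or _domain(target) in org_domains:
            continue
        hidden_name = not any(c.isalnum() for c in rule.get("name", ""))
        severity = "high" if rule.get("delete") or hidden_name else "medium"
        out.append({"user": e["user"], "kind": "external_forwarding", "severity": severity,
                    "detail": f"rule {rule.get('name')!r} forwards to {target}"})
    return out


def oauth_findings(events, approved=APPROVED_APPS):
    """OAuth consents to applications nobody reviewed; send/write scopes raise severity."""
    out = []
    for e in events:
        if e["op"] != "oauth_consent" or e["app"] in approved:
            continue
        writes = any(s.endswith((".Send", ".ReadWrite")) for s in e["scopes"])
        out.append({"user": e["user"], "kind": "unreviewed_oauth_consent",
                    "severity": "high" if writes else "medium",
                    "detail": f"{e['app']} granted {', '.join(e['scopes'])}"})
    return out


def signin_findings(events):
    """Successful sign-in from a (country, city) pair the user has never used before.
    The first location seen becomes the baseline; ISO timestamps sort as strings."""
    seen = defaultdict(set)
    out = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] != "signin" or e["result"] != "success":
            continue
        loc = (e["country"], e["city"])
        if seen[e["user"]] and loc not in seen[e["user"]]:
            out.append({"user": e["user"], "kind": "new_signin_location", "severity": "medium",
                        "detail": f"{loc[1]}, {loc[0]}"})
        seen[e["user"]].add(loc)
    return out


def triage(events):
    """Group findings per user; a new sign-in location followed by a persistence
    change (forwarding rule or OAuth consent) is escalated to critical."""
    by_user = defaultdict(list)
    for f in forwarding_findings(events) + oauth_findings(events) + signin_findings(events):
        by_user[f["user"]].append(f)
    for findings in by_user.values():
        kinds = {f["kind"] for f in findings}
        if "new_signin_location" in kinds and kinds & {"external_forwarding", "unreviewed_oauth_consent"}:
            for f in findings:
                f["severity"] = "critical"
    return dict(by_user)


if __name__ == "__main__":
    for user, findings in triage(EVENTS).items():
        for f in findings:
            print(f"{user}: [{f['severity']}] {f['kind']}: {f['detail']}")
```

Run stand-alone, the internal forwarding rule created by the accounts-payable user produces nothing, while the executive account accumulates all three findings and is escalated, which is the chain the article describes: a successful sign-in that looks legitimate on its own, followed by the artifacts that outlive the phishing email.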
Closing the Gap
No single control catches every email attack. Organizations with mature security programs still investigate compromised mailboxes. That’s normal.
The clues usually aren’t dramatic. A forwarding rule appears overnight. An OAuth application is granted access when nobody remembers approving it. An executive who always signs in from Chicago suddenly has a successful session from somewhere else. None of those events automatically means an account has been compromised. Ignoring them is where the risk grows.
Spam filters still have a job to do. So do SPF, DKIM, and DMARC. They stop an enormous amount of low-effort abuse before it reaches a user. The investigations that consume security teams, though, usually start somewhere else. A trusted account behaves differently. A familiar vendor asks for a payment change. A mailbox begins forwarding messages outside the organization without anyone realizing it.
Email isn’t just another business application anymore. It sits behind password resets, cloud services, document sharing, financial approvals, and conversations that attackers can quietly observe for weeks. Once a mailbox is compromised, the objective often isn’t immediate disruption. It’s patience. Read the traffic. Learn how the business operates. Wait for a request that looks routine enough to avoid questions.
That’s why watching authenticated activity matters as much as filtering inbound messages. The phishing email may be deleted within minutes. The forwarding rule, delegated mailbox permission, or OAuth consent can remain long after the original message is gone. Those are often the artifacts investigators piece together when reconstructing how an attacker stayed inside an environment.