
5 email threats to watch as identity and AI attacks evolve  


COMMENTARY: Email remains the cornerstone of modern business communication. Universally adopted across industries and functions, email connects employees, partners, vendors, and customers in real time. However, that same ubiquity also makes it the most reliable entry point for cybercriminals.

Attackers are drawn to email because it gives them direct access to the human element. Employees must constantly engage with the inbox, creating countless opportunities for threat actors to exploit psychology, familiarity, and routine behavior through seemingly benign interactions.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Based on real-world attacks observed across enterprises, these are five trends that security leaders should recognize and adapt their defenses to:

1. Multi-stage QR code phishing.

QR code phishing surged earlier in the 2020s, but the tactic has rapidly evolved. Rather than relying on a single malicious QR code leading directly to a credential harvesting page, attackers are now using multi-stage workflows designed to condition the target over several interactions.

These campaigns often follow a layered approach. They begin with seemingly legitimate business communication—such as a request for quote or document exchange—before instructing the recipient to scan a QR code “using your phone’s camera.” That small instruction shifts the interaction from a corporate endpoint to a mobile device, often outside the visibility of enterprise email security controls. By the time a victim reaches the final page, they may have already passed through multiple steps that reinforce the illusion of legitimacy—such as verification screens or branded portals.

Rather than treating each email as an isolated event, we need to evaluate the broader attack sequence—and that’s why visibility into QR codes, downstream redirects, and abnormal user actions has become essential to detecting these attacks early.

2. Thread-spoofed vendor impersonation.

Financial fraud remains one of the most damaging outcomes of email compromise, and attackers are increasingly investing more effort into making these schemes believable.

Thread-spoofed vendor impersonation represents a notable evolution in these tactics. Instead of sending simple invoice fraud emails, attackers fabricate entire email threads that appear to show prior correspondence between a vendor and an internal employee. In many cases, the thread appears to show an internal authority figure granting approval to proceed with paying an invoice or updating bank details. The attackers aim for psychological manipulation, not technical exploitation. Familiar workflows, apparent approval from leadership, and realistic documentation combine to pressure recipients into acting quickly.

We need to focus on message authenticity as well as business intent. Validating vendor relationships, payment workflows, and approval patterns has become just as important as scanning attachments or links.

3. OAuth consent phishing.

Multi-factor authentication (MFA) has reduced the effectiveness of traditional credential theft, but attackers have adapted by targeting the systems designed to make modern authentication easier.

OAuth consent phishing manipulates users into authorizing malicious applications rather than entering their credentials directly. Instead of stealing a password, attackers trick victims into granting permissions to an attacker-controlled app through a legitimate authorization flow.

These attacks work because OAuth prompts are familiar and routine. When employees see a message asking them to approve a request from a trusted application or meeting invitation, they are naturally inclined to click through without question. Once consent is granted, attackers obtain token-based access to the user’s account and, depending on the permissions granted, may be able to read emails, send messages, or maintain persistent access.

Because the protocol itself functions exactly as designed, detecting these attacks requires identifying when legitimate authorization flows are being abused. Start with a regular review of OAuth application permissions, monitor for newly authorized apps, and ensure email defenses analyze the full URL chain behind authentication requests.
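The review described above can be partly automated. The script below is an added example, not code from the article or from Abnormal AI: it reads consent-grant audit events from an identity provider, flags grants to unapproved apps that request mailbox or refresh-token scopes, and surfaces every newly authorized app for inventory. The event record format, the app IDs and the approved-app list are constructed stand-ins; only the scope names follow real Microsoft Graph naming.

```python
"""Flag risky OAuth consent grants from an identity provider's audit log.

Added example. The pipe-delimited event format, app IDs and approved-app
list below are constructed for illustration; scope names follow Microsoft
Graph conventions but the records themselves are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that give a third-party app ongoing, attacker-useful access to a mailbox.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "offline_access",
}

# Apps the organization has reviewed and approved (hypothetical IDs).
APPROVED_APP_IDS = {"00000000-0000-0000-0000-0000000000aa"}  # corporate SSO connector


@dataclass
class ConsentGrant:
    timestamp: datetime
    user: str
    app_id: str
    app_name: str
    publisher_verified: bool
    scopes: frozenset


def parse_event(line: str) -> ConsentGrant:
    # Constructed format: ts|user|app_id|app_name|verified/unverified|scope scope ...
    ts, user, app_id, app_name, verified, scopes = line.split("|")
    return ConsentGrant(
        timestamp=datetime.fromisoformat(ts),
        user=user, app_id=app_id, app_name=app_name,
        publisher_verified=(verified == "verified"),
        scopes=frozenset(scopes.split()),
    )


def assess_grant(grant: ConsentGrant, now: datetime, recent=timedelta(days=7)) -> list:
    """Return the reasons a grant deserves review; an empty list means no finding."""
    if grant.app_id in APPROVED_APP_IDS:
        return []
    reasons = []
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    # A refresh token combined with mailbox read is the classic consent-phishing outcome:
    # the app keeps reading mail long after the user closes the browser.
    if "offline_access" in grant.scopes and grant.scopes & {"Mail.Read", "Mail.ReadWrite"}:
        reasons.append("refresh token plus mailbox read = persistent mailbox access")
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    if now - grant.timestamp <= recent:
        reasons.append("newly authorized app")
    return reasons


def review(lines, now):
    """Map (user, app_id) to review reasons for every grant that raised a finding."""
    findings = {}
    for line in lines:
        grant = parse_event(line)
        reasons = assess_grant(grant, now)
        if reasons:
            findings[(grant.user, grant.app_id)] = reasons
    return findings


# Constructed sample audit events.
EVENTS = [
    "2024-05-02T09:14:00+00:00|alice@example.com|11111111-1111-1111-1111-111111111111|Meeting Scheduler Pro|unverified|Mail.ReadWrite Mail.Send offline_access User.Read",
    "2024-05-02T09:20:00+00:00|bob@example.com|00000000-0000-0000-0000-0000000000aa|Corporate SSO Connector|verified|User.Read offline_access",
    "2024-02-10T16:02:00+00:00|carol@example.com|22222222-2222-2222-2222-222222222222|Docs Viewer|verified|User.Read Files.Read",
    "2024-05-01T11:45:00+00:00|dave@example.com|33333333-3333-3333-3333-333333333333|Quick Survey|verified|User.Read",
]
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def run_review():
    return review(EVENTS, NOW)


if __name__ == "__main__":
    for (user, app_id), reasons in run_review().items():
        print(f"{user} -> {app_id}")
        for reason in reasons:
            print("   -", reason)
```

Alice's grant is the one to act on: an unverified app holding `Mail.ReadWrite`, `Mail.Send` and `offline_access` is exactly the persistent, token-based access the column describes. Dave's grant is only listed because it is new, which is what a weekly review of recently authorized apps should surface.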

4. Lateral phishing.

Lateral phishing has also gained momentum. It lets attackers leverage a compromised internal account to target employees within the same organization.

Messages originating from legitimate internal accounts carry inherent trust. They pass authentication checks, appear familiar to recipients, and often mirror normal communication patterns. Once inside the environment, attackers can use these trusted identities to expand their access, escalate privileges, and move deeper into the organization.

This shift reflects a broader change in attacker priorities. Rather than focusing solely on initial access, many adversaries now prioritize persistence and post-compromise expansion. We can protect against lateral phishing by monitoring external threats and internal behavior patterns to detect anomalies such as unusual messages, security alerts, or links that may indicate a compromised user.
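Because lateral phishing arrives from a genuine internal account and passes authentication, the useful signal is the sender's departure from their own history rather than anything in the headers. The script below is an added example, not the article's or Abnormal AI's code: it builds a per-sender baseline from a constructed send log and scores a new message on three indicators (recipients the sender has never written to, a recipient count far above the sender's norm, and a link paired with urgency language). The thresholds and the log entries are assumptions for illustration.

```python
"""Score internal mail against each sender's own communication baseline.

Added example. The send log is constructed: each entry is
(sender, recipients, has_link, subject). In production the baseline would
come from the mail gateway's historical logs and the thresholds would be tuned.
"""
import re
from collections import defaultdict

# Subject-line vocabulary typical of credential lures (assumed, tune per environment).
URGENCY = re.compile(r"\b(urgent|immediately|action required|verify|password|expir)", re.I)


def build_baseline(history):
    """Map each sender to the recipients they normally write to and their
    largest observed recipient count for a single message."""
    recipients = defaultdict(set)
    max_rcpts = defaultdict(int)
    for sender, rcpts, _has_link, _subject in history:
        recipients[sender].update(rcpts)
        max_rcpts[sender] = max(max_rcpts[sender], len(rcpts))
    return {s: {"recipients": recipients[s], "max_rcpts": max_rcpts[s]} for s in recipients}


def score_message(baseline, sender, rcpts, has_link, subject):
    """Return the anomaly indicators for one internal message (empty list = normal)."""
    base = baseline.get(sender)
    if base is None:
        return ["no baseline for sender"]  # brand-new account or first ever message
    rcpts = set(rcpts)
    indicators = []
    never_contacted = rcpts - base["recipients"]
    if rcpts and len(never_contacted) / len(rcpts) >= 0.5:
        indicators.append(f"{len(never_contacted)} of {len(rcpts)} recipients never contacted before")
    if len(rcpts) > 3 * base["max_rcpts"]:
        indicators.append(f"recipient count {len(rcpts)} far above usual max {base['max_rcpts']}")
    if has_link and URGENCY.search(subject):
        indicators.append("link plus urgency language in subject")
    return indicators


# Constructed history: alice normally writes to bob and carol, at most two at a time.
HISTORY = [
    ("alice@example.com", ["bob@example.com"], False, "Q2 budget"),
    ("alice@example.com", ["bob@example.com", "carol@example.com"], True, "Meeting notes"),
    ("bob@example.com", ["alice@example.com"], False, "Re: Q2 budget"),
]

# Constructed messages to score: one that looks like post-compromise lateral phishing, one routine.
SUSPICIOUS = (
    "alice@example.com",
    ["dave@example.com", "erin@example.com", "frank@example.com", "grace@example.com",
     "heidi@example.com", "ivan@example.com", "judy@example.com"],
    True,
    "Urgent: verify your access to the shared document",
)
BENIGN = ("alice@example.com", ["bob@example.com"], False, "Lunch Friday?")


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", score_message(baseline, *msg) or "no indicators")
```

A single indicator is weak evidence on its own; the value comes from stacking them, and from routing a hit to the account-compromise playbook (session revocation, password reset, sent-items review) rather than only quarantining the one message.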

5. AI-generated payroll fraud.

Payroll fraud has existed for years, but the level of automation and personalization attackers can now achieve has changed. Generative AI has dramatically increased the effectiveness of these social engineering attacks in which attackers impersonate employees to redirect direct deposits.

Attackers use AI-driven research tools to quickly identify who manages payroll within an organization and which employees to impersonate. Generative AI can then produce highly convincing messages that mimic an individual’s tone and communication style.

The resulting emails often contain no links, malware, or obvious technical indicators. Instead, they present routine administrative requests, such as asking payroll staff to update direct deposit information. Because these messages blend seamlessly into normal workflows, they can evade both traditional security tools and employee suspicion.

Defenders now need to implement verification processes for sensitive financial changes and deploy security technologies that can analyze identity context, communication patterns, and behavioral anomalies.
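The verification process this section calls for, and the vendor-relationship and approval-pattern validation called for under thread-spoofed vendor impersonation, come down to the same control: any emailed request to change where money goes is held for out-of-band confirmation, and the message is checked against what the organization already knows. The script below is an added example, not the article's or Abnormal AI's code. It triages a message for bank-detail or direct-deposit changes, then checks the display name against an employee directory, the Reply-To domain against the From domain, the sender domain against known vendor domains for lookalikes, and any quoted internal correspondence against the Message-IDs the mail store has actually seen. The directories, message samples and the edit-distance threshold are constructed assumptions.

```python
"""Gate bank-detail and direct-deposit change requests behind verification.

Added example. The employee directory, vendor domains, known Message-IDs
and sample messages are constructed; the lookalike check is a plain
edit-distance heuristic with an assumed threshold of 2.
"""
import re
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAIN = "example.com"
EMPLOYEE_DIRECTORY = {"Jane Doe": "jane.doe@example.com", "Raj Patel": "raj.patel@example.com"}
VENDOR_DOMAINS = {"Acme Supply": "acme-supply.com"}
# Message-IDs the organization's mail store has seen (constructed).
KNOWN_MESSAGE_IDS = {"<20240410.1@acme-supply.com>", "<20240411.7@example.com>"}

# "update my direct deposit", "new banking details", "change the routing number" ...
CHANGE_REQUEST = re.compile(
    r"\b(update|updated|change|new)\W+(?:\w+\W+){0,3}(bank|banking|direct deposit|account|routing|remittance)",
    re.I,
)
# A quoted header line claiming to be from an internal address.
QUOTED_INTERNAL = re.compile(r"^From: .*@" + re.escape(INTERNAL_DOMAIN), re.I | re.M)


@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str
    in_reply_to: Optional[str] = None


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(dom: str, known: str) -> bool:
    return dom != known and edit_distance(dom, known) <= 2


def triage(msg: Message, known_ids):
    """Return (decision, reasons). Every change request is at least 'verify-out-of-band';
    one with additional red flags becomes 'hold-and-escalate'."""
    if not CHANGE_REQUEST.search(msg.subject + " " + msg.body):
        return "not-a-change-request", []
    # Policy: money-movement changes are never applied on the strength of an email alone.
    reasons = ["financial detail change requested by email"]
    sender_dom = domain(msg.from_addr)
    expected = EMPLOYEE_DIRECTORY.get(msg.from_name)
    if expected and msg.from_addr.lower() != expected:
        reasons.append(f"display name '{msg.from_name}' does not match directory address {expected}")
    if msg.reply_to and domain(msg.reply_to) != sender_dom:
        reasons.append("Reply-To domain differs from From domain")
    for vdom in VENDOR_DOMAINS.values():
        if is_lookalike(sender_dom, vdom):
            reasons.append(f"sender domain {sender_dom} resembles vendor domain {vdom}")
    # A fabricated thread quotes internal approval that the mail store never saw.
    if QUOTED_INTERNAL.search(msg.body) and msg.in_reply_to not in known_ids:
        reasons.append("quoted internal correspondence cannot be matched to any stored message")
    decision = "hold-and-escalate" if len(reasons) > 1 else "verify-out-of-band"
    return decision, reasons


# Constructed samples.
PAYROLL_REQUEST = Message("Jane Doe", "jane.doe@mail-example.net", None, "Direct deposit update",
                          "Hi, I switched banks and need you to update my direct deposit before Friday's payroll run. Thanks!")
VENDOR_REQUEST = Message("Acme Supply Billing", "ar@acme-supp1y.com", None,
                         "RE: Invoice 4471 - new banking details",
                         "Per the approval below, please remit to the new account.\n\n"
                         "From: Raj Patel <raj.patel@example.com>\nApproved, please proceed.",
                         in_reply_to="<20240502.9@acme-supp1y.com>")
LEGIT_REQUEST = Message("Jane Doe", "jane.doe@example.com", None, "Direct deposit",
                        "Could you update my direct deposit to my new credit union account? Details attached.")
UNRELATED = Message("Raj Patel", "raj.patel@example.com", None, "Lunch Friday?", "Are we still on for noon?")

if __name__ == "__main__":
    for label, m in (("payroll", PAYROLL_REQUEST), ("vendor", VENDOR_REQUEST),
                     ("legit", LEGIT_REQUEST), ("unrelated", UNRELATED)):
        print(label, "->", triage(m, KNOWN_MESSAGE_IDS))
```

Note that the legitimate request from the real employee still comes back as `verify-out-of-band`: the point of the control is that a phone call to a number already on file, not the email, authorizes the change, so an AI-written message that matches the employee's tone perfectly gains nothing.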

These five attack types all exploit trust, identity, and routine business processes rather than technical vulnerabilities.

Closing the gap requires security strategies that go beyond traditional security tools to focus on behavior and context. Platforms that analyze identity relationships, communication patterns, and workflow anomalies can detect subtle signals that reveal malicious intent even when a message appears legitimate.

Business email will continue to serve as the central nervous system of modern organizations—and as long as it does, attackers will target it.

Mick Leach, Field CISO, Abnormal AI
