Mick Leach at Abnormal AI argues that Zero Trust principles should be extended to human interactions

Businesses have never spent more on keeping attackers out. Layered defences, verified access, and sophisticated monitoring tools have made the network perimeter harder to breach than ever.
Yet the costliest attacks on businesses today don’t breach those defences. Instead, they walk straight past them by exploiting something no firewall can secure: the trust between people.
A supplier chasing an overdue invoice. A colleague requesting an urgent payment approval. An executive confirming a wire transfer. These interactions happen hundreds of times a day in every organisation; they are the background hum of normal operations, and few people give them a second thought.
That implicit trust has become the greatest weapon in the cyber-attacker’s arsenal.
Precision attacks on trusted connections
There is a truly staggering volume of malicious email targeting business inboxes today, with automated tools and AI enabling attackers to reach an industrial scale of production.
But the scale alone isn’t why so many attacks are succeeding. After analysing more than 159 million email attacks detected across our customer base in the second half of 2025, we found that it’s precision, not volume, that is the defining characteristic.
More attackers are investing in understanding their targets. They study communication norms, map vendor relationships, and mirror the approval workflows their targets use every day. Again, automated tools have made this level of research far more accessible.
The result is malicious messages that are increasingly indistinguishable from routine business correspondence, giving their targets little reason to doubt what they’re seeing.
Of the business email compromise attacks we analysed, 39% impersonated colleagues, executives, or internal departments. A further 61% involved vendor or partner impersonation – fake invoices, fraudulent payment requests, and procurement approaches engineered to look exactly like the supplier communications finance teams process daily.
For larger organisations with over 50,000 employees, we also found a greatly increased risk of account takeovers. Nearly a quarter (23%) of business email compromises here originated from genuinely compromised internal accounts. These lateral attacks pass every possible authentication check because, technically, nothing is wrong: the account and its credentials are genuine.
It’s the ultimate weapon against defences designed around establishing identity and trust.
Driving a wedge into Zero Trust
Zero Trust has become one of the most popular approaches to enterprise security, built on the simple premise of ‘assume nothing, verify everything’. Applied to networks and infrastructure, it has transformed how organisations manage access – nobody gets in simply because they were already inside.
As most organisations have implemented it, Zero Trust stops at the system boundary. It governs which devices can connect to networks, application access permissions, and the legitimacy of login attempts. What it doesn’t govern is the relational layer – the web of human relationships, communication habits, and working patterns that constitute how business actually gets done.
The growing number of lateral emails we identified as originating from compromised accounts sidesteps network-identity controls altogether, Zero Trust included.
That gap is widening. AI-powered impersonation now enables attackers to replicate not just a sender’s identity, but their tone, their context, and their timing. The informal judgment employees have historically relied on is no longer a reliable defence. Employees must be supported by systems that can consistently identify attempts to exploit their trust.
So how do we bring the precise, logical authentication of Zero Trust to something as imprecise as human interactions?
Extending Zero Trust to the human layer
Bringing trust back to the inbox means applying the same rigour to communication that organisations already apply to access. It means moving beyond verifying who a message claims to be from, to understanding whether it behaves as expected, in the context it arrives, at the time it appears.
There are three main components needed here. First are behavioural baselines that establish what normal communication looks like across every employee, vendor, and partner relationship. This is combined with contextual analysis that interrogates the request itself rather than just the sender. Finally, we need intent modelling that identifies social engineering even when the message is technically flawless.
None of this is achievable at the speed and volume of modern business without AI. Human judgment, however well-trained, cannot process the contextual signals embedded in thousands of daily communications.
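The following is an added example, not Abnormal AI’s code or product logic, showing the three components above in their simplest workable form: behavioural baselines learned per sender-recipient relationship from a constructed message history, contextual analysis of the request the message carries (payment details, amounts), and a deliberately crude intent check that stands in for the model-based analysis the article refers to. All addresses, account identifiers and messages are invented. The scorer assumes the sender has already passed authentication, which is exactly the account-takeover case the article describes: the message is still held because it behaves wrongly, not because the login was wrong.

```python
# Added example (not Abnormal AI's code): a toy "verify every communication" scorer.
# All senders, bank identifiers and message texts below are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
import re


@dataclass
class Message:
    sender: str
    recipient: str
    hour: int                           # local hour of day (0-23) at which it was sent
    subject: str
    body: str
    bank_account: Optional[str] = None  # payment details carried by the message, if any
    amount: Optional[float] = None


@dataclass
class Baseline:
    """What 'normal' looks like for one sender -> recipient relationship."""
    count: int = 0
    hours: set = field(default_factory=set)
    bank_accounts: set = field(default_factory=set)
    payment_requests: int = 0
    max_amount: float = 0.0


# Crude intent signals; keywords stand in for the model a real system would use.
URGENCY = re.compile(r"\b(?:urgent|immediately|asap|today|right away|confidential|do not (?:call|phone))\b", re.I)
PAYMENT = re.compile(r"\b(?:wire|transfer|invoice|payment|bank details|account number)\b", re.I)


def build_baselines(history):
    """Behavioural baselines: learn each relationship's hours, payment habits and amounts."""
    baselines = defaultdict(Baseline)
    for m in history:
        b = baselines[(m.sender, m.recipient)]
        b.count += 1
        b.hours.add(m.hour)
        if m.bank_account:
            b.payment_requests += 1
            b.bank_accounts.add(m.bank_account)
        if m.amount:
            b.max_amount = max(b.max_amount, m.amount)
    return dict(baselines)


def score_message(msg, baselines):
    """Score one message; the sender is assumed to have passed authentication already."""
    score, reasons = 0, []
    b = baselines.get((msg.sender, msg.recipient))
    text = f"{msg.subject} {msg.body}"
    is_payment = msg.bank_account is not None or bool(PAYMENT.search(text))

    # 1. Behavioural baseline: does this relationship exist, and is the timing normal?
    if b is None:
        score += 3
        reasons.append("no prior correspondence between this sender and recipient")
    elif msg.hour not in b.hours and all(abs(msg.hour - h) > 2 for h in b.hours):
        score += 2
        reasons.append(f"sent at {msg.hour:02d}:00, outside this relationship's usual hours")

    # 2. Contextual analysis: interrogate the request itself, not just the sender.
    if is_payment:
        if b is None or b.payment_requests == 0:
            score += 3
            reasons.append("payment request in a relationship that never carried one")
        if b is not None and msg.bank_account and b.bank_accounts and msg.bank_account not in b.bank_accounts:
            score += 4
            reasons.append("bank details differ from every account previously used")
        if b is not None and msg.amount and b.max_amount > 0 and msg.amount > 2 * b.max_amount:
            score += 2
            reasons.append(f"amount {msg.amount:.0f} is more than double the previous maximum")

    # 3. Intent modelling: pressure and secrecy language, even when the message is otherwise clean.
    hits = URGENCY.findall(text)
    if hits:
        score += min(len(hits), 3)
        reasons.append("pressure language: " + ", ".join(sorted(set(h.lower() for h in hits))))

    verdict = "hold for out-of-band verification" if score >= 6 else "warn" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


HISTORY = [  # constructed history for two relationships; every value here is invented
    Message("cfo@example.com", "ap@example.com", 9, "Budget", "Thoughts on the Q2 budget?"),
    Message("cfo@example.com", "ap@example.com", 14, "Approvals", "Approved the batch you sent."),
    Message("cfo@example.com", "ap@example.com", 16, "Invoice 1180", "Please pay invoice 1180.",
            bank_account="GB-CONSTRUCTED-001", amount=12000.0),
    Message("billing@supplier.example", "ap@example.com", 10, "Invoice 4470", "Invoice attached.",
            bank_account="GB-CONSTRUCTED-VENDOR", amount=4500.0),
    Message("billing@supplier.example", "ap@example.com", 11, "Invoice 4471", "Invoice attached.",
            bank_account="GB-CONSTRUCTED-VENDOR", amount=5200.0),
]
BASELINES = build_baselines(HISTORY)

# Routine request from the CFO's real account during normal hours.
ROUTINE_MSG = Message("cfo@example.com", "ap@example.com", 10, "Q3 numbers",
                      "Can you send me the Q3 spend summary?")
# The same real account after a takeover: authentication passes, behaviour does not.
TAKEOVER_MSG = Message("cfo@example.com", "ap@example.com", 2, "Urgent wire",
                       "Need an urgent transfer today to close the deal. Please do not call, I am in a board meeting.",
                       bank_account="GB-CONSTRUCTED-NEW", amount=48000.0)
# A lookalike vendor domain with no history asking for changed bank details.
LOOKALIKE_VENDOR_MSG = Message("billing@supplier-example.com", "ap@example.com", 10,
                               "Invoice 4472 - updated bank details",
                               "Our bank details have changed for this invoice.",
                               bank_account="GB-CONSTRUCTED-NEW", amount=4900.0)

if __name__ == "__main__":
    for m in (ROUTINE_MSG, TAKEOVER_MSG, LOOKALIKE_VENDOR_MSG):
        print(m.sender, "->", score_message(m, BASELINES))
```

The routine message scores 0 and is delivered; the takeover message is held (off-hours timing, new bank details, an amount far above the baseline and pressure language all count against it) even though nothing about the account’s authentication is wrong; the lookalike vendor is held on context alone, because a payment request from a sender with no relationship history is treated as unverified rather than trusted by default.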
Reestablishing a trusted inbox must be a top priority
Trust is one of the most important assets in any business. It underpins everything from the most casual internal email to critical partner contracts that will define the company’s future.
The question for every business leader is straightforward. If you apply rigorous verification to ensure trust in every system your organisation relies on, why not take the same approach to every communication? The attackers exploiting that inconsistency already know the answer. It’s time security strategies caught up.
The full data behind these findings is in Abnormal AI’s 2026 Attack Landscape Report, and is worth a read if you want to understand the scale of what your teams are facing.
Mick Leach is Field CISO at Abnormal AI

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543