The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface
Abnormal AI report shows attackers shift from technical exploits to behavioral targeting via phishing, BEC, and vendor
Summary
Analysis of 800,000 email attacks across 4,600+ organizations reveals attackers are abandoning technical exploits in favor of sophisticated behavioral and social engineering tactics. The study identifies phishing (58%), business email compromise (11%), and vendor email compromise as primary attack vectors, with attackers using redirect chains, link shorteners, and carefully crafted pretexts that blend into legitimate organizational workflows. The trend highlights how trusted relationships and routine processes have become the newest attack surface, with defensive AI recommended as a key countermeasure.
Full text
You can no longer recognize a phishing email by simply counting the typos. And you will get caught if you simply respond to a genuine-looking email without thinking.

Analysis of almost 800,000 email attacks across more than 4,600 organizations shows attackers moving away from exploiting technical vulnerabilities in favor of targeting behavioral and organizational weaknesses. In short, email attackers are now targeting their victims with tailored tactics that exploit trusted relationships and routine workflows.

The three primary email attack methods are phishing, business email compromise (BEC) and vendor email compromise (VEC). Phishing remains predominant, accounting for 58% of all attacks. BEC comprises 11% of attacks, while VEC (a subtype of BEC) accounts for more than 60% of all BEC attacks. Details are provided in Abnormal AI’s 2026 Attack Landscape Report.

Phishing varies by target. File-sharing lures are concentrated on industries and roles where document exchange is common and expected. Brand impersonation aligns with the complexity of the target’s software footprint. In both cases, the lure is designed to blend into the workflows and tools that employees use. “The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” says the report.

More than 20% of phishing attacks use redirect chains to obscure the final malicious page from both users and their security tools. Just over 10% of these use link shorteners, with tinyurl (31.6%) and t.co (26.6%) dominating. Tinyurl is a free service, while t.co is automatically and freely applied by X/Twitter to outbound links. In both cases the URL can appear legitimate and security teams are reluctant to impose automatic blocks.

BEC is less frequent, involves more attacker craftsmanship, and is more impactful.

BEC and VEC are less frequent but potentially more impactful than phishing. (BEC targets employees within an organization, while VEC relies on a compromised vendor account to then target the vendor’s customers or suppliers.)

In BEC, VIP impersonation is used in 43% of attacks at small enterprises, but only 7% at large enterprises. Lateral attacks within an organization, where one compromised account targets another account, are the reverse: less than 1% at small organizations rising to more than 23% in large organizations. Noticeably, higher education is especially susceptible to such lateral attacks, where 33% of the BEC attacks are lateral, “highlighting,” writes Abnormal, “how open, high-turnover environments create ideal conditions for internal spread.”

[Image credit: Abnormal AI] The precise methodology used in a BEC attack changes with the size of the company: lateral compromise is effectively nil in small companies, increasing with the size of the company; while VIP/executive impersonation decreases with the size of the company.

Nearly 40% of all BEC attacks exploit the trust employees place in colleagues, executives, and internal departments. Forty-five percent of these attacks impersonate a named non-executive colleague. Generic impersonations (“the fake IT helpdesk notice, the HR benefits update, the payroll system alert”) follow at 36.7%. These succeed, comments Abnormal, “because employees are conditioned to act on communications from internal systems without scrutinizing who actually sent them.”

The VEC subtype of BEC is now more common than BEC personal impersonation itself. Invoice fraud dominates VEC in North America, accounting for 42% of VEC campaigns. In EMEA, procurement-stage pretexts dominate at 41% of campaigns, demonstrating that geographic business practices are incorporated into attack methodologies.

“What makes VEC especially difficult to defend against is that billing and payments are a routine part of the vendor-customer relationship, discussed over email every day. Consequently, malicious messages seemingly from vendors requesting changes to banking information or large fund transfers may not be immediately flagged as suspicious,” warns Abnormal.

What is very clear from Abnormal’s analysis is that the old haphazard, typo-strewn, ungrammatical email attack is now consigned to the bin of history. Today we have finely targeted attack campaigns aimed at common workflows with sophisticated pretexts and evasion.

The report makes no mention of criminal use of AI in this new quality of attack (it would be impossible to quantify), but it is undoubtedly an important element. The report does, however, clearly suggest that defensive use of AI can help defend against this quality of attack.

“Closing that gap requires AI that analyzes identity, context, and content to build behavioral baselines for every employee and vendor in an enterprise’s cloud environment. That’s what makes it possible to flag the moments when an attack tries to pass as business as usual—before an employee ever has the opportunity to engage.”

What is sauce for the goose must definitely be used as sauce for the gander.

Written by Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Indicators of Compromise
- domain — tinyurl.com
- domain — t.co
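
The redirect chains and link shorteners described in the article, as an added triage example (not code from the article or from Abnormal AI's report): it extracts links from a message body, flags shortener hosts, and walks a recorded redirect chain to surface the final host. The `REDIRECTS` map is a constructed stand-in for a sandboxed resolver; the sample message, the `/EXAMPLE` path and every `.example` hostname are also constructed.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts named in the article; extend from your own telemetry.
SHORTENERS = {"tinyurl.com", "t.co"}
MAX_HOPS = 10  # assumption: cap so a long chain cannot stall triage

# Constructed stand-in for a sandboxed resolver: URL -> Location target.
REDIRECTS = {
    "https://tinyurl.com/EXAMPLE": "https://tracker.example/r?id=7",
    "https://tracker.example/r?id=7": "https://files.example/login",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def resolve_chain(url, redirects=REDIRECTS):
    """Follow recorded redirects; return (chain, looped)."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= MAX_HOPS:
        nxt = redirects[chain[-1]]
        if nxt in chain:           # redirect loop: stop and report it
            return chain, True
        chain.append(nxt)
    return chain, False

def triage(body):
    """One finding per link: shortener use, hop count, final host."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")    # drop sentence punctuation
        chain, looped = resolve_chain(url)
        hosts = [host(u) for u in chain]
        findings.append({
            "url": url,
            "shortener": hosts[0] in SHORTENERS,
            "hops": len(chain) - 1,
            "final_host": hosts[-1],
            "host_changed": hosts[0] != hosts[-1],
            "looped": looped,
        })
    return findings

# Constructed sample message body.
SAMPLE = ("Your shared document is ready: https://tinyurl.com/EXAMPLE. "
          "Policy is at https://intranet.example/policy")
```

The flags are triage signals rather than verdicts: both shorteners also carry legitimate traffic, which is why the article notes that teams are reluctant to block them outright.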