Stopping Intellectual Property Theft Through AI Email Security
Email is a top channel for intellectual property theft. See how phishing, BEC, and insider threats exploit it — and how behavioral detection closes the gap.
May 23, 2026
Intellectual property theft poses a serious and growing risk to U.S. companies, threatening both financial performance and operational stability. Source code, product designs, trade secrets, and strategic plans are all potential targets.
Yet one of the most common channels for this theft remains dangerously underprotected.
Email is identified as the attack vector in 27% of breaches, second only to web applications, with phishing appearing in 14% of breach cases. Every day, sensitive files move through inboxes that legacy security tools were never designed to fully protect, which leaves organizations exposed to both external attackers and insider threats operating in plain sight.
Understanding how these email-based attacks work and where traditional defenses fall short can help security teams close the gap before critical IP walks out the door.
Key Takeaways
- Email supports both the start of intellectual property theft through phishing and account compromise and the exit of data through insider forwarding and covert mailbox rules.
- A NIST draft indicates that traditional secure email gateways (SEGs) and rule-based data loss prevention (DLP) often struggle because proprietary data frequently lacks the structured patterns these tools require.
- The same NIST draft supports using behavioral baselines that track communication patterns, recipient relationships, and timing shifts to surface activity that static rules can miss.
- A layered defense combining email authentication, DLP, behavioral analytics, and a formal insider threat program can provide stronger protection against IP theft via email.
Why Email Matters in Intellectual Property Theft
Email matters in intellectual property theft because it can support access, collection, and exfiltration in the same workflow. Attackers use it to gain initial access through phishing and credential harvesting, and insiders use it to move proprietary data out of the organization.
This creates a challenge that many security architectures do not fully address. In practice, secure email gateways (SEGs) focus primarily on inbound threat detection, while data loss prevention (DLP) focuses on content classification at the boundary. That separation can leave gaps when the same channel supports both compromise and data theft.
The problem spans multiple motivations and techniques:
- Nation-state operators can use phishing to reach employees with access to valuable research or product data.
- Compromised business accounts can be used to request sensitive files under a routine pretext.
- Insiders can forward files or messages to personal accounts during periods of elevated risk.
- Hidden forwarding rules can quietly continue collecting sensitive mail after the initial compromise.
How Attackers Steal Intellectual Property Through Email
Attackers usually steal intellectual property through a small set of repeatable email-based patterns. These patterns exploit weaknesses in how organizations protect sensitive data and how users trust familiar email workflows.
Spear Phishing and Credential Harvesting
Spear phishing remains a common way to start an IP theft campaign. Attackers identify employees with access to valuable IP repositories, then send crafted messages containing malicious attachments or credential-harvesting links. A CISA advisory documents Chinese state-sponsored actors using spearphishing campaigns with domain typosquatting and social engineering lures tailored to specific targets.
Once credentials are captured, the attacker can authenticate to corporate email, SharePoint, and cloud storage to download IP-containing files. MITRE T1566.002 describes consent phishing that uses OAuth authorization links to grant persistent application-level access without requiring the user's password on subsequent visits. In that sequence, the email account becomes both the delivery mechanism and the gateway to broader data access.
Business Email Compromise for IP Extraction
Business email compromise (BEC) can also be used to extract intellectual property. An attacker compromises or spoofs an executive's email account and sends a targeted request to an employee with IP access, asking for design specifications or product documentation under a business pretext.
The employee replies with sensitive documents attached, and the email passes authentication checks because it appears to come from a legitimate or convincingly spoofed account.
This matters because the request can look operationally normal:
- The sender appears to be a known executive or business stakeholder.
- The content aligns with routine document-sharing workflows.
- The requested files may not trigger content-based controls if they are unstructured.
That combination can allow a socially engineered request to blend into legitimate traffic.
Insider Email Exfiltration
Insider misuse remains one of the clearest email-based paths for IP theft. Email forwarding remains a common exfiltration method, including sending to personal accounts, competitors, or foreign governments.
These insiders are typically scientists, engineers, or programmers who steal assets they created and already had permission to access.
This pattern often combines authorized access with suspicious timing. Because the employee is already permitted to handle the material, the misuse is hard to distinguish from routine work until the surrounding behavior changes.
Covert Forwarding Rules and Mailbox Harvesting
Mailbox forwarding rules can turn a compromised account into a quiet exfiltration channel. After compromising an email account, attackers can create hidden inbox rules that automatically forward copies of incoming emails to an external address. This approach works well for sustained, passive collection from a single mailbox.
When attackers need broader access, they can move beyond forwarding rules to direct mailbox harvesting. The APT29 profile documents harvesting emails from targeted mailboxes within compromised Azure AD tenants using Exchange Web Services API requests. The cited activity focused on executives and IT staff to collect sensitive discussions, product specifications, and M&A communications.
Supply Chain Email Compromise
A trusted third party can also become the email path to sensitive data. When attackers compromise a vendor's email account, they can reduce human suspicion and slip past reputation-based filtering.
The Cloud Hopper testimony describes a campaign in which spear phishing emails sent to managed service provider employees led to provider compromise and then lateral movement into client networks across multiple sectors.
Why Traditional Email Security Misses IP Theft
Traditional email security often misses IP theft for three main reasons discussed below.
Static Rules Cannot Classify Unstructured IP
Static classification works best when sensitive data matches known patterns. Standard DLP systems typically operate on binary policy logic: data either matches a configured rule, such as a regex pattern, fingerprint, or keyword list, or it does not.
A proprietary algorithm emailed as a Python script can look syntactically similar to any other Python script. A competitive analysis sent as plain text can resemble ordinary business correspondence. Much enterprise IP may never be formally classified as confidential in the DLP sense. This leaves organizations exposed when they depend on data classification alone.
In practice, the gap usually appears in a few places:
- Source code and technical notes often do not map cleanly to fixed patterns.
- Plain-text strategy documents may look like ordinary correspondence.
- Sensitive information may be validly accessed by the sender, making context more important than content alone.
Point-in-Time Scanning Lacks Context
Point-in-time inspection can miss patterns that only become visible over time. Most email gateways evaluate each message in isolation, without tracking what's normal for a specific user. An insider who sends repeated attachments just below a policy threshold may never trigger a single alert, even though the broader pattern tells a different story.
This limitation also applies to encrypted attachments. When sensitive files are sent as password-protected archives, the gateway sees an opaque file and has little way to judge whether that behavior is unusual for the sender.
Authorized Accounts Create Blind Spots
Authorized accounts can make malicious activity look routine. Both SEGs and DLP often assume that an authenticated sender is acting within a normal business role.
When that assumption fails through account takeover or insider misuse, these tools may have limited ways to assess intent independently. CERT insider-threat research shows why this is difficult: insiders can steal IP during normal working hours because they already have approved access, which makes legitimate use and misuse harder to distinguish.
How Behavioral Detection Improves IP Protection
Behavioral detection improves IP protection by helping teams find shifts in email activity that isolated message inspection may miss. That makes it useful for identifying timing changes, new recipient patterns, and unusual attachment behavior linked to IP loss.
Establishing Per-User Baselines
Per-user baselines can help teams spot unusual email activity tied to IP loss. Behavioral AI helps build a picture of each user's typical activity, including who they communicate with, how often they send messages, when they send them, and what kinds of attachments they use.
Those patterns help define what normal email behavior looks like for that individual. Deviations such as a spike in outbound attachments, contact with previously unseen external domains, or off-hours file transfers can then stand out for review.
Detecting Pre-Departure Drift
Pre-departure activity can create a visible shift in email behavior. A high-risk period before resignation may appear as increased forwarding of internal communications to personal addresses, emailing documents outside normal functional scope, and unusual after-hours activity with attachments. No single email event needs to trigger a policy threshold for the pattern to matter. Longitudinal analysis can make the shift easier to recognize.
Signals worth reviewing in this period can include:
- New personal or external recipients receiving internal material.
- A change in the volume or timing of attachment sends.
- Messages involving documents outside the sender's usual role.
Surfacing Relationship Changes
Recipient and sharing changes can reveal suspicious IP movement even when content looks ordinary. Behavioral approaches can model regular sharing partners, common file types, and expected interaction frequency. When a finance employee shares models with a regular external auditor, that may fit a normal workflow.
When the same employee shares engineering IP with a previously uncontacted domain, the relationship change can surface even if the file is not formally classified. This kind of directional analysis can help catch exfiltration attempts that broad external-sharing rules may miss or flood with false positives.
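The per-user baseline, pre-departure drift and relationship-change signals described above, as an added example (not code from the article or from Abnormal's product): it profiles one user over a constructed training window, then compares a recent window and flags new external domains, an attachment-volume spike built from messages that each stay under a hypothetical 10 MB DLP size rule, and an off-hours shift. Domains, thresholds and the log format are assumptions.

```python
from collections import Counter
from datetime import datetime

ORG_DOMAINS = {"example.com"}   # assumed internal domains
NIGHT_START, DAY_START = 20, 7  # 20:00-07:00 treated as off-hours (assumed)

# Constructed outbound mail log, not from the article: (sender, recipient, timestamp, attachment bytes).
BASELINE_LOG = [  # a quiet training window
    ("bob@example.com", "pm@example.com", "2026-03-02T09:10:00", 300_000),
    ("bob@example.com", "ci@example.com", "2026-03-03T14:20:00", 0),
    ("bob@example.com", "auditor@partner-audit.com", "2026-03-05T11:00:00", 2_000_000),
    ("bob@example.com", "qa@example.com", "2026-03-09T16:45:00", 150_000),
    ("bob@example.com", "pm@example.com", "2026-03-12T10:05:00", 400_000),
]
RECENT_LOG = [  # every attachment stays under a hypothetical 10 MB DLP size rule
    ("bob@example.com", "bob.home@freemail.example", "2026-04-01T22:10:00", 9_500_000),
    ("bob@example.com", "bob.home@freemail.example", "2026-04-01T22:40:00", 9_400_000),
    ("bob@example.com", "bob.home@freemail.example", "2026-04-02T23:05:00", 9_800_000),
    ("bob@example.com", "pm@example.com", "2026-04-02T09:30:00", 250_000),
]

def profile(rows, user):
    """One user's outbound picture: external recipient domains, mean attachment bytes per active day, off-hours share."""
    ext, per_day, off, n = set(), Counter(), 0, 0
    for sender, rcpt, ts, size in rows:
        if sender != user:
            continue
        n += 1
        dom = rcpt.rsplit("@", 1)[1].lower()
        if dom not in ORG_DOMAINS:
            ext.add(dom)
        per_day[ts[:10]] += size  # attachment bytes per calendar day
        off += not (DAY_START <= datetime.fromisoformat(ts).hour < NIGHT_START)
    return {"ext_domains": ext, "bytes_per_day": sum(per_day.values()) / max(len(per_day), 1),
            "off_hours_ratio": off / max(n, 1)}

def drift_findings(baseline, recent):
    """Signals where the recent window departs from the baseline (thresholds are illustrative)."""
    findings = []
    new_ext = recent["ext_domains"] - baseline["ext_domains"]
    if new_ext:  # relationship change: domains this user never mailed before
        findings.append(("new_external_domain", sorted(new_ext)))
    if recent["bytes_per_day"] > 3 * max(baseline["bytes_per_day"], 1):
        findings.append(("attachment_volume", round(recent["bytes_per_day"] / baseline["bytes_per_day"], 1)))
    if recent["off_hours_ratio"] - baseline["off_hours_ratio"] > 0.3:
        findings.append(("off_hours_shift", round(recent["off_hours_ratio"], 2)))
    return findings
```

No single message in `RECENT_LOG` would trip a size rule, yet the window as a whole departs from the user's baseline on all three axes.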
Controls to Reduce Intellectual Property Theft via Email
A layered defense against IP theft via email works best when controls span authentication, data protection, monitoring, and governance.
Foundation
- DMARC enforcement: Enforce DMARC at a rejecting policy level to reduce domain spoofing used to impersonate internal senders.
- Rule audits: Restrict auto-forwarding rule creation and audit existing rules using Exchange management tools to identify hidden forwarding rules established during prior compromises.
- Email filtering: Use email filtering with macro stripping, URL rewriting, attachment sandboxing, and reputation-based blocking as a baseline inbound defense layer.
- Mailbox access: Audit mailbox delegation rights and Exchange administrative roles, and restrict privileged email infrastructure administration to dedicated workstations.
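An added example (not the article's or any vendor's code) of the rule audit recommended above, covering the hidden inbox rules described under Covert Forwarding Rules: it reads a constructed JSON export of inbox rules, flags any that forward or redirect outside the organization, and scores how much each rule does to stay unnoticed by the mailbox owner. Field names, domains and the severity thresholds are assumptions; in Exchange Online the export would come from the Get-InboxRule cmdlet.

```python
import json
import re

ORG_DOMAINS = {"example.com"}  # assumed internal domains

# Constructed rule export, not from the article. Field names loosely follow Exchange
# Online's Get-InboxRule output; targets are normalised to plain SMTP addresses here.
RULES_JSON = """[
 {"Mailbox": "cfo@example.com", "Name": "Vendor invoices", "Enabled": true,
  "ForwardTo": ["ap@example.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "DeleteMessage": false, "MarkAsRead": false, "MoveToFolder": null},
 {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": true,
  "ForwardTo": [], "RedirectTo": ["archive-acct@mail-relay.example"], "ForwardAsAttachmentTo": [],
  "DeleteMessage": true, "MarkAsRead": true, "MoveToFolder": "RSS Feeds"},
 {"Mailbox": "eng-lead@example.com", "Name": "Disabled old rule", "Enabled": false,
  "ForwardTo": ["me@oldjob.example"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
  "DeleteMessage": false, "MarkAsRead": false, "MoveToFolder": null}
]"""
TARGET_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def external_targets(rule):
    """Forwarding or redirect targets whose domain is not one of ours."""
    return [addr for field in TARGET_FIELDS for addr in (rule.get(field) or [])
            if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]

def concealment_flags(rule):
    """Traits that hide a rule's effect from the mailbox owner."""
    flags = [name for field, name in (("DeleteMessage", "deletes_original"), ("MarkAsRead", "marks_read"),
             ("MoveToFolder", "moves_to_folder")) if rule.get(field)]
    if not re.search(r"[A-Za-z0-9]{2,}", rule.get("Name") or ""):
        flags.append("non_descriptive_name")  # e.g. "." or "," instead of a real name
    return flags

def audit(rules_json):
    """Rules that send mail outside the org, ranked by how hard they try to stay unnoticed."""
    findings = []
    for rule in json.loads(rules_json):
        ext = external_targets(rule)
        if not ext:
            continue  # internal-only rules are out of scope for this check
        flags = concealment_flags(rule)
        # A disabled external rule may be a leftover from an earlier incident: low, but still worth removing.
        severity = "low" if not rule.get("Enabled") else ("high" if len(flags) >= 2 else "medium")
        findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                         "targets": ext, "flags": flags, "severity": severity})
    return findings
```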
Data Protection
- DLP controls: Tune DLP policies for intellectual property patterns across email, endpoint, and cloud layers.
- TLS guidance: Enforce transport encryption between mail transfer agents to reduce unauthenticated and unencrypted SMTP connections.
- Message encryption: Use S/MIME or OpenPGP for communications involving the most sensitive intellectual property.
- Mailbox encryption: Encrypt mailbox storage and apply least-privilege access controls to mailbox contents.
Governance and Detection
- Insider program: Establish a formal insider threat program with a documented scope that explicitly covers IP theft via email and includes a privacy and civil liberties review for user activity monitoring.
- ATT&CK mapping: Deploy behavioral analytics with detections mapped to email collection, archive creation, and exfiltration techniques.
- Alerting guidance: Configure alerts for large attachment volumes, forwarding rule creation, bulk email to personal or external accounts, and off-hours email activity involving IP-classified data.
- Role-based training: Use training that addresses email-based IP exfiltration scenarios, including spear phishing against R&D personnel and BEC against IP-rich departments.
Protecting IP Requires Better Email Context
Protecting intellectual property over email requires more context than static controls can provide on their own. Static rules can still catch known-bad patterns, while behavioral analysis can help surface unusual recipients, off-hours attachment surges, and gradual shifts in communication behavior that may precede data loss.
For many teams, the practical path is to layer stronger behavioral detection on top of foundational email security controls rather than rely on either approach alone.
For security teams evaluating how to strengthen IP protection across email, Abnormal is designed to help detect the behavioral signals that rule-based tools often miss. Book a demo to see how Behavioral AI applies to your environment.