Email Cybersecurity Threats That Bypass Filters and Human Judgment

Email cybersecurity threats are bypassing traditional defenses. Learn the attack types targeting your inbox and how behavioral AI closes the gaps.

Abnormal AI

May 26, 2026


Email remains one of the most common attack vectors because it reaches employees directly and relies on human judgment rather than technical barriers. With billions of messages exchanged daily, attackers have endless opportunities to embed malicious attachments, craft convincing phishing links, or disguise social engineering as routine correspondence.

This guide covers eight types of email attacks every employee should recognize, from business email compromise (BEC) schemes that exploit authority and urgency to AI-generated phishing that eliminates the grammatical errors people have been trained to spot. Understanding these threats turns the inbox from a vulnerability into a frontline of defense.

Key Takeaways

  • BEC attacks cause billions in annual losses and, because they rely on social manipulation rather than malicious payloads, give rule-based filters little to flag.
  • Adversary-in-the-middle (AiTM) phishing and QR code attacks are systematically bypassing MFA and gateway-level scanning.
  • AI-generated phishing removes traditional detection cues like poor grammar, requiring organizations to shift toward behavioral and contextual detection.
  • Authentication protocols like DMARC, DKIM, and SPF are essential but insufficient against compromised legitimate accounts.
  • Verifying requests through trusted, out-of-band channels remains the single most effective employee-level control.

Why the Inbox Remains Ground Zero for Cyberattacks

Email remains the primary entry point for cybercriminals because it bypasses perimeter defenses and targets individual decision-making. A single message can deliver malicious links, weaponized attachments, or carefully crafted social engineering, turning ordinary communication into a doorway for credential theft or financial fraud.

Attackers favor email for reach and efficiency. One campaign can target thousands of employees simultaneously, while automated tools tailor each message to mimic legitimate correspondence. Unlike hardened network infrastructure, inboxes depend on human judgment under time pressure, and one click is often enough for compromise.

Email also exposes multiple attack surfaces at once. Links may redirect to cloned login pages, attachments can conceal harmful code, and persuasive requests manipulate trust. This combination makes the inbox the earliest and often most decisive battleground for stopping an attack before it spreads laterally across the organization.

How Email Threats Have Outpaced Traditional Defenses

Email threats have grown sophisticated enough to blend seamlessly with routine business communication. Generative AI enables attackers to craft messages with flawless grammar and polished corporate tone. Clone-phishing kits replicate logos, layouts, and error messages from trusted services, while domains differing by a single character appear authentic at first glance.

Technical evasion reinforces visual deception. AiTM proxy pages relay credentials and MFA codes to the real service in real time and capture the session cookie it issues. Compromised employee or vendor accounts distribute emails that pass SPF, DKIM, and DMARC checks, allowing fraudulent requests to appear as standard invoices, HR updates, or project notifications.

Traditional secure email gateways (SEGs) often struggle with these attacks because they rely on signatures and reputation scores. Payload-free social engineering, messages from compromised accounts on legitimate domains, and payloads that are only assembled client-side in the browser all exploit architectural gaps in rule-based inspection. Recognizing how these threats operate is critical for employees and security teams alike.

1. Business Email Compromise and Urgent Request Scams

BEC remains one of the most financially damaging email cybersecurity threats because it weaponizes trust, authority, and urgency instead of relying on malware. The FBI's IC3 Internet Crime Report documented $2.7 billion in adjusted losses from 21,442 BEC complaints, making BEC the second-highest cybercrime type by financial impact.

How BEC Attacks Work

Common scenarios include a “CEO” demanding an urgent wire transfer, a “vendor” submitting revised payment details, or an “HR colleague” requesting payroll changes. Attackers use AI-generated language, spoofed domains, or compromised accounts to make messages indistinguishable from authentic correspondence. Because these emails often contain no malicious content, signature-based scanning has little to inspect.

These scams succeed by creating pressure to act quickly and quietly. Requests framed as confidential, time-sensitive, or “approved at the top” can short-circuit normal validation steps, especially when they arrive in the middle of legitimate-looking threads.

Recognizing and Stopping BEC

Warning signs include high-value requests that bypass approval processes, email addresses with subtle alterations, and instructions to keep the transaction confidential. The safest response is to pause, verify the request through a trusted communication channel, and follow established approval workflows.

Even a brief out-of-band check (for example, calling the requester using a known-good number) can break the attacker’s control of the conversation and prevent costly, irreversible actions.

2. Credential Phishing That Mimics Real Login Pages

Credential phishing works by replicating trusted login portals so convincingly that employees hand over usernames, passwords, and even MFA codes without hesitation.

How Fake Portals Deceive

Attackers copy HTML, CSS, and images from real websites to build near-perfect replicas hosted on look-alike domains. Many display valid HTTPS certificates, exploiting the false belief that the padlock icon guarantees safety. Some campaigns embed QR codes targeting mobile users, while others use AiTM proxies to relay sessions to real services, capturing credentials and authentication codes in real time. Even polished replicas can reveal flaws: unusual URL structures, unexpected requests for additional details, or login prompts that appear at odd times.

Habits That Prevent Credential Theft

Three practices significantly reduce risk:

  • Inspect the entire URL and confirm certificate details before entering credentials.
  • Access key services only through bookmarks or by typing addresses directly.
  • Treat unexpected login prompts or unrequested MFA codes as suspicious and alert security immediately.

Reputation-based filters may have no verdict yet on a domain registered days earlier, and a valid certificate says nothing about who controls the site, so these user habits add critical context when the content looks legitimate.
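
As an added example (not code from the original post), the following Python function applies the "inspect the entire URL" habit mechanically, flagging the structural tricks that make a cloned portal's link look like the real one: a trusted brand name appearing as a subdomain or path segment under someone else's domain, userinfo before an @ sign, punycode labels, raw IP hosts, and plain HTTP. The trusted-brand list, the .example hosts, and the two-label apex approximation are assumptions for illustration; a production check would use the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of brands whose login pages employees use; not from the original post.
TRUSTED_APEX = {"microsoft.com", "okta.com", "example-corp.com"}


def registrable_domain(host: str) -> str:
    """Approximate the apex domain as the last two labels.
    Assumption: no Public Suffix List, so multi-part TLDs (co.uk) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> list[str]:
    """Return structural phishing indicators found in the URL.
    An empty list means no structural trick was found, not that the URL is safe."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not https")

    # https://login.microsoft.com@evil.example/ : text before '@' is userinfo;
    # the browser actually connects to evil.example.
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")

    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass

    # Internationalised labels are encoded as xn--...; a common homoglyph vehicle.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in host")

    apex = registrable_domain(host)
    for brand in sorted(TRUSTED_APEX):
        if apex == brand:
            continue  # genuinely the brand's own domain
        brand_name = brand.split(".")[0]
        # login.microsoft.com.evil.example : brand is a subdomain of another apex.
        if brand_name in host:
            findings.append(f"'{brand_name}' appears in host but apex is {apex}")
        # evil.example/login.microsoft.com/ : brand moved into the path.
        elif brand in parts.path.lower():
            findings.append(f"'{brand}' appears in path under apex {apex}")
    return findings
```

Run it over a link before clicking it, or over every link extracted from an email; the function deliberately reports nothing for the brand's own apex, so a clean result on a bookmarked portal URL is expected.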

3. Adversary-in-the-Middle Attacks That Bypass MFA

AiTM phishing represents a significant escalation in credential theft because it defeats standard multi-factor authentication in real time. Attackers position a reverse-proxy server between the victim and the legitimate authentication service. The victim sees the real login flow, relayed through the proxy; when the user completes the login and MFA challenge, the proxy captures the session cookie the service issues.

With a valid session cookie, the attacker accesses the account without needing the password or MFA code again, and the cookie stays valid until it expires or is revoked, so a password reset alone does not evict them. From there, they can launch internal phishing campaigns, manipulate inbox rules, or exfiltrate data. Phishing-as-a-service (PhaaS) platforms have made this technique available to less sophisticated operators, dramatically increasing its prevalence.

Employees should be wary of login pages reached through email links, even if the page looks identical to their corporate portal. Organizations should move toward phishing-resistant authentication based on FIDO2/WebAuthn, which binds each credential to the legitimate origin so that an assertion produced on a proxy's look-alike domain is not valid for the real service.
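
To make the origin-binding point concrete, here is an added Python model (not code from the original post, and not a complete WebAuthn implementation) of the relying-party checks that give FIDO2 its phishing resistance: the browser, not the web page, writes the origin into clientDataJSON and hashes the RP ID into authenticatorData, so an assertion produced while the victim is on an AiTM proxy's look-alike domain is rejected even though the attacker relayed the challenge. The signature check over authenticatorData || SHA-256(clientDataJSON) is deliberately left out so the block runs with the standard library alone; the example-corp.com domains and the make_assertion helper are constructed stand-ins for what a real browser and authenticator produce.

```python
import base64
import hashlib
import json
import os


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             expected_rp_id: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion ceremony that defeat AiTM.
    Signature verification is omitted (see lead-in); a real RP must also do it."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    # The browser fills in 'origin' from the page it is actually on. A proxy on
    # another domain cannot make the authenticator sign over the legitimate origin.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence flag not set"
    return True, "origin and RP binding verified"


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Constructed stand-in for the browser/authenticator output (not real data)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    flags = 0x01 | 0x04  # UP and UV set
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
    return client_data, auth_data


def demo() -> dict:
    rp_id, origin = "example-corp.com", "https://login.example-corp.com"
    challenge = os.urandom(32)  # issued by the RP for this login attempt
    results = {}
    # Legitimate login at the corporate portal.
    cd, ad = make_assertion(origin, rp_id, challenge)
    results["legit"] = verify_assertion_binding(cd, ad, challenge, origin, rp_id)
    # Same challenge relayed through an AiTM proxy on a look-alike domain: the
    # victim's browser records the proxy's origin and RP ID, not the real ones.
    cd, ad = make_assertion("https://login.example-c0rp.com", "example-c0rp.com", challenge)
    results["aitm"] = verify_assertion_binding(cd, ad, challenge, origin, rp_id)
    # Replay of a previously captured assertion against a fresh challenge.
    cd, ad = make_assertion(origin, rp_id, os.urandom(32))
    results["replay"] = verify_assertion_binding(cd, ad, challenge, origin, rp_id)
    return results
```

The contrast with OTP-based MFA is the point: a six-digit code carries no information about where it was typed, so the proxy can relay it unchanged, whereas the WebAuthn assertion carries the origin and RP ID and is useless to the proxy.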

4. Malicious Attachments and HTML Smuggling

Attackers frequently disguise malware inside files that appear routine, making every attachment a potential entry point. Office documents with macros remain a favored method, prompting users to “enable content” that silently executes hidden code. PDFs with embedded scripts, executables masked with double extensions, and compressed archives pose similar risks.

HTML smuggling is a technique where the malicious payload is assembled in the browser, typically from an encoded string in the attachment's JavaScript, after the email has passed gateway inspection. Because the email itself contains only HTML and JavaScript that look benign at the time of scanning, content-based filters may see nothing suspicious. SVG attachments follow a similar pattern: SVG is an XML image format that can carry embedded script, so a file that passes as an image can execute JavaScript when opened.
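
An added example (not code from the original post) of the kind of pre-delivery check that closes this gap: rather than trusting that an HTML attachment is inert at scan time, the scanner does what the browser would do later, pulls the base64 strings passed to atob() out of the markup, decodes them, and classifies the result by its magic bytes. The sample attachment below is constructed for the example; its "payload" is a ZIP local-file-header signature followed by padding, not an archive.

```python
import base64
import re

# File signatures worth recognising once the smuggled bytes are decoded.
MAGIC = [(b"MZ", "Windows executable"), (b"PK\x03\x04", "ZIP archive"),
         (b"%PDF", "PDF"), (b"\x7fELF", "ELF executable")]

# JavaScript constructs HTML smuggling relies on to build and save a file client-side.
SMUGGLING_MARKERS = ["atob(", "new Blob(", "URL.createObjectURL(",
                     "msSaveOrOpenBlob(", ".download =", "download="]

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def analyze_html_attachment(html: str) -> dict:
    """Decode what the page would decode and classify it by magic bytes."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    payloads = []
    for blob in ATOB_RE.findall(html):
        try:
            raw = base64.b64decode(re.sub(r"\s", "", blob), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = next((label for prefix, label in MAGIC if raw.startswith(prefix)), None)
        payloads.append({"bytes": len(raw), "type": kind})
    suspicious = len(markers) >= 2 or any(p["type"] for p in payloads)
    return {"markers": markers, "payloads": payloads, "suspicious": suspicious}


# Constructed sample: a ZIP local-file-header signature plus padding stands in for
# the smuggled file; there is no real archive or malware here.
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + bytes(26) + b"decoy").decode()
SAMPLE_SMUGGLED = """<html><body>Your document is ready.
<script>
var bin = atob("__B64__");
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice.zip";
a.click();
</script></body></html>""".replace("__B64__", _FAKE_ZIP_B64)

SAMPLE_BENIGN = """<html><body><p>Quarterly newsletter</p>
<a href="https://example.com/report">Read the report</a></body></html>"""
```

Attackers split or obfuscate the base64 string to defeat exactly this regex, which is why the marker count is a second, independent signal; a production scanner would execute the script in an instrumented browser rather than pattern-match it.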

Safe handling requires discipline. Here are steps employees can take to reduce risk:

  • Open attachments in protected view when available.
  • Avoid enabling active content (such as macros) without verification.
  • Route suspicious files through endpoint scanners or sandbox environments.
  • Confirm unexpected attachments through a separate channel, such as a direct call to the sender.

These layered steps build defense even when a file evades initial scanning.

5. Account Takeover and Internal Phishing

Once an account is compromised, attackers operate as trusted insiders. They add forwarding rules, register rogue devices, and escalate privileges, often blending into normal communication patterns. Because these attacks leverage valid identities, messages sent from compromised accounts pass authentication checks and bypass external sender warnings.

Internal phishing from a compromised account is particularly dangerous. Colleagues trust emails from known senders, and multiple employees can fall victim within minutes. Post-compromise techniques include inbox rule manipulation, email thread hijacking, unauthorized SharePoint access, and MFA method registration changes.

Early warning signs to watch for include:

  • Unexpected MFA prompts.
  • Logins from unfamiliar devices or locations.
  • New inbox rules that conceal security alerts.
  • Changes to recovery emails.

Even a single anomaly should prompt immediate investigation, a password reset, and revocation of the account's active sessions and tokens, since a password change alone does not invalidate a stolen session. Detection depends on spotting behavioral deviations in how an account is used, not just what content it sends.
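
An added example (not from the original post) showing how the "new inbox rules that conceal security alerts" sign can be checked mechanically across a tenant's rules. The records are constructed, and the field names are an assumed simplification of the properties an Exchange Online inbox rule exposes (name, forwarding targets, subject and body conditions, destination folder, delete and mark-as-read actions); the internal domain, keyword, and folder lists are assumptions a team would tune to its environment.

```python
# Assumed environment data; a real deployment would load these from config.
INTERNAL_DOMAINS = {"example-corp.com"}
SENSITIVE_WORDS = {"password", "security", "alert", "invoice", "payment", "wire",
                   "bank", "mfa", "suspicious", "hacked", "phish"}
# Folders attackers commonly use to park messages the victim never looks at.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}


def assess_inbox_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    name = rule.get("name", "").strip()
    if len(name) <= 1:  # single-character or empty names are a frequent attacker habit
        findings.append("obscure rule name")
    for addr in rule.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    words = {w.lower() for w in rule.get("subject_contains", []) + rule.get("body_contains", [])}
    hits = words & SENSITIVE_WORDS
    hides = bool(rule.get("delete")) or rule.get("move_to_folder", "").lower() in HIDING_FOLDERS
    if hits and hides:
        findings.append(f"hides messages mentioning {sorted(hits)}")
    if rule.get("mark_as_read") and hides:
        findings.append("marks as read and hides (suppresses notifications)")
    return findings


def triage(rules: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(mailbox, rule name, findings) for every rule with at least one finding."""
    flagged = []
    for rule in rules:
        findings = assess_inbox_rule(rule)
        if findings:
            flagged.append((rule["mailbox"], rule.get("name", ""), findings))
    return flagged


# Constructed sample rules (not real mailbox data).
SAMPLE_RULES = [
    {"mailbox": "a.lee@example-corp.com", "name": ".",
     "subject_contains": ["password", "security", "invoice"],
     "delete": True, "mark_as_read": True},
    {"mailbox": "a.lee@example-corp.com", "name": "Vacation",
     "forward_to": ["a.lee@example-corp.com"]},
    {"mailbox": "j.doe@example-corp.com", "name": "Receipts",
     "forward_to": ["finance-archive@mail-backup.example"]},
    {"mailbox": "j.doe@example-corp.com", "name": "Newsletters",
     "subject_contains": ["digest"], "move_to_folder": "Newsletters"},
]
```

Run the triage on a scheduled export of all inbox rules and diff it against the previous run; a rule that appears between runs is far more interesting than one that has existed for a year.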

6. Vendor and Supply Chain Compromise

Vendor compromise turns trusted partner relationships into an email cybersecurity threat that can be hard to spot. Attackers often gain access to a supplier’s mailbox, monitor ongoing threads, and then reply at the exact moment a payment or document exchange is expected.

Fraudulent invoices and altered payment instructions frequently arrive through compromised vendor accounts. Because messages originate from legitimate domains, they pass standard authentication checks and blend into normal correspondence, even when the request is malicious.

Verizon's Data Breach Investigations Report (DBIR) found that third-party involvement in breaches doubled to 30%, underscoring how vendor relationships increasingly serve as attack vectors.

Mitigation requires both process discipline and monitoring. Vendor callbacks confirm payment changes through trusted channels, while anomaly detection helps surface shifts such as unusual sending times, altered reply-to details, or requests that deviate from established vendor norms.
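
As an added example (not code from the original post), here is a triage function that turns the warning signs from the BEC and vendor-compromise sections into checks over a message's headers and body: a Reply-To domain that differs from the From domain, a From domain that is a look-alike of a known vendor, and payment-change language combined with urgency. The known-vendor list, the phrase lists, and the three sample messages are constructed for the example; a production system would tune them and add the sending-time and thread-history signals mentioned above.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed environment data (not from the original post).
KNOWN_VENDORS = {"acme-supplies.com"}
PAYMENT_PHRASES = ("bank details", "new account", "updated account", "wire",
                   "routing number", "iban", "remit")
URGENCY_PHRASES = ("urgent", "immediately", "today", "confidential", "asap")
# Digits and letter pairs attackers swap in to build look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a vendor domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Known vendor this domain imitates, or None (exact vendor domains return None)."""
    if domain in KNOWN_VENDORS:
        return None
    for vendor in KNOWN_VENDORS:
        if normalize(domain) == normalize(vendor) or edit_distance(domain, vendor) <= 2:
            return vendor
    return None


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def analyze_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"] or ""))
    reply_dom = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else from_dom
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    vendor = lookalike_of(from_dom)
    if vendor:
        findings.append(f"From domain {from_dom} is a look-alike of known vendor {vendor}")
    payment = [p for p in PAYMENT_PHRASES if p in body]
    urgency = [u for u in URGENCY_PHRASES if u in body]
    if payment:
        findings.append(f"payment-change language: {payment}")
        if urgency:
            findings.append(f"urgency alongside payment change: {urgency}")
    action = "hold for out-of-band callback" if findings else "deliver"
    return {"from_domain": from_dom, "findings": findings, "action": action}


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """\
From: Accounts Payable <ap@acme-supp1ies.com>
To: finance@example-corp.com
Subject: Re: Outstanding invoice - updated bank details

Please note that our bank details have changed. Send today's wire to the
new account listed below.
"""

SAMPLE_COMPROMISED_VENDOR = """\
From: Accounts Payable <ap@acme-supplies.com>
Reply-To: ap.acme@accounts-mail.example
To: finance@example-corp.com
Subject: Re: Outstanding invoice

Our bank details have changed effective immediately. Please remit the
outstanding balance to the new account below and keep this confidential.
"""

SAMPLE_BENIGN = """\
From: Accounts Payable <ap@acme-supplies.com>
To: finance@example-corp.com
Subject: Signed contract

Attached is the countersigned contract for your records. Thanks.
"""
```

The second sample is the case authentication cannot catch: the From domain is the vendor's real domain and the message would pass SPF, DKIM, and DMARC, so the Reply-To redirection and the payment language are the only signals left. Whatever the tooling reports, the hold action should end in a phone call to a number already on file for the vendor, never one taken from the email.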

7. QR Code Phishing (Quishing)

QR code phishing bypasses email gateway inspection by encoding the malicious URL in an image, which link scanners that parse only text and HTML never decode. Attackers embed QR codes in email bodies or PDF attachments directing recipients to credential harvesting pages, often disguised as MFA setup prompts or document access portals.

This technique is especially effective because scanning a QR code typically opens the link on a personal mobile device, which often has weaker security controls than a corporate laptop. Attackers further obscure the final destination by routing through legitimate URL shorteners or embedding Cloudflare Turnstile verification steps.

Employees should treat QR codes in unexpected emails with the same caution as suspicious links. Preview the URL before navigating, and if an email requests QR-based authentication that was not initiated by the user, verify through a separate trusted channel before proceeding.

8. AI-Generated Phishing Emails

AI-generated phishing eliminates the grammatical errors and awkward phrasing that employees have traditionally relied on to identify suspicious messages.

Beyond text quality, AI enables attackers to personalize messages at scale, referencing specific projects, colleagues, or recent events scraped from public sources. This makes each email appear uniquely relevant to the recipient. AI also accelerates campaign velocity, compressing attack timelines from days to minutes.

The traditional grammar-and-spelling heuristic is no longer reliable. Employees should focus on contextual signals instead: Is this request expected? Does the sender normally communicate this way? Is the ask consistent with established workflows? Verification through a separate channel remains the strongest countermeasure when content alone looks legitimate.

What Email Authentication Controls Can and Cannot Do

SPF, DKIM, and DMARC form the foundation of email authentication and are essential for blocking direct spoofing of your own domain. CISA's Binding Operational Directive 18-01 requires federal agencies to publish a DMARC policy of p=reject, which instructs receiving servers to reject unauthenticated mail that claims the domain, and that remains the target posture for any organization.

However, authentication alone does not protect against compromised legitimate accounts. When an attacker controls a real mailbox, outbound emails pass SPF, DKIM, and DMARC checks because they genuinely originate from the authenticated domain. Nor does it stop look-alike domains: DMARC evaluates only the domain in the visible From header, so an attacker who registers a similar domain and configures SPF and DKIM for it sends mail that passes every check. This is why BEC and vendor compromise attacks succeed despite properly configured authentication, and why organizations need detection approaches that evaluate behavioral context alongside protocol compliance.

Employees should understand that a message passing authentication checks does not guarantee it is safe. Verification of unusual requests through out-of-band channels remains essential, regardless of whether the email appears technically legitimate.
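
An added example (not code from the original post) that does two things. First, it scores a DMARC TXT record for the weaknesses that leave spoofing possible (a monitor-only or partial policy, an unprotected subdomain policy, no reporting address), with a weak record beside a hardened one. Second, it models the alignment test receivers apply, so the limitation stated above is visible in code: a spoof from an unrelated server fails and is rejected, mail from a compromised mailbox passes because it really is signed by the domain, and a look-alike domain the attacker owns passes too, because only the attacker's own DMARC record is consulted. The domains, records, and the two-label organizational-domain approximation are assumptions; a real receiver uses the Public Suffix List and fetches records over DNS.

```python
def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; v=DMARC1 must come first."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a valid DMARC record (v=DMARC1 first and p= required)")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Weaknesses that leave spoofing of the domain or its subdomains possible."""
    t = parse_dmarc(record)
    issues = []
    if t["p"] != "reject":
        issues.append(f"p={t['p']}: spoofed mail is not rejected")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if t.get("sp", t["p"]) != "reject":  # sp defaults to p when absent
        issues.append(f"sp={t.get('sp', t['p'])}: subdomain spoofing not rejected")
    if "rua" not in t:
        issues.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return issues


def org_domain(domain: str) -> str:
    # Assumption: last two labels approximate the organizational domain (no PSL).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def dmarc_disposition(from_domain: str, spf_domain, spf_pass: bool,
                      dkim_domain, dkim_pass: bool, published: dict) -> str:
    """'pass' if SPF or DKIM passed and aligns with the From domain; otherwise the
    disposition from the From domain's own record ('none' if it publishes nothing)."""
    record = published.get(from_domain)
    tags = parse_dmarc(record) if record else {"p": "none"}
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed records: the weak one beside the hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example-corp.com")

# Constructed zone data: the attacker publishes a permissive record for the
# look-alike domain they registered themselves.
PUBLISHED = {"example-corp.com": HARDENED_RECORD, "example-c0rp.com": "v=DMARC1; p=none"}


def scenarios() -> dict:
    return {
        # Header From spoofed, sent from an attacker's MTA with no aligned signature.
        "spoof": dmarc_disposition("example-corp.com", "attacker-mta.example", True,
                                   None, False, PUBLISHED),
        # Compromised mailbox: mail really leaves the tenant, DKIM-signed by the domain.
        "compromised_account": dmarc_disposition("example-corp.com", "example-corp.com", True,
                                                 "example-corp.com", True, PUBLISHED),
        # Attacker-owned look-alike domain with its own SPF and DKIM.
        "lookalike": dmarc_disposition("example-c0rp.com", "example-c0rp.com", True,
                                       "example-c0rp.com", True, PUBLISHED),
    }
```

Moving from the weak record to the hardened one is worth doing (it closes the spoof case outright), but the other two scenarios pass regardless of what you publish, which is the gap the behavioral checks in the previous sections exist to cover.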

How Behavioral AI Strengthens Human Detection

Rule-based email security and authentication protocols address known threat patterns effectively, but they often struggle to detect payload-free social engineering, compromised legitimate accounts, and novel attack techniques that lack known signatures. These gaps leave employees as the last line of defense against threats specifically engineered to look routine.

Abnormal helps close these gaps by layering behavioral AI across cloud email and collaboration platforms like Slack and Teams. By learning how every employee and vendor typically communicates, including who they interact with, when, and in what context, the platform can help surface anomalies that signature-based tools miss, from sudden payment detail changes to unusual login activity tied to internal phishing. Ask for a demo to see how it works.
