Attacks Tailored to Federal Workflows: Agency Insights from Abnormal’s 2026 Attack Landscape Report

Abnormal AI’s 2026 Attack Landscape Report reveals how phishing, BEC, and vendor compromise attacks are tailored to federal agency workflows, procurement processes, and organizational structures.

Yejin Jang

May 26, 2026

Based on analysis of nearly 800,000 attacks spanning 4,600+ organizations, Abnormal AI’s 2026 Attack Landscape Report examines real threats observed across Abnormal's customer base between July and December 2025. The findings converge on a single operational reality: modern email attacks are shaped by the institutions they target. They calibrate to the defensive environment, adapt to organizational structure, and align with the workflows they expect to encounter. For federal agencies, those workflows are often public, well-documented, and procedurally dense, all of which makes them exploitable in specific and predictable ways.

This is not a theoretical concern. Executive Order 14390, Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens, signed on March 6, 2026, acknowledges that cybercrime, including phishing, financial fraud, and impersonation, is frequently carried out by transnational criminal organizations operating with the explicit or tacit approval of foreign governments. The Executive Order frames cybercrime not merely as a financial or reputational risk, but as a national security threat requiring a coordinated federal response that includes law enforcement, diplomacy, and offensive action. The data in this report illustrates the operational specifics of what that threat looks like inside agency inboxes every day.

Phishing Techniques Are Calibrated to the Environment

Email-based attacks do not arrive uniformly. They adjust to the defensive environment, with evasion methods that scale in sophistication alongside the security infrastructure they expect to face. That adaptability has a direct implication for how agencies think about defense: when attacks are designed to blend into legitimate workflows, the signals that distinguish them from normal business communication are behavioral, not technical. A fraudulent notification looks like a real notification. A spoofed document-sharing request reads like a routine one.

Agency employees should use the shift toward more in-person work as an opportunity to put human faces to the names that appear in their inboxes. Familiarity with colleagues makes impersonation harder to pull off. But this alone cannot address the volume of digital communications flowing through an agency on any given day; no one can call to verify the authenticity of every message they receive. What agencies can do is equip their workforce to recognize the specific patterns of attack most likely to appear in their operational context.

File-Sharing Phishing

File-sharing phishing lures concentrate in industries and roles where document exchange is constant and expected. In Abnormal's data, finance and accounting roles see file-sharing phishing at 25.1% of all phishing, roughly double the 12.4% sample average. Legal and compliance follows at 21.4%, and sales and business development at 17.4%.

These roles do not map one-to-one to federal job classifications, but the underlying vulnerability does. Agency roles that depend heavily on external document exchange, including procurement, acquisition, legal, policy development, and grant management, should recognize that file-sharing phishing lures are calibrated specifically for the kinds of workflows they utilize daily. This is especially true where interaction with external third parties, such as contractors, grantees, and interagency partners, is a regular and expected part of the role. A "new document shared with you" notification from an unfamiliar sender is not inherently suspicious in those environments; it is routine. And that routine is exactly what attackers exploit.

Brand Impersonation

Across the full sample, 12% of phishing attacks involve brand impersonation: the use of a trusted company’s name and visual identity to make a credential-harvesting attempt appear as a routine notification. In large enterprises, brand impersonation is even higher at 16.3%.

Federal agencies share several characteristics with large enterprises that make them attractive targets for this technique. They employ tens of thousands of people. They operate extensive software stacks, including Microsoft 365, identity management platforms, and enterprise procurement tools. And critically, much of the software the government purchases is a matter of public record, which means an attacker does not need to guess which platforms to impersonate. A fake MFA prompt from Microsoft or a spoofed signature request carries real credibility when the recipient uses those tools every day.

This matters because email remains the only enterprise application where the end user is effectively asked to serve as their own security professional, making real-time judgments about legitimacy with limited tools and context.

Redirect Links and Link Shorteners

Approximately one in five phishing attacks (21.6%) use redirect links, intermediate URLs that route the recipient through one or more hops before reaching the final destination. Among phishing attacks that use redirects, 10.2% rely on link shortener services, which compress URLs into short, generic strings hosted on domains that security tools are reluctant to block wholesale.

Redirects skew toward smaller organizations: 26.6% of phishing at small organizations uses redirects, compared to 16.5% at large enterprises. The pattern is consistent with the observation that smaller organizations often lack sophisticated URL inspection, leaving basic redirect chains effective without additional obfuscation. Small and micro agencies, including independent commissions, boards, and offices with limited IT security infrastructure, should be particularly alert to phishing that relies on redirected or shortened URLs.
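The redirect and shortener pattern above can be checked statically before any link is clicked. The following is an added example, not code from Abnormal's report or product: it pulls URLs out of a message body, labels each one as direct, redirect (the URL carries another absolute URL in a forwarding parameter such as `?url=` or `?next=`) or shortener (the host is a well-known shortening service), and unwinds nested forwarding parameters without fetching anything, so it runs offline inside a mail filter. The shortener list, the parameter names and the sample body are constructed for the demo and would be tuned in practice.

```python
"""
Added example, not code from Abnormal's report or product: a static
classifier for URLs found in an email body. Nothing is fetched; the
analysis is purely on the string so it can run offline in a mail filter.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Well-known shortener hosts (illustrative subset; a real list is much longer).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Query-parameter names commonly used to carry a forwarding destination (constructed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "target", "dest", "goto", "u", "link"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def embedded_url(url: str) -> Optional[str]:
    """Return an absolute URL carried in url's query string (one hop), else None."""
    for name, values in parse_qs(urlparse(url).query).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                value = unquote(value)  # tolerate double-encoded destinations
                if value.lower().startswith(("http://", "https://")):
                    return value
    return None


def classify_url(url: str) -> dict:
    """Classify one URL and follow its chain of embedded destinations."""
    hops = [url]
    seen = {url}
    while True:
        nxt = embedded_url(hops[-1])
        if nxt is None or nxt in seen:  # stop at the end of the chain or on a loop
            break
        hops.append(nxt)
        seen.add(nxt)
    first_host = (urlparse(url).hostname or "").lower()
    final_host = (urlparse(hops[-1]).hostname or "").lower()
    if first_host in SHORTENER_HOSTS:
        kind = "shortener"  # destination is opaque until the service resolves it
    elif len(hops) > 1:
        kind = "redirect"
    else:
        kind = "direct"
    return {"url": url, "kind": kind, "hops": len(hops) - 1, "final_host": final_host}


def scan_body(body: str) -> list:
    """Extract every URL from a message body and classify it."""
    return [classify_url(u.rstrip(".,;:)")) for u in URL_RE.findall(body)]


def needs_review(results: list) -> list:
    """Return the classified URLs a filter should inspect further."""
    return [r for r in results if r["kind"] != "direct"]


# Constructed message body resembling a document-sharing notification.
SAMPLE_BODY = (
    "A new document was shared with you.\n"
    "Open: https://docs.agency-portal.test/share/8823\n"
    "Mobile link: https://bit.ly/3xmpl-doc\n"
    "Sign in: https://portal.agency-portal.test/login?next=https%3A%2F%2Fsso.look-alike.test%2Fmfa\n"
    "Archive: https://track.mailer.test/click?u=https://r.other.test/go?url=https://final.look-alike.test/x\n"
)

if __name__ == "__main__":
    for r in scan_body(SAMPLE_BODY):
        print(f'{r["kind"]:9} hops={r["hops"]} final={r["final_host"]} {r["url"]}')
```

The final host after unwinding is the value worth matching against allow- and block-lists; the first hop is often a legitimate tracking or SSO domain, which is exactly why reputation checks on the visible link alone pass these messages. A shortened link has no recoverable destination without resolving it, so it is handed off for review rather than guessed at.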

Impersonation/Business Email Compromise

Impersonation or business email compromise (BEC) accounts for roughly 11% of attacks by volume, but the damage per successful attack is far greater than phishing. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) reported over $3 billion in losses due to BEC in its annual report for 2025.[1] For federal agencies, where a single compromised transaction can involve taxpayer funds or national security information, the stakes are higher still.

VIP Impersonation

Given the size of federal agencies, where interaction with certain parts of the organization may happen without regular physical contact (e.g. IT, compliance, ethics, personnel, OIG), the impact of an impersonation-based BEC attack could be even more significant than in the private sector. This dynamic is amplified in agencies with dispersed field offices scattered across the country, where employees may never meet their leadership in person. It is further amplified where interaction with political leadership or senior executives is rare, creating an environment where a message purportedly from the front office is more likely to prompt a quick response than careful inspection.

The data bears this out. More than 41% of internal impersonation BEC reaching executive leadership involves VIP impersonation, by far the highest of any job category and five times the 8.4% sample average. The dynamic is worth stating plainly: executives are both the most common subjects of VIP impersonation (attackers impersonate them to reach other departments) and the most common recipients of it (attackers impersonate other executives to reach them). In the federal context, consider the implications: an email impersonating political leadership sent to career staff in procurement, or an email impersonating the agency head sent to a deputy. In both cases, the recipient is less likely to question the request, and both the rarity of such contact in some cases and its routine nature in others are precisely what make the lure effective.

A Federal Case Study: NASA and the Spear-Phishing of Export-Controlled Software

The same dynamic extends beyond internal hierarchies to the trusted external collaborators federal researchers work with every day. In April 2026, the National Aeronautics and Space Administration (NASA) Office of Inspector General [2] stated that between January 2017 and December 2021, Chinese national Song Wu created Gmail accounts impersonating an established aerospace professor known to NASA, and used them to request export-controlled software and source code, including aerospace engineering tools developed and maintained by NASA, from dozens of U.S. researchers, professors, and engineers. Victims spanned NASA, the Air Force, the Navy, the Army, the FAA, major universities, and private companies. In some cases the ruse worked, and recipients unwittingly violated U.S. export control laws by sending the requested files. Song was indicted in September 2024 on 14 counts of wire fraud and 14 counts of aggravated identity theft following a joint NASA OIG and FBI investigation, and remains at large.

The pretext here is the federal-agency dynamic in a different key. Instead of an acquisition official reading a note that appears to be from the agency head, a researcher reads a note that appears to be from a longtime collaborator they trust by reputation but rarely, if ever, encounter face-to-face. The asymmetry is the same: familiar enough to be plausible, distant enough that verification feels socially awkward. Mission-focused agencies, especially those that work in or adjacent to the national security apparatus, must be especially vigilant against impersonation attempts that exploit the very collaboration networks—interagency, academic, and contractor—on which their work depends.

Generic Internal Impersonation

Of internal impersonation BEC reaching IT and technology recipients, 66.6% involves generic internal impersonation, well above the 36.7% sample average and the second-highest among named job categories after finance and accounting at 72.8%.

The elevated rate makes sense when you consider what generic internal impersonation looks like in practice: fake IT helpdesk notices, system alerts, credential reset requests, MFA re-enrollment prompts, and access provisioning emails. These are communications that IT staff receive legitimately and routinely in the course of their role. A threat actor impersonating "IT Security" and asking a recipient to verify their credentials is a far more contextually appropriate pretext when directed at someone in IT than at someone in communications. The job function most familiar with helpdesk-style messages is also the one most likely to find those attack pretexts believable.

For agencies managing large IT environments, or those that frequently collaborate with external parties, this means the teams responsible for defending the network are simultaneously among the most targeted recipients of attacks designed to look like the tools and processes they manage every day.
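Both pretexts described in the VIP impersonation and generic internal impersonation sections above leave traces in message headers that a gateway can check before any user judgment is needed. The following is an added example, not Abnormal's detection logic: it flags VIP impersonation when the display name matches someone in the agency directory but the address is not that person's directory address, flags generic internal impersonation when the sender presents as an internal function such as "IT Security" or "Helpdesk" from outside the agency's domains, and flags a Reply-To that would send replies to a different domain. The directory, domains and sample messages are constructed for the demo.

```python
"""
Added example, not Abnormal's detection logic: header-level checks for
VIP impersonation and generic internal impersonation. Directory,
domains and messages are constructed.
"""
import re
from email.utils import parseaddr
from typing import Dict, List

AGENCY_DOMAINS = {"agency.test"}                      # constructed
DIRECTORY = {                                         # constructed: normalized name -> address
    "jane doe": "jane.doe@agency.test",               # agency head
    "sam rivera": "sam.rivera@agency.test",           # deputy
}
INTERNAL_FUNCTIONS = ("it security", "it support", "helpdesk", "help desk",
                      "service desk", "security operations")


def _norm(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one message's From/Reply-To headers."""
    findings: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    sender_domain = _domain(addr)
    is_internal = sender_domain in AGENCY_DOMAINS
    norm_name = _norm(name)

    # VIP impersonation: a known leader's name shown on an address that is not theirs.
    if norm_name in DIRECTORY and addr.lower() != DIRECTORY[norm_name]:
        findings.append(f"vip-impersonation: '{name}' shown on {addr}, directory has {DIRECTORY[norm_name]}")

    # Generic internal impersonation: an internal function name from an external sender.
    if not is_internal and any(f in norm_name for f in INTERNAL_FUNCTIONS):
        findings.append(f"generic-internal-impersonation: '{name}' sent from external domain {sender_domain}")

    # Reply-To redirection: replies would leave the apparent sender's domain.
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")
    return findings


# Constructed messages: one legitimate, three impersonation attempts.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@agency.test>", "Subject": "FY27 budget guidance"},
    {"From": "Jane Doe <jane.doe.office@webmail.test>", "Reply-To": "jane.doe.office@webmail.test",
     "Subject": "Quick request before my 2pm"},
    {"From": "IT Security <it-security@agency-support.test>", "Subject": "MFA re-enrollment required today"},
    {"From": "Helpdesk <helpdesk@agency.test>", "Reply-To": "tickets@outside.test",
     "Subject": "Password reset confirmation"},
]


def triage(messages: List[Dict[str, str]]) -> List[tuple]:
    """Pair each message's subject with its findings."""
    return [(m["Subject"], check_message(m)) for m in messages]


if __name__ == "__main__":
    for subject, findings in triage(SAMPLE_MESSAGES):
        print(subject, "->", findings or ["no finding"])
```

The directory comparison is deliberately exact: a leader writing from a personal or secondary address is the same observable event as an impersonation, and the right response in both cases is verification rather than silent acceptance. The fourth sample message shows why the Reply-To check is kept even for internal senders; a compromised internal helpdesk account would pass the domain test.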

Vendor Email Compromise: The Government's Specific Exposure

Vendor email compromise (VEC) accounts for roughly 61% of all BEC and is especially difficult to defend against because billing and payments are a routine part of the vendor-customer relationship, discussed over email daily. A malicious message from a vendor requesting changes to banking information or a large fund transfer may not immediately register as suspicious, particularly in organizations that work with dozens or hundreds of vendors.

Billing Account Update Fraud

Government agencies have the highest billing account update rate of any industry at 40.8% of VEC, nearly double the sample average of 23.6%. The account compromise rate within those billing update attacks is also elevated at 41.2%, compared to the 26.5% sample average for that pretext. The government VEC sample is relatively small, meaning these figures are directionally suggestive rather than definitive, but the pattern is consistent with what the procurement environment would predict.

Vendor payment changes in government contexts typically require documentation, formal approval workflows, and audit trails. That procedural friction makes a convincing email from a lookalike domain a harder sell than it might be elsewhere, which pushes attackers toward the higher-effort approach of compromising an actual vendor account before requesting a change to banking details.

The broader VEC data for government agencies reinforces the direction of this pattern. The overall account compromise rate across all VEC attack types targeting government agencies is 20.2%, more than double the sample VEC average of 8.95%, suggesting the shift toward higher-effort techniques extends beyond billing updates alone. In practical terms: when the target environment demands more credibility, attackers invest in acquiring it.
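Because the government VEC figures above point to attackers compromising genuine vendor accounts rather than relying on lookalike domains, a banking-change request from a "verified" vendor address cannot be treated as evidence of anything. The following is an added example, not the report's recommendation text or any agency's actual procedure: a gate for vendor banking-change requests that treats the email as untrusted whichever account sent it, and approves a change only after a person has confirmed it by calling the phone number held in the vendor master record, never a number supplied in the email. It also applies a simple lookalike-domain check so that a near-miss domain is routed to a record review even when a callback succeeds. The vendor record, the request scenarios and the similarity threshold are constructed for the demo.

```python
"""
Added example, not the report's or any agency's actual workflow: an
out-of-band verification gate for vendor banking-change requests.
Vendor record, requests and the similarity threshold are constructed.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional


@dataclass
class VendorRecord:
    vendor_id: str
    email_domain: str
    callback_phone: str        # captured at onboarding, not from any email
    bank_account_last4: str


@dataclass
class BankChangeRequest:
    vendor_id: str
    sender_address: str
    new_account_last4: str
    phone_in_email: Optional[str] = None   # number the email asks us to call; never used to verify


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def domain_similarity(a: str, b: str) -> float:
    """0..1 similarity used to spot lookalike domains (constructed threshold in evaluate)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def evaluate(req: BankChangeRequest, record: VendorRecord, callback_confirmed: bool) -> Decision:
    """callback_confirmed is the outcome of a human calling record.callback_phone."""
    reasons: List[str] = []
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != record.email_domain.lower():
        if domain_similarity(sender_domain, record.email_domain) > 0.8:
            reasons.append(f"lookalike-domain: {sender_domain} resembles {record.email_domain}")
        else:
            reasons.append(f"unknown-domain: {sender_domain} is not on the vendor record")
    if req.phone_in_email and req.phone_in_email != record.callback_phone:
        reasons.append("email supplies a callback number that differs from the record; ignored")
    # A matching sender domain is not evidence: the vendor's account may be compromised.
    if not callback_confirmed:
        reasons.append("no out-of-band confirmation via the number on file")
        return Decision(False, reasons)
    if any(r.startswith(("lookalike-domain", "unknown-domain")) for r in reasons):
        # Callback succeeded but the sender is not the vendor of record: fix the record first.
        return Decision(False, reasons)
    return Decision(True, reasons)


# Constructed vendor master record and request scenarios.
RECORD = VendorRecord("V-1001", "acme-supply.test", "+1-555-0100", "4321")


def scenarios() -> dict:
    from_real_account = BankChangeRequest("V-1001", "ap@acme-supply.test", "9988",
                                          phone_in_email="+1-555-0199")
    from_lookalike = BankChangeRequest("V-1001", "ap@acme-suppiy.test", "9988")
    return {
        # Compromised genuine account: domain matches, but nobody called the number on file.
        "real-account-no-callback": evaluate(from_real_account, RECORD, callback_confirmed=False),
        # Same request after the vendor confirmed it on the number on file.
        "real-account-callback-ok": evaluate(from_real_account, RECORD, callback_confirmed=True),
        # Lookalike domain: a callback alone does not authorize the change as requested.
        "lookalike-callback-ok": evaluate(from_lookalike, RECORD, callback_confirmed=True),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(name, "APPROVED" if decision.approved else "HELD", decision.reasons)
```

The ordering of the checks is the point: the callback outcome is consulted before anything the email says, and the number dialed comes from the record rather than the message, since an attacker holding the vendor's mailbox controls every field in the email but not the phone captured at onboarding.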

A Federal Case Study: HHS Payment Management System Fraud

This is, in essence, what happened at the Department of Health and Human Services (HHS) between March 2023 and January 2024. According to an HHS Office of Inspector General audit published in June 2025:

From March 2023 through January 2024, bad actors fraudulently diverted a total of $7.8 million from the Department of Health and Human Services’ (HHS’s) Program Support Center (PSC) grant payment system, known as the Payment Management System (Payment System). This fraudulent activity impacted 10 grants awarded to 7 HHS recipients.
The bad actors gained access to PSC’s Payment System by using fake grant recipient email addresses to request access. Once they gained access, the bad actors masqueraded as grant recipients and requested account changes such as deleting valid users and changing bank accounts and other account contact information. After the bad actors made account changes, they either requested grant payments be disbursed to the changed bank accounts in their name or waited for a grant recipient to request a grant payment, which was diverted to the bad actor’s bank account. These incidents led to over $10 million in grant funding being diverted to the bad actors’ bank accounts. After banks rejected over $2 million of these deposits, HHS experienced an actual loss of $7.8 million in grant funds.

This incident illustrates the VEC pattern at scale within the federal government. The attackers did not need to defeat sophisticated technical controls. They needed to look like the people the system expected to hear from, and the system was not designed to distinguish between the two.

Conclusion: What This Means for Federal Defenders

The data in this report reveals something federal cybersecurity professionals should internalize: the attacks targeting your agency are not generic. They are adapted to your organizational structure, your procurement workflows, your communication norms, and your defensive posture. Phishing lures are designed to look like the document-sharing notifications your teams receive every day. BEC impersonation targets the specific authority dynamics and dispersed reporting relationships that define how large agencies operate. Vendor email compromise exploits the procedural rigor of government procurement, not by overwhelming it with volume, but by meeting the credibility threshold that your own controls demand.

This creates a defense problem that traditional security tools are structurally limited in addressing. Signature-based filters and reputation lists are designed to catch known threats. The attacks documented here succeed precisely because they avoid those mechanisms, using legitimate-looking domains, authentic vendor accounts, and pretexts that are indistinguishable from the routine business communications they are designed to mimic.

EO 14390 calls for the federal government to "harden our financial and digital systems" and to leverage "technical capabilities, threat intelligence, and operational insights from commercial cybersecurity firms" in the effort to combat cyber-enabled crime. The data in this report offers a concrete starting point: understanding which attack types are most likely to reach specific roles, which pretexts are calibrated to government workflows, and where threat actors are investing more effort because they know the environment demands it.

Three priorities emerge from the data for federal defenders:

  1. Recognize that attack exposure is role-specific, not uniform. Procurement, acquisition, legal, and IT personnel each face a distinct threat profile shaped by the workflows of their position. Security awareness efforts should be tailored accordingly, not delivered as one-size-fits-all training.

  2. Treat vendor email compromise as a primary threat vector, not a secondary one. VEC accounts for the majority of BEC, and federal agencies face higher rates of account compromise than any other sector in the dataset. Vendor banking change requests, even those arriving from verified accounts, require out-of-band confirmation through channels that an attacker cannot control.

  3. Accept that the detection problem has outgrown rule-based tools. When the attack is engineered to look normal, defending against it requires the ability to define what "normal" looks like for every user, every vendor relationship, and every communication pattern across the agency, and to flag deviations in real time. That is a behavioral detection problem, and it requires capabilities that can learn and adapt at the speed the threat environment demands.

The adversaries documented in this report are studying how federal agencies operate and building their attacks accordingly. Effective defense starts with understanding the same thing they do: that the operational context of the institution determines the shape of the threat. Agencies that invest in that understanding, and in the tools capable of acting on it, will be better positioned to identify attacks at the point of delivery, before an employee has the opportunity to engage.

To learn more about the modern cyberthreats targeting federal workflows, download the 2026 Attack Landscape Report.
