Email as the Adversary Foothold: Lessons from Federal Cyber Breaches
Major Federal cyber breaches share one overlooked constant: email. This post presents five case studies revealing how attackers exploited the inbox through phishing, credential theft, and forged tokens—and why behavioral, identity-aware AI delivers the decisive advantage over legacy defenses.

Major Federal cyber breaches share one overlooked constant: email. From nation-state espionage to supply-chain attacks and credential theft, the inbox serves as the front door to the most sensitive parts of the Federal ecosystem. Even as agencies make significant strides in hardening infrastructure by deploying multi-factor authentication and endpoint detection and response, cyberattacks exploiting email continue to succeed.
The current approach of protecting only against "known bads" is a losing battle. To fully protect the Federal enterprise, agencies must shift their security mindset from safeguarding systems to safeguarding people, and adopt tools that reflect this change. AI is making the shift possible.
Several factors are compelling Federal agencies to adopt AI-based security technologies that advance their mission and enhance efficacy:
A critical shortage of skilled Security Operations Center (SOC) staff
A White House directive encouraging AI adoption across government
The need to demonstrate tangible AI-driven value, such as substantial cost savings or the reallocation of personnel to higher-value security and strategic initiatives, through use case reporting [1]
Together, these factors create a powerful impetus for integrating AI as an essential tool to strengthen cybersecurity posture and improve operational efficiency across the Federal landscape.
The following case studies illustrate how email played a pivotal role in major Federal cyber intrusions—and how modern, AI-powered defenses could have helped mitigate or even prevent the damage.
SolarWinds: The Developer Email That Opened the Gates
What happened: In one of the most infamous supply-chain breaches in history, threat actors compromised a SolarWinds email account, which facilitated credential theft and access into development systems—one of several steps in the broader Orion supply-chain breach.
Impact: These credentials provided the attackers with deep access to the Orion software build system, ultimately affecting nine Federal agencies. SolarWinds confirmed that “A SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.” [2]
Traditional Mitigations:
Enforce phishing-resistant MFA across all employee email accounts
Segment email systems used by privileged development and infrastructure roles
Behavioral AI-Based Mitigation: Detect changes to sign-in signals and suspicious activity to neutralize threats prior to lateral movement.
OPM (2015): Credential Theft via Phishing and Email Abuse
What happened: Chinese state-sponsored actors phished OPM contractors and employees, stole their email credentials, and used them to access highly sensitive background investigation data and biometric records. [3]
Impact: More than 22 million individual records were compromised, with email as the primary entry point.
Traditional Mitigations:
Mandate phishing-resistant MFA such as FIDO2
Isolate contractor mail infrastructure from core agency systems
Behavioral AI-Based Mitigation: Detect phishing sent from compromised internal accounts and flag behavioral anomalies in user-to-user communications.
Storm-0558: The 2023 Microsoft Exchange Online Intrusion
What happened: Chinese APT group Storm-0558 accessed Exchange Online inboxes of senior U.S. officials by forging authentication tokens with a stolen Microsoft signing key. The likely root cause was a compromised engineer’s device from a 2021 Microsoft acquisition. According to the Cyber Safety Review Board report, “Storm-0558 established its first point of infrastructure and gained access to email accounts.” [4]
Impact: Over 60,000 emails were exfiltrated from the State Department alone, targeting sensitive U.S.-China diplomatic communications.
Traditional Mitigations:
Regular rotation and expiration of signing keys
Strict validation controls for token scope and origin
Behavioral AI-Based Mitigation: Alert on access attempts that deviate from known usage patterns and application behaviors.
HHS Grant System Compromise: $7.5M in Email-Based Fraud Losses
What happened: In 2023, hackers used a combination of phishing and email impersonation to redirect $7.5 million in grant disbursements from the Department of Health and Human Services. [5] The attackers compromised email accounts and altered payment instructions through fraudulent emails that mimicked trusted personnel.
Impact: Millions in Federal grant funds were misdirected to fraudulent bank accounts, bypassing traditional financial checks due to the apparent legitimacy of the email communications.
Traditional Mitigations:
Enforce verification procedures for all payment changes requested via email
Monitor for impersonation and lookalike domain activity
Behavioral AI-Based Mitigation: Detect vendor email compromise and impersonation through behavioral baselines, identity signals, and communication anomalies.
OCC Vendor Email Compromise: Sensitive Data at Risk
What happened: In early 2025, the Office of the Comptroller of the Currency disclosed that one of its vendors suffered an email compromise that exposed sensitive OCC data. The attack did not breach OCC systems directly but exploited the trust relationship between the agency and its vendor's email systems. [6]
Impact: The incident highlights the ongoing risk posed by third-party email compromises, where agencies are exposed through breaches in vendors' poorly secured email infrastructure.
Traditional Mitigations:
Require third-party vendors to implement MFA and email anomaly detection
Limit sensitive data exchange over email; use secure portals instead
Behavioral AI-Based Mitigation: Monitor vendor communications for unusual content, volume, and context shifts, alerting on compromised partner accounts.
Common Patterns: How Attackers Exploit Email
Across these attacks, email played one or more of the following roles:
Initial Access: via phishing, credential stuffing, or token forgery
Lateral Movement: using inbox delegation, mail flow rules, or OAuth token escalation
Data Exfiltration: silently siphoning attachments, calendar data, and internal memos
Legacy infrastructure, limited visibility, and misconfigured email policies continue to create opportunities for attackers to exploit the inbox. The table below connects these common patterns to both traditional and AI-based mitigations.
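Two of the patterns above, a rogue inbox rule that forwards or hides mail and a sign-in that breaks a user's baseline, are concrete enough to show as detection logic. The script below is an added example written for this post; it is not code from the original article or from Abnormal. The audit-event schema, field names, addresses and ASNs are all constructed for the example and do not correspond to any real product's log format. It scores inbox rules on the traits that typically accompany account takeover, flags sign-ins from a country or ASN never seen in the user's baseline, and then correlates the two so a new rule created after an anomalous sign-in stands out.

```python
"""Flag rogue inbox rules and out-of-baseline sign-ins from mailbox audit events.
The event schema is a simplified, constructed one for this example (assumption);
it is not the format of any particular mail platform's audit log."""
from collections import defaultdict
import re

# Constructed sample events. Domains use the reserved .example TLD and the
# ASNs are from the private/documentation range, so nothing here is real.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice@agency.example", "country": "US", "asn": 64496, "ts": 1},
    {"type": "signin", "user": "alice@agency.example", "country": "US", "asn": 64496, "ts": 2},
    {"type": "signin", "user": "alice@agency.example", "country": "US", "asn": 64496, "ts": 3},
    {"type": "signin", "user": "alice@agency.example", "country": "NL", "asn": 64497, "ts": 4},
    {"type": "inbox_rule", "user": "alice@agency.example", "ts": 5,
     "rule": {"name": ".", "forward_to": ["archive@mail-example.net"],
              "delete": True, "mark_read": True}},
    {"type": "inbox_rule", "user": "bob@agency.example", "ts": 6,
     "rule": {"name": "Newsletters", "move_to": "Newsletters",
              "conditions": {"from_contains": "news@"}}},
    {"type": "inbox_rule", "user": "carol@agency.example", "ts": 7,
     "rule": {"name": "RSS", "move_to": "RSS Subscriptions",
              "conditions": {"subject_contains": "invoice"}}},
]

INTERNAL_DOMAINS = {"agency.example"}
# Folders users rarely open; diverted mail is often parked in one of these.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}
BASELINE_SIGNINS = 3  # sign-ins used to learn a user's normal country/ASN set


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_inbox_rule(rule):
    """Return (score, reasons) for one rule; each suspicious trait adds one point."""
    reasons = []
    for dest in rule.get("forward_to", []):
        if is_external(dest):
            reasons.append(f"forwards to external address {dest}")
    if rule.get("delete"):
        reasons.append("deletes matching messages")
    if rule.get("mark_read"):
        reasons.append("marks messages as read")
    folder = rule.get("move_to", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves messages to rarely viewed folder '{folder}'")
    subject = rule.get("conditions", {}).get("subject_contains", "").lower()
    if any(kw in subject for kw in ("invoice", "payment", "wire", "password")):
        reasons.append("matches financial or credential keywords in subject")
    name = rule.get("name", "")
    if len(name) <= 2 or not re.search(r"[A-Za-z]", name):
        reasons.append("rule name is blank or a single character")
    return len(reasons), reasons


def detect_rogue_rules(events, threshold=2):
    findings = []
    for ev in events:
        if ev["type"] != "inbox_rule":
            continue
        score, reasons = score_inbox_rule(ev["rule"])
        if score >= threshold:
            findings.append({"user": ev["user"], "ts": ev["ts"],
                             "score": score, "reasons": reasons})
    return findings


def detect_signin_anomalies(events):
    """Flag sign-ins whose country or ASN is absent from the user's baseline.
    Flagged sign-ins are not added to the baseline, so one bad login cannot
    teach the detector that the new location is normal."""
    baseline = defaultdict(lambda: {"countries": set(), "asns": set(), "n": 0})
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "signin":
            continue
        b = baseline[ev["user"]]
        new = []
        if b["n"] >= BASELINE_SIGNINS:
            if ev["country"] not in b["countries"]:
                new.append(f"country {ev['country']}")
            if ev["asn"] not in b["asns"]:
                new.append(f"ASN {ev['asn']}")
        if new:
            findings.append({"user": ev["user"], "ts": ev["ts"], "reasons": new})
        else:
            b["countries"].add(ev["country"])
            b["asns"].add(ev["asn"])
            b["n"] += 1
    return findings


def correlate(events):
    """Mark each rogue rule that was created after an anomalous sign-in by the
    same user: the sequence seen in the account-takeover cases above."""
    rules = detect_rogue_rules(events)
    signins = detect_signin_anomalies(events)
    for r in rules:
        r["after_anomalous_signin"] = any(
            s["user"] == r["user"] and s["ts"] < r["ts"] for s in signins)
    return rules, signins


if __name__ == "__main__":
    rules, signins = correlate(SAMPLE_EVENTS)
    for s in signins:
        print(f"SIGNIN  {s['user']} ts={s['ts']}: {', '.join(s['reasons'])}")
    for r in rules:
        tag = " (follows anomalous sign-in)" if r["after_anomalous_signin"] else ""
        print(f"RULE    {r['user']} ts={r['ts']} score={r['score']}{tag}: {'; '.join(r['reasons'])}")
```

On the constructed input, Alice's sign-in from a new country and ASN is flagged, and her blank-named rule that forwards externally, deletes and marks messages read scores highest and is tagged as following that sign-in; Carol's rule that hides invoice mail in an RSS folder is flagged on its own, while Bob's ordinary newsletter filter is not. The per-trait scoring rather than a single signature is the point: each trait alone is common in legitimate rules, but their combination is what a behavioral detector keys on.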
Protect the Inbox
Email is still the primary channel through which the government engages with the public. Yet traditional email security tools often stop at scanning content or flagging known bad actors. Flagging known bads does not account for the new tactics, techniques, and procedures employed by threat actors—especially in the age of AI.
Modern threats require modern defenses. Solutions like Abnormal AI offer behavioral, identity-aware defenses that go far beyond what rule-based systems can detect. Whether stopping forged token access or detecting a rogue inbox rule created by an attacker, email security must be dynamic, intelligent, and prioritized.
Each of these breaches demonstrates the same truth: email is the adversary’s foothold.
See how Abnormal helps Federal agencies secure the inbox with behavioral AI. Schedule a demo today.
[1] https://github.com/ombegov/2024-Federal-AI-Use-Case-Inventory
[2] https://www.solarwinds.com/blog/findings-from-our-ongoing-investigations
[3] “The adversary gained access to OPM’s network using credentials stolen from a KeyPoint contractor…It remains unclear precisely how the credentials were stolen from the KeyPoint contractor, but some evidence suggests it may have been the result of a phishing attack.” https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
[4] https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewOfTheSummer2023MEOIntrusion508.pdf
[5] https://www.bankinfosecurity.com/report-hackers-scammed-75m-from-hhs-grant-payment-system-a-24157
[6] “On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes.” https://occ.gov/news-issuances/news-releases/2025/nr-occ-2025-30.html#:~:text=Share%20This%20Page:,messages%20to%20determine%20their%20contents.