Cybercriminals have gone global—and so has cloud email security. Attackers are increasingly writing in the language, tone, and even the cultural style of their targets. Whether it’s a supplier impersonation in Japanese or an invoice scam in German, localized phishing and business email compromise (BEC) attacks are growing both in volume and sophistication.

Yet, most security systems were trained primarily in English. Even AI-powered systems can struggle to recognize the nuanced phrasing, idioms, and formality that define real-world business communication in other languages—that leaves security teams exposed to multilingual attacks that traditional “English-first” detection often misses. Further, traditional security awareness training products relied on synthetic, templated content to train global users to recognize these attacks.

Abnormal’s behavioral AI has long analyzed communication patterns across more than 100 languages—understanding relationships, tone, and context rather than just words on the page. This foundation has allowed us to stop the majority of multilingual attacks, even without deep linguistic understanding. But as attackers began exploiting subtle, language-specific cues—like overly casual phrasing in German or mismatched levels of politeness in Japanese—we evolved our models to close that gap.

Building on this foundation, Abnormal has refined its models to better interpret German and Japanese, improving multilingual detection for business communication in these languages. In parallel, we have extended Abnormal AI Phishing Coach to deliver simulations and lessons in employees’ native languages, so the same cultural and linguistic nuance our AI uses to detect attacks now helps global employees recognize and report them.

In German, long compound nouns and formal phrasing often confuse systems trained primarily on English syntax. In Japanese, attackers exploit subtle shifts in honorific tone or overly polite phrasing to impersonate executives and trusted vendors.

While many email security vendors focus on translation-based detection, Abnormal rebuilt its multilingual detection approach to understand communication the way people actually write. This distinction is critical in practice.

Legacy systems trained primarily on English phishing patterns may not fully recognize when a German business email uses suspiciously informal phrasing, or when a Japanese message employs the wrong level of keigo (honorific speech). These subtle shifts in tone and formality are invisible to translation-based AI, but they are the very cues attackers often exploit to make their messages appear authentic.

We optimized our detection models using authentic, region-specific data—both legitimate and malicious—and rebuilt our text-tagging system from rule-based matching into a neural classifier powered by multilingual embeddings. This new architecture is designed to enable our models to interpret the fine-grained cues that define professional communication in different cultures.

To illustrate how these linguistic and cultural nuances manifest in real attacks, here are a few examples of phishing and impersonation attempts Abnormal has detected in both German and Japanese—threats that often bypass legacy, English-trained systems.

Detecting a German BEC Attempt Disguised as Everyday Conversation

Abnormal stopped a socially engineered email impersonating a company executive and requesting a colleague’s WhatsApp number. The attacker used a free Gmail account and signed the message with the name and title of a real employee, hoping to initiate a conversation over a less-monitored channel. Although the message contained no links or attachments, Abnormal flagged it based on content signals like impersonation, behavioral anomalies, and the suspicious pretext of moving the conversation off email. These cues matched known patterns of executive impersonation and BEC initiation attempts.

English translation:

Detecting a Japanese Toll Scam Masquerading as a Legitimate Notice

The message impersonated a trusted Japanese toll service (ETC) and urged the recipient to update their payment method. It included a masked redirect URL leading to a lookalike login page hosted on a suspicious domain. The language, urgency, and impersonation of a government-affiliated service aligned with known phishing patterns. These behavioral and linguistic anomalies—combined with a deceptive link structure—triggered Abnormal’s detection models.

English translation:

Prior to these enhancements, our detection in German and Japanese relied on language-independent signals of maliciousness. Post-upgrade, internal tests show our accuracy in German, Japanese, and English is now on par. In plain terms, we can now detect attacks in all three languages just as reliably, while flagging fewer legitimate emails by mistake—no special settings or extra work required.

These improvements are already being recognized by customers across both markets:

“Abnormal’s support for German-language detection has significantly improved our ability to stop localized phishing and impersonation threats targeting our finance and executive teams,” said Sun Robin Flamm, Head of Cybersecurity at KOKI Group. “We’ve seen a clear drop in false negatives, and our SOC spends less time reviewing suspicious messages.”

“With Abnormal’s enhanced localization for Japanese-language detection, we’ve seen a meaningful improvement in our ability to block sophisticated phishing and executive impersonation emails written in Japanese," said Takeshi Teshigawara, Engineering Specialist at Macnica. “It’s reduced the number of missed threats and helped our team avoid manual review of suspicious messages. As a global company with regional teams, this capability gives us confidence that Abnormal can deliver consistent protection across all languages and geographies.”

These advancements represent the next step in Abnormal’s global expansion. Our vision is simple—to deliver Abnormal’s AI-native attack protection everywhere—and our customer obsession drives us to deliver weekly detection enhancements on behalf of all of our customers.

As attacker tactics evolve and expand into new languages and regions, our detection capabilities are designed to adapt—aimed at ensuring that no matter the language, Abnormal detects the threat.

Curious to see how Abnormal’s detection engine can stop threats before they reach the inbox? Schedule a demo.