The Identity Attack Signal Every Stack Is Missing
Every tool in the identity stack went blind. The ground truth was sitting in email, where it almost always is.
June 10, 2026

The IdP logged nothing unusual, the EDR was quiet, the SaaS app processed the request without incident. Yet, the attacker had already changed direct deposit information and triggered a spam bomb to bury the confirmation email. Every tool designed to catch identity attacks came up empty. The only signal that mattered was in the email inbox.
The 90% Problem
Abnormal's analysis finds that more than 90% of identity attacks leave traces in email. Not because attackers prefer email, but because email is the notification layer for everything: payroll changes, permission updates, new device enrollments, account recovery flows. SaaS apps generate these emails automatically. In most environments, they land in inboxes unread and unanalyzed.
The IdP sees authentication and the EDR sees endpoint behavior, but neither reads the downstream breadcrumbs that appear in email minutes after an identity is compromised. The data exists, but identity tools just aren't detecting and analyzing it.
Why Data Position Is the Moat
Abnormal processes every email in an organization, and PeopleBase, Abnormal's behavioral identity graph, maintains a profile for every employee: which systems they touch, when, and how often. When a payroll-change notification email arrives for an employee with no history of modifying that data, minutes after an anomalous sign-in, Abnormal connects both signals. The detection advantage comes from sitting on the data channel where identity attacks leave their clearest traces.
No other tool in the stack is reading it, and a sharp algorithm on incomplete data still misses the attack.
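The correlation described above, as an added sketch that is not Abnormal's code or PeopleBase's method: a change-notification email is flagged when the recipient has no history with that system and an anomalous sign-in precedes it, with a follow-on mail burst recorded as a third signal. The window, burst threshold, subject keywords, field names and sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
BURST = 5                        # assumed spam-bomb threshold (messages after the notice)
KEYWORDS = {"direct deposit": "payroll", "new device": "device_enrollment",
            "password reset": "account_recovery"}  # assumed subject-to-category map

def t(hhmm):
    return datetime.strptime("2026-06-10 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data, not real telemetry.
HISTORY = {"alice": {"expenses"}, "bob": {"payroll", "expenses"}}  # systems each user has changed before
SIGNINS = [{"user": "alice", "time": t("09:02"), "anomalous": True},
           {"user": "bob", "time": t("09:10"), "anomalous": False}]
EMAILS = ([{"to": "alice", "time": t("09:09"), "subject": "Your direct deposit information was changed"},
           {"to": "bob", "time": t("09:15"), "subject": "Your direct deposit information was changed"}]
          + [{"to": "alice", "time": t("09:10"), "subject": f"Welcome to newsletter {i}"} for i in range(8)])

def categorize(subject):
    """Map a SaaS notification subject to the system it reports a change in."""
    s = subject.lower()
    return next((cat for kw, cat in KEYWORDS.items() if kw in s), None)

def correlate(emails, signins, history):
    alerts = []
    for mail in emails:
        cat = categorize(mail["subject"])
        if cat is None:
            continue  # not a change notification
        user, when = mail["to"], mail["time"]
        signals = []
        if cat not in history.get(user, set()):
            signals.append("no_history")
        if any(s["user"] == user and s["anomalous"]
               and timedelta(0) <= when - s["time"] <= WINDOW for s in signins):
            signals.append("anomalous_signin")
        burst = sum(1 for m in emails if m["to"] == user and m is not mail
                    and timedelta(0) <= m["time"] - when <= WINDOW)
        if burst >= BURST:
            signals.append("mail_burst")  # notice is being buried
        # Alert only when the email signal and the sign-in signal agree.
        if {"no_history", "anomalous_signin"} <= set(signals):
            alerts.append({"user": user, "category": cat, "signals": signals})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EMAILS, SIGNINS, HISTORY):
        print(alert)
```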


