Account Takeover and Email Security: How Compromised Mailboxes Lead to BEC and VEC

A deeper look at how attackers use compromised mailboxes to bypass trust controls, hijack conversations, and launch BEC and VEC attacks against employees, customers, and vendors.

Reading time: 8 min

Date: Jun 15, 2026


Account takeover is one of the most dangerous moments in the email attack chain. Once an attacker gets inside a real mailbox, they are no longer just pretending to be trusted. They can send from a legitimate account, read past conversations, understand business relationships, and time their messages around real work already happening.

That is why compromised inboxes are such a powerful launchpad for business email compromise, also known as BEC, and vendor email compromise, also known as VEC. These attacks often do not rely on malware, suspicious attachments, or obviously malicious links. The payload is trust itself: a known sender, a familiar thread, a normal business request, and enough context to make the recipient act before they verify.

The financial risk is significant. In the FBI IC3 2025 Internet Crime Report, BEC generated more than $3 billion in reported losses from 24,768 complaints, making it one of the highest-loss cyber-enabled fraud categories of the year. But the impact is not limited to direct payment fraud. A compromised mailbox can also be used to steal sensitive data, impersonate employees, target customers, manipulate vendors, and spread attacks deeper into the organization.

Account Takeover Changes the Email Security Problem

A traditional phishing attack asks the recipient to trust a message from the outside. An account takeover attack changes the starting point. The attacker first compromises a mailbox, then uses that account to attack from the inside.

That difference matters because many security controls are designed to evaluate whether an email looks suspicious at delivery time. They inspect the sender domain, links, attachments, authentication results, and known indicators of compromise. But when the message comes from a legitimate account, many of those checks may look normal.

The email can pass authentication checks. The sender may have an existing relationship with the recipient. The thread may contain real history. The request may be written in the same style the employee, vendor, or executive normally uses.

This is what makes account takeover so dangerous: it turns a trusted identity into attacker infrastructure.

How Attackers Get Into the Mailbox

Most account takeover incidents begin with credential theft or identity abuse. Attackers may use phishing pages, adversary-in-the-middle login flows, device code phishing, password spraying, stolen session tokens, infostealer malware, or malicious OAuth consent requests.

In some cases, the attacker does not need the victim’s password at all. Modern phishing techniques can capture session tokens or abuse legitimate authentication flows, allowing the attacker to access cloud services after the user has already authenticated.

Microsoft has reported increased use of techniques such as device code phishing, malicious OAuth apps, and adversary-in-the-middle attacks. In device code phishing, the attacker starts a device authorization flow, sends the victim the resulting user code under some pretext, and tricks the victim into entering it at the provider's genuine device-login page. The victim authenticates on a real, legitimate page, but the tokens are issued to the attacker's session, which can then access email, files, and other cloud services.

Once inside, the attacker rarely sends the fraudulent message immediately. First, they learn.

They search the mailbox for invoices, payment terms, vendor names, executive conversations, file-sharing links, HR messages, customer threads, and internal approval language. They may create forwarding rules, delete security alerts, register a new MFA method, or monitor active conversations until the right opportunity appears.

How Compromised Mailboxes Become BEC

Business email compromise is usually described as an attacker impersonating a trusted internal identity to convince an employee to take an action. That action may be sending money, changing payroll details, sharing sensitive data, approving a purchase, or granting access.

When BEC comes from a compromised mailbox, the attack becomes much harder to question.

The attacker may send an urgent message from a real executive account asking finance to review a payment. They may use a compromised HR account to request employee tax information. They may use an internal IT account to push users toward a fake login page. They may hijack a real conversation between two departments and insert a request that feels like part of the normal workflow.

These attacks work because they remove many of the warning signs employees are trained to look for. The sender address is not misspelled. The domain is not suspicious. The tone may match the person’s previous emails. The request may reference real projects, real invoices, or real deadlines.

In other words, the attacker does not need to break trust. They borrow it.

How Compromised Mailboxes Become VEC

Vendor email compromise follows the same trust-abuse model, but the attacker starts from the vendor, partner, or service provider side of the relationship.

In a VEC scenario, a vendor mailbox is compromised first. The attacker watches real conversations between the vendor and its customers. They learn who handles invoices, which projects are active, when payment is expected, and what language the vendor normally uses.

Then they strike at the point of least friction.

A common attack looks like this:

  1. A vendor account is compromised.
  2. The attacker monitors invoice or procurement threads.
  3. The attacker replies inside an existing conversation.
  4. The message claims that payment details have changed.
  5. The customer updates the vendor record or pays the next invoice to the attacker-controlled account.

The message may not contain a malicious link. The attachment may be a normal-looking PDF. The sender may be the real vendor account. To the recipient, it can look like a routine operational update.

VEC is especially difficult because the victim organization may have strong internal security controls but still be exposed through a trusted third party. If one vendor account is compromised, every customer that relies on that vendor relationship becomes a potential target.

Why Legacy Email Defenses Miss These Attacks

Legacy email security tools are often effective against known-bad infrastructure, malware signatures, suspicious links, and obvious spoofing.

Messages sent from a compromised mailbox can bypass those controls because:

  • The sender is legitimate: The email may come from a real employee, vendor, or partner account.
  • Authentication passes legitimately: SPF, DKIM, and DMARC validate the message because it really was sent from the real mailbox. These protocols authenticate the sending domain, not the person at the keyboard.
  • There may be no payload: Many BEC and VEC messages contain no malicious attachment or link.
  • The conversation may be real: Thread hijacking gives the attacker context, timing, and credibility.
  • The request may look operationally normal: Invoice follow-ups, payment updates, document requests, and approval reminders happen every day.
  • The attacker can hide activity: Inbox rules, deleted alerts, forwarding, and MFA changes can help maintain access.

This is why the detection problem is no longer only, “Is this email malicious?” It is also, “Does this email make sense for this sender, this recipient, this relationship, and this business process?”

Detection Signals After Account Takeover

Detecting BEC and VEC requires looking beyond static indicators. The strongest signals are often behavioral, contextual, and relationship-based.

Mailbox and Identity Signals

  • New or unusual sign-in locations
  • Impossible travel or abnormal device usage
  • New MFA method registration
  • MFA tampering or repeated MFA prompts
  • Suspicious OAuth app consent
  • New inbox rules or hidden forwarding
  • Sudden mailbox searches for invoices, payroll, or payment terms

Email Behavior Signals

  • A trusted sender suddenly contacting unusual recipients
  • A normal account sending unusual volume or timing
  • A change in tone, urgency, or request type
  • Internal phishing sent from a real employee account
  • Messages sent immediately after suspicious login activity
  • Reply-to or forwarding behavior that does not match normal patterns

Vendor and Payment-Context Signals

  • New bank details or IBAN changes
  • Payment instructions that differ from historical vendor records
  • Invoice attachments with altered payment fields
  • A vendor contact using a new domain or unexpected account
  • A request to bypass normal approval workflows
  • No previous communication history between the sender and recipient
  • A thread that resumes after a long delay with a payment-related request

Why Employees Miss Compromised-Mailbox Attacks

Security awareness training often teaches users to look for misspellings, strange domains, generic greetings, suspicious links, or urgent language.

A compromised mailbox can remove the obvious clues. The message can be written in clean language, come from a known sender, and reference real business context. Generative AI makes this even easier by helping attackers write more believable messages, translate across languages, and adapt tone for different industries or roles.

The human problem is not carelessness. It is context overload.

Employees make hundreds of trust decisions every week. They approve requests, answer questions, open documents, update records, and keep business moving. Attackers exploit that speed. They place the malicious request inside a workflow that already feels familiar.

How Organizations Can Reduce the Risk

Reducing the risk requires coordinated controls across identity, email, vendor management, and financial approval workflows.

Strengthen Identity Controls

Phishing-resistant MFA should be prioritized for email and cloud accounts, especially for executives, finance, IT, procurement, and vendor-facing roles. Conditional access, impossible-travel alerts, risky sign-in detection, and session controls can reduce the chance that stolen credentials become long-term access.

Organizations should also monitor for new MFA devices, OAuth app consent, mailbox delegation changes, external forwarding, and suspicious inbox rules.

Monitor Mailbox Behavior, Not Just Email Content

A compromised account may not send a malicious email right away. Security teams should look for reconnaissance activity inside the mailbox, such as searches for invoice terms, payment keywords, customer names, payroll details, or vendor conversations.

When unusual mailbox activity is followed by a payment request, credential request, file-sharing message, or vendor update, the risk should increase immediately.
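The mailbox and identity signals listed earlier, and the reconnaissance-then-request pattern this section describes, can be correlated into a single per-account score. The following is an added example, not code from the original article or from any product it mentions. It runs over constructed, simplified audit records: the field names, operation names, keyword lists, baseline of known countries, and point values are all assumptions rather than the schema of any real audit log, and would be tuned to the organization. It flags an account whose new-country device-code sign-in, MFA registration, finance keyword search, and alert-hiding inbox rule are followed within a short window by a payment-related message, while a user with ordinary activity stays below the threshold.

```python
"""Correlate identity and mailbox audit events into an account-takeover score.

Added example, not code from the original article. The records below are
constructed and simplified; field and operation names are assumptions,
not the schema of any real audit log.
"""
from datetime import datetime, timedelta

# Assumption: keywords attackers search for, or hide with inbox rules; tune per org.
FINANCE_TERMS = ("invoice", "payment", "wire", "iban", "remittance", "payroll")
ALERT_TERMS = ("security alert", "password", "mfa", "sign-in", "new device")

# Assumption: where each user normally signs in from (constructed baseline).
KNOWN_COUNTRIES = {"cfo@example.com": {"US"}, "analyst@example.com": {"US"}}

# Assumption: recon followed by a payment-related send within 2h is high risk.
WINDOW = timedelta(hours=2)

# Constructed sample events (UTC timestamps): one compromised user, one benign user.
EVENTS = [
    {"ts": "2026-06-01T02:14:00", "user": "cfo@example.com", "op": "SignIn",
     "country": "RO", "protocol": "deviceCode", "result": "success"},
    {"ts": "2026-06-01T02:20:00", "user": "cfo@example.com", "op": "MfaMethodRegistered",
     "method": "authenticatorApp"},
    {"ts": "2026-06-01T02:25:00", "user": "cfo@example.com", "op": "MailboxSearch",
     "query": "invoice OR wire OR IBAN"},
    {"ts": "2026-06-01T02:31:00", "user": "cfo@example.com", "op": "NewInboxRule",
     "conditions": "subject contains 'invoice' OR from contains 'security alert'",
     "actions": "MoveToFolder:RSS Feeds; MarkAsRead"},  # parks mail where nobody looks
    {"ts": "2026-06-01T02:40:00", "user": "cfo@example.com", "op": "SendMail",
     "to": "ap-clerk@example.com", "subject": "Urgent: revised wire for vendor payment"},
    {"ts": "2026-06-01T09:05:00", "user": "analyst@example.com", "op": "SignIn",
     "country": "US", "protocol": "oAuth2", "result": "success"},
    {"ts": "2026-06-01T09:30:00", "user": "analyst@example.com", "op": "SendMail",
     "to": "team@example.com", "subject": "Weekly report"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def rule_is_suspicious(ev):
    """An inbox rule that hides finance or security-alert mail is a classic persistence step."""
    cond = ev.get("conditions", "").lower()
    act = ev.get("actions", "").lower()
    hides = any(a in act for a in ("delete", "movetofolder", "markasread", "forward"))
    targets = any(k in cond for k in FINANCE_TERMS + ALERT_TERMS)
    return hides and targets


def score_user(user, events):
    """Return (score, reasons) for one user, walking their events in time order."""
    own = sorted((e for e in events if e["user"] == user), key=_ts)
    score, reasons, first_risky = 0, [], None
    for ev in own:
        hits = []  # (points, reason) pairs raised by this event
        op = ev["op"]
        if op == "SignIn" and ev.get("result") == "success":
            if ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
                hits.append((3, f"sign-in from new country {ev['country']}"))
            if ev.get("protocol") == "deviceCode":
                hits.append((2, "device-code sign-in"))
        elif op == "MfaMethodRegistered":
            hits.append((3, f"new MFA method registered: {ev['method']}"))
        elif op == "MailboxSearch" and any(k in ev["query"].lower() for k in FINANCE_TERMS):
            hits.append((2, "mailbox search for payment terms"))
        elif op == "NewInboxRule" and rule_is_suspicious(ev):
            hits.append((4, "inbox rule hiding finance or alert mail"))
        elif op == "SendMail" and first_risky is not None:
            # The request itself: payment-themed mail sent shortly after the risky activity.
            if _ts(ev) - first_risky <= WINDOW and any(k in ev["subject"].lower() for k in FINANCE_TERMS):
                hits.append((5, f"payment-related mail to {ev['to']} shortly after suspicious activity"))
        for points, why in hits:
            score += points
            reasons.append(why)
            first_risky = first_risky or _ts(ev)
    return score, reasons


def flag_accounts(events, threshold=8):
    """Map each user whose score reaches the threshold to (score, reasons)."""
    results = {u: score_user(u, events) for u in {e["user"] for e in events}}
    return {u: r for u, r in results.items() if r[0] >= threshold}


if __name__ == "__main__":
    for user, (score, reasons) in flag_accounts(EVENTS).items():
        print(f"{user}: score {score}")
        for why in reasons:
            print("  -", why)
```

The ordering matters more than the individual weights: a new MFA method or an inbox rule on its own generates noise, but the same events followed by a payment-themed message from that account within the window is the sequence this article describes, so the send is scored only once earlier risky activity exists. In practice the events would come from the identity provider's sign-in log and the mail platform's mailbox audit log rather than an inline list.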

Verify Vendor and Payment Changes Out of Band

Bank-detail changes, new IBANs, invoice-routing updates, and urgent payment requests should never be approved only through email. Teams should verify changes through a known phone number, vendor portal, or previously established contact channel.

The key is to verify the change using a trusted source, not the contact information provided in the suspicious email.

Build Relationship-Aware Detection

BEC and VEC detection should understand normal communication patterns. Who usually talks to whom? Which vendors usually send invoices? What payment details have been used before? Which employees approve sensitive requests? Does this sender normally ask this recipient for this type of action?

This context helps identify attacks that look technically clean but operationally wrong.
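The vendor and payment-context signals listed earlier and the relationship questions in this section can be combined into one check on an inbound message. The following is an added example, not code from the original article or from any product it mentions, and it serves both passages. The vendor master record, the sender-recipient history, the phrase lists, the dormancy threshold, the point values, and both sample messages are constructed assumptions; the two IBANs are the published example values from the IBAN standard, not real accounts. The message from the genuine vendor mailbox scores high because its IBAN differs from the record on file, its reply-to diverts the thread off the vendor's domain, it discourages a phone call, and it resumes a thread that had been quiet for months, while a routine invoice from the same mailbox scores zero.

```python
"""Score an inbound vendor message against vendor master data and communication history.

Added example, not code from the original article. The vendor record, the
message history and both sample messages are constructed; field names,
phrase lists and point values are assumptions to tune per organization.
"""
import re
from datetime import datetime, timedelta

# Constructed vendor master record, as accounts payable would hold it.
VENDORS = {
    "acme-supply": {
        "domains": {"acme-supply.example"},
        "contacts": {"billing@acme-supply.example"},
        "iban": "DE89370400440532013000",  # published IBAN example value, not a real account
    }
}

# Constructed history: (sender, recipient) -> last message seen between them.
HISTORY = {
    ("billing@acme-supply.example", "ap@example.com"): datetime(2026, 1, 10),
    ("billing@acme-supply.example", "procurement@example.com"): datetime(2026, 5, 28),
}

NOW = datetime(2026, 6, 15)
DORMANT = timedelta(days=90)  # assumption: a thread silent this long counts as dormant
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PAYMENT_PHRASES = ("bank details", "new account", "updated iban", "payment instructions", "remit to")
BYPASS_PHRASES = ("no need to call", "just update", "before the cutoff", "reply by email only")


def iban_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35); the result must be 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def extract_ibans(text):
    return set(IBAN_RE.findall(text))


def score_message(msg, now=NOW):
    """Return (score, reasons) for one inbound message attributed to a vendor."""
    score, reasons = 0, []
    vendor = VENDORS[msg["vendor"]]
    sender = msg["from"].lower()
    body = msg["body"].lower()

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    # Sender identity: compare with the vendor record, including where replies would go.
    if sender.split("@")[1] not in vendor["domains"]:
        hit(4, "sender domain is not on the vendor record")
    elif sender not in vendor["contacts"]:
        hit(2, "sender is on the vendor domain but is not a known contact")
    reply_to = msg.get("reply_to", "").lower()
    if reply_to and reply_to.split("@")[1] not in vendor["domains"]:
        hit(4, f"reply-to diverts the conversation to {reply_to}")

    # Payment instructions: any IBAN that is not the one on file is the core VEC signal.
    for iban in extract_ibans(msg["body"]) - {vendor["iban"]}:
        hit(5, f"IBAN {iban} differs from the vendor record")
        if not iban_valid(iban):
            hit(1, f"IBAN {iban} fails the mod-97 check")
    payment_request = any(p in body for p in PAYMENT_PHRASES)
    if any(p in body for p in BYPASS_PHRASES):
        hit(3, "message discourages out-of-band verification")

    # Relationship context: who normally talks to whom, and how recently.
    last_seen = HISTORY.get((sender, msg["to"].lower()))
    if last_seen is None:
        hit(2, "no prior history between sender and recipient")
    elif payment_request and now - last_seen > DORMANT:
        hit(3, f"dormant thread ({(now - last_seen).days} days) resumed with a payment request")
    return score, reasons


# Constructed samples: a VEC attempt from the real vendor mailbox, and a routine invoice.
VEC_MESSAGE = {
    "vendor": "acme-supply", "from": "billing@acme-supply.example", "to": "ap@example.com",
    "reply_to": "billing@acme-supply-invoices.example",
    "body": ("Hi, following our bank migration our bank details have changed. "
             "Please remit to IBAN GB82WEST12345698765432 from now on. "
             "No need to call, just update the record before the cutoff."),
}
ROUTINE_MESSAGE = {
    "vendor": "acme-supply", "from": "billing@acme-supply.example", "to": "procurement@example.com",
    "body": "Attached is invoice 4471 for May, payable per our usual terms.",
}

if __name__ == "__main__":
    for name, msg in (("VEC attempt", VEC_MESSAGE), ("routine invoice", ROUTINE_MESSAGE)):
        score, reasons = score_message(msg)
        print(f"{name}: score {score}; " + "; ".join(reasons))
```

Note that the sender and authentication checks contribute nothing for the VEC sample: the mail genuinely comes from the vendor's mailbox, which is the point of the article. The score comes entirely from the payment and relationship context, and a high score should route the message to the out-of-band verification step rather than block it, since a real vendor does occasionally change banks.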

Prepare for Downstream Attacks

When one mailbox is compromised, the response should not stop at password reset. Security teams should review sent items, deleted items, inbox rules, forwarding settings, OAuth grants, MFA changes, file access, and emails sent to customers or vendors.

A compromised account may already have launched secondary attacks before the organization notices the initial compromise.

Conclusion

Account takeover is not just an identity problem. It is an email security problem, a vendor-risk problem, and a business-process problem.

Once attackers control a real mailbox, they can bypass authentication-based trust, hijack conversations, impersonate employees, manipulate vendors, and launch downstream attacks against customers and partners. BEC and VEC are often the visible result, but the root issue is deeper: attackers are learning how businesses communicate and then using that knowledge against them.

Organizations that want to stop these attacks need to verify trust continuously. That means combining identity controls, mailbox monitoring, vendor intelligence, behavioral detection, and clear approval workflows before a trusted email becomes a costly decision.

Find out where financial fraud can enter through your inbox.

Book a short fraud prevention review and we'll walk through how your team currently handles supplier emails, payment-detail changes, invoice fraud risk, and Microsoft 365 email security gaps.