Abnormal AI, the leader in behavioral AI security, today released its 2026 Attack Landscape Report. Analyzing nearly 800,000 email attacks across 4,600+ organizations between July and December 2025, the findings reveal a fundamental shift in cybercrime: attackers are moving away from exploiting technical vulnerabilities and instead targeting behavioral and organizational ones—using highly tailored attacks that exploit trusted relationships and routine workflows.
While attackers are continuing to exploit internal relationships and trust between colleagues, vendor email compromise (VEC) now accounts for the majority of business email compromise (BEC) attacks, making up 61% of all BEC. As attackers shift toward impersonating trusted vendors, they are increasingly using high-stakes financial workflows to maximize impact.
Among these, billing account update requests stand out as the most dangerous vector, carrying a 26.5% compromise rate, which is dramatically higher than routine invoice inquiries at less than 1%. Unlike invoices, which can blend into high-volume payment workflows, billing updates require organizations to reroute legitimate, ongoing payments, prompting greater scrutiny from finance teams.
As a result, attackers are more likely to compromise real vendor accounts or convincingly replicate trusted relationships, investing additional time in reconnaissance and access. This pattern shows that attackers are selectively investing in more credible, higher-effort scenarios where the financial payoff is greatest and the likelihood of success justifies the added complexity.
Other key findings include:
- Phishing remains the most prevalent threat, accounting for 58% of all attacks, with evasion techniques deployed based on the target. More than one in five phishing attacks (21.6%) now use redirect chains—a tactic that routes victims through multiple URLs to obscure malicious destinations and evade detection by legacy security tools.
- Higher education is uniquely vulnerable to lateral attacks. Nearly one in eight phishing attacks reaching student inboxes originates from a compromised internal account, and 33% of all BEC in the sector is lateral, highlighting how open, high-turnover environments create ideal conditions for internal spread.
- Attackers adjust their tactics based on organizational complexity. In small organizations, VIP impersonation accounts for 43% of internal impersonation attacks because executives are more visible, accessible, and often directly involved in financial decisions, making authority-based requests both plausible and effective. In large enterprises, however, layered approval processes and greater awareness of executive impersonation reduce the effectiveness of this approach, prompting attackers to shift toward employee impersonation and more contextually grounded tactics.
“Modern email attacks are shaped by the institutions they target,” said Piotr Wojtyla, Head of Threat Intel and Platform at Abnormal AI. “Attackers are no longer just trying to circumvent security; they are exploiting the very mechanics of how we work. Whether it’s a fake SharePoint notification in a finance department or a lateral attack from a compromised student account, these threats succeed because they are difficult to distinguish from legitimate business as usual. When that happens, detection becomes a behavioral challenge, requiring AI that continuously learns how people and organizations actually operate.”
To download the full 2026 Attack Landscape Report, visit here.
About Abnormal AI
Abnormal AI is the leading behavioral AI security platform. Our anomaly detection engine analyzes identity and behavioral signals to detect sophisticated attacks and compromised accounts across email and connected applications. Abnormal deploys in minutes via API integration with Microsoft 365 or Google Workspace, with additional protection available for Slack, Workday, ServiceNow, Zoom, and other cloud applications. Abnormal is trusted by thousands of organizations, including more than 25% of the Fortune 500. Learn more at abnormal.ai.
Data note: Unless otherwise stated, all statistics in this press release are from Abnormal AI’s 2026 Attack Landscape Report, based on analysis of email attack activity observed across 4,600+ organizations from July–December 2025 (nearly 800,000 email attacks). Definitions and methodology (including how attacks are categorized and how rates are calculated) are described in the report.
Disclaimer
Statements in this communication that express beliefs or expectations about future events or performance are forward-looking in nature and are based on current assumptions. Actual results may differ materially. Abnormal AI undertakes no obligation to update these statements.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260422236830/en/
Media gallery
