Best Practices

5 Email Security Blind Spots That Could Cost Your Company Millions

You've invested in email security, but are you protecting the right things? These five commonly overlooked vulnerabilities are where modern attackers are focusing their attention.

MailBreach Security

February 21, 2026


We've Been Protecting the Wrong Things

Let me tell you about a conversation I had last month with a CISO at a mid-sized manufacturing company. They'd just finished a $400,000 email security upgrade. New secure email gateway. Advanced threat protection. AI-powered phishing detection. The works.

Two weeks later, they lost $1.2 million to a BEC attack. The attacker never sent a single malicious email through their gateway. They didn't need to.

This is the story of email security in 2026. We're fighting yesterday's war while attackers have moved on to softer targets. Here are the five blind spots that keep showing up in breach after breach.

Blind Spot #1: Mailbox Delegation and Shared Access

Quick question: Do you know who has delegate access to your CEO's mailbox? How about your CFO's? Your head of HR?

Most organizations don't. And that's a problem.

Mailbox delegation is a legitimate feature. Executive assistants need to manage calendars and respond to routine emails. But it's also a powerful persistence mechanism for attackers. Compromise one account, grant delegate access to your target's mailbox, and you've got ongoing access even if the original credentials get rotated.

What makes this dangerous:

  • Delegate access often isn't logged as visibly as direct logins
  • It persists through password changes
  • It's rarely audited or reviewed
  • It looks completely normal to anyone who does check

We've seen cases where delegate access granted during a compromise went unnoticed for over a year. That's a year of reading the CEO's email without ever logging into their account.
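The audit the passage is asking for, as an added example (not MailBreach's code). It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with a role that can read mailbox permissions; the executive mailbox list and the baseline file name are constructed placeholders. It enumerates explicit FullAccess delegates and SendAs trustees on every mailbox, diffs them against last month's approved list, and puts grants on sensitive mailboxes at the top.

```powershell
# Added example, not MailBreach's code. Requires ExchangeOnlineManagement and an open
# Connect-ExchangeOnline session.

# Constructed placeholder: mailboxes that get the closest review.
$sensitiveMailboxes = @('ceo@example.com', 'cfo@example.com', 'hr-director@example.com')

# Constructed placeholder: approved grants from the previous review (columns Mailbox,Grantee,Right).
$baselinePath = '.\delegate-baseline.csv'

$current = @(foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()

    # Explicit FullAccess grants: drop inherited entries, deny entries and the owner's own SELF entry.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $smtp; Grantee = "$($_.User)"; Right = 'FullAccess' } }

    # SendAs lives in a separate permission set and is the one most often skipped in reviews.
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $smtp; Grantee = "$($_.Trustee)"; Right = 'SendAs' } }
})

# Anything absent from the baseline is a new grant that somebody has to explain.
$baseline = if (Test-Path $baselinePath) { @(Import-Csv $baselinePath) } else { @() }
$new = if ($baseline.Count -eq 0) {
    $current   # first run: everything is unreviewed
} else {
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Mailbox, Grantee, Right -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Sensitive mailboxes first (script block sorts $false before $true), then alphabetical.
$new | Sort-Object { $sensitiveMailboxes -notcontains $_.Mailbox }, Mailbox |
    Select-Object Mailbox, Grantee, Right,
                  @{ Name = 'Sensitive'; Expression = { $sensitiveMailboxes -contains $_.Mailbox } } |
    Format-Table -AutoSize

# Once the reviewer has signed off, the current set becomes next month's baseline.
$current | Export-Csv $baselinePath -NoTypeInformation
```

The baseline diff is the part that matters: a one-off listing tells you who has access today, but only the comparison against the previously approved set turns a monthly report into a detection of the grant that appeared during a compromise and was never requested.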

Blind Spot #2: OAuth Application Consent

Your users are constantly being asked to grant permissions to third-party apps. "Sign in with Microsoft." "Allow access to read your email." Most of the time, it's legitimate. Sometimes, it's not.

Malicious OAuth apps are the phishing of 2026. Instead of stealing credentials directly, attackers create apps that request email permissions. User clicks through the consent prompt (we've all done it without reading), and now the attacker has API access to that mailbox. No credentials stolen. No malware installed. Just a persistent API token that works until someone revokes it.

The scary part: These tokens often survive MFA implementation, password changes, and even account suspensions in some configurations. We've seen organizations "remediate" a compromise by forcing password resets, only to discover the attacker still had access through an OAuth grant.
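A way to get the visibility the passage describes, as an added example that is not MailBreach's code. It assumes the Microsoft.Graph PowerShell SDK with a session opened by Connect-MgGraph -Scopes 'Directory.Read.All'; the list of mail-related scopes is my own selection of delegated permission names. It walks every OAuth2 permission grant in the tenant, keeps those that include a mail scope, and reports whether the app is registered outside the tenant, whether it has a verified publisher, and whether the grant was a single user's consent or an admin consent for everyone.

```powershell
# Added example, not MailBreach's code. Requires Microsoft.Graph and
# Connect-MgGraph -Scopes 'Directory.Read.All'.

# Delegated scopes that let an app read, send or reconfigure mail (assumed selection).
$mailScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic', 'Mail.Send',
    'Mail.Read.Shared', 'Mail.ReadWrite.Shared', 'MailboxSettings.ReadWrite',
    'EWS.AccessAsUser.All', 'full_access_as_user',
    'IMAP.AccessAsUser.All', 'POP.AccessAsUser.All', 'SMTP.Send'
)
$myTenant = (Get-MgContext).TenantId
$spCache  = @{}

$findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant    = $_
    $scopes   = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $mailHits = @($scopes | Where-Object { $mailScopes -contains $_ })
    if ($mailHits.Count -eq 0) { return }

    # Resolve the consenting app once per client service principal.
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp = $spCache[$grant.ClientId]

    # 'AllPrincipals' is an admin consent covering every user; 'Principal' is one user's own click-through.
    $who = if ($grant.ConsentType -eq 'AllPrincipals') {
        'ALL USERS'
    } else {
        $u = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
        if ($u) { $u.UserPrincipalName } else { "deleted user $($grant.PrincipalId)" }
    }

    [pscustomobject]@{
        App        = $sp.DisplayName
        AppId      = $sp.AppId
        ForeignApp = ($sp.AppOwnerOrganizationId -ne $myTenant)   # registered in another tenant
        Verified   = [bool]$sp.VerifiedPublisher.DisplayName       # Microsoft-verified publisher present
        GrantedTo  = $who
        MailScopes = ($mailHits -join ' ')
        GrantId    = $grant.Id                                      # needed to revoke the grant
    }
}

# Review order: foreign, unverified apps with tenant-wide mail access come first.
$findings |
    Sort-Object @{ Expression = 'ForeignApp'; Descending = $true },
                @{ Expression = 'Verified' },
                @{ Expression = { $_.GrantedTo -eq 'ALL USERS' }; Descending = $true } |
    Format-Table -AutoSize
```

Microsoft's own first-party apps are registered in Microsoft's tenant, so they show as foreign too; keep an allow-list of expected AppIds rather than reading the raw output cold. A grant you decide to remove goes with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>, which is the step the password reset in the passage never performed.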

Blind Spot #3: Transport Rules and Connectors

At the organizational level, both Microsoft 365 and Google Workspace support mail flow rules that can redirect, copy, or modify messages in transit. These are powerful administrative tools. They're also powerful weapons if an attacker gains admin access.

Imagine a transport rule that BCCs a copy of every email containing "wire transfer" or "payment" to an external address. It operates at the mail flow level, invisible to end users and most security tools.

We've seen:

  • Rules that redirect specific senders to attacker-controlled mailboxes
  • Connectors that route certain domains through external servers
  • Transport rules that strip security headers from incoming mail

These changes often fly under the radar because they're "just configuration." No malware involved. Just someone who shouldn't have admin access making changes that shouldn't be made.
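A review of the mail flow layer described above, as an added example that is not MailBreach's code. It assumes an existing Connect-ExchangeOnline session. It flags transport rules whose copy or redirect actions point outside the tenant's accepted domains, rules that strip headers or override the spam confidence level, and then lists every inbound and outbound connector with the scope and endpoint a reviewer needs to judge it.

```powershell
# Added example, not MailBreach's code. Requires an open Connect-ExchangeOnline session.

$acceptedDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() })

function Test-External([string[]]$addresses) {
    # True if any recipient address lies outside the tenant's accepted domains.
    foreach ($a in $addresses) {
        $domain = ($a -split '@')[-1].ToLower()
        if ($acceptedDomains -notcontains $domain) { return $true }
    }
    return $false
}

$ruleFindings = foreach ($rule in Get-TransportRule) {
    $reasons = @()

    # Actions that copy or divert mail somewhere else; external targets are the classic BCC-to-attacker rule.
    foreach ($action in 'BlindCopyTo', 'RedirectMessageTo', 'CopyTo', 'AddToRecipients') {
        $targets = @($rule.$action | Where-Object { $_ })
        if ($targets.Count -gt 0 -and (Test-External $targets)) {
            $reasons += "$action -> $($targets -join ',')"
        }
    }

    # Actions that weaken downstream filtering for everything the rule matches.
    if ($rule.RemoveHeader)      { $reasons += "RemoveHeader $($rule.RemoveHeader)" }
    if ($null -ne $rule.SetSCL)  { $reasons += "SetSCL $($rule.SetSCL)" }   # -1 bypasses spam filtering

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Rule     = $rule.Name
            State    = $rule.State
            Priority = $rule.Priority
            Changed  = $rule.WhenChanged
            Why      = ($reasons -join ' | ')
        }
    }
}

# Connectors: a wildcard recipient scope on an outbound connector, or a sender domain on an inbound
# connector that is trusted as internal, deserves the same scrutiny as a forwarding rule.
$connectorFindings = @(
    Get-InboundConnector | ForEach-Object {
        [pscustomobject]@{
            Kind     = 'Inbound'
            Name     = $_.Name
            Enabled  = $_.Enabled
            Type     = $_.ConnectorType
            Scope    = ($_.SenderDomains -join ',')
            Endpoint = ($_.SenderIPAddresses -join ',')
            Internal = $_.TreatMessagesAsInternal
            Changed  = $_.WhenChanged
        }
    }
    Get-OutboundConnector | ForEach-Object {
        [pscustomobject]@{
            Kind     = 'Outbound'
            Name     = $_.Name
            Enabled  = $_.Enabled
            Type     = $_.ConnectorType
            Scope    = ($_.RecipientDomains -join ',')
            Endpoint = ($_.SmartHosts -join ',')
            Internal = $null
            Changed  = $_.WhenChanged
        }
    }
)

$ruleFindings      | Sort-Object Changed -Descending | Format-Table -AutoSize
$connectorFindings | Sort-Object Changed -Descending | Format-Table -AutoSize
```

WhenChanged is shown on purpose: a rule or connector modified during the window of a suspected compromise is the first thing to compare against the change ticket that should exist for it.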

Blind Spot #4: Mobile Device Mail Profiles

Here's one that almost nobody checks: mobile devices.

When users set up email on their phones, those devices get registered. Some get managed through MDM. Many don't. And even the managed ones often have less visibility than desktop clients.

Attackers who compromise an account will often set up a mail profile on a device they control. Even after the account is secured, that device might retain a valid token. We've seen cases where attackers maintained access for months through a phone profile that nobody thought to check.

The mobile angle also enables:

  • Bypassing conditional access policies that focus on desktop/web
  • Avoiding security tools that only inspect on certain platforms
  • Maintaining access through "forgotten" device registrations
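The device inventory this section says almost nobody builds, as an added example that is not MailBreach's code. It assumes an existing Connect-ExchangeOnline session; the review window is a constructed placeholder. It lists every mobile device partnership on every user mailbox with its first and last sync, then separates partnerships created inside the window (each should match a real enrolment) from stale ones that still hold a usable token.

```powershell
# Added example, not MailBreach's code. Requires an open Connect-ExchangeOnline session.

# Constructed placeholder: start of the review window or of a suspected compromise.
$since = (Get-Date).AddDays(-30)

$devices = @(foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($dev in Get-MobileDevice -Mailbox $mbx.Identity) {
        # The device object carries identity and access state; the statistics carry sync timestamps.
        $stats = Get-MobileDeviceStatistics -Identity $dev.Identity
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress.ToString()
            Device      = $dev.FriendlyName
            Model       = $dev.DeviceModel
            OS          = $dev.DeviceOS
            Client      = $dev.ClientType          # protocol the partnership uses
            AccessState = $dev.DeviceAccessState   # Allowed, Blocked, Quarantined or DeviceDiscovery
            FirstSync   = $dev.FirstSyncTime
            LastSync    = $stats.LastSuccessSync
            Identity    = $dev.Identity            # needed for Remove-MobileDevice
        }
    }
})

# Partnerships that appeared inside the window: each one should map to a user-initiated enrolment.
$recent = $devices | Where-Object { $_.FirstSync -and $_.FirstSync -ge $since }

# Partnerships nobody has used for 90 days: a valid token with no business value attached to it.
$stale = $devices | Where-Object { $_.LastSync -and $_.LastSync -lt (Get-Date).AddDays(-90) }

"New partnerships since $($since.ToShortDateString()):"
$recent | Sort-Object FirstSync -Descending | Format-Table Mailbox, Device, Model, Client, AccessState, FirstSync -AutoSize

'Stale partnerships (no successful sync in 90 days):'
$stale | Sort-Object LastSync | Format-Table Mailbox, Device, Model, Client, LastSync -AutoSize
```

A partnership the user does not recognise is removed with Remove-MobileDevice -Identity <Identity>, which invalidates that device's ability to sync regardless of the account password. Whether the same device can simply re-enrol afterwards is decided by your conditional access policy for Exchange ActiveSync, which is the gap the first bullet above is pointing at.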

Blind Spot #5: Archive and Retention Settings

Last but definitely not least: what happens to email after it's deleted?

Most organizations have some form of retention policy. Deleted items might be recoverable for 14 days, 30 days, or longer. eDiscovery might hold copies of everything for years. These features exist for good reasons—compliance, legal holds, business continuity.

But from an attacker's perspective, they're gold mines.

If I compromise an account today and find it's been compromised before, I might be able to recover deleted emails from months or years ago. If I'm conducting corporate espionage, I might focus on recovering deleted emails that contain information people thought was gone.

We've also seen attackers:

  • Modify retention policies to speed up deletion of evidence
  • Create legal holds on specific mailboxes to preserve access to data
  • Use archive features to access historical communications

Closing the Gaps

So what's the solution? You can't protect what you can't see. That's the uncomfortable truth.

These blind spots exist because most email security is focused on the message layer—what's coming in, what's going out, is it malicious. But modern email compromise increasingly happens at the configuration layer. Rules. Permissions. Delegates. Settings.

Here's the minimum you should be doing:

  1. **Audit mailbox permissions regularly.** Delegates, folder permissions, send-as rights—all of it. Monthly at minimum.
  2. **Review OAuth applications.** What apps have access to your users' mailboxes? You need visibility and a way to revoke suspicious grants.
  3. **Monitor administrative changes.** Transport rules, connectors, and tenant-level settings should trigger alerts when modified.
  4. **Include mobile in your security model.** Know what devices are registered. Have a process to audit and revoke.
  5. **Understand your retention landscape.** What's being kept? Who can access it? How would you know if someone was mining your archives?
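The monitoring that step 3 calls for, covering all five blind spots (including the retention and hold changes from Blind Spot #5), as an added example that is not MailBreach's code. It assumes an existing Connect-ExchangeOnline session and that unified audit logging is enabled; the operation list is my own selection of audit log operation names. It pulls the last day of configuration-layer changes from the unified audit log, drops the noisy Set-Mailbox events that do not touch holds or forwarding, and produces one row per change with actor, target and parameters, which is the shape an alert needs.

```powershell
# Added example, not MailBreach's code. Requires an open Connect-ExchangeOnline session
# and unified audit logging enabled for the tenant.

$operations = @(
    # Blind Spot 1: delegate, send-as and folder permission grants
    'Add-MailboxPermission', 'Add-RecipientPermission', 'Add-MailboxFolderPermission',
    # Blind Spot 2: consent events written by Entra ID into the same unified log
    'Consent to application.', 'Add delegated permission grant.', 'Add service principal.',
    # Blind Spot 3: mail flow configuration
    'New-TransportRule', 'Set-TransportRule',
    'New-InboundConnector', 'Set-InboundConnector', 'New-OutboundConnector', 'Set-OutboundConnector',
    # Blind Spot 5 plus mailbox-level forwarding and inbox rules
    'Set-RetentionPolicy', 'Set-RetentionPolicyTag', 'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule'
)

# Set-Mailbox is constant background noise; only these parameters matter for this review.
$mailboxParamsOfInterest = @(
    'LitigationHoldEnabled', 'RetentionPolicy', 'RetainDeletedItemsFor',
    'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'
)

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
               -Operations $operations -ResultSize 5000 -SessionCommand ReturnLargeSet

$alerts = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json   # AuditData is a JSON string per record

    # Exchange admin records carry a Parameters array of Name/Value pairs; Entra records do not.
    $params = @{}
    foreach ($p in @($d.Parameters)) { if ($p.Name) { $params[$p.Name] = $p.Value } }

    if ($d.Operation -eq 'Set-Mailbox') {
        $hits = @($params.Keys | Where-Object { $mailboxParamsOfInterest -contains $_ })
        if ($hits.Count -eq 0) { continue }
    }

    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Target    = $d.ObjectId
        Details   = (($params.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
    }
}

$alerts | Sort-Object When | Format-Table -AutoSize
```

ReturnLargeSet can hand back duplicate records and only the first page of a large result set, so a production version loops on -SessionId until no records return and de-duplicates on the record Identity before raising alerts. The value of this query is that every change above is visible with its actor, and a rule, grant or hold created by an account that is not on your admin roster is exactly the "just configuration" change the previous section says nobody looks at.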

The Bigger Picture

Email security has evolved, but so have the attackers. They're not trying to sneak malware past your gateway—they're looking for configuration weaknesses that let them operate invisibly for months or years.

The organizations that avoid the next headline-grabbing breach won't be the ones with the fanciest email gateway. They'll be the ones who closed these blind spots before attackers could exploit them.

The question is: which one will you be?


MailBreach provides continuous visibility into the configuration layer of your email environment—the forwarding rules, delegates, and settings that attackers exploit. See what you've been missing.
