MEDIUM Attacks SC Media

Beyond the inbox: Why your domain and social media are the next front lines

  • What: Attackers are using domain infrastructure and social media to bypass email security
  • Impact: Increased risk of phishing and business email compromise

May 7, 2026
By Paul Wagenseil

For decades, email security has centered on filtering malicious messages, blocking attachments, and, more recently, enforcing authentication protocols like SPF, DKIM and DMARC.

Attackers, sadly, can now bypass these defenses. Instead of breaking into your inbox, they steer around it by exploiting domain infrastructure, DNS misconfigurations, and social-media trust to launch highly effective phishing and business email compromise (BEC) campaigns.

Malicious messages without payloads or embedded links are sent from hijacked subdomains. Spoofed social-media accounts cajole customers into giving up sensitive company or personal information. Phishing pages on lookalike domains lure in the unwary.

The result is a new threat landscape where brand impersonation, not inbox infiltration, is the primary attack vector — and your brand's reputation, as well as your organization's assets, are on the line.

How attackers bypass traditional email security

Modern phishing campaigns can dodge detection by avoiding red flags like attachments or malicious links in email messages. They exploit trust rather than technical vulnerabilities.

One tactic is a classic confidence scheme: Draw the target into an ongoing dialogue lasting days or even weeks and build up a rapport through pleasant interactions before subtly moving in for the kill.

"They're pivoting away from the typical phishing and virus-linking attachments and gearing more towards what I like to call conversational phishing, which has no weaponized payload, no nothing," explains Faisal Misle, Technical Lead at email-security provider Red Sift. "It's kind of like a long con."

These schemes may start with routine business requests, such as a polite payment reminder or a job application, and gradually escalate into financial manipulation. Because the messages carry no malware or suspicious links, they can often evade secure email gateways.

"It pretty much goes under the radar because the HR and finance people are not particularly tech-savvy and they're dealing with three thousand things at once, and it's not an unusual request," explains Misle.

These schemes are propped up by external infrastructure designed to fool the target. Lookalike domains can host convincing login pages — for example, "micro-soft.com" instead of "microsoft.com." Adversaries may send emails from hijacked subdomains (e.g. "attacker.microsoft.com") in a technique that Red Sift calls SubdoMailing.

Social media adds another layer of deception. Fake executive profiles or customer service accounts can be used for reconnaissance or direct fraud, as can hijacked social-media accounts.

Real-world incidents, such as a recent incident in which a bogus trucking company stole $400,000 of fresh lobster from Costco, show how simple domain spoofing can enable large-scale theft without ever touching a corporate inbox.

"Besides stealing your financial information, it also damages your reputation," says Misle. "Once it gets discovered or things start going missing, whether it's money or lobsters, it's a hit to your reputation."

How to implement a layered defense strategy

Defending against domain-stealing and domain-spoofing threats requires a layered domain-defense approach. The DMARC email security solution makes sure that legitimate domains can't be spoofed directly, but it's only the starting point.

The next step is to extend protection to your DNS listings and domain infrastructure. Continuous DNS monitoring can spot misconfigurations such as dangling records that could allow subdomain hijacking.
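
The dangling-record check described above, as an added example (not from the article or from Red Sift's tools): it walks a zone export, follows CNAME chains, and flags names whose final target no longer resolves. The zone data, the `.example` hostnames and the function names are constructed for illustration.

```python
import socket

# Constructed zone export for a hypothetical domain: (name, type, value).
ZONE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("mail.example.com", "CNAME", "www.example.com"),
    ("shop.example.com", "CNAME", "store.example.com"),
    ("store.example.com", "CNAME", "example-shop.saas-host.example"),
    ("promo.example.com", "CNAME", "old-campaign.retired-cdn.example"),
]
# Constructed stand-in for live DNS so the example runs offline.
STILL_LIVE = {"example-shop.saas-host.example"}


def system_resolves(host):
    """Live check for real use. Any lookup failure counts as unresolvable,
    so re-check hits before acting on them (could be a transient error)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def norm(name):
    return name.lower().rstrip(".")


def find_dangling(zone, resolves=system_resolves, max_hops=8):
    """Return [(record_name, final_target)] for CNAMEs that end nowhere."""
    cnames = {norm(n): norm(v) for n, t, v in zone if t == "CNAME"}
    with_addr = {norm(n) for n, t, _ in zone if t in ("A", "AAAA")}
    findings = []
    for name in sorted(cnames):
        target, hops = cnames[name], 1
        # Follow CNAME chains inside the zone to the final target.
        while target in cnames and hops < max_hops:
            target, hops = cnames[target], hops + 1
        if target in with_addr:
            continue  # ends at an address record we publish ourselves
        if target in cnames or not resolves(target):
            findings.append((name, target))  # loop, or target is gone
    return findings


if __name__ == "__main__":
    for name, target in find_dangling(ZONE, resolves=lambda h: h in STILL_LIVE):
        print(f"dangling: {name} -> {target}")
```

A target that still resolves can also be dangling if the third-party resource behind it has been released, so this check covers only the unresolvable case.
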
Automated domain discovery helps detect lookalike domains before they can be weaponized. Tools like Red Sift's OnDMARC and DNS Guardian combine authentication and DNS hygiene to reduce exposure.

Equally important is monitoring your brand. Attackers can easily create fake social-media profiles or register deceptive domains that look like yours, but early detection will let you rapidly take them down.

"Spinning up fake profiles is trivial, and you can't really stop it, but you can get ahead of it," says Misle. "Detect quick and neutralize quick."

Solutions such as Red Sift's BrandTrust and attack surface management shine a light on these external threats, including whether any of your organization's digital certificates, essential for secure online transactions, have been compromised.

"With certificate asset discovery," Misle adds, "you can see if somebody's spinning up assets using your name, or they may have compromised a CA [certificate authority] to get certificates on your behalf."

Finally, make human verification part of your regular workflows. If you're getting a request for a high-risk or high-value transaction, secondary validation, such as a phone call or another out-of-band communication, remains one of the most effective defenses against BEC.

"Always double-verify," says Misle. "Even if it's somebody you speak with weekly, always double verify via a second option, whether that's a text message, or a fresh e-mail to the address you know works, or a phone call."

And if it's suspiciously well-written yet strangely impersonal, that should raise eyebrows too.

"AI has a very distinctive way of phrasing certain things," he adds. "If it sounds like it could be machine-generated, maybe do a double take and again perform additional validation."

Why security teams need full attack surface visibility

Attackers have access to tools, often powered by AI, that let them quickly map your organization's external-facing assets.

"AI is giving full attack-surface visibility to the bad guys," says Misle. "You should get the same level of visibility the bad guys have so that you can know where your weaknesses are."

"Because AI's been commoditized," he adds, "anybody can now poke holes in your attack surface that were previously reserved for nation-state hackers with unlimited resources."

Email is no longer the primary battleground of phishing or business email compromise. It's just one vector among many. Domains, DNS records, certificates, and social-media accounts are all potential entry points, and security teams that focus solely on inbox protection leave critical gaps exposed.

To plug these holes, your organization needs to adopt continuous attack surface monitoring, integrating data from certificate transparency logs, DNS records and external asset inventories. With this wider scope, you can enable proactive defenses and your teams can spot and stop threats before they reach users.

Phishing and BEC attacks have shifted from exploiting inbox vulnerabilities to exploiting brand trust. Effective defense requires broadening your domain-authentication scope beyond email messages to encompass your organization's entire digital presence.

Protecting the inbox isn't enough when the battle is being fought everywhere your brand exists.

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.