Intelligence
High | Campaign | Active

Email account compromise as identity system attack vector: why attackers prioritise inbox access

Cybercriminals target email accounts as a primary objective because inbox control grants access to password resets, financial accounts, and identity verification across an individual's digital footprint. This represents a fundamental shift in attack prioritisation from specific services to the authentication hub itself.

Sebastion

Affected

Email service users (all providers)
Identity verification systems

The threat model described by ESET reflects a mature attacker understanding of digital infrastructure: email inboxes serve as de facto identity verification systems across consumer and enterprise environments. Whoever controls an email account controls access to password reset flows, two-factor authentication codes, sensitive communications, and often personal identity documents stored in cloud services. This makes inbox compromise a high-value objective that precedes lateral movement into banking, social media, cryptocurrency, and professional accounts.

Attackers recognise that most users lack segmentation between their email and other critical services. The same inbox receives both personal communications and authentication tokens for financial accounts, work systems, and subscription services. A single compromised email account cascades into compromise of dependent systems without requiring attackers to crack individual passwords. This explains why email-targeted attacks, including phishing, credential stuffing, and SIM-swapping, remain prevalent despite decades of security awareness.

The practical implication for defenders is that email security cannot be treated as equivalent to other security domains. Email compromise requires elevated defensive controls: enforced multi-factor authentication resistant to SIM-swap attacks (FIDO2 hardware keys or authenticator apps), monitoring for unusual account access patterns, and user education focused specifically on email targeting rather than generic phishing awareness. Organisations should assume that compromised email means compromised identity across all linked services.
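One way to monitor for the access pattern described above, as an added example that is not from ESET or the original page: it flags a mailbox login from a previously unseen IP that is followed shortly by password-reset mail from several distinct services. The event tuple layout, the subject-line regex, the 30-minute window and the two-service threshold are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed heuristic for spotting account-recovery mail by subject line.
RESET_RE = re.compile(r"reset your password|password reset|verification code", re.I)

# Constructed sample events (not real telemetry): (time, account, kind, value, subject)
# kind "login" -> value is the source IP; kind "mail" -> value is the sender domain.
SAMPLE = [
    ("2024-05-01T08:00", "alice@example.com", "login", "198.51.100.10", ""),
    ("2024-05-01T09:15", "alice@example.com", "mail", "news.example", "Weekly digest"),
    ("2024-05-02T03:02", "alice@example.com", "login", "203.0.113.77", ""),
    ("2024-05-02T03:05", "alice@example.com", "mail", "bank.example", "Reset your password"),
    ("2024-05-02T03:09", "alice@example.com", "mail", "exchange.example", "Your verification code"),
    ("2024-05-02T03:20", "alice@example.com", "mail", "social.example", "Password reset requested"),
    ("2024-05-01T10:00", "bob@example.com", "login", "198.51.100.20", ""),
    ("2024-05-02T11:00", "bob@example.com", "login", "198.51.100.99", ""),
    ("2024-05-02T11:05", "bob@example.com", "mail", "shop.example", "Reset your password"),
]

def find_reset_cascades(events, window_minutes=30, min_services=2):
    """Flag accounts where a login from a previously unseen IP is followed,
    within the window, by reset mail from several distinct services."""
    known_ips = {}  # account -> IPs seen so far (the first login seeds the baseline)
    watches = {}    # account -> (login time, new IP, reset sender domains seen)
    alerts = []
    for ts, account, kind, value, subject in sorted(events):  # ISO times sort in order
        when = datetime.fromisoformat(ts)
        if kind == "login":
            seen = known_ips.setdefault(account, set())
            if seen and value not in seen:
                watches[account] = (when, value, set())  # start a new watch window
            seen.add(value)
        elif kind == "mail" and account in watches and RESET_RE.search(subject):
            start, ip, services = watches[account]
            if when - start <= timedelta(minutes=window_minutes):
                services.add(value)
                if len(services) == min_services:  # alert once per watch window
                    # The set is shared, so later resets in the window appear too.
                    alerts.append({"account": account, "ip": ip,
                                   "login": start.isoformat(), "services": services})
    return alerts

if __name__ == "__main__":
    for alert in find_reset_cascades(SAMPLE):
        print(alert["account"], alert["ip"], sorted(alert["services"]))
```

A single reset after a new-IP login (the bob@example.com events) stays below the threshold, which keeps ordinary travel or device changes from alerting.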

From a broader perspective, this attack prioritisation exposes a systemic architectural weakness in how digital identity is implemented. Email was never designed as an identity system, yet became one through accumulation of integrations and user convenience. Until email is replaced by purpose-built identity infrastructure with proper isolation, email compromise will remain a critical attack path.