Email remains as much of a target for attackers as it's always been, but as the mailbox has become a skeleton key to the rest of users' digital identities, traditional identity security strategies need reframing.
Most ITDR strategies have a blind spot
The security industry has spent considerable time, effort, and money building security around our digital identities. We’ve rolled out Single Sign-On (SSO) to centralize access, enforced Multi-Factor Authentication (MFA) to validate that access, and invested in Identity Threat Detection and Response (ITDR) platforms to monitor everything. We have dashboards to show us suspicious logins and impossible travel.
And yet, attackers are still waltzing through the front door far too often.
The problem is that for all our focus on the point of login, we've neglected to evolve the security around the system of record that underpins the entire security lifecycle: the user's primary mailbox.
In the modern cloud workspace, the inbox has become the de facto skeleton key to a user's digital life. If your ITDR strategy doesn't start there, you're not just missing a step of the attack; you're missing what is often its initial stage and the nexus for lateral spread.
More than just messages: inbox as identity hub
The role of the email account has quietly evolved. It's no longer just a communication tool; it's the central nervous system of our digital identity and the trusted recovery path for nearly every other system we use.
Consider some of its core functions today:
- The universal reset button: Whenever the password to a non-federated app or system is forgotten, the “Forgot Password” button sends links and codes straight to the inbox. Control that inbox, and you control the password of every other application that relies on its own, app-specific password.
- The MFA backdoor: While we push for phishing resistant authenticators, many services still default to sending MFA codes and prompts via email as a primary or backup method.
- The SSO paper trail: Every new application provisioned through an IdP like Okta or Azure AD sends a notification email. This provides a convenient, searchable roadmap for an attacker who’s compromised that inbox.
- The data repository: The mailbox isn't just chock full of identity workflows; it's also often the largest unstructured data store in an organization, containing everything from credentials and API keys to sensitive PII, corporate strategy, and critical IP.
All of the above is a big reason email remains one of the most common attack points: the mailbox is a singularly valuable target for attackers looking to escalate a simple intrusion into a full-blown account takeover (ATO).
From inbox access to domain compromise
Traditional identity detection and response tools are built to look for the loud, obvious signs of a compromise: impossible travel, rapid successions of failed logins, logins from new countries or locations. But a mailbox-driven attack is usually far quieter and more insidious.
The attack chain is often brutally efficient:
- Initial access: The dominoes start falling with a standard phishing email, a spearphishing message, or a credential stuffing attack that hands the attacker a live session or the credentials themselves.
- Silent reconnaissance and persistence: Once a sophisticated attacker has control of the mailbox, they're going to be careful not to trip any obvious alarms. They'll start setting up email rules like auto-forwarding, and searching for keywords (“password,” “confidential,” “Okta,” etc.).
- The pivot: Once the attacker finds identity verification emails from a critical third-party application, they'll navigate to that service's login page, click the “forgot password” button, and get a password reset link sent to the inbox they already control.
- Escalation and takeover: With the password reset, the attacker now has a verified session in a second system, completely bypassing the corporate IdP and its monitoring.
By the time a conventional ITDR tool detects a suspicious login to one of these systems, it's too late. The attacker has already established a new beachhead, and you have limited to no visibility into how they got there, because it all originated inside the trusted, unmonitored walls of the mailbox.
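The reconnaissance and persistence step above leaves a trace that login-centric tooling never looks at: the mailbox audit trail. The following is an added example, not code from the original post or from Material Security, that scores rule-change events for the three hallmarks of an attacker-created rule (forwarding outside the organization, filtering on recovery vocabulary, and hiding the matched mail from the owner). The events are constructed; their shape is a simplified stand-in for an audit log whose New-InboxRule / Set-InboxRule operations carry Name/Value parameters, as Exchange Online's does, and the envelope field names (Operation, UserId, ClientIP, Parameters) are assumptions for this example.

```python
"""Detect attacker-style inbox-rule changes in mailbox audit events.

Added example, not code from the original post or from Material Security.
The events below are constructed. Their shape is a simplified stand-in for an
audit log whose rule operations carry a list of Name/Value parameters; the
envelope field names ('Operation', 'UserId', 'ClientIP', 'Parameters') are
assumptions made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed: the organization's own mail domains. Forwarding anywhere else is external.
INTERNAL_DOMAINS = {"example.com"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ["ForwardAsAttachmentTo", "ForwardTo", "RedirectTo"]
HIDING_PARAMS = ["DeleteMessage", "MarkAsRead", "MoveToFolder"]
KEYWORD_PARAMS = ["BodyContainsWords", "SubjectContainsWords", "SubjectOrBodyContainsWords"]
# Terms from the post's reconnaissance step plus common account-recovery vocabulary.
SENSITIVE_TERMS = {"password", "confidential", "okta", "reset", "verification", "mfa"}
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def _split(value: str) -> list[str]:
    """Audit values list several items separated by ';' or ','."""
    return [v.strip().strip("<>").lower() for v in value.replace(";", ",").split(",") if v.strip()]


def _external_recipients(value: str) -> list[str]:
    return [a for a in _split(value) if "@" in a and a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]


def assess_rule_event(event: dict) -> Finding | None:
    """Score one audit event; return a Finding when it reaches ALERT_THRESHOLD, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    f = Finding(event.get("UserId", "<unknown>"), event["Operation"], params.get("Name", "<unnamed>"))

    # 1. Exfiltration path: the rule copies or redirects mail outside the organization.
    for p in FORWARDING_PARAMS:
        if p in params and (ext := _external_recipients(params[p])):
            f.score += 5
            f.reasons.append(f"{p} sends mail to external address(es): {', '.join(ext)}")

    # 2. Targeting: the rule filters on recovery / credential vocabulary.
    for p in KEYWORD_PARAMS:
        if p in params and (hits := sorted(w for w in _split(params[p]) if w in SENSITIVE_TERMS)):
            f.score += 3
            f.reasons.append(f"{p} matches sensitive terms: {', '.join(hits)}")

    # 3. Concealment: matched mail is deleted, moved or marked read so the owner never sees it.
    for p in HIDING_PARAMS:
        if p in params and params[p].lower() not in ("", "false"):
            f.score += 2
            f.reasons.append(f"{p}={params[p]} hides matching mail from the mailbox owner")

    # 4. Low-effort naming: rules called '.', '..' or a single character are a common tell.
    if len(f.rule_name.strip(".")) <= 1:
        f.score += 1
        f.reasons.append(f"terse rule name {f.rule_name!r}")

    return f if f.score >= ALERT_THRESHOLD else None


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in (assess_rule_event(e) for e in events) if f]


# Constructed sample events: one attacker-style rule, one benign housekeeping rule,
# and one unrelated operation the scanner must ignore.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "password;Okta;reset"},
         {"Name": "ForwardTo", "Value": "archive.helpdesk@mail-example.net"},
         {"Name": "DeleteMessage", "Value": "True"},
     ]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@example.com"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding.__dict__, indent=2))
```

Only Alice's rule crosses the threshold: it forwards externally, filters on recovery terms, deletes the originals and has a one-character name. Bob's folder-sorting rule scores below the threshold, which is the point of weighting the signals rather than alerting on every rule change.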
Connecting the dots: an email-centric approach to identity defense
If the mailbox is the root of most of the problems, then securing it must be at the core of the solution. Just as effective email security needs to go beyond perimeter defenses to the context and content of the mailbox itself, so too must an effective ITDR strategy.
This requires a broader set of capabilities than what you’ll find in most identity security toolboxes:
- Deep visibility: access logs are a great start, but you need to see and understand what’s going on inside the mailbox. That means understanding what data, app-specific passwords, and other critical material resides in the mailbox, and knowing when they’re accessed.
- Risk-based access control: not all data is created equal, and access shouldn't be binary. Access should take into account the sensitivity of the data in question and balance security with the need for that information in day-to-day operations. A modern approach can apply just-in-time access to information: requiring a user to re-authenticate with phishing-resistant MFA before accessing high-risk historical email content, for example.
- Contextual response: by connecting broader identity detections with context and events across not just the mailbox but the entire cloud office, security teams can take more intelligent action, quicker. For example, you can automatically lock down access to sensitive emails or revoke sessions if a user’s account shows other signs of suspicious behavior, blocking the attacker’s ability to exfiltrate data and move laterally and blocking the ATO.
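The risk-based access and contextual response points above can be expressed as a single policy decision: classify the message, look at how strongly and how recently the session authenticated, and check for other compromise indicators on the account before releasing sensitive content. The following is an added example, not code from the original post or from Material Security, showing one such policy. The messages, sessions, thresholds and the allow / step_up / deny outcomes are constructed for the example.

```python
"""Just-in-time, risk-based access to mailbox content.

Added example, not code from the original post or from Material Security.
Messages, sessions, thresholds and the 'allow' / 'step_up' / 'deny' outcomes
below are this example's own constructed design for the capability the post
describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed policy thresholds.
HISTORICAL_AFTER_DAYS = 30     # mail older than this is "historical" and needs fresh strong auth
STRONG_AUTH_MAX_AGE_MIN = 15   # how recent a phishing-resistant factor must be for high-risk reads
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}

# Patterns that mark a message as recovery or credential material.
RECOVERY_PATTERNS = [
    re.compile(r"\breset your password\b", re.I),
    re.compile(r"\b(verification|one-time|security) code\b", re.I),
    re.compile(r"\bapp(-|\s)?specific password\b", re.I),
    re.compile(r"\bapi[\s_-]?key\b", re.I),
]


@dataclass
class Session:
    user: str
    factor: str                 # factor behind the current session, e.g. "password", "otp", "passkey"
    minutes_since_factor: int   # age of that authentication
    risk_signals: set[str] = field(default_factory=set)  # e.g. {"external_forwarding_rule"}


@dataclass
class Message:
    msg_id: str
    age_days: int
    subject: str
    body: str


@dataclass
class Decision:
    outcome: str          # "allow", "step_up" or "deny"
    reason: str
    revoke_session: bool = False


def classify(msg: Message) -> str:
    """'recovery' if the message carries reset links, codes or secrets, else 'routine'."""
    text = f"{msg.subject}\n{msg.body}"
    return "recovery" if any(p.search(text) for p in RECOVERY_PATTERNS) else "routine"


def decide(session: Session, msg: Message) -> Decision:
    """Contextual response first, then data sensitivity, then age of the content."""
    # An account already showing compromise indicators gets nothing, and the session
    # is revoked so a hijacked token cannot be reused to read or forward mail.
    if session.risk_signals:
        signals = ", ".join(sorted(session.risk_signals))
        return Decision("deny", f"active risk signals: {signals}", revoke_session=True)

    sensitivity = classify(msg)
    historical = msg.age_days > HISTORICAL_AFTER_DAYS
    if sensitivity == "routine" and not historical:
        return Decision("allow", "routine, recent content")

    # High-risk content: recovery material or historical mail. Release it only behind a
    # phishing-resistant factor that was used recently; otherwise demand a step-up.
    fresh_strong = (session.factor in PHISHING_RESISTANT
                    and session.minutes_since_factor <= STRONG_AUTH_MAX_AGE_MIN)
    label = sensitivity + (" (historical)" if historical else "")
    if fresh_strong:
        return Decision("allow", f"{label} content, recent phishing-resistant auth")
    return Decision("step_up", f"{label} content requires fresh phishing-resistant MFA")


# Constructed sample data.
RESET_MAIL = Message("m1", 2, "Reset your password", "Click to reset your password for the ExampleCRM account.")
OLD_ROUTINE = Message("m2", 400, "Q3 offsite agenda", "Agenda attached.")
NEW_ROUTINE = Message("m3", 1, "Lunch?", "Noon works for me.")

PASSWORD_SESSION = Session("alice@example.com", "password", 5)
PASSKEY_SESSION = Session("alice@example.com", "passkey", 3)
STALE_PASSKEY = Session("alice@example.com", "passkey", 480)
FLAGGED_SESSION = Session("alice@example.com", "passkey", 3, {"external_forwarding_rule"})

if __name__ == "__main__":
    cases = [(PASSWORD_SESSION, RESET_MAIL), (PASSKEY_SESSION, RESET_MAIL), (STALE_PASSKEY, OLD_ROUTINE),
             (PASSWORD_SESSION, NEW_ROUTINE), (FLAGGED_SESSION, NEW_ROUTINE)]
    for s, m in cases:
        d = decide(s, m)
        print(f"{s.factor:>9} / {m.msg_id}: {d.outcome:8} {d.reason}")
```

The ordering matters: the compromise check runs before any sensitivity logic, so a session that has already created an external forwarding rule is cut off even for routine mail, while a clean password-only session can still read recent, routine messages and is only challenged when it reaches for a reset link or old content.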
Securing the skeleton key
The cloud workspace has simplified many things, but it has also, unintentionally, made the inbox a far greater target than it already was by concentrating so much of identity recovery in one place. As long as the mailbox remains the universal recovery mechanism for everything else, it will remain the primary target for attackers seeking a foothold in an environment.
Building taller walls around your IdP is a worthy goal, but it’s not enough. Modernizing identity security means extending it to where the threats actually start: the mailbox.
Protecting this critical identity layer is the highest-leverage identity threat defense you can put into place. Learn how Material Security provides the visibility and control needed to defuse these threats at the source.