Webinar to examine behavioral AI against phishing and account takeovers

BleepingComputer will host a live webinar July 8, 2026, on how security teams can use behavioral AI to detect phishing, business email compromise and account takeover attacks that slip past legacy email controls.

The session, titled "Stop chasing alerts: Automating email security with behavioral AI," will feature Dan Nickolaisen, solutions architect manager at Abnormal AI, and Eric Danneker, director of cyber vigilance and defense at Novant Health.

Attackers now use AI-written lures, trusted business accounts and real authentication workflows to make malicious activity look routine. A user sees a familiar sender. A security gateway sees a clean message. An identity tool sees a valid login path. The attacker uses that gap to steal credentials, move inside a mailbox or redirect payments.

Secure email gateways, multifactor authentication and credential monitoring still help, but attackers have learned to work around controls that depend on known-bad links, suspicious attachments or stolen passwords. Device code phishing gives one example. Microsoft describes the flow in its device authorization grant documentation: a user enters a code on a trusted Microsoft page, and the attacker receives access after the user completes authentication.

That pattern creates a hard problem for defenders. The user may pass MFA. The login may come through a normal cloud service. The message may contain no malware. Security teams then have to decide whether the sender, timing, language, login context and mailbox behavior fit the user.

Behavioral AI tools try to answer that question by building a baseline for users, vendors and communication patterns. Instead of searching only for known phishing indicators, these systems compare a message or account action against expected behavior. A sudden vendor payment change, a strange reply chain, an unusual forwarding rule or a login pattern that does not match prior activity can push an alert into investigation.

Abnormal AI says its platform applies behavioral AI across inbound email threats and compromised accounts. The company focuses on account behavior, sender identity, relationship graphs and message context to spot attacks that signature tools may miss. The July webinar will examine how teams can use those signals to cut manual triage and speed remediation.

The session will cover phishing, business email compromise and account takeover. It will also address alert fatigue, investigation queues and response delays, which consume security teams when email tools generate too many low-value alerts.

For many organizations, the first pain point comes after detection. Analysts have to inspect headers, check identity logs, review mailbox activity, contact users, confirm vendor requests and remove malicious messages. A slow process gives attackers time to harvest more credentials, search mailboxes or send internal phishing emails from a trusted account.

The webinar will focus on automation across three response stages: detection, investigation and remediation. In practice, that means a tool identifies abnormal behavior, gathers supporting evidence and takes action such as removing messages, disabling malicious mailbox rules or escalating an account for reset.

Security leaders should expect the discussion to cover trade-offs. Behavioral systems need access to communication patterns and identity signals. Teams have to tune workflows so automation removes clear threats without creating new business friction. Analysts also need evidence they can understand, because a black-box alert can slow response when the system flags a senior executive, finance user or health care workflow.

The health care angle adds weight to the session. Novant Health operates in a sector where attackers target patient data, payroll, invoices and clinical operations. Email compromise in health care can expose protected health information, disrupt care coordination and give attackers a path into connected systems.

Attendees should leave with a practical checklist for email defense. Security teams can map which controls inspect inbound messages, which tools monitor identity activity and which systems can remediate mailbox changes. They can also identify manual steps that analysts repeat during each phishing or account takeover case.

A strong email security program should cover sender identity, user behavior, authentication logs and post-delivery mailbox activity. Teams should review device code phishing exposure, limit risky OAuth consent paths and monitor for suspicious mailbox rules. Microsoft provides guidance on device code phishing defenses for organizations that use Microsoft Entra ID.

The webinar will suit security operations leaders, email security administrators, identity teams and incident responders who handle phishing investigations. It will also help teams that already use MFA and secure email gateways but still see account takeover attempts or business email compromise losses.

BleepingComputer said attendees will learn how organizations can reduce manual investigation work, improve detection accuracy and build a faster email security process against attacks that abuse trust instead of malware.