What Is Lateral Phishing?
Lateral phishing is a cyberattack in which an adversary uses a recently compromised email account within an organization to send phishing emails to other employees, contacts, or business partners. Unlike traditional phishing, which originates from external, often spoofed accounts, lateral phishing originates from a legitimate, trusted internal account, making it extraordinarily difficult for both automated security systems and human users to detect. The attack begins with Account Takeover (ATO)—the attacker compromises an employee's email account through credential phishing, credential stuffing, password spraying, or other methods—then leverages that access to propagate attacks internally and externally to partners and personal contacts.
How does lateral phishing work?
Lateral phishing follows a multi-stage attack progression that exploits both technical account vulnerabilities and organizational trust dynamics. The attack begins with Account Takeover (ATO) of a legitimate employee email account. The attacker may achieve this through credential phishing (sending a fake login page), credential stuffing (using previously breached username/password combinations), password spraying (attempting common passwords across multiple accounts), or exploiting unpatched vulnerabilities. Once account access is gained, the attacker studies the organization—examining the address book, reviewing past email communications, observing organizational hierarchy, and understanding business relationships and communication patterns.
Using the compromised account, the attacker crafts phishing emails that appear to come from a trusted internal colleague. These messages may be sent to internal colleagues, requesting credential updates, account verification, access to files, or compliance information. Simultaneously, the attacker may target the compromised account holder's external contacts from the address book—personal connections, business partners, and contacts at partner organizations—making lateral phishing attacks extend beyond single-organization boundaries. Because the emails originate from a legitimate, known account within the organization's domain, they pass all email authentication checks (SPF, DKIM, DMARC), and recipients recognize the sender name as a trusted colleague.
According to the UC Berkeley/Barracuda USENIX Security 2019 study, the most cited research in this domain, 11% of lateral phishing attacks successfully compromised additional employee accounts, creating a chain reaction of propagating compromises. This cascading effect is the defining characteristic of lateral phishing: once one account is compromised, the attacker can use it to compromise additional accounts, each of which can be used to compromise more accounts, creating exponential attack amplification. Traditional email security controls—DMARC, SPF, DKIM—are entirely ineffective against lateral phishing because the email is sent from a legitimate, authenticated account on the organization's own domain with full authorization to send messages.
How does lateral phishing differ from spear phishing, Business Email Compromise, and clone phishing?
| Dimension | Lateral Phishing | Spear Phishing | Business Email Compromise (BEC) | Clone Phishing |
|---|---|---|---|---|
| Sender account type | Compromised legitimate internal account | External, spoofed, or impersonated account | Compromised legitimate or spoofed executive account | Spoofed or compromised sender |
| Email authentication (SPF/DKIM/DMARC) | Passes all checks (legitimate account) | Often fails (spoofed domain) | May pass if account compromised | May fail if spoofed |
| Targeting scope | Internal colleagues plus external partners from address book | Specific, researched individuals | Finance/executive targets | Recipients of original emails |
| Primary goal | Credential harvesting, malware delivery, further ATO chain | Credential theft, malware, data theft, espionage | Financial fraud, wire transfers, data theft | Credential theft, malware delivery |
| Detection difficulty | Very high—trusted internal sender | High—personalized content without obvious markers | High—mimics executive authority and urgency | High—mimics legitimate communication |
| Attack scale | Medium (dozens to hundreds of recipients per compromised account) | Low (individual targeting) | Low (targeted individuals) | Low to medium (recipients of original) |
| Requires prior ATO | Yes (ATO is prerequisite) | No | Sometimes (compromised) or No (spoofed) | Not necessarily |
| Email header indicators | Legitimate (passes all authentication) | Suspicious (fails authentication) | Suspicious or legitimate (if account compromised) | May show spoofing signs |
Key differentiator: Lateral phishing is unique in originating from a legitimately compromised internal account that passes all email authentication checks, while BEC typically impersonates executives and clone phishing duplicates prior legitimate messages. None is universally more dangerous; rather, they represent different attack vectors exploiting different organizational vulnerabilities.
Why has lateral phishing gained traction?
Lateral phishing has gained traction because it is exceptionally difficult to detect and creates cascading organizational impact. A landmark 2019 study by Barracuda Networks, UC Berkeley, and UC San Diego found that 1 in 7 organizations experienced lateral phishing over a 7-month study period. Among organizations experiencing lateral phishing, more than 60% had multiple compromised accounts, with some organizations having dozens of hijacked accounts. The 154 hijacked accounts collectively sent lateral phishing emails targeting over 100,000 unique recipients. Roughly 40% of recipients were internal employees; the remaining approximately 60,000 were external (personal contacts and business partners).
Most concerning for security operations: 42% of lateral phishing incidents were never reported by recipients, highlighting the difficulty of detecting these attacks and the need for automated detection systems rather than relying solely on user reporting. This underreporting gap means many organizations experience lateral phishing campaigns without ever becoming aware of the incident. The technique has gained traction because it bypasses the technical controls—SEGs, link analysis, malware sandboxing—that organizations have deployed to stop traditional phishing. Since the email originates from a legitimate internal account, all traditional email security signals indicate legitimacy.
Additionally, lateral phishing propagates through trusted internal networks where employees have lower skepticism than they would for external emails. When a colleague sends an email, users are less likely to hover over links, verify sender authenticity, or question requests for sensitive information. According to broader BEC and phishing statistics (FBI IC3 "2024 Internet Crime Report"), phishing-related cybercrime continues to grow, with phishing losses jumping from $18.7 million in 2023 to $70 million in 2024—a 274% increase, though this includes all phishing variants, not just lateral phishing specifically.
However, lateral phishing's expansion is constrained by several factors: it requires successful initial ATO (making strong MFA critical to prevent), it creates observable internal email anomalies that AI-based detection systems can identify, and it requires the compromised account to remain undetected long enough to launch campaigns. Organizations with rapid ATO detection capabilities can interrupt lateral phishing campaigns before significant propagation occurs.
What are the limitations of lateral phishing?
Lateral phishing faces significant constraints that limit its effectiveness and enable defenses. First, the technique absolutely requires successful Account Takeover of at least one legitimate account as a prerequisite. If organizations deploy strong Multi-Factor Authentication (especially phishing-resistant methods like FIDO2/WebAuthn hardware keys), the initial ATO becomes significantly more difficult, raising the barrier to attack. Second, lateral phishing creates observable behavioral anomalies that AI-based email security tools can detect. When a compromised account suddenly sends messages to unusual recipients, at unusual times, with unusual content compared to historical baseline behavior, these deviations can trigger alerts.
Third, the legitimate account owner will eventually notice compromise (unusual email activity, password reset, mail forwarding rules). Organizations with rapid user notification and account lockout procedures can significantly shorten the lateral phishing opportunity window. Fourth, internal email monitoring and Data Loss Prevention (DLP) systems can identify and quarantine lateral phishing messages targeting unusual recipient patterns before they reach all intended recipients. Fifth, if recipients verify unusual requests through a different communication channel—a phone call, in-person conversation, or separate email thread—lateral phishing fails immediately because the attacker cannot intercept out-of-band verification.
Sixth, email forwarding rules created by attackers can be detected through mailbox rule auditing. Seventh, modern email security platforms increasingly offer internal email monitoring and lateral phishing-specific detection capabilities, improving defense posture. Eighth, the technique is ultimately limited to the attack surface defined by the compromised account's contact list and email distribution; it cannot reach people not in the victim's address book without wider organizational access.
Defense gaps persist: many organizations still lack dedicated Account Takeover detection and response capabilities; security awareness training often focuses on external phishing and neglects internal email threats; and many users have lower skepticism toward internal emails than external ones, enabling lateral phishing to succeed despite internal origin.
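The behavioral anomalies described above (unusual recipients, unusual send times, unusual volume relative to the account's historical baseline) are what internal email monitoring actually has to compute. The following is an added example, not code from the original page or from any vendor's product: a small Python baseline-and-scoring routine run over constructed outbound-mail records for a fictional example.com tenant. The thresholds (half the recipients never contacted before, five times the busiest previous day) and the sample messages are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class SentMail:
    sender: str
    recipients: list
    ts: datetime        # UTC
    subject: str


@dataclass
class Baseline:
    recipients: set = field(default_factory=set)   # everyone this sender has written to
    domains: set = field(default_factory=set)      # recipient domains seen so far
    hours: set = field(default_factory=set)        # hours of day at which the sender normally sends
    max_recipients_per_day: int = 0                # busiest day in the history window


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Summarise each sender's normal behaviour from a window of past outbound mail."""
    baselines = defaultdict(Baseline)
    per_day = defaultdict(int)                     # (sender, date) -> recipients addressed that day
    for m in history:
        b = baselines[m.sender]
        b.recipients.update(a.lower() for a in m.recipients)
        b.domains.update(domain_of(a) for a in m.recipients)
        b.hours.add(m.ts.hour)
        per_day[(m.sender, m.ts.date())] += len(m.recipients)
    for (sender, _), n in per_day.items():
        b = baselines[sender]
        b.max_recipients_per_day = max(b.max_recipients_per_day, n)
    return baselines


def score_message(msg, baselines, novel_ratio=0.5, volume_factor=5):
    """Return the ways a new outbound message deviates from its sender's baseline ([] means normal)."""
    b = baselines.get(msg.sender, Baseline())      # unknown sender: everything counts as novel
    rcpts = [a.lower() for a in msg.recipients]
    reasons = []
    novel = [a for a in rcpts if a not in b.recipients]
    if rcpts and len(novel) / len(rcpts) >= novel_ratio:
        reasons.append(f"{len(novel)}/{len(rcpts)} recipients never contacted before")
    new_domains = sorted({domain_of(a) for a in rcpts} - b.domains)
    if new_domains:
        reasons.append("recipient domains never used before: " + ", ".join(new_domains))
    if b.hours and msg.ts.hour not in b.hours:
        reasons.append(f"sent at {msg.ts.hour:02d}:00 UTC, outside the sender's usual hours")
    if len(rcpts) > volume_factor * max(b.max_recipients_per_day, 1):
        reasons.append(f"{len(rcpts)} recipients at once vs. a previous daily maximum of {b.max_recipients_per_day}")
    return reasons


# Constructed sample data (not real traffic): alice and bob at the fictional example.com tenant.
HISTORY = [
    SentMail("alice@example.com", ["bob@example.com", "carol@example.com"], datetime(2024, 3, 4, 9, 15), "Standup notes"),
    SentMail("alice@example.com", ["dave@partner.example.net"], datetime(2024, 3, 4, 14, 2), "Q2 contract draft"),
    SentMail("alice@example.com", ["bob@example.com", "carol@example.com", "erin@example.com"], datetime(2024, 3, 5, 10, 40), "Roadmap review"),
    SentMail("bob@example.com", ["alice@example.com"], datetime(2024, 3, 5, 11, 0), "Re: Roadmap review"),
]

# A message shaped like a lateral phishing blast from alice's account: 03:12 UTC, 20 recipients,
# 17 of whom she has never written to, including a domain she has never used before.
SUSPICIOUS = SentMail(
    "alice@example.com",
    ["bob@example.com", "carol@example.com", "erin@example.com"]
    + [f"user{i}@example.com" for i in range(10)]
    + [f"contact{i}@mail.example.org" for i in range(7)],
    datetime(2024, 3, 6, 3, 12),
    "Action required: verify your account",
)
NORMAL = SentMail("bob@example.com", ["alice@example.com"], datetime(2024, 3, 6, 11, 30), "Re: Re: Roadmap review")


def run_demo():
    """Score both new messages against the baseline; returns {subject: reasons}."""
    baselines = build_baseline(HISTORY)
    return {m.subject: score_message(m, baselines) for m in (SUSPICIOUS, NORMAL)}


if __name__ == "__main__":
    for subject, reasons in run_demo().items():
        status = "ANOMALOUS: " + "; ".join(reasons) if reasons else "normal"
        print(f"{subject!r}: {status}")
```

Each reason is reported separately rather than collapsed into a single score so that an analyst can see which baseline the message broke; in practice the history window would come from the mail server's message-tracking log, and the novel-recipient check is the one that survives even when the attacker sends during business hours to a modest number of people.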
How can organizations defend against lateral phishing?
Organizations should implement a defense strategy combining account security, behavioral detection, and user education. The most critical technical control is Multi-Factor Authentication, particularly phishing-resistant methods such as FIDO2/WebAuthn hardware keys. These measures prevent the initial Account Takeover that enables lateral phishing. Implement AI/ML-based email security that analyzes behavioral baselines—sending patterns, recipient lists, content style, attachment types—to identify anomalous emails from compromised accounts. Traditional rule-based filters cannot detect lateral phishing because the sender is legitimate; behavioral analysis is essential.
Deploy dedicated Account Takeover (ATO) detection tools that monitor for indicators of compromise such as impossible travel (login from geographically impossible locations in short timeframes), unusual login patterns (different times of day, devices, or locations), mailbox rule changes, email forwarding rule additions, and mass email sends from accounts that normally send minimal email. When compromise is detected, automatically disable the account, revoke all active sessions, quarantine sent emails, and notify affected recipients of potential exposure. Configure SIEM (Security Information and Event Management) systems and security analytics platforms to identify and alert on unusual internal email patterns.
Implement internal email monitoring and Data Loss Prevention (DLP) that can identify lateral phishing campaigns targeting unusual recipient lists or containing suspicious payloads. This monitoring should be balanced against user privacy concerns but is necessary to detect compromised accounts before damage extends. Establish mailbox rules auditing and anomaly detection to identify unauthorized mail forwarding rules or unusual rule patterns that suggest compromise.
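Two of the Account Takeover indicators listed above, impossible travel between sign-ins and newly created forwarding rules, are mechanical enough to show as code. The block below is an added example written for this page, not code from the original or from any identity or email vendor; it runs over constructed sign-in and mailbox-rule records rather than a real audit log. The 900 km/h plausibility ceiling, the 50 km jitter floor, the city coordinates and the `example.com` internal domain are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime          # UTC
    city: str
    lat: float
    lon: float


@dataclass
class MailboxRule:
    user: str
    name: str
    forward_to: list      # addresses the rule forwards or redirects to
    delete_after_forward: bool


MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # ignore geolocation jitter between sign-ins from the same place


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive sign-ins by one user that would require an implausible travel speed.

    Returns (user, from_city, to_city, required_speed_kmh) tuples."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # two distant sign-ins in the same second are also impossible; avoid dividing by zero
            speed = float("inf") if hours == 0 else km / hours
            if km >= MIN_DISTANCE_KM and speed > max_kmh:
                findings.append((user, prev.city, cur.city, round(speed) if hours else speed))
    return findings


def suspicious_forwarding(rules, internal_domains):
    """Mailbox rules that forward outside the organisation or hide mail from its owner.

    Returns (user, rule_name, [reasons]) tuples."""
    findings = []
    for r in rules:
        reasons = []
        external = [a for a in r.forward_to if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        if r.delete_after_forward:
            reasons.append("deletes the message after forwarding, so the owner never sees it")
        if reasons:
            findings.append((r.user, r.name, reasons))
    return findings


# Constructed sample data (not real logs). alice's second sign-in is 40 minutes after the first,
# from a city some 8,000 km away; bob's two sign-ins are a three-hour train ride apart.
SIGNINS = [
    SignIn("alice", datetime(2024, 3, 6, 9, 0), "Chicago", 41.8781, -87.6298),
    SignIn("alice", datetime(2024, 3, 6, 9, 40), "Kyiv", 50.4501, 30.5234),
    SignIn("bob", datetime(2024, 3, 6, 8, 0), "London", 51.5074, -0.1278),
    SignIn("bob", datetime(2024, 3, 6, 11, 0), "Manchester", 53.4808, -2.2426),
]
RULES = [
    MailboxRule("alice", "Invoices", ["archive-inbox@mail.example.net"], True),
    MailboxRule("bob", "Team updates", ["bob.backup@example.com"], False),
]
INTERNAL_DOMAINS = {"example.com"}


def run_demo():
    return {
        "impossible_travel": impossible_travel(SIGNINS),
        "forwarding": suspicious_forwarding(RULES, INTERNAL_DOMAINS),
    }


if __name__ == "__main__":
    for kind, items in run_demo().items():
        for item in items:
            print(kind, item)
```

A rule that both forwards externally and deletes after forwarding is the classic pattern for keeping the mailbox owner from noticing replies to the attacker's messages, which is why the audit reports the two conditions separately; an impossible-travel hit and a new forwarding rule on the same account within a short window is the combination that should trigger the automated session revocation described above.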
Conduct security awareness training that specifically addresses lateral phishing—teaching users that phishing can originate from internal, trusted accounts, not just external sources. Train employees to verify unexpected requests through a second communication channel (phone call to a known number, not a number from the suspicious email). Establish a culture where even emails from trusted colleagues warrant verification if the request is unusual, sensitive, or time-critical. Use lateral phishing simulations to reinforce learning and measure training effectiveness.
Implement automated incident response procedures: when a compromised account is detected, execute a playbook that automatically disables the account, invalidates sessions, notifies the user, quarantines sent messages, and scans the organization for lateral propagation. Establish clear procedures for affected recipients to report potential compromise and for IT to investigate. Apply Zero Trust architecture principles by limiting privileges even for internal accounts and enforcing continuous verification of user access and actions.
FAQs
Q: How does lateral phishing differ from regular phishing?
Regular phishing comes from external, often spoofed email addresses, while lateral phishing originates from a legitimate, compromised internal account. Lateral phishing emails pass all email authentication checks (SPF, DKIM, DMARC) and appear to come from trusted colleagues, making them significantly harder for both users and security tools to detect. Regular phishing must overcome user skepticism toward unknown senders; lateral phishing exploits trust toward known senders. (Barracuda, "Lateral Phishing Glossary," 2024)
Q: How common are lateral phishing attacks?
A landmark 2019 study by Barracuda Networks, UC Berkeley, and UC San Diego found that 1 in 7 organizations experienced lateral phishing over a 7-month period. Among affected organizations, over 60% had multiple compromised accounts. The research identified 154 hijacked accounts that collectively sent lateral phishing emails to over 100,000 unique recipients across both internal and external networks. This study remains the most comprehensive published research on lateral phishing prevalence. (Barracuda / UC Berkeley / UC San Diego, USENIX Security 2019)
Q: Can DMARC or SPF stop lateral phishing?
No. DMARC and SPF authenticate the sender's domain, but since lateral phishing emails are sent from legitimately compromised accounts on the organization's own domain, they pass all email authentication checks perfectly. Defending against lateral phishing requires behavioral analysis and AI-based detection to identify anomalous sending patterns, strong Account Takeover prevention through Multi-Factor Authentication, and rapid detection and remediation of compromised accounts. Technical authentication standards alone are insufficient. (EasyDMARC, 2024; Barracuda, 2024)
Q: What is the relationship between lateral phishing and Business Email Compromise (BEC)?
Lateral phishing is a technique that can occur within the context of BEC attacks. Both involve compromised business email accounts, but BEC typically focuses on financial fraud (wire transfers, invoice manipulation) targeting specific financial personnel, while lateral phishing focuses on propagating attacks by phishing additional victims from the compromised account. Lateral phishing can be a precursor to BEC: an attacker might compromise an employee's account, use it to compromise additional finance team members, and then conduct wire fraud from those compromised accounts. The distinction is strategic rather than technical. (Check Point, 2024; IBM, 2024)
Q: What percentage of lateral phishing emails go unreported?
The UC Berkeley/Barracuda study found that 42% of lateral phishing incidents were never reported by recipients, highlighting the significant difficulty of detecting these attacks through user reporting. This underreporting gap means many organizations experience lateral phishing campaigns without detection, enabling extended attack windows and broad propagation. This statistic emphasizes the necessity of automated, behavioral detection systems rather than relying primarily on user awareness. (Barracuda / UC Berkeley / UC San Diego, USENIX Security 2019)