Inherited Flaws: Why the Inbox is the Master Credential

The security industry has spent the last decade meticulously fortifying the application perimeter. Organizations layered biometric authentication, hardware-backed credentials, behavioral analytics, adaptive risk scoring, device intelligence, passkeys, and increasingly sophisticated identity orchestration into login and recovery workflows, all in pursuit of reducing dependence on static credentials and limiting unauthorized access at the application layer. Yet, as organizations built these complex, frictionless entryways, they largely ignored the structural foundation upon which they rest.

Modern identity systems depend on email infrastructure and inherit many of its weaknesses.

When a biometric prompt fails, a physical security key is lost, or a user initiates an account recovery request, systems rely on a combination of mechanisms such as SMS, authenticator apps, or email-based codes to re-establish access. In practice, however, changing the delivery channel does not eliminate identity risk. In one recent case, introducing phone- and email-based OTP login options led to a significant increase in account takeover, with a large majority of affected accounts tied to already-compromised email identities. This reflects a broader pattern: while authentication methods evolve, identity continuity often still depends on the inbox.

As a result, the inbox effectively becomes a master credential. An attacker who gains access to a user’s primary email account can leverage recovery workflows to reset access across financial, commercial, and enterprise platforms that were never designed to share a common security boundary.

Changing how users authenticate does not change what attackers target.

This vulnerability persists because of a fundamental institutional lag: the fraud industry optimized for an earlier era of risk. Defenses were designed around credential theft, onboarding friction, and point-in-time transactions. During a typical registration event, risk engines execute a static assessment of the provided email address. They query whether the syntax is valid, whether the domain resolves to an active mail server, and whether the specific address has appeared in known data breaches.

This transactional evaluation is fundamentally blind to the reality of how adversaries operate. Defenders still evaluate identity transactionally while attackers build identity longitudinally.

Sophisticated fraud operations do not mint an email address at the exact moment they intend to monetize an attack. They operationalize identity infrastructure months in advance. A newly generated synthetic identity is often programmed to subscribe to mainstream newsletters and e-commerce promotions, artificially establishing an incoming mail footprint. These accounts sit dormant, aging quietly to circumvent the basic velocity filters and time-since-creation rules that legacy risk engines rely upon.

When an attacker finally deploys that asset, a single onboarding check cannot reliably distinguish between a legitimate user, a synthetic identity aged for six months, and a compromised inbox carrying a decade of authentic history. At registration, the static characteristics of all three appear identical.

The disparity between defense and offense is most starkly illustrated by how attackers manipulate the structural mechanics of email routing. To bypass rate limits without managing thousands of separate inboxes, operators exploit email aliasing features. While the Simple Mail Transfer Protocol (SMTP) technically permits case-sensitive usernames, virtually all major email providers silently enforce case-insensitive handling, and many support undocumented alias variations such as dot-insertion or plus-addressing. External platforms typically process these variations as entirely distinct users. In one documented campaign targeting an open-source software registry, attackers routed 139 distinct alias accounts through a single base email address, bypassing registration friction to publish nearly 4,000 spam packages.
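As an added example (not code from the original article or from myNetWatchman), the check below collapses the alias variants just described to the inbox they actually deliver to, so that fan-out from one base address becomes visible at registration time. The provider rule table and the sample registrations are constructed assumptions for this example; real provider behaviour must be verified per domain.

```python
from collections import defaultdict

# Constructed rule table (assumption): which alias features each provider
# collapses onto one mailbox. Unknown domains get only case-folding.
ALIAS_RULES = {
    "gmail.com":      {"strip_dots": True,  "plus_tag": True},
    "googlemail.com": {"strip_dots": True,  "plus_tag": True,
                       "canonical_domain": "gmail.com"},
    "outlook.com":    {"strip_dots": False, "plus_tag": True},
}


def canonicalize(address: str) -> str:
    """Return the single inbox an address delivers to, per ALIAS_RULES."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    # Major providers treat both parts case-insensitively even though
    # SMTP permits a case-sensitive local part.
    local, domain = local.lower(), domain.lower()
    rules = ALIAS_RULES.get(domain, {})
    if rules.get("plus_tag"):
        local = local.split("+", 1)[0]      # drop the "+tag" suffix
    if rules.get("strip_dots"):
        local = local.replace(".", "")      # dots are ignored by the provider
    domain = rules.get("canonical_domain", domain)
    return f"{local}@{domain}"


def fanout_report(registrations, threshold=3):
    """Group registrations by canonical inbox and return the inboxes whose
    number of distinct-looking aliases reaches the threshold."""
    groups = defaultdict(list)
    for addr in registrations:
        groups[canonicalize(addr)].append(addr)
    return {base: variants for base, variants in groups.items()
            if len(variants) >= threshold}


# Constructed sample registrations: one inbox fanned out over four aliases.
SAMPLE = [
    "alice.smith@gmail.com",
    "Alice.Smith+promo1@gmail.com",
    "alicesmith+promo2@gmail.com",
    "a.lice.smith@googlemail.com",
    "bob@outlook.com",
    "bob+news@outlook.com",
    "carol@example.org",
]

if __name__ == "__main__":
    for base, variants in fanout_report(SAMPLE).items():
        print(f"{base}: {len(variants)} aliases -> {variants}")
```

A platform that keys rate limits and velocity rules on the canonical form rather than the raw string sees one account attempting four registrations instead of four unrelated users.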

Identity begins before onboarding. Fraud rarely initiates at the transaction layer; it is prepared upstream within the infrastructure itself. Acknowledging this requires discarding the assumption that a static validation check establishes durable credibility. Protecting digital ecosystems now demands observing the behavioral history accumulating around an inbox. That means tracking how malicious networks are operationalized, how aliases fan out, and how dormant accounts transition into active threats long before they ever attempt to cross a platform’s perimeter.

White Paper

Go deeper on the mechanics of identity accumulation: inbox aging, alias fanout, and why defenders evaluating identity at a single point in time are structurally outmatched. Download "The Architecture of Accumulation" from myNetWatchman.
