Abstract: A message addressed to a user is received. A first model is applied to the message to produce a first output indicative of whether the message is representative of a non-malicious message. The first model is trained using past messages that have been verified as non-malicious messages. It is determined, based on the first output, that the message is potentially a malicious message. Responsive to determining that the message is potentially a malicious email based on the first output, apply a second model to the message to produce a second output indicative of whether the message is representative of a given type of attack. The second model is one of a plurality of models. At least one model included in the plurality of models is associated with characterizing a goal of the malicious message. An action is performed with respect to the message based on the second output.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Selectively rewriting URLs is disclosed. An indication is received that a message has arrived at a user message box. A determination is made that the message includes a first link to a first resource. The first link is analyzed to determine whether the first link is classified as a non-rewrite link. In response to determining that the first link is not classified as a non-rewrite link, a first replacement link is generated for the first link.

Abstract: A plurality of features associated with a message are determined. At least one feature included in the plurality of features is associated with a payload of the message. A determination is made that supplemental analysis should be performed on the message. The determination is based at least in part on performing behavioral analysis using at least some of the features included in the plurality of features. Supplemental analysis is performed.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Deriving and surfacing insights regarding security threats is disclosed. A plurality of features associated with a message is determined. A plurality of facet models is used to analyze the determined features. Based at least in part on the analysis, it is determined that the message poses a security threat. A prioritized set of information is determined to be provided as output that is representative of why the message was determined to pose a security threat. At least a portion of the prioritized set of information is provided as output.

Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.

Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.

Abstract: Selectively rewriting URLs is disclosed. An indication is received that a message has arrived at a user message box. A determination is made that the message includes a first link to a first resource. The first link is analyzed to determine whether the first link is classified as a non-rewrite link. In response to determining that the first link is not classified as a non-rewrite link, a first replacement link is generated for the first link.

Abstract: Deriving and surfacing insights regarding security threats is disclosed. A plurality of features associated with a message is determined. A plurality of facet models is used to analyze the determined features. Based at least in part on the analysis, it is determined that the message poses a security threat. A prioritized set of information is determined to be provided as output that is representative of why the message was determined to pose a security threat. At least a portion of the prioritized set of information is provided as output.

Abstract: Techniques for identifying and processing graymail are disclosed. An electronic message store is accessed. A determination is made that a first message included in the electronic message store represents graymail, including by accessing a profile associated with an addressee of the first message. A remedial action is taken in response to determining that the first message represents graymail.

Abstract: Deriving and surfacing insights regarding security threats is disclosed. A plurality of features associated with a message is determined. A plurality of facet models is used to analyze the determined features. Based at least in part on the analysis, it is determined that the message poses a security threat. A prioritized set of information is determined to be provided as output that is representative of why the message was determined to pose a security threat. At least a portion of the prioritized set of information is provided as output.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for identifying and processing graymail are disclosed. An electronic message store is accessed. A determination is made that a first message included in the electronic message store represents graymail, including by accessing a profile associated with an addressee of the first message. A remedial action is taken in response to determining that the first message represents graymail.

Abstract: Techniques for producing records of digital activities that are performed with accounts associated with employees of enterprises are disclosed. Such techniques can be used to ensure that records are created for digital activities that are deemed unsafe and for digital activities that are deemed safe by a threat detection platform. At a high level, more comprehensively recording digital activities not only provides insight into the behavior of individual accounts, but also provides insight into the holistic behavior of employees across multiple accounts. These records may be stored in a searchable datastore to enable expedient and efficient review.

Abstract: A plurality of features associated with a message are determined. At least one feature included in the plurality of features is associated with a payload of the message. A determination is made that supplemental analysis should be performed on the message. The determination is based at least in part on performing behavioral analysis using at least some of the features included in the plurality of features. Supplemental analysis is performed.

Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.

Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.

Abstract: Introduced here are computer programs and computer-implemented techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise. A threat detection platform may determine the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. For example, to understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.