Abstract: A method for threat detection may include obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise. The method may include parsing the data to identify an attribute of each digital activity. The method may include generating one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities. The method may include generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising the one or more metrics. The method may include generating a graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.

Abstract: A system may include one or more memory devices. The one or more memory devices may store instructions thereon that, when executed by one or more processors, cause the one or more processors to receive a message reported by a first user device of a group of user devices. The instructions may cause the one or more processors to provide the message to one or more models configured to determine whether the message includes one or more facets representative of a given type of attack and produce an output indicating whether the message is representative of a malicious message or a non-malicious message based on whether the message includes the one or more facets. The instructions may cause the one or more processors to perform a first action with respect to the message based on the output.

Abstract: A method for behavior-based threat detection may include obtaining a first set of data corresponding to at least one of an employee or an enterprise associated with the employee. The method may include training a machine learning model for at least one of the employee or the enterprise associated with the employee by providing the first set of data to the machine learning model as training data, the machine learning model configured to identify deviations between behavioral traits of email communications and behavioral traits of the employee or the enterprise. The method may include receiving an email communication addressed to the employee. The method may include determining that the email communication represents a security risk by applying the machine learning model to the email communication. The method may include performing a remediation action on the email communication based on determining that the email communication represents a security risk.

Abstract: A method for behavior-based account compromise investigation may include obtaining data that is related to a series of email communications corresponding to an employee linked to an enterprise. The method may include generating, for the employee, a baseline based on the data that is related to the series of email communications, the baseline indicating normal email behavioral traits of the employee. The method may include obtaining a real time email communication corresponding to an account associated with the employee, the real time email communication comprising one or more signals. The method may include determining, based on the one or more signals and the baseline, whether the real time email communication is representative of the normal email behavioral traits of the employee. The method may include performing a first action with respect to the real time email communication.

Abstract: A method for threat detection may include obtaining data related to a series of email communications corresponding to employees linked to an enterprise. The method may include identifying an attribute of each email communication in the series of email communications indicative of a potential threat associated with a respective email communication. The method may include generating a series of records by populating a data structure with a record of each email communication including a respective attribute. The method may include obtaining a first criterion for record retrieval, the first criterion indicating one or more attributes corresponding to the series of records. The method may include retrieving one or more records of the series of records that satisfy the first criterion. The method may include generating a graphical user interface associated with the one or more records including information associated with email communications corresponding to the one or more records.

Abstract: Introduced here is a network-accessible platform (or simply “platform”) that is designed to monitor digital activities that are performed across different services to ascertain, in real time, threats to the security of an enterprise. In order to surface insights into the threats posed to an enterprise, the platform can apply machine learning models to data that is representative of digital activities performed on different services with respective accounts. Each model may be trained to understand what constitutes normal behavior for a corresponding employee with respect to a single service or multiple services. Not only can these models be autonomously trained for the employees of the enterprise, but they can also be autonomously applied to detect, characterize, and catalog those digital activities that are indicative of a threat.

Abstract: A message addressed to a user is received. A first model is applied to the message to produce a first output indicative of whether the message is representative of a non-malicious message. The first model is trained using past messages that have been verified as non-malicious messages. It is determined, based on the first output, that the message is potentially a malicious message. Responsive to determining that the message is potentially a malicious email based on the first output, apply a second model to the message to produce a second output indicative of whether the message is representative of a given type of attack. The second model is one of a plurality of models. At least one model included in the plurality of models is associated with characterizing a goal of the malicious message. An action is performed with respect to the message based on the second output.

Abstract: Techniques for detecting instances of external fraud by monitoring digital activities that are performed with accounts associated with an enterprise are disclosed. In one example, a threat detection platform determines the likelihood that an incoming email is indicative of external fraud based on the context and content of the incoming email. To understand the risk posed by an incoming email, the threat detection platform may seek to determine not only whether the sender normally communicates with the recipient, but also whether the topic is one normally discussed by the sender and recipient. In this way, the threat detection platform can establish whether the incoming email deviates from past emails exchanged between the sender and recipient.

Abstract: Introduced here are computer programs and computer-implemented techniques for generating and then managing a federated database that can be used to ascertain the risk in interacting with vendors. At a high level, the federated database allows knowledge regarding the reputation of vendors to be shared amongst different enterprises with which those vendors may interact. A threat detection platform may utilize the federated database when determining how to handle incoming emails from vendors.

Abstract: A generated training set comprising a plurality of training samples is received. The generated training set includes at least one training sample constructed using one or more linguistic hints, comprising at least one keyword of phrase, about an attack for which malicious textual communications associated with the attack, when processed by a natural language processing model could be classified as benign textual communications before being trained using the generated training set. The natural language processing model is trained at least in part by using the generated training set, wherein the trained natural language processing model is configured to determine a likelihood that a received communication transmitted by a sender to a recipient poses a risk.

Abstract: It is determined that a first email is present in a mailbox where emails deemed suspicious are placed for analysis. In response to determining that the first email is present in the mailbox, it is determined whether the first email is representative of a threat to an enterprise based at least in part by applying a trained model to the first email. In response to determining that the first email represents a threat to the enterprise, a record of the threat is generated by populating a data structure with information related to the first email. The data structure is applied to inboxes of a plurality of the employees to determine whether the first email is part of a campaign. In response to determining that the first email is part of a campaign, a filter associated with the data structure is applied to inbound emails addressed to employees of the enterprise.