Abstract: Techniques for determining behavior of individual users or multiple users of an email system with regard to Internet services are disclosed. Such techniques may include a discrete analysis that includes determining whether an email relates to use, by a user of the email system, of an Internet service established with an email address of the user. Indications of Internet service activity of users of the email system can be written to a data store. By employing these techniques across all emails of an entity, insight may be gained into the aggregate nature of Internet services being used. A policy engine may take a corrective action for the email based on the discrete analysis. An aggregate analysis may be used to update the data store, wherein the aggregate analysis includes identification of an aggregate set of Internet services for a group of users.

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a data store. By employing these techniques across all emails of an entity, insight may be gained into the aggregate nature of Internet services being used. A policy engine may act on an individual email to request further information or action, quarantine the email, or to pass the email to other security tools. An aggregate account analysis engine can update the data store to provide a broad picture of Internet service usage within the organization (e.g., by department).

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Information about such emails can be recognized by performing a discrete analysis of the email before delivering the email to the user and determining whether a corrective action is warranted. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a database. In many implementations, such discrete analysis is performed after an email has been classified as legitimate by one or both of a spam filter and a malware detector. An aggregate analysis, whose output can also update the database, can provide a broad picture of Internet service usage within a set of email users (e.g., by department).