Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for producing records of digital activities that are performed with accounts associated with employees of enterprises are disclosed. Such techniques can be used to ensure that records are created for digital activities that are deemed unsafe and for digital activities that are deemed safe by a threat detection platform. At a high level, more comprehensively recording digital activities not only provides insight into the behavior of individual accounts, but also provides insight into the holistic behavior of employees across multiple accounts. These records may be stored in a searchable datastore to enable expedient and efficient review.

Abstract: Access to emails delivered to an employee of an enterprise is received. An incoming email addressed to the employee is acquired. A primary attribute is extracted from the incoming email by parsing at least one of: (1) content of the incoming email or (2) metadata associated with the incoming email. It is determined whether the incoming email deviates from past email activity, at least in part by determining, as a secondary attribute, a mismatch between a previous value for the primary attribute and a current value for the primary attribute, using a communication profile associated with the employee, and providing a measured deviation to at least one machine learning model.

Abstract: It is determined that a first email is present in a mailbox where emails deemed suspicious are placed for analysis. In response to determining that the first email is present in the mailbox, it is determined whether the first email is representative of a threat to an enterprise based at least in part by applying a trained model to the first email. In response to determining that the first email represents a threat to the enterprise, a record of the threat is generated by populating a data structure with information related to the first email. The data structure is applied to inboxes of a plurality of the employees to determine whether the first email is part of a campaign. In response to determining that the first email is part of a campaign, a filter associated with the data structure is applied to inbound emails addressed to employees of the enterprise.

Abstract: A message addressed to a user is received. A first model is applied to the message to produce a first output indicative of whether the message is representative of a non-malicious message. The first model is trained using past messages that have been verified as non-malicious messages. It is determined, based on the first output, that the message is potentially a malicious message. Responsive to determining that the message is potentially a malicious email based on the first output, apply a second model to the message to produce a second output indicative of whether the message is representative of a given type of attack. The second model is one of a plurality of models. At least one model included in the plurality of models is associated with characterizing a goal of the malicious message. An action is performed with respect to the message based on the second output.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here are computer programs and computer-implemented techniques for discovering malicious emails and then remediating the threat posed by those malicious emails in an automated manner. A threat detection platform may monitor a mailbox to which employees of an enterprise are able to forward emails deemed to be suspicious for analysis. This mailbox may be referred to as an “abuse mailbox” or “phishing mailbox.” The threat detection platform can examine emails contained in the abuse mailbox and then determine whether any of those emails represent threats to the security of the enterprise. For example, the threat detection platform may classify each email contained in the abuse mailbox as being malicious or non-malicious. Thereafter, the threat detection platform may determine what remediation actions, if any, are appropriate for addressing the threat posed by those emails determined to be malicious.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here are computer programs and computer-implemented techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication. These models can be stored in profiles that are associated with the employees. At a high level, these profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Moreover, remediation may be performed if an account is determined to be compromised based on its recent activity.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication are disclosed. These models can be stored in profiles that are associated with the employees. Such profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Remediation can be performed if an account is determined to be compromised based on its recent activity.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Techniques for producing records of digital activities that are performed with accounts associated with employees of enterprises are disclosed. Such techniques can be used to ensure that records are created for digital activities that are deemed unsafe and for digital activities that are deemed safe by a threat detection platform. At a high level, more comprehensively recording digital activities not only provides insight into the behavior of individual accounts, but also provides insight into the holistic behavior of employees across multiple accounts. These records may be stored in a searchable datastore to enable expedient and efficient review.

Abstract: Techniques for building, training, or otherwise developing models of the behavior of employees across more than one channel used for communication are disclosed. These models can be stored in profiles that are associated with the employees. Such profiles allow behavior to be monitored across multiple channels so that deviations can be detected and then examined. Remediation can be performed if an account is determined to be compromised based on its recent activity.

Abstract: Introduced here are computer programs and computer-implemented techniques for producing records of digital activities that are performed with accounts associated with employees of enterprises. Such an approach ensures that records are created for digital activities that are deemed unsafe and for digital activities that are deemed safe by a threat detection platform. At a high level, more comprehensively recording digital activities not only provides insight into the behavior of individual accounts, but also provides insight into the holistic behavior of employees across multiple accounts. These records may be stored in a searchable datastore to enable expedient and efficient review.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Introduced here are computer programs and computer-implemented techniques for discovering malicious emails and then remediating the threat posed by those malicious emails in an automated manner. A threat detection platform may monitor a mailbox to which employees of an enterprise are able to forward emails deemed to be suspicious for analysis. This mailbox may be referred to as an “abuse mailbox” or “phishing mailbox.” The threat detection platform can examine emails contained in the abuse mailbox and then determine whether any of those emails represent threats to the security of the enterprise. For example, the threat detection platform may classify each email contained in the abuse mailbox as being malicious or non-malicious. Thereafter, the threat detection platform may determine what remediation actions, if any, are appropriate for addressing the threat posed by those emails determined to be malicious.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.

Abstract: Conventional email filtering services are not suitable for recognizing sophisticated malicious emails, and therefore may allow sophisticated malicious emails to reach inboxes by mistake. Introduced here are threat detection platforms designed to take an integrative approach to detecting security threats. For example, after receiving input indicative of an approval from an individual to access past email received by employees of an enterprise, a threat detection platform can download past emails to build a machine learning (ML) model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors). By applying the ML model to incoming email, the threat detection platform can identify security threats in real time in a targeted manner.