Abstract: An email is received that is from an email sender. From the email, the display name of the email sender, an email address of the email sender, and an email domain of the email sender, is extracted. A score is determined for the email based on at least: the extracted display name of the email sender, the extracted email address of the email sender, and the extracted email domain of the email sender, where the score indicates a probability that the email is from a legitimate sender. Message content of the email is input into multiple classifiers each corresponding to a particular message type. The message type of the email is determined based on output of the classifiers. Based on at least the determined score for the email and the determined message type of the email, a determination is made whether the email is associated with a BEC attack.

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: In an embodiment, the disclosed technologies include extracting, from a link contained in an electronic message received from an upstream device on a network, first unit-level input data of a first semantic type and second unit-level input data of a second semantic type; in response to inputting the first and second unit-level input data into first and second deep learning models, respectively, outputting, by the first and second deep learning models, first and second unit-level classification data that corresponds to the first and second unit-level input data, respectively, the first deep learning model having been trained to recognize, in unit-level data of the first semantic type, first patterns of syntactic features and semantic features that are predictive of phishing and the second deep learning model having been trained to recognize, in unit-level data of the second semantic type, second patterns of syntactic features and semantic features that are predictive of phishing; combining the first and second

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: In an embodiment, a computer system comprises one or more computer processors configured with a message transfer application; a message transfer/vision processing (MT/VP) interface coupled to the one or more computer processors and interposed between the message transfer application and a vision processing computer, wherein the MT/VP interface performs operations comprising: extracting risk indicator data from a message that is in transit to a recipient computer on a computer network; in response to the risk indicator data matching a message risk criterion, transmitting an image address for an image of interest coupled to the message or the image of interest to the vision processing computer; receiving, from the vision processing computer, a label that semantically describes visual content of the image of interest; using the label, querying a set of correlation data to determine a reference address that is associated with the label; in response to the image address matching the reference address, transmitting