Research, analysis, and practical guidance on email threat detection for mid-market security teams.
Rule-based email gateways block known indicators but have no model of contextual coherence. Here is how LLM-based intent scoring catches the campaigns they miss, and why the distinction matters for mid-market security teams.
Read the full article →
Microsoft Defender for Office 365 catches a wide range of commodity phishing, but attacker playbooks have adapted. We walk through the specific bypass patterns appearing across mid-market M365 tenants and what detection looks like at each gap.
Read the full article →
Every employee's 90-day send-receive history encodes a behavioral fingerprint. Mapping that graph and flagging anomalies against it catches display-name spoofing and lookalike-domain attacks that content scoring alone cannot see.
Read the full article →
Eight to fourteen percent of spear-phishing emails bypass Proofpoint or Mimecast rules in 2024 benchmarks from mid-market tenants. This post breaks down where those gaps appear and what compensating controls close them.
Read the full article →
Average dwell time from first malicious email delivery to credential compromise is 22 minutes when MFA is absent. Understanding how attackers chain phishing to Okta SSO sessions is the first step to closing that window.
Read the full article →
A one- to four-analyst SOC cannot triage 400 alerts a day without burning out or missing real threats. Structured evidence summaries reduce per-alert review time and shift analyst effort toward confirmation rather than reconstruction.
Read the full article →
Commodity blocklists lag attacker infrastructure by hours. Certificate transparency logs and domain registration events surface new phishing infrastructure before it accumulates enough volume to appear in shared threat feeds.
Read the full article →
Both platforms address behavioral email security but make different bets on where detection value lives. This comparison focuses on the deployment model, analyst workflow, and total cost of ownership relevant to teams with one to four security staff.
Read the full article →
Google Workspace's built-in spam and phishing filters handle high-volume commodity attacks well. The gaps appear at the account-takeover and spear-phishing layer, where API-level connectors with behavioral context provide coverage Google's native tooling cannot.
Read the full article →
BEC attacks do not rely on malware or phishing links, which makes them invisible to gateway rules. Detecting them requires modeling the business context behind each payment or redirect request, not the technical indicators in the message headers.
Read the full article →