Platform Overview

How Phishaver stops phishing at every stage of the kill chain

A multi-stage detection pipeline that analyzes email headers, URLs, attachments, and body content using LLM semantic analysis — all without touching your mail flow.

The detection pipeline

Every inbound email runs through five analysis stages in under 90 seconds. No email is stored beyond your configured retention window.

Email Ingress → Header Auth Check → URL Sandbox → Attachment Scan → LLM Body Analysis (semantic scoring) → Scoring Engine → Block / Triage

Header Authentication

SPF, DKIM, DMARC alignment check. Sender domain age. Lookalike domain proximity scoring against your known-sender list.

URL Sandbox

Every URL detonated in an isolated environment. Full redirect chain evaluated. Final landing page risk scored — not just the first hop.

Attachment Scan

File type analysis, Office macro detection, executable sandbox detonation. Behavioral analysis, not just signature matching.

LLM Body Analysis

Semantic scoring for urgency language, impersonation signals, wire-transfer patterns, and context-matching manipulation — invisible to rule-based systems.

LLM inspection: what it catches that rules don't

Rule-based email security works by matching patterns to a known-bad list. An email from a fresh domain with no prior reputation, crafted to look exactly like your CFO's writing style, passes every rule. LLM semantic analysis doesn't need a prior signature.

What LLM analysis scores:

  • Urgency manufacturing — language patterns that create artificial time pressure
  • Authority impersonation — writing style and signature matching known executive patterns
  • Context specificity — emails referencing real internal projects or relationships (scraped from LinkedIn/public sources)
  • Financial request patterns — wire transfer, gift card, or invoice approval framing
  • Credential harvesting signals — login prompts, password reset requests, document access requests
  • Domain lookalike proximity — sender addresses on domains that closely resemble a legitimate sender's domain

How confidence scoring works

Each email receives a threat confidence score (0–100%) combining signals from all five pipeline stages. Scores above your configured threshold (default: 70%) trigger quarantine or analyst queue routing. Scores of 50–70% are flagged for analyst review. Emails scoring below 50% are delivered as clean.

You see the breakdown: which pipeline stage contributed most, what signal triggered the flag, and the raw evidence (URL destination, domain registration date, detected urgency phrases).

Analyst triage queue

Flagged emails land in a prioritized queue with full detection context. One-click disposition — no manual header analysis needed.

Priority queue

High-confidence threats (70%+) surface first. Low-confidence reviews sorted below. Analysts work from the most urgent down, not FIFO.

Threat context

Each queue item shows: threat type, confidence score, triggering signals, sender domain registration date, URL final destinations, and flagged body phrases.

One-click actions

Quarantine, Release to user, Mark as clean, or Report as false positive. Actions feed back into Phishaver's detection model for your tenant.

Reporting and trends

Weekly email threat digests, click-rate tracking, and top blocked senders — delivered to your inbox or Slack channel.

Weekly threat digest

Automatically generated every Monday: total emails analyzed, threats blocked by category, top blocked sender domains, and any new threat patterns detected that week. Sent to configured email addresses or Slack channel.

Team click-rate and simulation

Track which users clicked flagged links before Phishaver blocked them. Identify repeat clickers for targeted security awareness. Export reports for compliance evidence.

Start in minutes

Ready to see what your email filters are missing?

Connect Phishaver to M365 or Google Workspace via OAuth. No MX changes. See your first analysis results within minutes of connecting.