The Platform

How Phishaver Works

Phishaver sits above your existing email gateway — Proofpoint, Mimecast, or native Google/Microsoft filtering — and adds the one layer those tools don’t have: contextual intent scoring based on each employee’s communication history and the OSINT context around the sender.

Eight to fourteen percent of spear-phishing emails bypass Proofpoint or Mimecast

Mid-market security teams running Proofpoint or Mimecast are blocking the threats they were built to block: known-bad URLs, attachment hashes, and sender IP reputation. The problem is the category of attacks those tools were not built to block.

In 2024 benchmarks across mid-market tenants, 8 to 14 percent of spear-phishing emails bypass Proofpoint or Mimecast rule sets. These are not commodity phishing attempts—they are campaigns crafted around each specific recipient’s communication patterns, job function, and publicly available LinkedIn context. A rule-based engine has no model of whether an email’s urgency framing makes sense given what this person actually does and who they actually correspond with.

Once a credential-harvest link reaches the inbox, the average dwell time to compromise is 22 minutes when multi-factor authentication is absent. Remediation costs for mid-market organizations in the 200 to 1,000 employee range average $38,000 to $90,000 per incident—not counting the productivity loss from the investigation and the reputational cost if the breach becomes public.

The detection gap is not a configuration problem. It is an architectural one. Rule-based engines evaluate indicators. They do not evaluate whether this specific email makes sense in the context of this specific employee’s role, relationships, and communication history. Closing that gap requires a different class of model.

Six layers of contextual threat analysis.

LLM-Powered Intent Scoring

Phishaver’s inspection layer reads the full message body, sender metadata, and attached file names through a fine-tuned LLM trained on labeled spear-phishing corpora contributed by managed security partners. For each inbound message, it generates an intent score that captures whether the urgency framing, financial-action request pattern, or impersonation style matches known phishing playbooks — even when every URL and attachment hash is clean. The score updates within 800 milliseconds of delivery and is available as a custom header before the user’s inbox renders the message.

Relationship Graph Baseline

On initial connection to a Google Workspace or Microsoft 365 tenant, Phishaver ingests the past 90 days of message metadata — sender, recipient, subject-line hash, reply-chain depth, and timing patterns — to construct a per-employee communication baseline. When a new message arrives from a domain or display name that superficially resembles a known contact but does not appear in the relationship graph, the anomaly is flagged independently of content analysis, catching display-name spoofing and lookalike-domain attacks that LLM content scoring alone may miss.
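A minimal sketch of the baseline check described above, added here for illustration; it is not Phishaver's implementation. The function names, the edit-distance threshold, and the sample addresses are assumptions, and the sample metadata is constructed.

```python
from collections import defaultdict
from email.utils import parseaddr

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def build_baseline(history):
    """Map each recipient to {sender address: display name} seen in the window."""
    graph = defaultdict(dict)
    for recipient, from_header in history:
        name, addr = parseaddr(from_header)
        graph[recipient.lower()][addr.lower()] = name.strip().lower()
    return graph

def classify_sender(graph, recipient, from_header, max_dist=2):
    """Return 'known', 'lookalike_domain', 'display_name_spoof' or 'new_sender'."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    contacts = graph.get(recipient.lower(), {})
    if addr in contacts:
        return "known"
    domain = addr.rpartition("@")[2]
    known_domains = {a.rpartition("@")[2] for a in contacts}
    # Unseen domain within a few edits of a domain this recipient corresponds with.
    if domain not in known_domains and any(
            edit_distance(domain, d) <= max_dist for d in known_domains):
        return "lookalike_domain"
    # Familiar display name arriving from a domain that contact has never used.
    for known_addr, known_name in contacts.items():
        if name and name == known_name and known_addr.rpartition("@")[2] != domain:
            return "display_name_spoof"
    return "new_sender"

# Constructed sample metadata (recipient, From header); all addresses are made up.
HISTORY = [
    ("ana@corp.example", "Dana Reyes <dana.reyes@northwind-supply.example>"),
    ("ana@corp.example", "Payroll Desk <help@payroll-co.example>"),
    ("raj@corp.example", "Payroll Desk <help@payroll-co.example>"),
]
GRAPH = build_baseline(HISTORY)
```

Because the graph is keyed per recipient, a sender who is known to one employee is still treated as new for another. A fixed edit-distance threshold over-flags short domains, so it works best as one signal among several.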

OSINT Context Layer

Phishaver maintains a continuously refreshed feed of domain registration events, SSL certificate transparency logs, and reported phishing infrastructure from threat-intel vendors including Cofense and Abnormal Security’s shared indicators. When an inbound email arrives from a recently registered domain, a domain with a mismatched certificate subject, or a sender IP appearing in recent campaign reports, the OSINT signal is merged with the content risk score to produce a combined threat indicator. This catches campaign infrastructure before it accumulates enough volume to appear in commodity blocklists.

SOC Alert Queue with Evidence Summaries

High-confidence threats surface in a real-time SOC dashboard as prioritized queue items. Each item includes a one-paragraph evidence summary generated by Phishaver — listing which risk signals fired, which graph anomalies were detected, and which OSINT indicators matched — so an analyst can assess and approve or dismiss the alert without re-reading the raw email. The queue integrates with Okta SSO for access control and exports to Splunk and PagerDuty so existing SOC workflows receive Phishaver alerts through the tools analysts already use.

End-User Plain-English Warnings

For messages scoring above a configurable risk threshold, Phishaver inserts a plain-English warning banner directly into the email client UI — available for Gmail and Outlook via native add-in. The banner explains in one sentence why Phishaver flagged the message, what the employee should do next (forward to SOC, mark safe, or delete), and links to the organization’s security-awareness training resources in KnowBe4 or Cofense PhishMe. Employee response choices feed back into the model as reinforcement signals, improving accuracy over time on tenant-specific impersonation patterns.

Automated Remediation Actions

When an analyst confirms a high-confidence phishing threat in the SOC dashboard, Phishaver executes a single-click remediation action: quarantining the original message in all affected mailboxes across the Google Workspace or Microsoft 365 tenant, retracting the message from inboxes where it has been read but not acted on, and logging the full remediation scope to the audit trail. For messages involving credential-harvest links, Phishaver also sends an automated notification to the Okta SSO administrator to monitor for suspicious sign-in attempts from affected employee accounts within the next 24 hours.

Connect, baseline, detect. In that order.

Phishaver is designed to be operational the same day you connect it. No professional services engagement, no mail-routing changes, no coordination with your email vendor.

01

Connect via API

Authorize Phishaver via the Google Workspace or Microsoft 365 API. The OAuth connection takes under 15 minutes and requires no changes to your MX records, DNS configuration, or existing gateway rules. Your email routing stays exactly as it is.

02

Ingest 90-day message history

Phishaver reads 90 days of message metadata across every mailbox — sender, recipient, timing patterns, reply-chain depth — to construct per-employee communication baselines. Message body content does not leave your tenant during baseline ingestion.

03

Score inbound messages in real time

Every inbound message is evaluated by the LLM inspection layer within 800 milliseconds of delivery. The intent score writes to a custom email header, and high-confidence threats surface in the SOC queue with plain-English evidence summaries before any analyst has touched the inbox.

04

Remediate across the tenant

When your analyst confirms a threat, a single click quarantines the message across all affected mailboxes, logs the remediation scope, and notifies your Okta SSO administrator if the message contained credential-harvest links. The full audit trail is available immediately.

Built for mid-market IT and security teams with 200 to 2,500 employees

Phishaver is designed for IT and security teams at companies running Google Workspace or Microsoft 365 as their primary email platform, with between 200 and 2,500 employees and one to four dedicated security staff. These teams have real spear-phishing exposure but do not have the analyst capacity to run a full managed security service provider engagement for email threat intelligence.

The right fit is a team that already has Proofpoint or Mimecast in place for commodity threat blocking and wants behavioral detection coverage for the spear-phishing campaigns those tools miss. Phishaver does not replace the gateway—it adds a contextual inspection layer above it.

Phishaver is not the right fit for enterprise-tier organizations with in-house SOC teams of ten or more analysts already running full Proofpoint or Mimecast managed services, or for individual consumers or personal email accounts.

Works with your existing security stack.

Phishaver connects to the email platforms, identity providers, and security operations tools your team already uses. No rip-and-replace, no new alert source to monitor — Phishaver feeds into your existing workflows.

Google Workspace
Microsoft 365
Okta SSO
Proofpoint
Mimecast
Cofense PhishMe
KnowBe4
Splunk SIEM
PagerDuty

See Phishaver running on your actual email traffic.

Request access and we’ll connect Phishaver to your Google Workspace or Microsoft 365 tenant, run a 30-day pilot, and show you exactly what your current gateway is missing — with zero changes to your mail routing and no impact to your users until you decide to act on an alert.