Grouped by Detection Method
- Count of Outbound Emails per Source User/System
- Count of Inbound Emails per Source User/System
- Count of Outbound Emails per Destination User
- Count of Inbound Emails per Destination User
- Count of Unique Destination Users per Source User/System
- Known-Bad SMTP User Agent
- Inbound Emails Using Internal Email Address as Source or Reply-to
- Email Attachments with Cosecutive Spaces or Extensions (e.g. .docx.exe)
- Outbound Email to Known-Bad Addresses
- Typosquatting Company Domains
- Newly Observed SMTP User Agent
- Newly Observed Destination Email Domain
- Newly Observed Source Email Domain
- High Entropy Domain Name Observed
- Source User, Direction=Outbound where Source User Count exceeds threshold
- Source System, Direction=Outbound where Source System Count exceeds threshold
- Source User, Direction=Inbound where Source User Count exceeds threshold
- Source System, Direction=Inbound where Source System Count exceeds threshold
- Destination SMTP Server, Direction=Outbound where Destination SMTP Server Count exceeds threshold
- Subject=Non-Delivery Report where Count exceeds threshold
- Email server logs
- Email secure gateway logs
- Endpoint Email client logs