Many corporate inboxes receive large quantities of email from varied and unpredictable external servers. For some inboxes this is both expected and intended: they have public-facing addresses, and most of the external mail they receive is benign. For others, such as those belonging to company executives, messages from external senders are much more likely to be malicious, a nuisance, or both.
Both types of inbox receive large quantities of unsolicited email, which, precisely because it is unsolicited, tends to be flagged as anomalous by any anomaly-detection system. The challenge is to enable the system to understand when anomalies are "expected" for certain inboxes but not for others. Where autonomous response systems are used, this understanding can be used to adjust the response: a less-severe response for inboxes that expect unsolicited or anomalous (but non-threatening) mail, and a more-severe response for those that do not.
An existing anomaly-detection system already assigns a threat score to each individual email. We analyzed the distribution of these threat scores for both types of inbox and found a broader, more evenly spread distribution for public-facing inboxes, whereas the threat scores for the executives' inboxes were concentrated at the higher end of the scale.
We created a classifier that profiles every inbox in an environment: it takes the existing per-email threat scores, assigns each score to a category, and logs the category counts over time. These counts are fed into a probability function that maintains a score for each inbox, estimating how likely that inbox is to legitimately receive unsolicited mail. After a period of learning in a live environment, the classifier identified the public-facing mailboxes with very few false positives. Incorporating the classifier into the existing autonomous response system allows better-tailored actions to be taken against unsolicited email.
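The following is an added illustration of the per-inbox profiling described above; it is not the original system's code. The page does not name the probability function, the category boundaries, or the response actions, so all of these are assumptions here: threat scores on a 0-100 scale are binned into low/medium/high categories, counts are kept per inbox, and a Beta posterior treats low- and medium-scored unsolicited mail as evidence that the inbox is public-facing and high-scored mail as evidence against. The inbox names, scores and learning-period length are constructed sample data.

```python
"""Per-inbox estimate of whether unsolicited, anomalous-looking mail is expected.

Added example; not the original system's code. It bins each email's threat
score into a category, keeps per-inbox category counts over time, and feeds
them into a probability function. The page does not name that function, so
a Beta posterior is assumed here: low/medium-scored unsolicited mail counts
as evidence that the inbox is public-facing, high-scored mail as evidence
against. Thresholds, prior, inbox names and scores are all constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed category boundaries on a 0-100 threat-score scale: [lo, hi).
CATEGORIES = (("low", 0, 40), ("medium", 40, 70), ("high", 70, 101))

# Response ladder, least to most severe (assumed action names).
ACTIONS = ("deliver", "flag", "hold", "quarantine")
BASE_SEVERITY = {"low": 0, "medium": 1, "high": 2}


def categorize(score: float) -> str:
    """Map a threat score to its category name."""
    for name, lo, hi in CATEGORIES:
        if lo <= score < hi:
            return name
    raise ValueError(f"threat score out of range: {score!r}")


@dataclass
class InboxProfile:
    """Running category counts and the Beta posterior derived from them."""
    counts: Counter = field(default_factory=Counter)
    # Beta(1, 3) prior (assumed values): an inbox is presumed NOT public-facing
    # until the observed spread of scores says otherwise.
    alpha: float = 1.0
    beta: float = 3.0

    def observe(self, score: float) -> None:
        self.counts[categorize(score)] += 1

    def total(self) -> int:
        return sum(self.counts.values())

    def p_public_facing(self) -> float:
        """Posterior mean probability that the inbox expects unsolicited mail."""
        spread = self.counts["low"] + self.counts["medium"]   # benign-looking mail
        concentrated = self.counts["high"]                    # hostile-looking mail
        return (self.alpha + spread) / (self.alpha + self.beta + spread + concentrated)


class InboxClassifier:
    """Learns which inboxes are public-facing and tunes the response accordingly."""

    def __init__(self, min_observations: int = 20, public_threshold: float = 0.6):
        self.min_observations = min_observations   # learning period per inbox
        self.public_threshold = public_threshold
        self.profiles: dict = defaultdict(InboxProfile)

    def observe(self, inbox: str, score: float) -> None:
        self.profiles[inbox].observe(score)

    def is_public_facing(self, inbox: str) -> Optional[bool]:
        """True/False once the inbox has left its learning period, else None."""
        profile = self.profiles[inbox]
        if profile.total() < self.min_observations:
            return None
        return profile.p_public_facing() >= self.public_threshold

    def response_for(self, inbox: str, score: float) -> str:
        """Pick an action for one email. Public-facing inboxes get the base
        severity for the score's category; every other inbox, including one
        still in its learning period (fail safe), gets one step more severe."""
        severity = BASE_SEVERITY[categorize(score)]
        if self.is_public_facing(inbox) is not True:
            severity += 1
        return ACTIONS[min(severity, len(ACTIONS) - 1)]


# Constructed sample: one public-facing address with a broad spread of scores,
# one executive address whose scores cluster at the high end.
SAMPLE_SCORES = {
    "press@example.com": [12, 35, 55, 80, 20, 65, 90, 30, 45, 15,
                          70, 25, 50, 85, 10, 60, 40, 33, 22, 77],
    "ceo@example.com":   [88, 92, 75, 95, 81, 70, 99, 85, 30, 90,
                          78, 86, 93, 72, 80, 97, 84, 89, 55, 91],
}


def build_demo_classifier() -> InboxClassifier:
    """Train a classifier on the constructed sample and return it."""
    clf = InboxClassifier()
    for inbox, scores in SAMPLE_SCORES.items():
        for score in scores:
            clf.observe(inbox, score)
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for inbox in SAMPLE_SCORES:
        p = clf.profiles[inbox]
        print(inbox, dict(p.counts), f"p_public={p.p_public_facing():.2f}",
              "public-facing" if clf.is_public_facing(inbox) else "not public-facing")
    for inbox in SAMPLE_SCORES:
        print(inbox, "score 55 ->", clf.response_for(inbox, 55),
              "| score 88 ->", clf.response_for(inbox, 88))
```

Two design choices worth noting. The prior is deliberately skewed towards "not public-facing", and an inbox that has not yet accumulated `min_observations` emails is treated the same way, so the response errs on the severe side until there is enough evidence of a benign spread; this is what keeps false positives (an executive inbox mistaken for a public one) rare while the classifier learns. The response ladder applies the inbox type as a one-step adjustment on top of the email's own score category, so a high-scoring email to a public-facing inbox is still held rather than delivered; the inbox profile tunes the action, it never overrides the per-email threat score.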