Abuse Mailbox

Threat Types, Intents, and Dispositions for Emails

Discover how emails are categorized in the External Abuse Mailbox module and what those categories reveal about how bad actors are attempting to exploit your customers. Understanding the categories helps you recognize threats and gain insight into the tactics attackers use.

Knowing how each threat is evaluated helps security teams assess, prioritize, and take action against malicious emails. For more on how to do that, see Managing Reported Emails.

Threat Types

These indicate what element of an email may be malicious.

Appears on: Dashboard, Targeted Malicious Findings

| Threat Type | Definition | Example |
|---|---|---|
| Phishing Link | Fake URLs designed to steal sensitive info by mimicking legitimate sites. | Link that seems to be for a bank, perhaps using a similar domain name, with instructions to use it to log into their account. |
| Scam Link | Links leading to fraudulent sites that trick users into payments, fake downloads, or personal data theft. | Link to a site claiming recipient has won a prize and asking them to enter their credit card details to claim it. |
| Malicious Intent | Deceptive emails designed to manipulate or scam, even without obvious phishing links or malware. | Email promoting a financial opportunity that will turn out to be fraudulent. |
| Malware Attachment | Harmful files (PDF, ZIP, DOCX, EXE) designed to steal data or disrupt systems. | Attachment that appears to be an invoice but instead installs spyware. |
| Malicious Phone Number | Scam-related phone numbers used for fraud, phishing, or impersonation. | Fake support number urging recipient to call to “cancel a charge.” |

Intent Categories

These identify what tactics the threat actor is using in their attempt to trick the recipient.

Appears on: Targeted Malicious, Email Details

| Intent | Definition | Example |
|---|---|---|
| Account Compromise | Emails that warn of impending account trouble (like suspension or expiration) or claim an urgent need to update details, ultimately aiming to steal credentials or personal data. | Recipient is told their account will be locked unless they follow a link to “fix” the issue. The link goes to a fake login page that collects their credentials. |
| Purchase | Messages about orders, renewals, or subscription requests designed to trick recipients into sharing payment info or falling for fake transaction scams. | Fake order confirmation asking the recipient to confirm their billing information on a site that steals their payment details. |
| Baiting | Enticing offers (promotions, discounts, gift cards) that lure recipients into revealing information or clicking harmful links, often by promising something tempting. | Too-good-to-be-true offer (like guaranteed investment returns) that sends the recipient to a malicious site. |
| Spam | Bulk unsolicited messages, sometimes requesting donations or dealing with finances, that clutter inboxes and may lead to fraudulent or irrelevant content. | Repetitive or irrelevant messages (such as asking for donations) that serve no legitimate purpose and may expose recipients to risks. |
| Support | Phony tech support or help desk messages that urge recipients to call for assistance, often with the goal of stealing personal or financial details. | Email claiming the recipient’s device is having technical problems and urging them to call a helpline. On the call, the scammer requests remote access to their computer. |
| Sensitive Information | Requests that pressure recipients to hand over billing details, credit card numbers, or personal info for deceptive purposes such as identity theft. | Email directing the recipient to confirm personal data via a form that steals their credit card numbers, social security information, or other private details. |

Email Dispositions

These indicate the finding about the threat and what action will therefore be taken.

Appears on: Dashboard, Targeted Malicious Findings, All Email Submissions, Takedown Visibility Center

  • Clean – No evidence of maliciousness. No enforceable content. Any trademarks used are considered fair use.
  • Suspicious – Contains elements resembling a brand’s legitimate domain or URL, but there is no active or enforceable content.
  • Malicious – Evidence of maliciousness in the finding, such as content that points customers to a phishing page.