Overview
A finance team member receives what looks like an urgent payment request from the CEO, complete with the correct email signature and a plausible rationale for bypassing standard approval. By the time the wire transfer clears, the organisation has lost a significant sum to a business email compromise attack. Argus Email Intelligence exists to catch that attack at the inbox, not after the fact. It analyses the authentication chain, checks sender reputation, flags the urgency language pattern, and alerts the security team before the user clicks reply.
The platform provides advanced email forensics and phishing analysis for security operations centres, incident response teams, fraud investigators, and digital forensics specialists. Hours of manual header interpretation become automated, accurate, and actionable threat intelligence.
Key Features
Phishing Detection and Analysis
Multi-layered phishing detection with high accuracy across credential harvesting, malware delivery, and BEC attacks. Low false positive rate through combined analysis of headers, content, URLs, and sender reputation. SPF, DKIM, and DMARC authentication validation reveals spoofing attempts. URL analysis covers real-time reputation checking, redirect chain following, and landing page inspection. Brand impersonation detection identifies lookalike domains, logos, and messaging patterns.
Email Header Forensics
Instant parsing of complex email headers revealing the complete routing path. Authentication result analysis shows SPF, DKIM, and DMARC pass/fail status with clear explanations. Tampering indicator detection identifies modified headers and forged origination. Relay path analysis traces the email through every server hop from origin to destination.
Business Email Compromise Detection
CEO fraud pattern recognition detects impersonation of executives and authority figures. Invoice manipulation detection identifies altered payment instructions and bank details. Wire transfer scam identification flags urgent payment requests with unusual characteristics. Account takeover pattern analysis detects compromised legitimate accounts being used for fraud.
Attachment and Content Analysis
Multi-engine malware scanning with sandboxing, static analysis, and behavioural detection. Macro analysis for Office documents identifies malicious code execution and obfuscation techniques. File type verification detects mismatched extensions and disguised executables. PDF analysis detects embedded scripts, malicious links, and exploit payloads.
Thread Reconstruction
Automatic assembly of conversation timelines across multiple mailboxes and accounts. Recovery and inclusion of deleted and archived messages to build complete communication histories. Participant mapping shows all parties including BCC recipients. Timeline visualisation of email exchanges with key event highlighting and anomaly flagging.
Use Cases
Phishing Investigation. Analyse suspicious emails to determine threat type, identify threat actor infrastructure, assess organisational exposure across all recipients, and take containment actions including URL blocking, credential reset coordination, and security awareness notifications.
Business Email Compromise. Detect and investigate CEO fraud, vendor impersonation, and invoice manipulation schemes targeting financial transfers. Trace the attack chain from initial compromise through attempted fraud, identify all targeted personnel, and coordinate with financial institutions.
Insider Threat Email Analysis. Examine email communications for policy violations, data exfiltration to personal accounts, and unauthorised disclosures. Build evidence timelines supporting disciplinary or legal action.
Incident Response. Rapidly triage email-borne threats, determine the scope of compromise, identify all affected users, and coordinate remediation. Generate detailed incident reports for management and regulatory notification.
Integration
- Integrates with major email platforms for automated ingestion and analysis of suspicious messages
- Connects with threat intelligence feeds for enriched indicator analysis and campaign correlation
- Links to case management for seamless investigation workflows and evidence preservation
- Supports evidence export for legal proceedings and regulatory reporting requirements
- Works with SIEM and SOAR platforms for automated response orchestration and playbook execution
- Feeds into organisational threat dashboards for executive visibility and trend analysis
- Compatible with endpoint detection systems for correlated threat investigation across email and endpoints
Open Standards
- SPF (RFC 7208), DKIM (RFC 6376), DMARC (RFC 7489): The platform evaluates the full sender authentication chain (SPF pass/fail, DKIM signature validity, and DMARC enforcement status) as primary signals in phishing detection and header forensics; results are stored per-domain and surfaced in threat scoring.
- Internet Message Format (RFC 5322) and MIME (RFC 2045/2046): Raw `.eml` files are parsed against the RFC 5322 message structure, extracting `Message-ID`, `In-Reply-To`, `References`, and routing headers; multipart MIME parts (`text/plain`, `text/html`, `Content-Disposition` attachments) are walked recursively to reconstruct email content and thread context using the `message/rfc822` content type.
- STIX 2.1 (OASIS): Email indicators are represented and exchanged as STIX 2.1 Cyber Observable `email-addr:value` patterns within STIX SDO bundles, enabling bidirectional conversion between platform entities and the STIX object model, including TLP marking definitions.
- TAXII 2.1 (OASIS): The platform polls and publishes STIX 2.1 indicator bundles via TAXII 2.1 collections (`application/taxii+json;version=2.1`), allowing email threat intelligence to be shared with or received from external threat intelligence platforms.
- Traffic Light Protocol (TLP): All email intelligence artefacts carry a TLP classification (WHITE through RED) aligned to the FIRST TLP 2.0 specification, controlling which parties may receive shared indicators extracted from phishing investigations.
- GraphQL (June 2018 specification): All email profile queries and mutations are exposed exclusively through a Strawberry GraphQL API, enabling structured, type-safe access to email intelligence data from SOC tooling and the investigation frontend.
- OAuth 2.0 (RFC 6749): The Microsoft Graph email ingestion connector authenticates using the OAuth 2.0 client credentials flow to acquire access tokens scoped to `https://graph.microsoft.com/.default`, enabling automated ingestion of suspicious messages from monitored mailboxes.
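The RFC 5322/MIME parsing and authentication-chain evaluation described in the list above, as an added Python example that is not Argus code: it uses only the standard library `email` package on a constructed sample (a forwarded phish whose original is nested as `message/rfc822`), walks the MIME tree recursively, extracts the `Message-ID`/`In-Reply-To`/`References` chain for thread reconstruction, and reads the spf/dkim/dmarc verdicts from each message's `Authentication-Results` header. The mailbox names, hostnames and Message-IDs in the sample are assumptions.

```python
import re
from email import message_from_bytes, policy
# Constructed sample: an analyst forwards a suspicious mail to the SOC; the original is nested as message/rfc822.
SAMPLE_EML = b"""\
From: analyst@example.org
Message-ID: <fwd-1@example.org>
In-Reply-To: <orig-1@mail.example.net>
References: <root-0@example.org> <orig-1@mail.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org; dmarc=pass header.from=example.org
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Forwarding for review.
--outer
Content-Type: message/rfc822

From: ceo@example.net
Message-ID: <orig-1@mail.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net;
 dkim=none; dmarc=fail header.from=example.net
Content-Type: text/plain

Please wire today and skip the usual approval.
--outer--
"""

def parse_auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def walk(msg, depth=0):
    """Yield (depth, content type, part) for every MIME part, recursing into message/rfc822 sub-messages."""
    yield depth, msg.get_content_type(), msg
    for part in msg.iter_parts():  # a message/rfc822 part holds the embedded message as its only sub-part
        yield from walk(part, depth + 1)

def thread_refs(msg):
    """Ordered Message-ID chain this message replies to (References, then In-Reply-To if not already listed)."""
    ids, irt = msg.get("References", "").split(), msg.get("In-Reply-To")
    return ids + [str(irt)] if irt and irt not in ids else ids

def analyse(raw):
    """Parse an .eml into its MIME layout, thread chain and per-Message-ID spf/dkim/dmarc verdicts."""
    msg = message_from_bytes(raw, policy=policy.default)
    tree = list(walk(msg))  # the forwarded original is its own message object with its own headers
    return {"parts": [(d, ct) for d, ct, _ in tree], "thread": thread_refs(msg),
            "auth": {str(m["Message-ID"]): parse_auth_results(m) for _, _, m in tree if m["Message-ID"]}}
```

Scoring the outer wrapper alone would report a clean pass; reporting verdicts per Message-ID is what exposes the failing SPF and DMARC results on the forwarded original.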
Last Reviewed: 2026-02-09 Last Updated: 2026-04-14