When to use it
- You manage M365 mailboxes and want automated phishing/spoofing triage on top of Defender.
- You want lookalike-domain and vendor-impersonation detection tuned to each client’s known-good senders.
- You want suspicious mail to auto-create helpdesk tickets instead of waiting for user reports.
- You want AI judgment on borderline emails where header signals are inconclusive.
How it works
Poll the mailbox
Every ~5 minutes NEXOS CORE pulls recent messages (with full headers; Graph
only returns internetMessageHeaders when they are explicitly selected) from
each enabled client’s M365 mailbox via Graph, skipping already-processed mail.
Parse and score
It parses authentication results and sender details, then scores 0–100 using
auth failures, header mismatches, Defender/Inky flags, lookalike detection
(typosquats and homoglyphs), and the client’s approved/blocked/trusted-sender
lists.
AI second opinion
Borderline (“caution-band”) messages go to Claude for a structured verdict
(safe / suspicious / malicious, with indicators), which adjusts the score. An
AI failure is non-fatal — the original score stands.
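The parse-and-score step and the AI hand-off above, as an added example that is not NEXOS CORE's own code: it reads a message with full headers, parses Authentication-Results, checks Reply-To and Return-Path against the From domain, reads the Exchange Online spam confidence header, runs lookalike detection (edit distance plus homoglyph folding) against the client's known domains, applies the client lists, and sends caution-band scores to an injected verdict function whose failure leaves the score untouched. The weights, the 40–70 caution band, the list names, the verdict shape and the sample message are assumptions.

```python
"""Added example, not NEXOS CORE's own code: a minimal parse-and-score pass over
a message with full headers, with the caution-band hand-off to an AI verdict
function and its non-fatal failure path. Weights, thresholds, list names and
the verdict shape are assumptions for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

CLIENT = {  # constructed per-client profile (list names assumed)
    "own_domains": {"contoso.com"}, "approved_domains": {"fabrikam.com", "microsoft.com"},
    "trusted_senders": {"billing@fabrikam.com"}, "blocked_domains": {"badsender.example"},
}
CAUTION_LOW, CAUTION_HIGH = 40, 70                              # caution band: 40 <= score < 70
AI_ADJUST = {"safe": -20, "suspicious": 10, "malicious": 30}     # assumed score adjustments
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
              ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o")]   # ASCII + Cyrillic look-alikes

def normalise(domain):
    for bad, good in HOMOGLYPHS:
        domain = domain.replace(bad, good)
    return domain

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1].lower()
    return addr, (addr.rsplit("@", 1)[-1] if "@" in addr else "")

def auth_results(msg):
    """First spf/dkim/dmarc verdict seen across Authentication-Results headers."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            found.setdefault(mech, result.lower())
    return found

def score_message(raw, client=CLIENT, ai_verdict=None):
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    from_addr, from_dom = domain_of(msg["From"])
    _, reply_dom = domain_of(msg["Reply-To"])
    _, return_dom = domain_of(msg["Return-Path"])
    auth, known = auth_results(msg), client["own_domains"] | client["approved_domains"]
    for mech, weight in (("dmarc", 35), ("spf", 20), ("dkim", 15)):   # auth failures
        if auth.get(mech) == "fail":
            score += weight; reasons.append(f"{mech}=fail")
    if reply_dom and reply_dom != from_dom:                           # header mismatches
        score += 15; reasons.append(f"reply-to domain {reply_dom}")
    if return_dom and return_dom != from_dom:
        score += 10; reasons.append(f"return-path domain {return_dom}")
    scl = msg["X-MS-Exchange-Organization-SCL"]                       # EOP/Defender spam confidence
    if scl is not None and int(str(scl)) >= 5:
        score += 25; reasons.append(f"SCL {scl}")
    if from_dom in client["blocked_domains"]:
        score += 50; reasons.append("blocked domain")
    elif from_dom not in known:                                        # lookalike or unknown sender
        near = [d for d in known if normalise(from_dom) == normalise(d) or levenshtein(from_dom, d) <= 2]
        if near:
            score += 40; reasons.append(f"lookalike of {near[0]}")
        else:
            score += CAUTION_LOW; reasons.append("unrecognised external sender")
    if from_addr in client["trusted_senders"] and auth.get("dmarc") == "pass":
        score -= 30; reasons.append("trusted sender with DMARC pass")
    score = max(0, min(100, score))
    if CAUTION_LOW <= score < CAUTION_HIGH and ai_verdict is not None:   # AI second opinion
        try:
            verdict = ai_verdict(msg)["verdict"]
            score = max(0, min(100, score + AI_ADJUST[verdict]))
            reasons.append(f"ai: {verdict}")
        except Exception as exc:                          # non-fatal: original score stands
            reasons.append(f"ai unavailable ({type(exc).__name__})")
    band = "safe" if score < CAUTION_LOW else "caution" if score < CAUTION_HIGH else "quarantine"
    return {"score": score, "band": band, "reasons": reasons}

def fake_ai_malicious(msg):   # stand-in for the Claude call, returning the assumed verdict shape
    return {"verdict": "malicious", "indicators": ["lookalike sender", "payment-detail change"]}

def fake_ai_down(msg):        # stand-in for a failed AI call
    raise TimeoutError("model endpoint unreachable")

# Constructed sample (not real mail): typosquatted vendor domain, Reply-To elsewhere.
TYPOSQUAT = """Return-Path: <bounce@fabr1kam.com>
Authentication-Results: mx.contoso.com; spf=pass smtp.mailfrom=fabr1kam.com; dkim=pass header.d=fabr1kam.com; dmarc=pass header.from=fabr1kam.com
From: Accounts Payable <ap@fabr1kam.com>
Reply-To: <ap.fabrikam@gmail.example>
Subject: Updated bank details
"""

if __name__ == "__main__":
    print(score_message(TYPOSQUAT, ai_verdict=fake_ai_malicious))
    print(score_message(TYPOSQUAT, ai_verdict=fake_ai_down))
```

Two design points carried over from the description: the verdict call is wrapped so that any exception keeps the pre-AI score, and an unrecognised external domain is placed at the bottom of the caution band so it always receives the second opinion rather than silently passing. The sample above scores 55 (caution) on headers alone, 85 (quarantine) after a "malicious" verdict, and stays at 55 when the AI call fails.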
Setup
Each client needs an active Microsoft 365 connection (email_accounts with
app credentials) and email security enabled. Auth uses the Graph
client-credentials flow, and the app registration needs mailbox read and move
permissions. Scoring quality depends on populated trusted-sender / vendor /
approved-domain lists per client.
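The Graph side of the setup and polling steps, as an added example that is not NEXOS CORE's own code: the client-credentials token request, the message query that explicitly selects internetMessageHeaders and filters on the last poll time, nextLink paging, skipping already-processed message IDs, and the move to the Junk Email well-known folder that the page calls quarantine. The tenant, mailbox, IDs, the recording fake transport and the toy scorer are assumptions; a real deployment would pass the headers to the full scorer.

```python
"""Added example, not NEXOS CORE's own code: the Graph calls the setup and
polling steps imply, built against an injectable transport so it runs offline.
Tenant, mailbox, app IDs, the recording fake and the toy scorer are assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def token_request(tenant, client_id, client_secret):
    """Client-credentials grant. The .default scope requests the application
    permissions already consented on the app registration (Mail.ReadWrite
    covers both reading and moving messages)."""
    return ("POST", TOKEN_URL.format(tenant=tenant), {
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"})

def poll_query(mailbox, since):
    """Messages received since the last poll, with full headers. Graph omits
    internetMessageHeaders unless it is named in $select."""
    params = {
        "$select": "id,internetMessageId,from,subject,receivedDateTime,internetMessageHeaders",
        "$filter": "receivedDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "$orderby": "receivedDateTime desc", "$top": "50"}
    return f"{GRAPH}/users/{mailbox}/messages?{urlencode(params)}"

def move_to_junk(mailbox, message_id):
    """The page's 'quarantine': a move to the Junk Email well-known folder."""
    return ("POST", f"{GRAPH}/users/{mailbox}/messages/{message_id}/move",
            {"destinationId": "junkemail"})

class Poller:
    def __init__(self, transport, mailbox, interval_minutes=5):
        self.transport = transport            # callable(method, url, body) -> parsed JSON
        self.mailbox = mailbox
        self.seen = set()                     # message ids already processed across polls
        self.since = datetime.now(timezone.utc) - timedelta(minutes=interval_minutes)

    def run_once(self, score_fn, quarantine_at=70):
        """One poll cycle: fetch all pages, skip seen ids, score, move high scores to Junk."""
        started = datetime.now(timezone.utc)
        url, results = poll_query(self.mailbox, self.since), []
        while url:
            page = self.transport("GET", url, None)
            for m in page.get("value", []):
                if m["id"] in self.seen:
                    continue
                self.seen.add(m["id"])
                headers = [(h["name"], h["value"]) for h in m.get("internetMessageHeaders", [])]
                score = score_fn(headers)
                if score >= quarantine_at:
                    self.transport(*move_to_junk(self.mailbox, m["id"]))
                results.append((m["id"], score))
            url = page.get("@odata.nextLink")   # Graph pages large result sets
        self.since = started                  # next poll overlaps this one; seen set dedupes
        return results

class FakeGraph:
    """Constructed stand-in for Graph: serves one fixed page and records every call."""
    def __init__(self):
        self.calls = []
        self.page = {"value": [
            {"id": "AAMk-1", "subject": "Invoice", "internetMessageHeaders": [
                {"name": "Authentication-Results", "value": "spf=pass; dkim=pass; dmarc=pass"}]},
            {"id": "AAMk-2", "subject": "Urgent wire", "internetMessageHeaders": [
                {"name": "Authentication-Results", "value": "spf=fail; dkim=none; dmarc=fail"}]}]}

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        return self.page if method == "GET" else {}

def toy_score(headers):
    """Stand-in for the real scorer: a DMARC failure alone lands in the quarantine band."""
    return 80 if any(n.lower() == "authentication-results" and "dmarc=fail" in v
                     for n, v in headers) else 5

def demo():
    """Two poll cycles against the fake: returns (first results, second results, calls)."""
    graph = FakeGraph()
    poller = Poller(graph, "soc@contoso.com")
    first, second = poller.run_once(toy_score), poller.run_once(toy_score)
    return first, second, graph.calls

if __name__ == "__main__":
    print(demo())
```

The second cycle returns nothing because both IDs are already in the seen set, and the recorded calls show the only write to the mailbox is the move of the DMARC-failing message to junkemail, which is why Mail.ReadWrite is the permission the app needs.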
Good to know
- Quarantine moves the message to Junk Email — it’s not a full Defender quarantine.
- It’s polling, not real-time (~5-minute interval), so a message can sit untriaged in the inbox for up to one interval, and very high-volume mailboxes may see a slightly longer delay.
- Company matching is by the sender domain — mail from an unrecognized external sender lands in the caution band and gets an AI review.
