Email Security is an automated phishing-triage pipeline for Microsoft 365 tenants. It connects to a client’s mailbox through Microsoft Graph, reads incoming messages, parses their authentication headers (SPF/DKIM/DMARC plus Defender and Inky signals), and scores each message for risk against a per-client trust profile. Borderline messages are escalated to a Claude-powered analyst for a second opinion, and based on the final score the pipeline allows, logs, escalates, or quarantines the message — automatically opening a helpdesk ticket for anything that needs a human.

When to use it

  • You manage M365 mailboxes and want automated phishing/spoofing triage on top of Defender.
  • You want lookalike-domain and vendor-impersonation detection tuned to each client’s known-good senders.
  • You want suspicious mail to auto-create helpdesk tickets instead of waiting for user reports.
  • You want AI judgment on borderline emails where header signals are inconclusive.

How it works

1. Poll the mailbox

Every ~5 minutes NEXOS CORE pulls recent messages (with full headers) from each enabled client’s M365 mailbox via Graph, skipping already-processed mail.

2. Parse and score

It parses authentication results and sender details, then scores 0–100 using auth failures, header mismatches, Defender/Inky flags, lookalike detection (typosquats and homoglyphs), and the client’s approved/blocked/trusted-sender lists.

3. AI second opinion

Borderline (“caution-band”) messages go to Claude for a structured verdict (safe / suspicious / malicious, with indicators), which adjusts the score. An AI failure is non-fatal — the original score stands.

4. Act

Low-risk mail is allowed or logged; escalate opens a high-priority security ticket; block quarantines the message (moves it to Junk Email) and opens a critical ticket. Every decision is recorded as a reviewable event.
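The four steps above, carried through end to end on constructed sample headers, as an added example. This is not NEXOS CORE's code: the profile field names, the penalty weights, the band thresholds (30/60/80) and the AI score adjustments are all assumptions chosen to illustrate the flow, and the Claude call is stood in for by a plain callable so the example runs offline. It parses Authentication-Results for SPF/DKIM/DMARC, checks From against Return-Path and Reply-To, reads Defender's SCL header, detects typosquats, homoglyphs and brand-as-subdomain lookalikes against the client's trusted and vendor domains, and keeps the header-based score when the AI step fails.

```python
"""Header-based phishing triage in the shape the page describes. Added example, not
NEXOS CORE's code: profile fields, weights and band thresholds are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed per-client trust profile (field names are an assumption, not the product's schema).
PROFILE = {
    "trusted_domains": {"contoso.com"},                  # the client's own domain(s)
    "vendor_domains": {"paypal.com", "microsoft.com"},   # known-good senders worth impersonating
    "approved_senders": {"billing@acme-supplies.example"},
    "blocked_senders": {"noreply@known-bad.example"},
}
CAUTION, ESCALATE, BLOCK = 30, 60, 80  # hypothetical thresholds on the 0-100 scale

# Fold common confusables (digits, Cyrillic a/e/o/p/c, dotless i) so "paypa1.com" folds to "paypal.com".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0131": "i", "\u0430": "a",
                             "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})


def fold(domain):
    try:
        domain = domain.encode("ascii").decode("idna")  # expand punycode (xn--) labels first
    except UnicodeError:
        pass
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, known):
    """Typosquat (edit distance 1), homoglyph (folds to the brand) or brand used as a subdomain prefix."""
    if domain == known:
        return False
    d, k = fold(domain), fold(known)
    return d == k or d.startswith(k + ".") or levenshtein(d, k) == 1


def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].lower().rpartition("@")[2]


def auth_result(msg, method):
    """spf/dkim/dmarc result from the Authentication-Results header(s); missing counts as 'none'."""
    combined = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    m = re.search(rf"\b{method}=(\w+)", combined, re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def base_score(msg, profile):
    sender, reasons = parseaddr(str(msg.get("From", "")))[1].lower(), []
    domain = sender.rpartition("@")[2]
    if sender in profile["blocked_senders"]:
        return 100, ["blocked_sender"]
    score = 0
    for method, penalty in (("spf", 20), ("dkim", 15), ("dmarc", 25)):
        if (result := auth_result(msg, method)) != "pass":
            score += penalty
            reasons.append(f"{method}={result}")
    for header, penalty in (("Return-Path", 15), ("Reply-To", 10)):  # header/envelope mismatches
        other = domain_of(msg.get(header))
        if other and other != domain:
            score += penalty
            reasons.append(f"{header.lower()}_domain={other}")
    try:  # Defender's spam confidence level; 5 and above means Defender called it spam
        scl = int(str(msg.get("X-MS-Exchange-Organization-SCL", 0)))
    except ValueError:
        scl = 0
    if scl >= 5:
        score += 20
        reasons.append(f"scl={scl}")
    known = profile["trusted_domains"] | profile["vendor_domains"]
    if sender in profile["approved_senders"]:
        score -= 30
        reasons.append("approved_sender")
    elif domain not in known and not any(domain.endswith("." + k) for k in known):
        hits = [k for k in known if is_lookalike(domain, k)]
        score += 40 if hits else 30  # impersonation, or merely an unrecognised external sender
        reasons.append(f"lookalike_of={hits[0]}" if hits else "unrecognized_sender")
    return score, reasons


def triage(raw, profile=PROFILE, second_opinion=None):
    """Score a raw message; `second_opinion(msg)` stands in for the Claude call and may fail."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = base_score(msg, profile)
    if CAUTION <= score < ESCALATE and second_opinion is not None:
        try:
            verdict = second_opinion(msg)["verdict"]  # "safe" / "suspicious" / "malicious"
            score += {"safe": -30, "suspicious": 30, "malicious": 50}[verdict]
            reasons.append(f"ai={verdict}")
        except Exception as exc:  # AI failure is non-fatal: the header-based score stands
            reasons.append(f"ai_unavailable={type(exc).__name__}")
    score = max(0, min(100, score))
    action = ("block" if score >= BLOCK else "escalate" if score >= ESCALATE
              else "log" if score >= CAUTION else "allow")
    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample headers (bodies omitted).
LEGIT = """From: Alice <alice@contoso.com>
Return-Path: <alice@contoso.com>
Authentication-Results: spf=pass smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass action=none header.from=contoso.com
X-MS-Exchange-Organization-SCL: 1
"""
LOOKALIKE = """From: "PayPal Billing" <service@paypa1.com>
Return-Path: <bounce@mail-relay.example>
Authentication-Results: spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail action=quarantine header.from=paypa1.com
X-MS-Exchange-Organization-SCL: 6
"""
UNKNOWN = """From: sales@newvendor.example
Return-Path: <sales@newvendor.example>
Authentication-Results: spf=pass smtp.mailfrom=newvendor.example; dkim=pass header.d=newvendor.example; dmarc=pass action=none header.from=newvendor.example
X-MS-Exchange-Organization-SCL: 1
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("unknown", UNKNOWN)):
        print(name, triage(raw))
```

The unrecognised-sender case is the one worth watching: with every authentication check passing it still lands exactly on the caution threshold, so whether it is merely logged, escalated or blocked is decided entirely by the second opinion, and a backend outage leaves it at the logged score rather than dropping the message on the floor.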

Setup

Each client needs an active Microsoft 365 connection (email_accounts with app credentials) and email security enabled. Auth uses the Graph client-credentials flow, so the app registration needs application (not delegated) permissions that cover both reading and moving mail. In Graph terms Mail.Read is not enough for the Junk move; that call needs Mail.ReadWrite. Application permissions apply to every mailbox in the tenant unless an Exchange Online application access policy scopes the app to the monitored mailboxes, so scope it. Scoring quality depends on populated trusted-sender / vendor / approved-domain lists per client.
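The Graph side of the setup above, as an added example that is not NEXOS CORE's code: the client-credentials token request, a poll that asks for internetMessageHeaders so the authentication headers arrive in the same call, a dedupe of already-processed mail, and the Junk move used as quarantine. The token endpoint, the `.default` scope, the messages query and the `junkemail` well-known folder are real Graph/Entra interfaces; the function names, the lookback window and the sample page are this example's own, and the network-calling functions are only exercised when you supply a tenant, app ID and secret.

```python
"""Graph client-credentials poll and quarantine-by-move. Added example, not NEXOS CORE's code.
Needs the Mail.ReadWrite application permission; only the pure helpers run without a tenant."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for Graph as (url, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"}).encode()
    return url, body


def get_token(tenant_id, client_id, client_secret):
    url, body = token_request(tenant_id, client_id, client_secret)
    with urlopen(Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def recent_messages_url(mailbox, since, top=50):
    """Messages received since `since`, with the full header block, in one call."""
    params = {
        "$filter": f"receivedDateTime ge {since.astimezone(timezone.utc):%Y-%m-%dT%H:%M:%SZ}",
        "$orderby": "receivedDateTime desc",
        "$select": "id,internetMessageId,receivedDateTime,from,subject,internetMessageHeaders",
        "$top": str(top),
    }
    return f"{GRAPH}/users/{quote(mailbox)}/messages?{urlencode(params, quote_via=quote)}"


def graph_call(token, url, payload=None):
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if payload is not None:
        data, headers["Content-Type"] = json.dumps(payload).encode(), "application/json"
    with urlopen(Request(url, data=data, headers=headers, method="POST" if data else "GET")) as resp:
        return json.load(resp)


def headers_to_rfc822(internet_message_headers):
    """Flatten Graph's [{name, value}] list into RFC 5322 header text any email parser can read."""
    return "".join(f"{h['name']}: {h['value']}\r\n" for h in internet_message_headers) + "\r\n"


def new_messages(page, seen):
    """Skip already-processed mail. Key on internetMessageId: Graph's `id` changes when a
    message is moved between folders, so a quarantined message would otherwise reappear."""
    fresh = []
    for m in page.get("value", []):
        key = m.get("internetMessageId") or m["id"]
        if key not in seen:
            seen.add(key)
            fresh.append(m)
    return fresh


def move_to_junk(token, mailbox, message_id):
    """The page's 'quarantine': a folder move to Junk Email, not a Defender quarantine."""
    return graph_call(token, f"{GRAPH}/users/{quote(mailbox)}/messages/{message_id}/move",
                      {"destinationId": "junkemail"})


def poll_once(token, mailbox, seen, lookback=timedelta(minutes=10)):
    """One polling pass: returns (graph_id, raw_header_text) for each not-yet-seen message."""
    page = graph_call(token, recent_messages_url(mailbox, datetime.now(timezone.utc) - lookback))
    return [(m["id"], headers_to_rfc822(m.get("internetMessageHeaders", []))) for m in new_messages(page, seen)]
```

The lookback window is deliberately longer than the ~5-minute poll interval so a slow or skipped cycle does not drop mail; the dedupe set is what keeps the overlap from double-processing, and it must be keyed on internetMessageId (or an immutable ID) because the Graph message ID changes when the pipeline moves a message to Junk.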

Good to know

  • Quarantine moves the message to Junk Email — it’s not a full Defender quarantine.
  • It’s polling, not real-time (~5-minute interval), so very high-volume mailboxes could see a short delay.
  • Company matching is by the sender domain — mail from an unrecognized external sender lands in the caution band and gets an AI review.