How It Works
The system creates bait email addresses, publishes them in strategic locations, and then monitors outbound email traffic from the organization’s message servers. If a message server attempts to send an outbound email to one of these bait addresses, it means the server—or an account on it—has been compromised. An attacker who harvested the bait address is now trying to use it, revealing the breach.
When a bait address is detected in outbound traffic, the system takes remedial action from a set of responses: block the message, lock the account, run a security scan, authenticate the sender, validate the message, or generate a warning—in any combination. The system also tracks the number of attempts and total email volume to trigger escalating responses.
The architecture supports multiple gateway systems across the sender and recipient infrastructure, enabling detection across complex, distributed email environments.
What Makes It Different
- Outbound monitoring: watches messages leaving the organization rather than incoming traffic, catching compromised accounts and servers from the inside.
- Bait-and-detect methodology: publishes bait addresses where only an attacker would find them, creating tripwires that reveal unauthorized access.
- Autonomous remediation: takes immediate action (block, lock, scan, authenticate, validate, warn) without waiting for human intervention.
- Threshold-based escalation: tracks attempt counts and email volume to escalate responses as the threat intensifies.
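As an added illustration, not code from the page or from the described system, the following Python sketch applies the outbound bait-address check and the attempt-count and volume escalation described in the two sections above to a constructed outbound mail log. The bait addresses, the sender, the message sizes, and the escalation thresholds are all assumed values; the page names the responses but gives no numbers.

```python
# Constructed bait addresses: hypothetical values, not taken from the page.
BAIT_ADDRESSES = {"invoice-archive@example.com", "hr-backup@example.com"}

# Escalation ladder: (min_attempts, min_total_bytes, responses). The page names
# these responses but not the numbers; the thresholds here are assumed.
ESCALATION = [
    (1, 0,         ["warn", "block"]),
    (3, 0,         ["block", "authenticate"]),
    (5, 1_000_000, ["block", "lock", "scan"]),
]

class BaitMonitor:
    def __init__(self, bait):
        self.bait = {a.lower() for a in bait}
        self.state = {}   # per-sender attempt count and cumulative volume

    def inspect(self, sender, recipients, size_bytes):
        # Compare envelope recipients case-insensitively against the bait set.
        hits = sorted(r.lower() for r in recipients if r.lower() in self.bait)
        if not hits:
            return None   # no bait recipient: legitimate outbound mail, no action
        st = self.state.setdefault(sender.lower(), {"attempts": 0, "bytes": 0})
        st["attempts"] += 1
        st["bytes"] += size_bytes
        responses = []
        for min_attempts, min_bytes, acts in ESCALATION:   # highest rung reached wins
            if st["attempts"] >= min_attempts and st["bytes"] >= min_bytes:
                responses = acts
        return {"sender": sender, "bait_hits": hits,
                "attempts": st["attempts"], "total_bytes": st["bytes"], "responses": responses}

# Constructed outbound log records: (sender, envelope recipients, size in bytes).
SAMPLE_OUTBOUND = [
    ("alice@corp.example", ["bob@partner.example"], 4_000),
    ("alice@corp.example", ["Invoice-Archive@example.com"], 20_000),
    ("alice@corp.example", ["carol@corp.example", "hr-backup@example.com"], 600_000),
    ("alice@corp.example", ["invoice-archive@example.com"], 500_000),
    ("alice@corp.example", ["hr-backup@example.com"], 10_000),
    ("alice@corp.example", ["invoice-archive@example.com"], 10_000),
]

def run_sample():
    mon = BaitMonitor(BAIT_ADDRESSES)
    return [mon.inspect(*event) for event in SAMPLE_OUTBOUND]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The first record never touches a bait address and produces no verdict; each later record raises the sender's attempt count and volume until the top rung (lock the account and run a scan) is reached on the fifth hit.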
Why It Matters
The average data breach takes months to detect through traditional monitoring. This technology can detect compromised accounts almost immediately—by watching for outbound messages to addresses that should never appear in legitimate traffic. When a bait address shows up in outgoing mail, the system knows the sending account or server has been breached and acts instantly.