WhiteMail
Back to blog
·WhiteMail Security Team#explainer#glossary#detection

Security terms explained — what makes an email 'malicious': IOCs, anomalies, behavior, and intent

Security tools all claim to find "malicious" email, but they mean different things by it. Underneath are four distinct questions, in roughly increasing order of how hard they are to evade — and modern attacks are built to survive the first three.

The four questions

  • IOC (Indicator of Compromise)does this match something already known to be bad? A blocklisted domain, a known-malicious file hash, a flagged sending IP. Fast and precise, but only ever as good as the list, and useless against anything new.
  • Anomalyis this statistically unusual? A login from a new country, a first-time sender, an odd sending time. Anomalies surface novelty, but most novelty is harmless, so on their own they generate noise.
  • Behaviordoes this deviate from an established pattern? A vendor whose banking details suddenly change mid-relationship; a colleague who has never asked for a gift-card purchase doing so now. Behavioral detection needs context — a model of what "normal" was — and that is where it gets powerful.
  • Intentwhat is this message actually trying to make someone do? Move money, enter a credential, bypass a security step, act before checking. Intent is read from the meaning of the message, not its metadata.

Why the order matters

Each question is harder to dodge than the one before. An attacker can trivially avoid IOCs by using fresh infrastructure. They can blend into anomalies by behaving statistically normally. They can sometimes stay within expected behavior — VEC is precisely behavior that looks established because it rides a real account.

But they cannot remove the intent without removing the attack. If the email needs you to move money or surrender a credential, that goal is present no matter how clean the indicators, how unremarkable the statistics, how authentic the account. Intent is the one question the attacker cannot answer "innocently" while still succeeding.

How this maps to WhiteHat

This is why WhiteHat does not rely on any single question. SA-02 covers infrastructure indicators, SA-01 models sender behavior and identity, SA-03 examines links, and SA-04 reads intent — and the orchestrator reconciles them into one verdict. The deeper questions catch what the shallow ones miss, and the shallow ones add precision where they apply.

The shift the whole industry is living through, in one sentence: from matching what is known-bad to investigating what a message intends.


See all four questions answered at once for a real message in the Analyze console.