
Email Threat Defense: Hands-On Lab Guide for Security Pros

Admin
March 26, 2026
Tags: email threat defense, cisco email security, office 365 security, phishing protection, business email compromise

Email Threat Defense: Hands-On Lab Guide

Introduction

Every day, threat actors craft increasingly sophisticated email attacks that bypass traditional filtering. According to the FBI Internet Crime Report 2023, phishing accounts for 10% of all complaints while business email compromise (BEC) represents 22% of financial losses, totaling $2.9 billion. These numbers make one thing clear: organizations need more than basic spam filters to protect their users. Email threat defense has become a critical layer in any enterprise security architecture, especially for organizations running cloud email platforms like Microsoft 365.

In this comprehensive hands-on guide, you will learn how to deploy and configure Cisco Secure Email Threat Defense (ETD) from the ground up. We will cover the activation process, the machine learning detection engines that power ETD, how to integrate with Office 365 using journaling and Graph API, how to configure policies based on threat categories, and how to leverage the API for automation. Whether you are studying for a security certification or deploying ETD in production, this guide gives you the practical knowledge you need to protect your mail platform against the latest attacks.

Here is what we will cover:

  • What Cisco Secure Email Threat Defense is and why it matters
  • The machine learning detectors that identify attack techniques
  • Real-world attack examples and how ETD catches them
  • Activating and configuring your ETD account
  • Deploying ETD with Office 365 using journaling
  • Configuring Exchange Online connectors and Graph API
  • Setting up ETD policies and threat categories
  • Working with the ETD dashboard and API
  • Authentication options and identity provider integration
  • Frequently asked questions

What Is Cisco Secure Email Threat Defense?

Cisco Secure Email Threat Defense is a cloud-native email security solution designed to detect and remediate advanced email threats that target organizations using cloud email platforms such as Microsoft 365. Unlike traditional gateway-based email security that sits in the mail flow path and relies on signature-based detection, ETD layers multiple machine learning (ML) and natural language processing (NLP) engines to analyze the intent behind every message.

ETD works by ingesting email traffic from your cloud email platform and running it through a series of specialized detectors. Each detector identifies a specific attack technique or behavioral signal. The combination of these detector outputs reveals the true intent of the message, whether it is a legitimate business communication or a carefully crafted phishing attempt.

How ETD Differs from Traditional Email Gateways

Feature           | Traditional Email Gateway      | Email Threat Defense
------------------|--------------------------------|-------------------------------------------
Deployment        | Inline (MX record change)      | API-based or journaling
Detection Method  | Signatures, reputation, rules  | Machine learning, NLP, behavioral analysis
Threat Focus      | Known spam, malware            | BEC, phishing, account compromise, scams
Remediation       | Block at gateway               | Post-delivery remediation via Graph API
Integration       | Standalone appliance           | Cloud-native, integrates with Office 365

ETD can also work alongside a Cisco Secure Email Gateway (SEG). In this deployment model, the SEG handles traditional MX-based filtering at the perimeter, while ETD adds a detection layer built on its ML-powered detectors and can remediate messages that have already been delivered to user mailboxes.

Pro Tip: Journaling is the preferred method of ETD deployment, though both journaling and API-based ingestion work effectively. The choice depends on your organization's requirements for message visibility and remediation capabilities.

How Does Email Threat Defense Use Machine Learning to Detect Attacks?

At the core of Email Threat Defense is a sophisticated layering of detections built on machine learning. Rather than relying on a single monolithic engine, ETD uses the concept of mini-engines or detectors that each identify specific techniques and behaviors using ML and NLP. The combination of these detectors working together reveals the true intent of a message.

The Detection Engine Architecture

ETD employs a wide array of specialized detectors, each targeting a specific attack signal. Here is a breakdown of the key detectors organized by the threat categories they serve:

BEC (Business Email Compromise) Detectors:

  • Individual Name Imposter -- Detects when an attacker impersonates a known individual within the organization by using their name but sending from an external address
  • Identity and Relationship Checker -- Analyzes the identity claims in the message against known communication patterns
  • Relationship Mapping -- Builds a model of who communicates with whom in the organization and flags anomalous communication pairs
  • Email Account Compromise -- Identifies signals that a legitimate account may have been taken over
  • Sudden Burst Detector -- Flags when an account suddenly sends an unusual volume of messages, which can indicate compromise
  • Payroll Scams -- Specifically targets fraudulent requests to change direct deposit or payroll information
  • Victim Impersonation Detector -- Detects when an attacker pretends to be the victim themselves

Phishing Detectors:

  • Recently Registered Domain -- Flags messages from domains that were recently registered, a common tactic in phishing campaigns
  • Link Masquerade -- Identifies when the displayed URL text does not match the actual hyperlink destination
  • Dash-Phishing Detector -- Catches domains that use dashes to mimic legitimate domain names
  • Victim-specific URL -- Detects URLs crafted to target a specific individual or organization
  • Open Redirect Detector -- Identifies the abuse of legitimate open redirect functionality to mask malicious destinations

Deception Detectors:

  • Brand Impersonation -- Detects when an attacker mimics a well-known brand in the message content or sender information
  • Unusual Masquerade -- Identifies unusual patterns in how the sender presents themselves
  • External Department Detector -- Flags when an external sender claims to be from an internal department
  • Fake Reply Detector -- Catches messages that fabricate a reply chain to establish false credibility
  • Email Address Masquerade -- Detects when the display name or address is crafted to look like a trusted contact

Non-BEC Scam Detectors:

  • Cryptocurrency Payment Request -- Flags messages demanding payment in cryptocurrency, commonly associated with extortion scams
  • Zero-Trust Sender Mismatch Detector -- Identifies discrepancies between the claimed sender identity and the actual sending infrastructure

General Signal Detectors:

  • Call to Action and Urgency -- Identifies language designed to pressure the recipient into taking immediate action
  • Message Indicators -- Analyzes various message attributes for suspicious patterns
  • Rare Communication -- Flags messages from senders who have never or rarely communicated with the recipient

How Detectors Work Together

The power of ETD is not in any single detector but in how they combine. When a message arrives, multiple detectors analyze it simultaneously. Each detector contributes a signal, and the system correlates these signals to determine the overall threat classification. A message might trigger the "Recently Registered Domain" detector and the "Call to Action and Urgency" detector independently, but when both fire together along with "Link Masquerade," the system can confidently classify it as a phishing attempt.

This layered approach is what makes ETD effective against novel attacks that have never been seen before. Traditional signature-based systems can only catch known threats, but by analyzing behavioral signals and techniques, ETD can identify the intent behind a message even when the specific payload or sender has no prior reputation data.

Real-World Attack Examples: How Email Threat Defense Catches Threats

Understanding how ETD detects threats becomes much clearer when you examine real-world attack examples. Let us walk through two common attack types and see how ETD's detectors identify them.

Example 1: Payroll Fraud Attack

Consider the following fraudulent email:

From: Tracy Metz <officemail00x@gmail.com>
Subject: Payroll Direct Deposit Change Update

Hi,

I've recently switched banks and would like to update my new banking
information, change my current Payroll/Benefit Info to my new account.
Will the change be effective for the next pay date..?

Regards,
Tracy Metz
Sent from my iPhone

A second variant of the same attack pattern:

From: Joshua Baker <z0000u0000z@gmail.com>
Sent: Sunday, July 11, 2024 10:12:07 AM
Subject: Direct Deposit Update

Hi

I have changed my bank and I do like to change my Paycheck Direct
Deposit information, would the change be effective for the next
pay date?

Thanks
Joshua Baker

ETD Detection Signals:

  1. Unknown / new sender with odd sender structure -- Both officemail00x@gmail.com and z0000u0000z@gmail.com are clearly not legitimate corporate email addresses. The random character patterns in the local part of the address trigger the sender analysis detectors.
  2. Payroll request from an external sender -- The Payroll Scams detector identifies that this is a request to modify direct deposit information, and it is coming from an external email address rather than an internal HR or payroll system.
  3. Call to action -- Both messages include a clear request to change account information, with implied urgency about the next pay date.

The combination of these three signals allows ETD to classify both messages as BEC/payroll fraud with high confidence, even though the messages contain no malicious links or attachments that a traditional gateway would catch.

Example 2: Extortion Scam

Here is another common attack pattern:

From: <iradapoxo@mail.eamale.com>
Subject: Payment from your account.
Date: 19 Aug 2024 00:15:43 -0600

Greetings!

I have to share bad news with you. Approximately few months ago
I have gained access to your devices, which you use for internet
browsing. After that, I have started tracking your internet
activities.

Here is my bitcoin wallet: 12djMjPKd6Bv2BaXUNVuAjnuusKA66qCkX

You have less than 48 hours from the moment you opened this email
(precisely 2 days).

Things you need to avoid from doing:
*Do not reply me (I have created this email inside your inbox and
generated the return address).

Everything will be done in a fair manner!

One more thing... Don't get caught in similar kind of situations
anymore in future! My advice - keep changing all your passwords
on a frequent basis

ETD Detection Signals:

  1. Unknown / new sender with odd sender structure -- The sender address iradapoxo@mail.eamale.com is from an unfamiliar domain with a suspicious structure.
  2. Request for payment -- The message explicitly demands payment from the recipient.
  3. Bitcoin wallet -- The Cryptocurrency Payment Request detector identifies the bitcoin wallet address as a payment demand mechanism commonly associated with extortion.
  4. Call to action / Urgency -- The 48-hour deadline creates artificial urgency designed to pressure the recipient into acting before thinking critically.

These four signals together result in a clear classification as an extortion scam. The message contains no malicious links or attachments, making it invisible to traditional detection methods, but ETD's behavioral analysis catches it immediately.
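To make the idea of detectors that each emit one signal and a correlator that turns the combination into a verdict concrete, here is an added toy implementation. It is written for this guide and is not Cisco's ETD code; the detector heuristics, the internal domain, the free-mail list and the known-sender set are constructed assumptions, and the sample inputs are the three messages quoted above plus one benign internal mail.

```python
import re
from dataclasses import dataclass

# Constructed assumptions for the demo; ETD learns equivalents from observed traffic.
INTERNAL_DOMAIN = "example.com"
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
KNOWN_SENDERS = {"hr@example.com", "payroll@example.com"}


@dataclass
class Message:
    from_addr: str
    subject: str
    body: str

    @property
    def domain(self):
        return self.from_addr.rpartition("@")[2].lower()

    @property
    def text(self):
        # Lower-case, whitespace-normalised view so phrases split across lines still match.
        return re.sub(r"\s+", " ", (self.subject + " " + self.body).lower())


# Each detector inspects one thing and returns a signal name or None.

def odd_sender_structure(msg):
    """Local part with embedded digit runs or digit-heavy, e.g. officemail00x, z0000u0000z."""
    local = msg.from_addr.partition("@")[0]
    digit_ratio = sum(c.isdigit() for c in local) / max(len(local), 1)
    if re.search(r"[a-z]\d{2,}", local, re.I) or digit_ratio >= 0.3:
        return "odd_sender_structure"
    return None


def free_mail_sender(msg):
    return "free_mail_sender" if msg.domain in FREE_MAIL_DOMAINS else None


def rare_communication(msg):
    """Stand-in for ETD's relationship model: the sender has never communicated with us."""
    return None if msg.from_addr.lower() in KNOWN_SENDERS else "unknown_sender"


def external_payroll_request(msg):
    """Payroll Scams signal: a direct-deposit/payroll change requested from outside the org."""
    terms = ("direct deposit", "payroll", "paycheck", "banking information")
    if msg.domain != INTERNAL_DOMAIN and any(t in msg.text for t in terms):
        return "payroll_request_external"
    return None


def crypto_payment_request(msg):
    """Legacy base58 bitcoin address in the body (bech32 'bc1...' addresses omitted for brevity)."""
    if re.search(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b", msg.body):
        return "crypto_wallet"
    return None


def call_to_action_urgency(msg):
    cues = ("next pay date", "48 hours", "immediately", "urgent", "deadline")
    return "urgency" if any(c in msg.text for c in cues) else None


DETECTORS = (odd_sender_structure, free_mail_sender, rare_communication,
             external_payroll_request, crypto_payment_request, call_to_action_urgency)


def run_detectors(msg):
    """Run every detector; the set of fired signals is the message's profile."""
    return {sig for sig in (d(msg) for d in DETECTORS) if sig is not None}


def classify(signals):
    """Verdict from co-occurrence: no single signal is decisive on its own."""
    weak_sender = {"odd_sender_structure", "free_mail_sender"} & signals
    if "payroll_request_external" in signals and "unknown_sender" in signals and weak_sender:
        return "BEC/payroll fraud"
    if {"crypto_wallet", "urgency"} <= signals:
        return "scam/extortion"
    if len(signals) >= 3:
        return "suspicious"
    return "clean"


def triage(msg):
    signals = run_detectors(msg)
    return classify(signals), sorted(signals)


# Constructed sample input: the three messages quoted in the text plus one benign internal mail.
PAYROLL_1 = Message("officemail00x@gmail.com", "Payroll Direct Deposit Change Update",
    "Hi,\n\nI've recently switched banks and would like to update my new banking\n"
    "information, change my current Payroll/Benefit Info to my new account.\n"
    "Will the change be effective for the next pay date..?\n\nRegards,\nTracy Metz")
PAYROLL_2 = Message("z0000u0000z@gmail.com", "Direct Deposit Update",
    "Hi\n\nI have changed my bank and I do like to change my Paycheck Direct\n"
    "Deposit information, would the change be effective for the next\npay date?\n\nThanks\nJoshua Baker")
EXTORTION = Message("iradapoxo@mail.eamale.com", "Payment from your account.",
    "Greetings!\n\nI have gained access to your devices, which you use for internet browsing.\n"
    "Here is my bitcoin wallet: 12djMjPKd6Bv2BaXUNVuAjnuusKA66qCkX\n\n"
    "You have less than 48 hours from the moment you opened this email\n(precisely 2 days).")
BENIGN = Message("hr@example.com", "Updated direct deposit form",
    "Hi all,\n\nThe revised direct deposit form is on the HR portal. No action is required.")

if __name__ == "__main__":
    for name, m in (("payroll_1", PAYROLL_1), ("payroll_2", PAYROLL_2),
                    ("extortion", EXTORTION), ("benign", BENIGN)):
        verdict, signals = triage(m)
        print(f"{name:10} {verdict:18} {signals}")
```

The benign HR mail contains the same "direct deposit" wording as the fraud, but it comes from a known internal sender, so only the payroll detector even considers it and the internal-domain check keeps it quiet; the fraudulent messages are caught because several unrelated signals fire at once, which is the layered behaviour described above.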

Pro Tip: Pay close attention to the sender address structure in both examples. Attackers frequently use free email services with randomized local parts. Training your users to recognize these patterns is an important complement to automated detection.

How to Activate Your Email Threat Defense Account

The first step in deploying ETD is activating your account. This process establishes your ETD instance and connects it to your organization's identity.

Step 1: Obtain the Welcome Letter

When you provision ETD, you receive a welcome letter that contains critical information for your deployment:

  • The login URL for your specific ETD instance or region
  • Your username for accessing the ETD management console
  • Information for setting up Email Threat Defense
  • Contact information for customer success support

Pro Tip: The welcome letter is not mandatory to proceed with activation, but it provides the specific instance URL for your region and useful setup guidance. Keep it accessible throughout the deployment process.

Step 2: Create Your Security Cloud Sign-On Account

ETD uses Cisco Security Cloud Sign On for authentication. If you do not already have a Security Cloud Sign On account, you need to create one before you can access ETD. This is a unified identity platform that provides access to multiple security products.

The sign-up process involves:

  1. Navigate to the Security Cloud Sign On registration page
  2. Provide your organizational email address
  3. Complete the account verification process
  4. Set up multi-factor authentication as required

Step 3: Access the ETD Console

Once your Security Cloud Sign On account is active, you can log in to the ETD console using the URL provided in your welcome letter. The console is where you will configure all aspects of your ETD deployment, from Office 365 integration to policy settings.

Configuring Email Threat Defense with Office 365: Deployment Options

ETD integrates with Microsoft Office 365 through two primary deployment modes. Understanding both options is essential for choosing the right approach for your environment.

Deployment Mode 1: Direct Integration (Journaling + Graph API)

In this mode, ETD connects directly to your Office 365 environment without requiring a Cisco Secure Email Gateway:

Internet --> Office 365 --> Journal Rule --> Email Threat Defense
                        --> Graph API    --> Email Threat Defense

The components of this deployment are:

  • MX Record: Points to Office 365 as usual; no MX record changes are required
  • Journal Rule: Configured in Exchange Online to send copies of messages to ETD for analysis
  • Graph API: Provides ETD with the ability to access and remediate messages in user mailboxes

This is the simpler deployment model and is ideal for organizations that do not have an existing Cisco Secure Email Gateway.

Deployment Mode 2: Integration with Cisco Secure Email Gateway

For organizations that already use a Cisco SEG, ETD can receive message data through the Threat Connector:

Internet --> Cisco SEG --> Office 365
                      \--> Threat Connector --> Email Threat Defense
                                            --> Graph API

In this mode:

  • The MX record points to the Cisco SEG
  • The SEG performs its traditional filtering
  • The Threat Connector forwards message metadata and content to ETD for ML-based analysis
  • ETD can still use Graph API for post-delivery remediation
  • Journal Rules can also be used alongside the Threat Connector

This layered approach gives you the best of both worlds: traditional gateway protection plus ML-powered behavioral analysis.

Deployment Aspect          | Direct Integration | With Cisco SEG
---------------------------|--------------------|-------------------------------
MX Record Change           | No                 | Points to SEG
Message Ingestion          | Journaling         | Threat Connector + Journaling
Pre-delivery Filtering     | Office 365 native  | Cisco SEG
Post-delivery Remediation  | Graph API          | Graph API
Best For                   | Cloud-only email   | Hybrid environments

Pro Tip: Journaling is the preferred method of ETD deployment. It provides comprehensive message visibility and works reliably regardless of your email architecture. Both deployment modes support journaling, and it can be used alongside other ingestion methods.

How to Configure Exchange Online Journaling for Email Threat Defense

Journaling is the mechanism by which Office 365 sends copies of email messages to ETD for analysis. Configuring journaling is one of the most critical steps in deploying ETD because it determines which messages ETD can see and analyze.

Understanding Exchange Online Journaling

Exchange Online journaling creates a copy of every email message (or messages matching specific criteria) and delivers that copy to a designated journal recipient. In the case of ETD, the journal recipient is an address provided by your ETD instance. This means ETD receives a copy of every message flowing through your Office 365 environment without modifying the original mail flow.

Setting Up the Journal Rule

To configure journaling in Exchange Online for ETD:

  1. Log in to the Exchange Admin Center in your Microsoft 365 admin portal
  2. Navigate to the Compliance Management or Mail Flow section, depending on your admin center version
  3. Create a new journal rule that sends copies of messages to the ETD journaling address
  4. Configure the scope of the rule to cover the mailboxes or groups you want ETD to monitor
  5. Activate the rule and verify that journal messages begin flowing to ETD

The journal rule ensures that ETD has visibility into all email traffic, including internal messages if configured to do so. This is essential for detecting threats like account compromise, where a legitimate internal account is used to send malicious messages.

Verifying Journaling is Working

After configuring the journal rule, you should verify that messages are being received by ETD:

  1. Send a test message between monitored mailboxes
  2. Log in to the ETD console
  3. Check the dashboard for the test message appearing in the message log
  4. Verify that the message has been analyzed and categorized

Configuring the Exchange Online Connector and Microsoft Graph API

Beyond journaling, ETD requires additional Exchange Online configuration to enable SMTP routing and mailbox remediation capabilities.

Exchange Online Connector Configuration

The Exchange Online connector handles SMTP routing between Office 365 and ETD. This connector ensures that journal messages and other communications between Office 365 and ETD are properly routed and authenticated.

When configuring the connector:

  • Define the connector type and direction (from Office 365 to ETD)
  • Configure the destination address provided by your ETD instance
  • Set up TLS encryption for the connection
  • Test the connector to verify message delivery

Microsoft Graph API Integration

The Microsoft Graph API integration is what gives ETD its mailbox remediation capability. While journaling provides ETD with visibility into email traffic, the Graph API allows ETD to take action on messages that have already been delivered to user mailboxes.

With Graph API configured, ETD can:

  • Move malicious messages from user inboxes to quarantine or junk folders
  • Delete messages that are confirmed threats
  • Add warnings to messages that are suspicious but not confirmed malicious
  • Search mailboxes for additional instances of a threat after it has been identified

Setting up the Graph API integration requires:

  1. Register an application in Microsoft Entra ID (formerly Azure AD)
  2. Grant the application the necessary API permissions for mail access
  3. Configure the application credentials in ETD
  4. Authorize the connection between ETD and your Office 365 tenant
  5. Test remediation by manually triggering an action on a test message

Pro Tip: The Graph API integration is what transforms ETD from a detection-only tool into a full remediation solution. Without it, ETD can identify threats but cannot automatically remove them from user mailboxes. Always configure both journaling and Graph API for maximum protection.

How to Configure Email Threat Defense Policies

Once ETD is connected to your Office 365 environment and ingesting messages, the next step is configuring policies that determine how ETD responds to different threat categories.

Understanding ETD Threat Categories

ETD classifies messages into categories based on the signals detected by its ML engines. Policy configuration allows you to define what action ETD should take for each category. The key areas covered by ETD policy configuration include:

  • What flows to scan -- Define which message flows ETD should analyze (inbound, outbound, internal)
  • ETD integration with Office 365 -- Configure how deeply ETD integrates with your mail environment
  • Actions based on categories -- Set automatic remediation actions for each threat category

Configuring Category-Based Actions

For each threat category that ETD detects, you can configure a specific action:

Threat Category | Recommended Action | Description
----------------|--------------------|------------------------------------------------
BEC             | Auto-remediate     | High-confidence detection; remove from mailbox
Phishing        | Auto-remediate     | Credential theft risk; remove immediately
Scam            | Quarantine         | Non-BEC financial scams; review before action
Graymail        | Tag/warn           | Unwanted but not malicious; user can decide

The policy engine allows granular control over how aggressive your response should be for each category. Organizations typically start with more conservative settings (notify and log) and gradually increase automation (auto-remediate) as they build confidence in ETD's accuracy.

Moving Between Authentication Modes

ETD supports configuration changes between no-auth and auth modes. This flexibility allows you to:

  • Start in no-auth mode for initial testing and evaluation
  • Switch to authenticated mode for production deployment
  • Adjust authentication requirements based on your security posture

This is particularly useful during initial deployment when you want to observe ETD's detection capabilities before enabling automated remediation.

Working with the Email Threat Defense Dashboard and API

The ETD Dashboard

The ETD dashboard provides a centralized view of your email security posture. From the dashboard, you can:

  • View real-time statistics on messages analyzed and threats detected
  • Drill down into individual messages to see which detectors fired
  • Review the threat classification and confidence level for each message
  • Track trends in attack volume and types over time
  • Monitor the health of your Office 365 integration

The dashboard is your primary tool for day-to-day monitoring and investigation. When a user reports a suspicious message, the dashboard allows you to quickly search for it, review the detection details, and take remediation action if needed.

API Automation with Postman

For organizations that want to integrate ETD into their existing security operations workflows, ETD provides an API that can be accessed using tools like Postman or integrated into custom scripts and SOAR platforms.

The API enables:

  • Automated threat response -- Trigger remediation actions programmatically based on external signals or orchestration logic
  • Data export -- Extract threat data for analysis in external SIEM or analytics platforms
  • Integration -- Connect ETD with other security tools in your environment for coordinated response
  • Custom reporting -- Build reports tailored to your organization's specific requirements

Working with the API extends ETD's value beyond its built-in console, allowing you to incorporate email threat intelligence into your broader security operations.

Pro Tip: Use the API to build automated playbooks that correlate ETD detections with signals from other security tools. For example, if ETD detects a BEC attempt and your endpoint protection tool detects suspicious login activity from the same user, your SOAR platform can automatically escalate the incident and lock the account.

Authentication Options and Identity Provider Integration for Email Threat Defense

A common concern when deploying any cloud security solution is how it integrates with your existing identity and authentication infrastructure. ETD offers flexible authentication options that address the most common customer requirements.

Common Customer Questions About Authentication

Organizations frequently ask three questions about ETD authentication:

  1. Can we change the authentication options? -- Yes. ETD supports multiple authentication configurations.
  2. Can we use our own MFA and authentication platform? -- Yes. You can integrate your existing identity provider.
  3. Can we control the where/who/what? -- Yes. Granular access control is available.

Supported Authentication Providers

ETD integrates with the following identity providers for authentication:

Provider           | Type
-------------------|----------------------------------------
Auth0              | Identity platform
Microsoft Entra ID | Enterprise identity (formerly Azure AD)
Cisco Duo          | MFA and access management
Google Identity    | Google Workspace identity
Okta               | Enterprise identity and SSO
Ping               | Enterprise identity federation

This broad support means that regardless of your organization's identity infrastructure, you can integrate ETD with your existing single sign-on (SSO) and multi-factor authentication (MFA) systems. This eliminates the need for separate credentials and ensures that access to ETD is governed by your organization's existing identity policies.

Why Identity Provider Integration Matters

Integrating ETD with your identity provider delivers several benefits:

  • Consistent access policies -- The same conditional access rules that govern other applications apply to ETD
  • Centralized user management -- Add and remove ETD users through your existing identity platform
  • MFA enforcement -- Leverage your existing MFA solution rather than managing separate factors
  • Audit trail -- Authentication events are logged in your identity provider's audit system
  • Reduced credential fatigue -- Users sign in with their existing corporate credentials

The Scale of Email-Based Attacks: Why Email Threat Defense Matters

To understand why deploying an advanced email threat defense solution is essential, consider the scope of the problem as documented in the FBI Internet Crime Report 2023:

  • 10% of all complaints received by the FBI Internet Crime Complaint Center involved phishing as the initial access method
  • 22% of all financial losses reported were attributed to Business Email Compromise
  • The total financial loss from internet crime reached $2.9 billion

These statistics underscore a critical reality: email remains the primary attack vector for cybercriminals, and BEC attacks are disproportionately costly compared to their volume. A single successful BEC attack can result in hundreds of thousands of dollars in losses, far exceeding the cost of most ransomware incidents.

Traditional email security solutions that rely on signature-based detection and reputation filtering are effective against commodity spam and known malware but struggle with the socially engineered, text-based attacks that characterize BEC and advanced phishing. These attacks contain no malicious attachments, no known-bad URLs, and no detectable payloads. They rely entirely on deception, urgency, and social engineering.

This is precisely the gap that Email Threat Defense fills. By analyzing the behavioral signals, linguistic patterns, and communication anomalies in every message, ETD can detect threats that are invisible to traditional security tools.

Attack Type                            | Traditional Gateway | Email Threat Defense
---------------------------------------|---------------------|------------------------------------
Spam with malware attachment           | Detected            | Detected
Known phishing URL                     | Detected            | Detected
BEC with no links or attachments       | Often missed        | Detected via ML
Payroll fraud via social engineering   | Often missed        | Detected via behavioral analysis
Extortion with cryptocurrency demand   | Sometimes missed    | Detected via specialized detectors
Account compromise (legitimate sender) | Missed              | Detected via behavioral anomaly

Frequently Asked Questions

What is the difference between Email Threat Defense and Cisco Secure Email Gateway?

Cisco Secure Email Gateway (SEG) is a traditional email security appliance that sits in the mail flow path and filters messages before they reach user mailboxes. It uses signatures, reputation, and content filtering. Email Threat Defense, on the other hand, uses machine learning and NLP to analyze messages for behavioral signals and attack intent. ETD can work alongside SEG via the Threat Connector, providing an additional detection layer for threats that bypass traditional filtering. The two products complement each other: SEG handles high-volume commodity threats at the perimeter while ETD catches sophisticated, socially engineered attacks.

How does Email Threat Defense integrate with Microsoft 365?

ETD integrates with Microsoft 365 through three mechanisms: journaling, Exchange Online connectors, and the Microsoft Graph API. Journaling sends copies of messages to ETD for analysis. Exchange Online connectors handle SMTP routing between Office 365 and ETD. The Graph API provides ETD with mailbox access for post-delivery remediation, allowing it to move or delete malicious messages that have already been delivered to user inboxes.

Can I use my organization's existing identity provider with ETD?

Yes. ETD supports integration with multiple authentication providers including Auth0, Microsoft Entra ID, Cisco Duo, Google Identity, Okta, and Ping. This allows you to use your existing SSO and MFA infrastructure for ETD access, maintaining consistent security policies across your applications.

What types of threats does Email Threat Defense detect?

ETD detects a wide range of email threats including Business Email Compromise (BEC), phishing, payroll fraud, extortion scams, brand impersonation, account compromise, and various non-BEC scams. It uses specialized ML detectors for each threat type, including detectors for cryptocurrency payment requests, recently registered domains, link masquerade, fake reply chains, and unusual sender behavior patterns.

Is journaling or API-based ingestion better for ETD deployment?

Journaling is the preferred method of ETD deployment. It provides comprehensive message visibility by sending copies of all messages to ETD for analysis. API-based ingestion also works effectively, and both methods can be used simultaneously. The choice depends on your specific requirements for message coverage, latency, and integration architecture.

Can ETD automatically remediate threats, or is it detection-only?

ETD can both detect and remediate threats. Detection is powered by the ML engine analyzing messages received through journaling. Remediation is enabled through the Microsoft Graph API integration, which gives ETD the ability to take action on messages in user mailboxes. You can configure automatic remediation for high-confidence threat categories or choose to review detections manually before taking action.

Conclusion

Deploying Cisco Secure Email Threat Defense represents a significant upgrade in your organization's ability to detect and respond to advanced email threats. The layered ML detection approach, with its dozens of specialized detectors working in concert, catches the sophisticated BEC, phishing, and social engineering attacks that traditional gateways miss.

In this guide, we covered the complete deployment workflow: activating your ETD account, integrating with Office 365 through journaling and Graph API, configuring policies based on threat categories, and leveraging the dashboard and API for operations and automation. We also examined real-world attack examples showing how ETD's detectors identify payroll fraud and extortion scams that contain no malicious payloads.

The key takeaways from this guide are:

  1. ETD uses layered ML detectors that identify techniques and behaviors, not just signatures. The combination of detector signals reveals attack intent.
  2. Journaling is the preferred deployment method for ingesting messages into ETD from Office 365.
  3. Graph API integration is essential for post-delivery remediation capabilities.
  4. Policy configuration lets you control automated response actions for each threat category.
  5. Flexible authentication supports six major identity providers, so ETD fits into your existing identity infrastructure.
  6. API access extends ETD's value into your broader security operations workflows.

With email remaining the primary attack vector and BEC accounting for 22% of financial losses in cybercrime, implementing an advanced email threat defense solution is not optional -- it is a fundamental requirement for any organization serious about security. Take the time to deploy ETD properly, tune your policies based on observed detections, and integrate it with your broader security stack for maximum protection.

Visit nhprep.com to explore security courses that will deepen your understanding of email security, threat detection, and enterprise defense architectures.