What is threat intelligence in email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email from what looks like your bank. The sender address is almost right. The link almost matches. And somewhere, a security team has already seen that exact attack pattern targeting three other organizations this week. That knowledge, shared in time, is threat intelligence.
Threat intelligence in email is information about active or emerging attacks that helps defenders make better decisions. It covers phishing campaigns that are live right now, the infrastructure attackers use to send them (servers, domains, IP addresses), how attacks are designed to bypass filters, and the specific signals that identify them.
Those signals have a formal name: indicators of compromise, or IOCs. In plain English, an IOC is a fingerprint left by an attack. It might be a specific IP address that's been sending phishing emails, a domain registered two days ago that mimics a real brand, or a particular string in an email header that shows up across multiple malicious campaigns. When a security filter blocks an email because it "matches a known threat," it's usually matching against a list of IOCs.
Where does this intelligence actually come from? A few places:
- Security vendors that run global email filters and collect signal from millions of inboxes (think Spamhaus or Barracuda)
- Industry sharing groups like ISACs, where organizations in the same sector swap attack data
- Government agencies in some countries that publish advisories about active campaigns
- Internal detection from your own mail logs, abuse reports, and security incidents
- Open-source feeds that publish IOCs publicly
How you actually use this depends on your size. A small team might simply subscribe to a reputable blocklist that's fed by threat intelligence behind the scenes. They never see the raw data, but their mail gateway blocks known-bad senders automatically. A mid-size org might pull in a threat reputation API to check incoming domains against a live database before delivery. An enterprise security team might have a full SOC (Security Operations Center) that ingests multiple intelligence feeds, correlates them, and uses them to investigate incidents and tune their defenses in near real time.
The key thing threat intelligence does is cut reaction time. Without it, your filters are catching attacks they've already seen. With good intelligence, you're blocking the same attack pattern before it ever reaches your users, because someone else saw it first and shared the signal.
If you want to go deeper on how this sharing actually works between organizations, the next question in this series covers exactly that.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.