
Halon's Glossary about spam & email threats

A

Access Control List (ACL)

A strict set of rules configured on a server or firewall that dictates exactly which IP addresses or networks are permitted to connect to your email infrastructure and send or receive data.
Tip  Halon Pro Tip
Don't just rely on standard firewalls. Your MTA should utilize dynamic ACLs that can automatically drop connections from known malicious IP blocks in real-time, significantly reducing the processing load on your downstream spam and malware scanners.

Account Takeover (ATO)

A severe security breach where a cybercriminal gains unauthorized access to a legitimate employee's email account, often using it to launch internal phishing campaigns, intercept invoices, or steal sensitive data. Often combined with changes to Mailbox Rules.
Tip  Halon Pro Tip
Because ATO mail is sent from a genuinely authenticated internal account, SPF, DKIM and DMARC all pass, so authentication alone will not catch it. Detection has to come from behaviour: correlate identity-provider signals such as logins from unusual locations with what the MTA sees directly, such as sudden spikes in outbound volume, new recipient patterns or mass replies to old threads, and be able to suspend the account's sending immediately.

Advanced Attachment Analysis

A multi-layer inspection process that applies static code analysis, structural parsing, and behavioral evaluation to email attachments before delivery. Unlike single-engine antivirus scanning, it combines methods to catch obfuscated malware, embedded scripts, and novel threats with no known signature.
Tip  Halon Pro Tip
No single scanning engine catches everything, and attackers know which engines most gateways use. Layering static analysis, antivirus, and behavioral sandboxing in a single pipeline means a threat that slips past one layer still faces several more.

Advanced Persistent Threat (APT)

A prolonged, highly sophisticated cyberattack where an intruder establishes an undetected presence in a network, often entering via a spear-phishing email, to steal sensitive data over months or years.
Tip  Halon Pro Tip
APTs utilize "low and slow" tactics to evade standard volume-based security triggers. Combating them for email requires integrating your MTA directly with a centralized SIEM, feeding it comprehensive SMTP logs and threat intelligence to identify subtle anomalies over time.

ARC (Authenticated Received Chain)

A protocol (RFC 8617) that preserves the original email authentication results when a message is forwarded or processed by an intermediary, such as a mailing list. Without ARC, legitimate forwarded mail often fails DMARC: the forwarder's IP is not in the original domain's SPF record, and a list that rewrites the subject or appends a footer breaks the original DKIM signature. Each intermediary adds a sealed record of the results it observed, so the final receiver can see what authenticated before the message was modified.
Tip  Halon Pro Tip
If your organization receives significant forwarded or mailing-list traffic, ARC support is essential. Your inbound MTA should validate incoming ARC chains and seal its own ARC set when it forwards, keeping the chain intact. An ARC chain is only as trustworthy as the sealer, so override a DMARC failure only for intermediaries you have explicitly chosen to trust; accepting any valid chain turns ARC into a spoofing bypass.

Archiving & E-Discovery

The automated process of securely capturing, indexing, and storing all inbound, outbound and internal emails. This ensures historic communications can be quickly retrieved for legal audits, compliance checks, or internal investigations.
Tip  Halon Pro Tip
Compliance laws often mandate that financial and healthcare organizations retain unaltered records of communications. A modern MTA can integrate with your archiving platform in real-time, sending it a secure, immutable copy of every message before the user can alter or delete it.

Attachment Sandbox Pre-Filtering

A risk-scoring stage that decides which attachments need full sandbox detonation before delivery. Instead of detonating every file, which adds latency and cost, it evaluates file type, sender reputation, and static indicators first, escalating only the genuinely suspicious.
Tip  Halon Pro Tip
Sending every attachment to a cloud sandbox is slow and expensive at scale. A well-tuned pre-detonation stage keeps delivery times acceptable for normal mail, while ensuring high-risk files still receive thorough behavioral analysis.

Attachment Sandboxing

A security mechanism that isolates suspicious email attachments (like PDFs or Office documents) in a secure, virtualized environment to observe their behavior and detonate potential malware before allowing safe attachments into the network.
Tip  Halon Pro Tip
Attackers often use evasive malware that bypasses traditional scanners. Integrating an advanced sandboxing solution directly into your inbound MTA flow ensures that even hidden, zero-day threats are safely analyzed in real-time without causing massive delivery delays for legitimate mail.

Attachment Type Policy (Extension and MIME Controls)

A security control that decides which attachment types are permitted, blocked, or quarantined based on file extension, declared MIME type, and whether the two match. Attackers routinely disguise dangerous files with innocent-looking extensions, so validating actual content type is essential.
Tip  Halon Pro Tip
Never rely on file extensions alone, as they are trivially easy to fake. Your gateway should validate the true MIME type of every attachment and treat any extension-to-content mismatch as an immediate high-risk flag.
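An added worked example (not Halon code) of the extension, declared-MIME and content check described above, in Python. The magic-byte table, the blocked-extension list and the sample attachments are constructed for illustration; a production gateway would use a full signature database such as libmagic and a tunable policy:

```python
"""Extension vs. declared MIME vs. actual content check for attachments.

Added illustration, not Halon's own code. The signature table and the
policy thresholds below are constructed assumptions.
"""
import io
import zipfile
from typing import Optional, Tuple

# Leading bytes ("magic") for a few common non-container types (constructed table).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".exe": b"MZ",          # PE executables (also .dll, .scr ...)
}

# MIME type a well-behaved client declares for each extension (constructed table).
EXPECTED_MIME = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".zip": "application/zip",
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}

# Extensions blocked inbound regardless of content (assumed policy).
BLOCKED_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".cmd", ".ps1"}
MACRO_EXT = {".docm", ".xlsm"}


def sniff(data: bytes) -> Optional[str]:
    """Return the extension implied by the content itself, or None if unknown."""
    if data.startswith(b"PK\x03\x04"):
        # ZIP container: look inside to tell a plain archive from OOXML,
        # and an OOXML document from its macro-enabled variant.
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return ".zip"
        if "word/vbaProject.bin" in names:
            return ".docm"
        if "word/document.xml" in names:
            return ".docx"
        if "xl/vbaProject.bin" in names:
            return ".xlsm"
        if "xl/workbook.xml" in names:
            return ".xlsx"
        return ".zip"
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def verdict(filename: str, declared_mime: str, data: bytes) -> Tuple[str, str]:
    """Return (action, reason) where action is allow, quarantine or block."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXT:
        return "block", f"extension {ext} is not accepted"
    actual = sniff(data)
    if actual in BLOCKED_EXT:
        return "block", f"content is {actual} although named {ext or '(none)'}"
    if actual in MACRO_EXT:
        return "quarantine", f"macro-enabled document disguised as {ext}"
    if actual is not None and actual != ext:
        return "quarantine", f"extension {ext} does not match content {actual}"
    expected = EXPECTED_MIME.get(ext)
    if expected and declared_mime.lower() != expected:
        return "quarantine", f"declared {declared_mime} but {ext} should be {expected}"
    return "allow", "extension, declared type and content agree"


def make_ooxml(names) -> bytes:
    """Build a minimal in-memory OOXML-style ZIP with the given entries (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, "<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", "application/pdf", b"%PDF-1.7\n%constructed\n"),
        ("invoice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report.docx", EXPECTED_MIME[".docx"],
         make_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])),
        ("photo.jpg", "image/jpeg", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ]
    for fn, mime, blob in samples:
        print(fn, verdict(fn, mime, blob))
```

The ZIP branch is the part worth copying: .docx and .xlsx share their magic bytes with every other ZIP, so the only way to tell a macro-enabled document renamed to .docx from a clean one is to look at the entry names inside the container.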

B

BEC (Business Email Compromise)

A highly targeted cyberattack where a scammer impersonates an executive or trusted vendor to trick employees into transferring funds, altering payroll, or revealing sensitive data.
Tip  Halon Pro Tip
BEC attacks rarely contain malicious links or attachments, meaning legacy antispam scanners won't catch them. Protecting your network requires advanced inbound filtering that uses machine learning to detect behavioral anomalies, impersonated sender names, and urgent financial language.

BIMI (Brand Indicators for Message Identification)

A branding and marketing standard that allows domains with strict DMARC policies to display their verified brand logo next to their messages in the recipient's inbox when using supported clients, proving the email is legitimate.
Tip  Halon Pro Tip
BIMI is the visual reward for robust email authentication. It requires a DMARC policy of quarantine (with pct=100) or reject on the domain, and the major mailbox providers that display logos also require a Verified Mark Certificate (VMC) for a registered trademark. Publishing that strict DMARC policy is what protects recipients everywhere from spoofing of your domain; the logo is the bonus.

Botnet

A vast network of hijacked, internet-connected devices (computers, servers, IoT devices) controlled by a cybercriminal to launch massive, coordinated attacks, including flooding networks with spam or phishing emails.
Tip  Halon Pro Tip
When a botnet targets your infrastructure, brute-force volume can overwhelm basic servers. You need a highly performant, cloud-native MTA that can instantly block or rate-limit abusive connections at the edge, dropping the malicious traffic before it consumes your processing bandwidth.

Brand Monitoring

Continuous surveillance of the internet and email ecosystem for unauthorized use of your domain, brand identity, or visual assets. In email security this includes lookalike domain registrations, typosquatting, and unauthorized senders surfacing in DMARC reports.
Tip  Halon Pro Tip
DMARC aggregate reports tell you about unauthorized senders using your exact domain, but not about cybercriminals registering convincing lookalikes. Combine DMARC with external brand monitoring so you can identify and take down impersonation infrastructure early.

C

Content Disarm and Reconstruction (CDR)

A proactive security technology that strips all active, executable code (like macros or scripts) out of an incoming document and rebuilds a clean, safe version of the file for the user.
Tip  Halon Pro Tip
CDR closes the gap that detection-based tools can't — the unknown threat. Because it rebuilds files rather than inspecting them, it doesn't need to recognise a threat to stop it.

Credential Harvesting

A specific type of phishing attack designed to steal usernames and passwords. These emails often mimic fake login pages for Microsoft 365, Google Workspace, or banking portals.
Tip  Halon Pro Tip
Because credential harvesting sites are often spun up and torn down in hours, static blocklists miss them. Real-time URL scanning and visual analysis are necessary to detect and block these ephemeral fake login pages.

Cyber Threat Intelligence (CTI)

Actionable data collected from across the globe about emerging cyber threats, malicious IPs, new malware strains, and attacker methodologies.
Tip  Halon Pro Tip
A secure email gateway is only as good as the intelligence feeding it. Halon Protect allows you to easily script integrations with multiple premium CTI feeds via API, layering threat intelligence to ensure your inbound filters are always up-to-the-minute.

D

DANE (DNS-based Authentication of Named Entities)

An email security standard that uses DNSSEC-signed DNS records to bind a receiving server's TLS certificate to its domain. This lets sending MTAs verify they have reached the intended recipient over an authenticated, encrypted connection, reducing exposure to interception and downgrade attacks.
Tip  Halon Pro Tip
Opportunistic TLS alone can be silently downgraded by an attacker on the path, because a sender that cannot negotiate TLS simply falls back to plaintext. Publishing DANE TLSA records (which requires your zone to be DNSSEC-signed), alongside MTA-STS for senders that do not validate DNSSEC, gives sending servers a cryptographic signal that TLS with a matching certificate is mandatory. Several regulated sectors now reference DANE as best practice for sensitive mail.

Data Exfiltration

The unauthorized transfer, copying, or theft of sensitive data from an internal network to an outside location, often carried out by a malicious insider or a compromised account via email.
Tip  Halon Pro Tip
Preventing data exfiltration requires looking at outbound traffic just as closely as inbound. Implement strict DLP (Data Loss Prevention) rules on your MTA to automatically flag, block, or encrypt outbound emails containing sensitive payloads like credit card numbers or proprietary code.

Dictionary Attack

An automated attack method where hackers try to guess valid email addresses on your domain by rapidly testing thousands of common names and dictionary words (e.g., admin@, john@, info@).
Tip  Halon Pro Tip
Dictionary attacks waste your server's resources and fill your logs with useless data. Your MTA should be configured to aggressively temporarily ban (tarpit or drop) IPs that generate an unusually high number of "recipient rejected" errors in a short timeframe.

Directory Harvest Attack (DHA)

Similar to a dictionary attack, a DHA is designed to map out a company's entire valid email directory by exploiting the bounce messages generated when sending to non-existent addresses.
Tip  Halon Pro Tip
To thwart DHAs, reject unknown recipients at RCPT TO rather than accepting everything and bouncing later: accept-then-bounce creates backscatter and still tells the attacker which addresses exist, just more slowly. Pair that with rate limits that tarpit or disconnect any client whose share of invalid recipients climbs, disable VRFY and EXPN for untrusted connections, and keep the rejection text identical for every unknown address so wording and timing leak nothing.
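An added worked example (not Halon code) covering both the Dictionary Attack and Directory Harvest Attack entries above: a per-client sliding window over RCPT TO outcomes that escalates from normal service to tarpitting to dropping the connection. The thresholds, the valid-address set and the replayed events are constructed assumptions:

```python
"""Sliding-window detection of directory harvest / dictionary attacks.

Added illustration, not Halon's own code. The thresholds are assumptions
and the RCPT events replayed in run_sample() are constructed.
"""
from collections import defaultdict, deque

WINDOW = 60          # seconds of RCPT history kept per client IP (assumption)
TARPIT_AT = 5        # invalid recipients in the window before replies are slowed
BAN_AT = 10          # invalid recipients in the window before the client is dropped
MIN_BAD_RATIO = 0.8  # share of RCPT attempts that must be invalid to ban
BAN_SECONDS = 600


class RecipientAbuseTracker:
    """Tracks RCPT TO outcomes per client and returns accept / tarpit / drop."""

    def __init__(self):
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, accepted)
        self.banned_until = {}

    def record(self, now: float, ip: str, accepted: bool) -> str:
        if self.banned_until.get(ip, 0) > now:
            return "drop"
        q = self.events[ip]
        q.append((now, accepted))
        while q and q[0][0] < now - WINDOW:        # expire events outside the window
            q.popleft()
        rejects = sum(1 for _, ok in q if not ok)
        # Ban only when the client is *mostly* probing; a busy legitimate relay
        # that produces a few typos among many valid recipients is merely slowed.
        if rejects >= BAN_AT and rejects / len(q) >= MIN_BAD_RATIO:
            self.banned_until[ip] = now + BAN_SECONDS
            q.clear()
            return "drop"
        if rejects >= TARPIT_AT:
            return "tarpit"
        return "accept"


def run_sample() -> dict:
    """Replay constructed RCPT events; return the final action taken per client IP."""
    valid = {"alice@example.com", "bob@example.com", "sales@example.com"}
    # A harvester walking an alphabetical name list, one RCPT per second.
    guessed = ["aaron", "abby", "adam", "admin", "alan", "alex",
               "amy", "andy", "anna", "april", "art", "ava"]
    events = [(float(i), "198.51.100.7", f"{g}@example.com") for i, g in enumerate(guessed)]
    # A legitimate sender with one typo among real recipients.
    events += [(2.0, "203.0.113.5", "alice@example.com"),
               (2.5, "203.0.113.5", "bob@example.com"),
               (3.0, "203.0.113.5", "bobb@example.com"),
               (3.5, "203.0.113.5", "sales@example.com")]
    tracker = RecipientAbuseTracker()
    last = {}
    for ts, ip, rcpt in sorted(events):
        last[ip] = tracker.record(ts, ip, rcpt in valid)
    return last


if __name__ == "__main__":
    print(run_sample())
```

The ratio test is the important caveat: counting rejections alone would ban a large partner's relay after a handful of stale addresses, so the drop action is reserved for clients whose traffic is overwhelmingly invalid.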

DKIM (DomainKeys Identified Mail)

An email authentication method that uses cryptographic signatures to verify the integrity and origin of a message. The sending server signs outgoing mail with a private key, which the receiving servers validate against a public key published in DNS.
Tip  Halon Pro Tip
Sign at the MTA level so every outbound message carries a valid DKIM signature, regardless of the sending application. This also lets you rotate keys and apply per-domain signing policies centrally.
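An added worked example (not Halon code) of what a DKIM signer actually hashes: RFC 6376 relaxed canonicalization of the body and headers, the bh= body hash, and the exact bytes that the private key signs for b=. The headers and body are constructed; the RSA/Ed25519 signature step itself is left to a crypto library and is not shown:

```python
"""DKIM canonicalization and body-hash computation (RFC 6376, c=relaxed/relaxed).

Added illustration, not Halon's own code. It produces the exact bytes a signer
hashes and signs; sample headers and body are constructed.
"""
import base64
import hashlib
import re


def relaxed_body(body: str) -> str:
    """Strip trailing WSP per line, collapse WSP runs, drop empty trailing lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", re.sub(r"[ \t]+$", "", ln)) for ln in body.split("\r\n")]
    canon = re.sub(r"(\r\n)+$", "", "\r\n".join(lines))
    return canon + "\r\n" if canon else ""


def relaxed_header(name: str, value: str) -> str:
    """Lowercase the name, unfold, collapse WSP, trim; output 'name:value' + CRLF."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def signing_input(headers, h_tag: str, dkim_sig_value: str) -> bytes:
    """Bytes that are hashed and signed for b=: the h= headers in listed order (the last
    instance of a repeated name is taken first, per RFC 6376 5.4.2), followed by the
    DKIM-Signature header itself with its b= value emptied and no trailing CRLF."""
    chunks = []
    remaining = list(headers)
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):      # search bottom-up
            if remaining[i][0].lower() == name.strip().lower():
                chunks.append(relaxed_header(*remaining.pop(i)))
                break
    blank_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", dkim_sig_value)
    chunks.append(relaxed_header("DKIM-Signature", blank_b).rstrip("\r\n"))
    return "".join(chunks).encode()


if __name__ == "__main__":
    body = "Please find the   invoice attached.  \r\n\r\n\r\n"
    bh = body_hash(body)
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
           f"h=from:to:subject; bh={bh}; b=")
    hdrs = [("From", "<billing@example.com>"), ("To", "<cfo@example.net>"),
            ("Subject", "  Invoice   42 ")]
    print(signing_input(hdrs, "from:to:subject", sig).decode())
```

Two details matter operationally: relaxed canonicalization is what lets a signature survive intermediaries that re-wrap whitespace, and the header set listed in h= is the only part of the message the signature protects, which is why DKIM2's stronger header coverage is on the roadmap.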

DKIM2

The proposed successor to DKIM, currently under development at the IETF. It addresses known weaknesses in the original standard, including stronger cryptographic agility, better protection of header fields, and resistance to signature replay attacks.
Tip  Halon Pro Tip
Plan now rather than react later. Audit your current DKIM signing infrastructure and confirm your MTA platform has a clear roadmap for DKIM2 support, so key management is not a scramble when the standard arrives.

DLP (Data Loss Prevention)

A set of tools and policies designed to prevent sensitive information (like credit card numbers, intellectual property, or patient records) from intentionally or accidentally leaving a network via email.
Tip  Halon Pro Tip
Modern DLP requires a highly scriptable MTA that can scan outbound attachments and message bodies in real-time. Halon Protect allows you to build custom, granular rules to block, quarantine, or automatically encrypt sensitive data before it hits the open internet.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

A policy framework built on SPF and DKIM that lets domain owners control how receiving servers treat unauthenticated mail. It defines three enforcement modes (none, quarantine, reject), requires alignment with the visible From address, and enables aggregate and forensic reporting.
Tip  Halon Pro Tip
Moving straight to reject is the most common DMARC mistake and causes legitimate mail to be dropped. Start in none mode, review aggregate reports, fix every misalignment, and advance through quarantine before enforcing reject.
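An added worked example (not Halon code) of the DMARC evaluation a receiver performs once it has SPF and DKIM results in hand: parsing the record, testing relaxed versus strict alignment against the From domain, and picking the disposition, including the sp= subdomain policy. The tiny public-suffix table is an assumption standing in for the real Public Suffix List:

```python
"""DMARC record parsing and alignment evaluation (RFC 7489 logic, simplified).

Added illustration, not Halon's own code. Inputs are the SPF and DKIM results
a receiver has already computed; PUBLIC_SUFFIXES is a constructed stand-in
for the Public Suffix List.
"""
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # constructed subset


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: str, from_domain: str, spf, dkim_sigs):
    """record: the policy published at _dmarc.<org domain>.
    spf: (result, MAIL FROM domain). dkim_sigs: list of (result, d= domain).
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    disposition = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", disposition


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF passes for the forwarder, the original DKIM signature survived.
    print(evaluate(rec, "example.com", ("pass", "forwarder.net"), [("pass", "example.com")]))
    # Same forward, but the list rewrote the subject and broke the signature.
    print(evaluate(rec, "example.com", ("pass", "forwarder.net"), [("fail", "example.com")]))
```

The second call in the demo is the case that bites during a rollout: a legitimate message that fails only because an intermediary altered it, which is exactly what the aggregate reports surface before you move from none to quarantine.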

DMARC Reporting

The ongoing practice of collecting and analyzing DMARC aggregate (RUA) and forensic (RUF) reports to understand how your domain's mail is authenticated worldwide. It is the foundation for finding unauthorized senders and advancing safely to stricter enforcement.
Tip  Halon Pro Tip
DMARC reporting is not a one-time setup. It is continuous intelligence about who is sending mail on your behalf. Never advance to quarantine or reject without first spending weeks in none mode reviewing aggregate reports.

DMARCbis

The active IETF revision of the DMARC specification, replacing RFC 7489. It clarifies alignment rules, tightens reporting requirements, and refines policy inheritance, addressing ambiguities in the original standard.
Tip  Halon Pro Tip
You do not need to wait for DMARCbis to be finalized to take action. Review the current draft against your existing DMARC policies and reporting setup so any required adjustments are small and planned.

DNSSEC (Domain Name System Security Extensions)

A set of DNS extensions that adds cryptographic signatures to DNS records, allowing receiving resolvers to verify that a response is authentic and has not been tampered with in transit. Without DNSSEC, DNS responses can be spoofed or poisoned, redirecting mail or web traffic to attacker-controlled infrastructure.
Tip  Halon Pro Tip
DNSSEC is a prerequisite for advanced email security standards like DANE, which binds TLS certificates to domains via signed DNS records. Sign your sending and receiving zones with DNSSEC and use a validating resolver for inbound DNS lookups, so that for signed domains the SPF, DKIM, DMARC and MX answers you act on cannot be silently manipulated.

E

Email Header Analysis

The deep technical inspection of the hidden routing information attached to an email. Security professionals use header analysis to trace the true origin of a message and identify forged sender identities.
Tip  Halon Pro Tip
Sophisticated spoofing attacks manipulate specific header fields (like the "Reply-To" or specific routing hops). Your inbound infrastructure must programmatically parse the entire header chain, not just the visible "From" address, to spot inconsistencies indicating a forgery.
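An added worked example (not Halon code) of programmatic header-chain analysis in Python: it walks the Received headers to find the IP the message actually entered from, prefers the IP the receiving server observed over the name the client claimed in HELO, and flags a Reply-To that diverges from From plus an internal From domain arriving from an external origin. The message, OUR_DOMAIN and OUR_OUTBOUND are constructed:

```python
"""Received-chain and identity-header analysis for an inbound message.

Added illustration, not Halon's own code. RAW is a constructed message;
OUR_DOMAIN and OUR_OUTBOUND are assumed values for the protected organization.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OUR_DOMAIN = "victim.example"
OUR_OUTBOUND = [ip_network("192.0.2.0/24")]   # where our own mail legitimately originates

RAW = (
    b"Received: from mail.example.com (mail.example.com [203.0.113.10])\r\n"
    b"\tby mx.victim.example (inbound-mx) with ESMTPS id abc123\r\n"
    b"\tfor <cfo@victim.example>; Tue, 1 Jan 2030 10:00:00 +0000\r\n"
    b"Received: from [10.0.0.5] (unknown [198.51.100.77])\r\n"
    b"\tby mail.example.com (Postfix) with ESMTPA id def456\r\n"
    b'From: "CEO Name" <ceo@victim.example>\r\n'
    b"Reply-To: ceo.victim@freemail.example.net\r\n"
    b"To: cfo@victim.example\r\n"
    b"Subject: Urgent wire transfer\r\n\r\n"
    b"Please process today.\r\n"
)

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\((.*?)\))?", re.I | re.S)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)


def parse_hop(value: str) -> dict:
    """One Received header: the HELO name the client claimed, the IP the server
    observed, and the server that added the header."""
    m = HOP_RE.search(value)
    helo, comment = (m.group(1), m.group(2) or "") if m else ("", "")
    # Trust the bracketed IP in the receiving server's comment over anything the client said.
    ipm = IP_RE.search(comment) or IP_RE.search(helo)
    by = BY_RE.search(value)
    return {"helo": helo, "ip": ipm.group(1) if ipm else None, "by": by.group(1) if by else None}


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    hops = [parse_hop(str(v)) for v in msg.get_all("Received", [])]      # newest first
    origin = next((h["ip"] for h in reversed(hops) if h["ip"]), None)     # oldest hop with an IP
    from_domain = domain_of(str(msg["From"]))
    reply_to = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else None
    flags = []
    if reply_to and reply_to != from_domain:
        flags.append("reply-to-mismatch")
    if from_domain == OUR_DOMAIN and origin:
        if not any(ip_address(origin) in net for net in OUR_OUTBOUND):
            flags.append("external-origin-internal-from")
    return {"hops": hops, "origin_ip": origin, "from_domain": from_domain,
            "reply_to_domain": reply_to, "flags": flags}


if __name__ == "__main__":
    print(analyze(RAW))
```

Only the Received header added by your own edge server is trustworthy; everything below it could have been written by the attacker, which is why the example treats the bottom hop as a lead rather than proof and pairs it with checks on the identity headers.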

Encryption (TLS - Transport Layer Security)

The cryptographic protocol that scrambles email data while it is in transit between servers, preventing hackers or surveillance tools from reading the contents of your messages as they travel across the internet.
Tip  Halon Pro Tip
While "opportunistic TLS" is the industry baseline, it is not foolproof. For true compliance in regulated industries, your infrastructure must support strict TLS enforcement (via MTA-STS or DANE) to guarantee that a sensitive email is never downgraded to plain text.

End-to-End Encryption (E2EE)

A secure communication method where only the communicating users can read the messages. The data is encrypted on the sender's device and decrypted only on the recipient's device, meaning even the email provider cannot read it.
Tip  Halon Pro Tip
Standard SMTP does not natively provide E2EE (it only encrypts the transit tunnel via TLS). If your organization requires E2EE for maximum compliance, you must rely on specialized client-side protocols like S/MIME or PGP.

Exploit Kit

A malicious toolkit used by cybercriminals to scan a victim's system for software vulnerabilities (like an outdated browser or PDF reader) and silently drop a malware payload when the user clicks a seemingly harmless link in an email.
Tip  Halon Pro Tip
Because exploit kits weaponize legitimate-looking web pages, standard URL filtering often fails. Rely on Time-of-Click URL rewriting so the destination is re-scanned the exact moment the user interacts with it.

F

False Negative

When an inbound security filter incorrectly assumes a malicious email (like phishing or malware) is safe, allowing it to successfully land in an employee's inbox.
Tip  Halon Pro Tip
False negatives are the most dangerous outcome in email security. Minimizing them requires moving beyond single-vendor antivirus engines and layering multiple threat detection technologies - including machine learning and behavioral analysis - directly into your MTA.

False Positive

When an inbound security filter is too aggressive and incorrectly flags a completely safe, legitimate business email as spam or malware, quarantining or rejecting it.
Tip  Halon Pro Tip
High false positive rates erode trust in the platform and push users to bypass it. Pair filtering with a clear quarantine and release workflow: notify recipients, allow self-service review for low-risk verdicts, allowlist verified senders, and feed every release back into reputation scoring so the same legitimate sender is not held twice.

G

Greylisting

A defense mechanism where an inbound mail server temporarily rejects emails from unknown senders with a "try again later" message. Legitimate servers will automatically retry and succeed; impatient spam botnets usually drop the connection and move on.
Tip  Halon Pro Tip
While highly effective against cheap spam blasts, greylisting introduces a 5-to-15 minute delivery delay that is unacceptable for urgent corporate communications. It should only be applied conditionally to suspicious, low-reputation IP addresses or senders, not as a blanket rule.

H

Heuristic Analysis

A security scanning method that detects previously unknown viruses or malware by examining the code for suspicious properties, rather than relying on a known list of virus signatures.
Tip  Halon Pro Tip
Heuristics are critical for catching zero-day threats. Ensure your email security gateway employs advanced heuristic engines to evaluate the actual intent of an attachment, rather than just checking if it matches an old threat database.

Homograph Attack (Lookalike Domain)

A deception technique where an attacker registers a domain that looks visually identical to a trusted brand, often by swapping in Cyrillic or Greek letters (for example replacing the Latin "a" in apple.com with the visually identical Cyrillic "а", U+0430). To DNS the two are entirely different names, and the lookalike is transmitted in its Punycode "xn--" form.
Tip  Halon Pro Tip
Humans cannot spot these differences with the naked eye. Your inbound filtering must programmatically convert and analyze Internationalized Domain Names (Punycode) to detect and quarantine lookalike domains before they trick your staff.
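An added worked example (not Halon code) of the check described above in Python: it converts the sender domain to its Punycode form, flags labels that mix scripts, and compares a confusable-mapped "skeleton" of the domain against a protected list. The confusable map is a small constructed subset of Unicode's confusables data, and PROTECTED (including the made-up pay-access.example) is an assumed list:

```python
"""Lookalike / homograph domain detection for inbound sender domains.

Added illustration, not Halon's own code. CONFUSABLES is a constructed
subset of the Unicode confusables table; PROTECTED is an assumed list of
domains to guard (pay-access.example is a made-up organization domain).
"""
import unicodedata

PROTECTED = {"apple.com", "example.com", "pay-access.example"}

# Characters that render like ASCII letters (constructed subset of the confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03bd": "v",
}
# Multi-character and digit tricks that work even in pure ASCII.
ASCII_TRICKS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Collapse a domain to the ASCII shape a human perceives."""
    s = unicodedata.normalize("NFKC", domain).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pattern, repl in ASCII_TRICKS:
        s = s.replace(pattern, repl)
    return s


def scripts_in(label: str) -> set:
    """Script names (first word of the Unicode character name) of the non-ASCII characters."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if not ch.isascii()}


def is_mixed_script(label: str) -> bool:
    scripts = scripts_in(label)
    has_ascii_letters = any(ch.isascii() and ch.isalpha() for ch in label)
    return len(scripts) > 1 or (bool(scripts - {"LATIN"}) and has_ascii_letters)


def check(domain: str) -> dict:
    """Return {'verdict': allow|quarantine|reject, 'reason': ..., 'ace': Punycode form}."""
    try:
        ace = domain.encode("idna").decode("ascii")     # the name DNS actually sees
    except UnicodeError:
        return {"verdict": "reject", "reason": "invalid IDN label", "ace": None}
    if domain.lower() in PROTECTED:
        return {"verdict": "allow", "reason": "protected domain itself", "ace": ace}
    for label in domain.split("."):
        if is_mixed_script(label):
            return {"verdict": "quarantine", "reason": f"mixed-script label {label!r}", "ace": ace}
    shape = skeleton(domain)
    for brand in PROTECTED:
        if shape == skeleton(brand):
            return {"verdict": "quarantine", "reason": f"lookalike of {brand}", "ace": ace}
    return {"verdict": "allow", "reason": "no lookalike indicators", "ace": ace}


if __name__ == "__main__":
    for d in ["apple.com", "\u0430pple.com", "exarnple.com", "b\u00fccher.example.org"]:
        print(d, check(d))
```

Mixed-script detection alone is not enough: an all-Cyrillic label such as "рау-ассеѕѕ" passes it, so the skeleton comparison against the protected list is the check that catches the whole-word substitution.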

Honeypot (Spam Trap - Inbound)

A decoy email address created by an organization specifically to attract spam, phishing, and malware. Because this address is never used for legitimate business, any incoming mail is likely to be spam or malicious.
Tip  Halon Pro Tip
Inbound honeypots are excellent tools for gathering your own real-time threat intelligence. By routing honeypot traffic to isolated analysis environments, you can automatically extract malicious IPs and URLs to immediately update your organization's internal blocklists.

I

Incident Response (IR)

The organized, systematic approach a company takes to manage and remediate a cyberattack or security breach after it has occurred.
Tip  Halon Pro Tip
When an employee reports a phishing email, speed is critical. A modern MTA should provide powerful API access, allowing your security team to instantly execute "search and destroy" scripts to purge the malicious email from every other inbox in the company.

Indicators of Compromise (IoC)

Forensic evidence (such as a malicious IP address, a malware signature, a phishing URL, or a file hash such as a SHA-256 digest) that indicates a network has been breached or an attack is underway.
Tip  Halon Pro Tip
Your email security platform should automatically ingest daily IoC feeds from global cybersecurity databases. By scanning all inbound and outbound SMTP traffic against these IoCs, you can instantly block known bad actors from communicating with your staff.

Insider Threat

A security risk that originates from within the organization. This could be a disgruntled employee intentionally stealing data or a careless employee accidentally emailing a confidential spreadsheet to the wrong person.
Tip  Halon Pro Tip
Defending against insider threats requires treating internal, outbound email with the same scrutiny as inbound email. Deep content inspection and automated DLP policies are mandatory to prevent sensitive data from leaving the corporate perimeter.

M

Macro Malware

Malicious code embedded inside the automated "macro" features of standard office documents (like Microsoft Word or Excel). When the user opens the file and clicks "Enable Content," the malware silently installs.
Tip  Halon Pro Tip
Macro malware is incredibly common in fake invoice scams. Instead of relying on users to make smart choices, utilize a Secure Email Gateway that sandboxes attachments or strips active macros from all external documents (CDR) before delivering the file.

Mail Bombing / Email Flooding

A targeted denial-of-service attack that floods a specific email address or mail server with thousands of messages in a short period. The goal is to crash the server, delay legitimate mail, or bury a critical security alert, like a password reset, under junk.
Tip  Halon Pro Tip
Without intelligent rate limiting, a mail bomb can saturate your infrastructure in seconds. Your MTA must detect and throttle abnormal per-sender volumes at the edge, before they reach your downstream filtering stack.

Mailbox Rules Abuse

The misuse of legitimate email rule features by an attacker who has already compromised a mailbox. Common patterns include silent auto-forwarding, deleting security alerts, and diverting conversations to hidden folders, all designed to maintain undetected access.
Tip  Halon Pro Tip
Malicious mailbox rules are one of the most reliable signs of an active account takeover. Your platform must log every rule change, and rules created from unusual IPs or outside business hours should trigger immediate investigation.

Malware & Ransomware

Malicious software disguised as legitimate email attachments or links. Once a user interacts with the payload, it can steal data or lock down entire corporate networks, demanding a ransom to restore access.
Tip  Halon Pro Tip
Relying on a single antivirus engine is a risk. A robust inbound security architecture layers multiple scanning engines and utilizes zero-day threat intelligence to neutralize sophisticated payloads before they reach the employee's inbox.

Man-in-the-Middle (MitM) Attack

A cyberattack where a hacker secretly intercepts and potentially alters the communication between two parties who believe they are speaking directly to each other.
Tip  Halon Pro Tip
Standard emails traveling over unencrypted channels are highly vulnerable to MitM attacks. Enforcing strict TLS encryption and email authentication across your infrastructure is the baseline requirement to ensure data integrity in transit.

MTA-STS (MTA Strict Transport Security)

A security standard (RFC 8461) that lets a receiving domain publish, via a DNS TXT record and an HTTPS-hosted policy file, that sending servers must deliver to it only over TLS, to the listed MX hosts, with a certificate that validates for the MX name.
Tip  Halon Pro Tip
MTA-STS closes the gap in opportunistic TLS by telling senders not to fall back to plaintext or accept an unverified certificate, which defeats STARTTLS-stripping downgrade attacks once a policy is cached. The roles are easy to get backwards: as a receiving domain you publish the policy (and should pair it with TLS-RPT); as a sender your MTA must fetch, cache and honour other domains' policies, deferring delivery in enforce mode when the MX or certificate does not match. Because the first fetch relies on plain DNS and HTTPS, MTA-STS complements DANE rather than replacing it for domains that can deploy DNSSEC.

P

Passkeys

A modern authentication credential based on FIDO2 and WebAuthn that replaces passwords with a cryptographic key pair. The private key stays on the user's device, and authentication is confirmed locally with biometrics or a PIN, making passkeys resistant to phishing and credential theft.
Tip  Halon Pro Tip
Passkeys are bound to the origin they were registered for, so a fake login page cannot obtain a usable credential, and there is no shared secret to reuse, removing the most common route into corporate email accounts. Where your administration console and webmail support them, mandate passkey authentication for administrator accounts as a top-priority upgrade.

PGP / OpenPGP (Pretty Good Privacy)

An end-to-end email encryption and signing standard based on a web-of-trust key model rather than centrally issued certificates. Senders encrypt the message body with the recipient's public key and optionally sign it with their own, so only the holder of the matching private key can read it and tampering is detectable.
Tip  Halon Pro Tip
PGP and S/MIME solve the same problem with different trust models, and most organizations end up supporting whichever their partners and regulators already use. Where PGP is required, handle key lookup, signing, and decryption at the gateway so users get end-to-end protection without managing keyrings on every device.

Phishing

A fraudulent attempt to trick users into revealing login credentials, financial details, or personal data by sending bulk emails that mimic legitimate, trusted organizations like banks or software providers.
Tip  Halon Pro Tip
While user training is helpful, human error is inevitable. Your first line of defense must be at the infrastructure level. Halon Protect enables real-time URL rewriting and advanced content scanning to neutralize phishing links in transit.

Phishing Simulation

A controlled exercise in which an organization sends realistic but harmless simulated phishing emails to its own staff, to measure susceptibility, identify high-risk users, and test the effectiveness of awareness training. Results refine training content and target repeat-risk users.
Tip  Halon Pro Tip
Before running any phishing simulation, coordinate with your email security team to allowlist the simulation platform at your gateway. If simulated messages are blocked or quarantined, your results will be inaccurate and your training built on bad data.

Polymorphic Malware

Highly evasive malicious software that automatically alters its identifiable features (its code makeup or file hash) every single time it is sent, specifically designed to evade signature-based antivirus scanners.
Tip  Halon Pro Tip
Traditional antivirus may completely miss polymorphic threats. You should deploy advanced behavioral sandboxing and heuristic analysis to evaluate what the file attempts to do upon execution, rather than just looking at what it is.

Post-Delivery Remediation

The process of acting on messages already delivered to user inboxes once a threat is identified retrospectively. Actions include searching for and purging copies, moving them to quarantine, and notifying recipients, with a full audit trail for compliance.
Tip  Halon Pro Tip
The longer a malicious message sits in an inbox, the more likely a user is to interact with it. Your platform should expose a rich API and detailed message tracking so a search-and-destroy operation runs in minutes, not hours.

Q

Quarantine

A secure holding area for messages flagged as malicious or policy-violating. It operates at two levels: admin quarantine for high-risk verdicts like malware and phishing, where only administrators can release; and user quarantine for spam and bulk mail, where end users may self-manage.
Tip  Halon Pro Tip
The most critical quarantine mistake is letting end users release their own malware or phishing messages. Enforce strict, verdict-based release controls, restricting high-risk categories to administrators, and log every release action for audit.

R

Rate Limiting (Inbound)

A protective configuration on an MTA that strictly limits the number of connections or emails a specific external IP address can send to your server within a certain timeframe to prevent system overload.
Tip  Halon Pro Tip
Without intelligent rate limiting, a targeted DDoS attack or a massive spam botnet can overwhelm your processing power and crash your mail server. Implementing dynamic, adaptive rate limits keeps your infrastructure stable under heavy attack.

S

Secure Email Gateway (SEG)

The security layer that sits between the public internet and your corporate email server. It inspects all incoming and outgoing traffic for spam, phishing, malware, and data leaks.
Tip  Halon Pro Tip
Legacy SEGs are often rigid black boxes. Modern security operations require a flexible, scriptable SEG (such as Halon Protect) that lets engineers write custom routing logic, integrate via API, and adapt to novel threats in real time. Lock down the path behind the gateway as well: the destination mail server should accept mail only from the gateway's addresses, and the gateway should relay onward only to it, so attackers cannot bypass filtering by connecting to the mailbox server directly.

Security Awareness Training

An ongoing education program that teaches employees to recognize and respond to email-borne threats such as phishing, social engineering, and malicious attachments. Effective programs are role-based, regularly delivered, and produce measurable behavior change rather than meeting a compliance checkbox.
Tip  Halon Pro Tip
Your technical controls will not catch every threat, and attackers know it. Security awareness training is the last line of defense when a malicious message reaches the inbox, so ensure staff know how to recognize and report it.

S/MIME (Secure/Multipurpose Internet Mail Extensions)

A widely accepted standard for sending digitally signed and encrypted messages. It ensures the email hasn't been tampered with and guarantees only the intended recipient can read it.
Tip  Halon Pro Tip
S/MIME is vital for government and strict corporate compliance, but managing the cryptographic keys manually is a nightmare. Look for infrastructure that can handle gateway-level S/MIME signing and decryption to enforce security without burdening the end-user.

SMTP Smuggling

A protocol-level exploit that abuses inconsistencies in how different servers recognise the end-of-data sequence. RFC 5321 defines it as <CR><LF>.<CR><LF>, but some servers also accept variants built from bare <LF> or <CR>. If an outbound relay treats such a variant as ordinary message data while the receiving server treats it as end-of-data, an attacker can append a second "message", complete with forged MAIL FROM and RCPT TO commands, that the receiver attributes to the relay. Because the relay is a legitimate sender for its domain, the smuggled message passes SPF and can pass DMARC.
Tip  Halon Pro Tip
Defeating SMTP smuggling requires a precise MTA on both sides. Inbound, recognise only <CR><LF>.<CR><LF> as the terminator and reject (or at minimum refuse to forward) DATA containing bare <CR> or <LF>, rather than guessing at what the sender meant. Outbound, do not relay messages that contain bare line endings, since the next hop may interpret them differently from you.
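An added worked example (not Halon code) showing the disagreement that SMTP smuggling exploits: the same DATA stream parsed by a strict RFC 5321 receiver and by a lenient one, plus the hardened inbound decision that rejects bare line endings outright. The payload and addresses are constructed:

```python
"""SMTP smuggling: how a lenient DATA parser and a strict one disagree.

Added illustration, not Halon's own code. PAYLOAD is a constructed DATA stream
as an attacker would submit it to a strict outbound relay.
"""
import re

STRICT_EOD = b"\r\n.\r\n"
# Any newline-dot-newline built from bare CR/LF that a sloppy receiver might treat as end-of-data.
ANY_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")

PAYLOAD = (
    b"From: ceo@example.com\r\nTo: cfo@example.com\r\nSubject: hello\r\n\r\n"
    b"Legitimate body.\r\n"
    b"\n.\n"                                    # bare-LF "terminator": just data to a strict relay
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<cfo@example.com>\r\nDATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent wire\r\n\r\nSmuggled body.\r\n"
    + STRICT_EOD
)


def messages_seen_by_strict(stream: bytes):
    """RFC 5321 receiver: only CRLF.CRLF ends DATA, so the whole stream is one message."""
    return [m for m in stream.split(STRICT_EOD) if m]


def messages_seen_by_lenient(stream: bytes):
    """Vulnerable receiver: also accepts LF.LF / CR.CR, so the rest becomes new SMTP commands."""
    return [m for m in ANY_EOD.split(stream) if m]


def bare_newlines(stream: bytes) -> int:
    """Count LF without a preceding CR and CR without a following LF."""
    return len(BARE_LF.findall(stream)) + len(BARE_CR.findall(stream))


def inbound_decision(stream: bytes) -> str:
    """Hardened policy: DATA containing any bare CR or LF is rejected rather than
    re-interpreted, so no downstream parser can disagree about where it ends."""
    return "reject" if bare_newlines(stream) else "accept"


if __name__ == "__main__":
    print("strict receiver sees", len(messages_seen_by_strict(PAYLOAD)), "message(s)")
    print("lenient receiver sees", len(messages_seen_by_lenient(PAYLOAD)), "message(s)")
    print("bare newlines:", bare_newlines(PAYLOAD), "->", inbound_decision(PAYLOAD))
```

The relay never sees anything wrong because it dot-stuffs only lines that begin after a CRLF, so the bare-LF sequence travels untouched; the receiver's lenient parser is where the second message materialises.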

SIEM (Security Information and Event Management)

A centralized software solution that aggregates and analyzes security log data from across an organization's entire network (firewalls, endpoints, and email gateways) to identify overarching cyber threats.
Tip  Halon Pro Tip
Email is the number one attack vector, meaning your MTA's logs are critical to your security team. Ensure your email infrastructure can stream richly formatted, real-time SMTP logs directly into your SIEM (like Splunk or Datadog) for comprehensive threat hunting.

Social Engineering

The psychological manipulation of people into performing actions or divulging confidential information. In email security, it is the fundamental tactic behind almost all phishing and BEC attacks.
Tip  Halon Pro Tip
Because social engineering preys on human emotion (urgency, fear, or helpfulness) rather than using malicious code, it easily bypasses standard tech defenses. Defeating it requires a multipronged approach including Natural Language Processing (NLP) AI, user training and business processes that mitigate the risks.

Spear Phishing

A highly customized and targeted version of phishing. Instead of a generic blast, the attacker heavily researches a specific individual or department to craft a highly convincing, personalized email.
Tip  Halon Pro Tip
Standard spam filters cannot stop spear phishing because the emails look completely normal and often lack suspicious attachments. Defending against this requires deep header analysis, sender profiling, and AI-driven threat detection integrated directly into your inbound routing layer.

SPF (Sender Policy Framework)

A DNS-based email authentication standard that lets domain owners publish the IP addresses authorized to send mail on their behalf. Receiving servers verify the sending IP against this list and can flag or reject anything that does not match.
Tip  Halon Pro Tip
SPF only validates the envelope sender, not the visible From address users actually see. Always combine SPF with DKIM and enforce DMARC alignment so authentication results match the address recipients trust.
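An added example, not Halon's code, of the two checks this entry and its tip describe: evaluating a sending IP against the ip4/ip6/all mechanisms of an SPF record, and confirming that the envelope sender domain aligns with the visible From domain. The record and addresses are constructed, and mechanisms needing further DNS lookups (include, a, mx, redirect) are out of scope.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, sending_ip: str) -> str:
    """Check sending_ip against the ip4/ip6/all mechanisms of one SPF record.
    Returns pass, fail, softfail, neutral, none or permerror (lookups skipped)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"                    # RFC 7208: no match and no "all" -> neutral

def from_domain(header_from: str) -> str:
    """Domain of a visible From header such as 'CEO <ceo@example.com>'."""
    m = re.search(r"<([^>]+)>", header_from)
    addr = m.group(1) if m else header_from.strip()
    return addr.rpartition("@")[2].lower()

def spf_aligned(envelope_from: str, header_from: str, relaxed: bool = True) -> bool:
    """DMARC-style alignment: the SPF-checked envelope domain must match the visible
    From domain. Relaxed mode accepts a parent/subdomain relationship (simplified)."""
    env = envelope_from.rpartition("@")[2].lower()
    hdr = from_domain(header_from)
    if env == hdr:
        return True
    return relaxed and (env.endswith("." + hdr) or hdr.endswith("." + env))


# Constructed record for an imaginary domain; not a real published SPF record.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
```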

Spoofing

The act of forging the "From" address of an email so that the message appears to come from a trusted colleague, brand, or executive, rather than the actual attacker's address.
Tip  Halon Pro Tip
Spoofing is only possible when a receiving server fails to rigorously verify inbound mail. Protecting your users from spoofed domains requires an MTA that enforces strict, inbound SPF, DKIM, and DMARC validation, automatically flagging or rejecting unauthenticated messages.

T

TLS-RPT (SMTP TLS Reporting)

A reporting standard defined in RFC 8460 that lets domain owners publish an address where senders can report TLS negotiation failures. It surfaces certificate errors, policy mismatches, and downgrade attempts that would otherwise be invisible.
Tip  Halon Pro Tip
If you publish an MTA-STS policy, publish a TLS-RPT record alongside it. Without it, you have no visibility into delivery failures caused by your own TLS configuration, and they may be silently breaking legitimate mail.

Two-Factor Authentication (2FA / MFA)

A security process requiring users to provide two different forms of identification to access their email accounts, usually a password combined with a temporary code sent to their phone or an authenticator app.
Tip  Halon Pro Tip
While 2FA protects webmail logins, it is equally important to secure your underlying infrastructure. Ensure your MTA requires encrypted, authenticated SMTP connections (SMTP AUTH) combined with strict IP access rules to prevent compromised accounts from hijacking your outbound mail stream.

Typosquatting

A malicious tactic where attackers register domains with slight, easily missed typographical errors of popular brands (e.g., using "goggle.com" instead of "google.com") to trick users into clicking phishing links.
Tip  Halon Pro Tip
Typosquatting relies on user oversight. Your inbound security gateway must automatically cross-reference all URLs inside incoming emails against newly registered domains and known typosquatting databases, rewriting or blocking them before they reach the inbox.

U

URL Rewriting (Time-of-Click Protection)

A security feature that alters all hyperlinks in an incoming email to point to a secure proxy server. When the user clicks the link, the proxy scans the destination website in real-time to ensure it hasn't turned malicious since the email was delivered.
Tip  Halon Pro Tip
Attackers frequently send emails with clean links, wait for them to pass through the security gateway, and then change the destination site to a malware payload hours later. URL rewriting is the only effective defense against these delayed-action attacks.

V

Vendor Email Compromise (VEC)

A specialized form of BEC where an attacker compromises the email account of a trusted third-party supplier. The attacker then uses the legitimate supplier's email to send fake invoices with updated bank routing numbers to the targeted company.
Tip  Halon Pro Tip
VEC is devastating because the email genuinely comes from your supplier's servers. Detecting it requires advanced behavioral AI that analyzes communication patterns, flagging unexpected changes in payment requests or banking details for manual review.

W

Whaling

A highly targeted phishing attack aimed specifically at high-profile, high-access targets within a company, such as the CEO, CFO, or members of the board of directors.
Tip  Halon Pro Tip
Because executives have access to the most sensitive data and funds, they are the most valuable targets. Ensure your Secure Email Gateway applies stricter, customized inspection policies, including deep attachment sandboxing, to any email sent to or from the C-suite.

Z

Zero-Day Threat

A previously unknown vulnerability, or a malware strain for which no patch or detection signature exists yet, leaving defenders "zero days" to prepare before it is exploited. In email it typically arrives as a novel attachment or link that signature-based scanners have never seen.

Zero Trust Architecture

A modern cybersecurity framework built on the principle of "never trust, always verify." It assumes that threats exist both inside and outside the network, requiring strict authentication for every user, device, and email connection.
Tip  Halon Pro Tip
Applying Zero Trust to email means your MTA cannot blindly trust inbound messages just because they come from a known partner domain. Every single connection must be cryptographically verified, scanned for anomalies, and routed through rigid policy engines before reaching the end user.