# How to read Email Security results?

Stoik Email Security monitors your mailboxes for two types of threats: suspicious emails and compromised accounts. All detected threats are listed in Stoik Protect and reviewed by the Stoik SOC.

### Email threats

Email threats are suspicious or malicious emails detected in your mailboxes. They are listed in **Email > Results > Email threats**.

Each row in the table displays:

* **Subject:** the email subject line
* **Criticality:** Low, Medium, High, or Critical
* **Protected user:** the mailbox that received or sent the email
* **Detection date:** when the email was received
* **Status:** Open or Closed

Click on any email threat to open a side panel with full details.

#### Analysis

The Analysis section explains why the email was flagged. It contains a verdict and a checklist of automated checks.

**Verdict**

A colored banner at the top summarizes the overall assessment. The banner color and headline match the alert's criticality:

<table><thead><tr><th width="173.8203125">Criticality</th><th>Headline</th></tr></thead><tbody><tr><td>🟣 Critical</td><td>Critical fraud attempt detected</td></tr><tr><td>🔴 High</td><td>High-risk fraud attempt detected</td></tr><tr><td>🟠 Medium</td><td>Suspicious activity detected</td></tr><tr><td>🟡 Low</td><td>Minor anomalies detected</td></tr></tbody></table>

A short summary below the headline provides additional context. Email Security alerts are managed by the Stoik SOC: no action is required on your side.

**Automated checks**

Six checks are displayed below the verdict. Each check shows a colored dot indicating the result:

* 🔴 A problem was found
* 🟠 An anomaly was detected
* 🟢 The check passed

<table><thead><tr><th width="239.77734375">Check</th><th>What it does</th></tr></thead><tbody><tr><td>Sender identity</td><td>Verifies if the sender is impersonating a known contact in your organization.</td></tr><tr><td>Communication history</td><td>Verifies if this sender has previously communicated with your organization.</td></tr><tr><td>Fraud detection</td><td>Analyzes the email content for financial fraud signals such as suspicious payment details or altered invoices.</td></tr><tr><td>Content &#x26; tone</td><td>Analyzes the email language for urgency pressure, unusual tone, or suspicious timing.</td></tr><tr><td>Sender reputation</td><td>Checks the sender's domain and email address against known threat databases.</td></tr><tr><td>Email profile</td><td>Analyzes the email headers, routing path, and metadata for anomalies.</td></tr></tbody></table>

Checks that passed (🟢) are collapsed by default. Click "N checks passed" to expand them.

#### Information

The Information section displays the metadata of the flagged email:

* **Detection date:** when the email was received
* **Protected user:** the mailbox that received or sent the email
* **Interlocutors:** the sender or recipients
* **Traffic:** inbound or outbound
* **Mailbox:** Microsoft 365 or Google Workspace
* **Type:** the threat type (e.g. Fraud)
* **Reasons:** the reasons the email was flagged (e.g. Impersonating user, Suspicious banking info)

#### Status

The Status section shows:

* **Status:** whether the threat is Open or Closed
* **Validity:** True Positive or False Positive
* **Actions:** the actions taken by the SOC (e.g. email deleted, warning banner added)

#### History

The History section is a timeline tracking how the alert was handled:

<table><thead><tr><th width="210.82421875">Step</th><th>Meaning</th></tr></thead><tbody><tr><td>Alert creation</td><td>When the email was originally received.</td></tr><tr><td>Alert confirmation</td><td>When the alert was ingested and confirmed in the Stoik system.</td></tr><tr><td>Alert processing</td><td>When a SOC analyst started investigating the alert.</td></tr><tr><td>Alert closure</td><td>When the alert was resolved and closed.</td></tr></tbody></table>

"Alert creation" and "Alert confirmation" are always shown. "Alert processing" and "Alert closure" appear as the alert progresses. Each step displays the exact date and time, with the most recent event at the top.

{% hint style="info" %}
When Email Security is first activated, emails received up to 90 days before activation are scanned. For these backfilled emails, the gap between "Alert creation" and "Alert confirmation" can be significant. This is expected behaviour.
{% endhint %}

#### Analyst Notes

Some alerts include **analyst notes** written by the Stoik SOC. These notes provide additional context on how the alert was investigated and resolved.

Not all alerts have analyst notes; they are added only when the SOC team considers additional context relevant.

#### Email Content

The Email Content section embeds the original flagged email directly in the side panel, so you can see exactly what landed in the inbox and understand the verdict in context.

It includes:

* **Senders:** the address(es) the email was sent from
* **Recipients:** the mailbox(es) the email was sent to
* **Subject:** the email subject line
* **Sending date:** when the email was sent
* **Warning banner:** when added by the Stoik SOC, the banner displayed to end users at the top of the email
* **Body:** the full email content, with original formatting, images and links

Click **Expand** to open the email in a larger pop-in for easier reading.

If the email contains **attachments**, they are listed in a dedicated **Attachments** section below. Attachments are safe to download: malicious files are filtered out by Stoik's guardrails.

#### Email Exchange

Some alerts include email exchanges related to the alert handling. When available, these communications are displayed in the side panel, giving you the full context of how the alert was communicated and resolved.

This section only appears when there are related emails.

### Compromised accounts

Compromised accounts are mailboxes showing signs of unauthorized access or suspicious activity. They are listed in **Email > Results > Compromised accounts**.

Click on any compromised account to open a side panel with full details.

#### Information

The Information section displays:

* **Detection date:** when the compromise was detected
* **Reasons:** the reasons the account was flagged as compromised

#### Status

The Status section shows:

* **Status:** whether the alert is Open or Closed
* **Validity:** True Positive or False Positive

#### History

The History section is a timeline tracking how the alert was handled:

<table><thead><tr><th width="235.421875">Step</th><th>Meaning</th></tr></thead><tbody><tr><td>Alert creation</td><td>When the compromise was detected.</td></tr><tr><td>Alert confirmation</td><td>When the alert was ingested and confirmed in the Stoik system.</td></tr><tr><td>Alert processing</td><td>When a SOC analyst started investigating the alert.</td></tr><tr><td>Alert closure</td><td>When the alert was resolved and closed.</td></tr></tbody></table>

"Alert creation" and "Alert confirmation" are always shown. "Alert processing" and "Alert closure" appear as the alert progresses. Each step displays the exact date and time, with the most recent event at the top.

#### Analyst Notes

Some alerts include **analyst notes** written by the Stoik SOC. These notes provide additional context on how the alert was investigated and resolved.

Not all alerts have analyst notes; they are added only when the SOC team considers additional context relevant.

#### Email Exchange

Some alerts include email exchanges related to the alert handling. When available, these communications are displayed in the side panel, giving you the full context of how the alert was communicated and resolved.

This section only appears when there are related emails.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stoik.io/email-security/how-to-read-email-security-results.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
