Cortex Advanced Email Security module overview - Learn how to onboard, configure, and operate the Email Security module. - Administrator Guide - Cortex XDR - Cortex

Cortex Advanced Email Security module overview - Learn how to onboard, configure, and operate the Email Security module. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-04

Prerequisite

The following are prerequisites for using the Cortex XDR Advanced Email Security module.

REQUIREMENT	DESCRIPTION
Setup and Permissions	Ensure Analytics is activated before enabling the Cortex Advanced Email Security module.
Licenses and Add-ons	Cortex Advanced Email Security add-on.

REQUIREMENT

DESCRIPTION

Setup and Permissions

Ensure Analytics is activated before enabling the Cortex Advanced Email Security module.

Licenses and Add-ons

Cortex Advanced Email Security add-on.

The Cortex Advanced Email Security module provides a scalable detection, investigation, and response layer over cloud-hosted email environments. It connects directly to supported email platforms via secure API integrations to ingest rich message-level and identity-related telemetry.

Unlike legacy approaches that rely on inline enforcement, this module operates passively, requiring no mail flow changes, and is optimized for modern, distributed email infrastructures. After the module is connected, it continuously collects data across messages, artifacts (e.g., links, attachments), user identities, and authentication metadata. This data is processed through a multi-layered analysis engine designed to surface early-stage threats, campaign patterns, and high-risk behaviors.

This document provides detailed technical guidance for onboarding, configuring, and operating the module. It is intended for security administrators and operators with access to email platform APIs, and familiarity with foundational email security concepts for example, SPF/DKIM/DMARC, MIME structure, phishing tactics.

Key capabilities and functional highlights

The Cortex Advanced Email Security module is composed of the following core components:

The detection engine combines traditional heuristics, rule-based logic, and large language model (LLM) analysis for deeper message understanding.

Heuristic and behavior-based rules: Covers impersonation, display name spoofing, domain lookalikes, BEC-style behavior, suspicious attachment types, and link patterns.
LLM-powered message analysis: Uses large language models to detect intent, linguistic anomalies, tone manipulation, urgency patterns, and topic impersonation. This enables identification of sophisticated phishing emails that bypass static indicators.
Policy controls: Enables admins to adjust detection thresholds, suppress known benign behaviors, or configure alert generation on specific categories, for example, URL reputation hits, newly registered domains.

The Email Investigation agent is an AI-powered agent available with the Advanced Email Security module that enables you to investigate user-reported phishing and suspicious emails through a conversational interface. It leverages LLM capabilities to analyze email metadata, understand why messages were flagged, assess threat indicators, and recommend appropriate next steps for triage, investigation, or remediation.

To open the agent, click the Agentic Assistant button on the top right of any screen and select the Email Investigation agent. Use the agent to ask questions relating to email security.

Here are some of the benefits of using the Email Investigation agent:

AI-powered analysis of user-reported phishing and suspicious emails
Conversational investigation interface
Direct invocation from anywhere in the product
Automated assessment of email threat indicators (sender, recipients, attachments, links, headers)
Contextual understanding of why emails were flagged
Recommended next steps for triage, investigation, or remediation

Supported email platforms and services

The module supports cloud-native email platforms that expose secure APIs for mailbox telemetry, user directory access, and optional remediation actions.

Supported integration capabilities include:

Read-access to user mailboxes
Header and authentication metadata
Access to reported phishing addresses
Mailbox/user scoping via directory service
Remediation permissions (delete, move, tag)

Unsupported environments:

On-premise Exchange or SMTP-only deployments
Hybrid email architectures with incomplete API visibility
IMAP/POP-based collection (protocol-only)

For detailed setup instructions and platform-specific capabilities, refer to the Deployment and Configuration section.

Supported regions

The module is available in the following regions:

Australia (AU)
Canada (CA)
France (FA)
Germany (DE)
India (IN)
Japan (JP)
Netherlands (EU)
Singapore (SG)
South Korea (KR)
United Kingdom (UK)
United States (US)