Skip to content

Email Intelligence guide

Email Intelligence adds mail-observed domain signals to Have I Been Squatted. Connected providers send normalized email telemetry facts, which are matched against monitored domains and lookup results. The feature is designed for earlier domain discovery, especially when abusive sender domains appear in mail before they appear in registration, certificate, or passive DNS workflows.

Email Intelligence currently supports Microsoft 365 and Google Workspace ingestion. Microsoft 365 also supports Watchdog, an optional response capability that can add sender blocks to the Microsoft Tenant Allow/Block List.

Microsoft 365 Email Intelligence integration

  • Email telemetry ingestion: Poll Microsoft Defender Advanced Hunting or Google Workspace Gmail audit logs for domain-level mail facts
  • Provider attribution: Mark lookup results as discovered through email telemetry, including provider and evidence source
  • Dashboard analysis: Review recent message observations, sender domains, recipient domains, matched monitored domains, and email-sourced lookup results
  • Event review: Inspect normalized email events by day, including direction, hashed message identifiers, sender domains, recipient domains, matched domains, and response records
  • Microsoft 365 Watchdog: Optionally add high-confidence sender-domain blocks to Exchange Online through the Tenant Allow/Block List

Email Intelligence stores privacy-bounded facts rather than raw mailbox data. Stored events include provider, observation time, event type, direction, sender domains, recipient domains, matched monitored domains, and hashed provider identifiers.

The ingestion pipeline intentionally excludes raw provider payloads, message subjects, local parts, full email addresses, message bodies, and full uniform resource locators (URLs). Message and event identifiers are hashed before storage.

Provider-specific behavior:

  • Microsoft 365: Reads Microsoft Defender Advanced Hunting EmailEvents fields for timestamp, message identifiers, direction, sender domains, and recipient domains. Microsoft URL observations are not part of the current ingestion path.
  • Google Workspace: Reads Google Workspace Admin software development kit (SDK) Reports application programming interface (API) Gmail delivery audit events. Candidate domains can come from sender and header fields, plus link-domain audit fields when Google exposes them, but stored events remain domain-level facts.

Open Integrations > Microsoft 365 Email Intelligence.

Enable one or both capabilities:

  • Email ingestion: Uses Microsoft Defender Advanced Hunting. Requires ThreatHunting.Read.All.
  • Watchdog: Uses Exchange Online application access to create sender blocks. Requires Exchange.ManageAsApp.

Choose Connect tenant or Reauthorize, then complete the Microsoft administrator consent flow. The toggles in Have I Been Squatted control which capabilities run after connection.

When Watchdog is enabled, review the Protected domains list before connecting or saving. Domains in this list are never pushed into the Tenant Allow/Block List, even if a lookup result or rule later marks them as malicious.

Open Integrations > Google Workspace Intelligence.

Enable Gmail audit logs, then connect with a Google Workspace administrator account. The Open Authorization (OAuth) flow requests Admin SDK Reports audit access for Gmail delivery events. Reconnect if the integration status indicates permission loss, no usable refresh token, or a source authorization error.

Google Workspace ingestion contributes email-observed domains and dashboard events. Watchdog response is currently Microsoft 365 only.

Email ingestion proposes candidate domains from provider telemetry. Have I Been Squatted then applies conservative matching before adding email attribution to lookup results:

  1. Monitored domains and their subdomains are not treated as suspicious candidates.
  2. Existing lookup results are updated first, so email evidence is attached to the current result when possible.
  3. New candidates are matched against monitored domains by recipient-domain ownership or a unique close-domain match.
  4. Ambiguous matches are skipped instead of being assigned to the wrong monitored domain.
  5. A completed lookup must exist for the monitored domain before new email-sourced results can be inserted.

When a candidate is accepted, the result appears alongside normal lookup results with an email source marker.

Lookup result with Microsoft Defender email source

The result can still use the normal rules engine, tags, alerts, exports, and investigation workflows. The main difference is provenance: the domain was observed in connected mail telemetry.

Open Email Intelligence from the application sidebar to review the operational view.

The dashboard summarizes the last 14 days:

  • Message observations: Normalized email message events ingested from connected providers
  • Sender domains: Distinct header and envelope sender domains observed in telemetry
  • Matched monitored domains: Monitored domains touched by recipient, sender, or near-domain evidence
  • Quarantine pushes: Microsoft Watchdog sender-block records, when Watchdog is active

The dashboard also shows direction mix, matched monitored domains, sender identity concentration, recipient footprint, and recent email-observed lookup results. Email-sourced lookup rows link back to the relevant monitored-domain lookup results.

The events view shows normalized event facts for a selected Coordinated Universal Time (UTC) day.

Email Intelligence events view

Each row includes:

  • Observed: Time the provider reported the event
  • Provider: Microsoft or Google
  • Message SHA256: SHA-256 hash of the provider message identifier, when available
  • Direction: Inbound, outbound, internal, or unknown
  • Sender: Header From domain and envelope Mail From domain, when available
  • Recipients: Recipient domains observed in provider telemetry
  • Matched: Monitored domains associated with the event
  • Action: Message observation or Microsoft Watchdog quarantine push record

Use this view when validating whether the integration is producing data, investigating spikes, or checking why a monitored domain appears in the dashboard.

Watchdog is a Microsoft 365 response capability. It does not block every email-observed domain. It evaluates lookup results after enrichment, then creates a Microsoft sender block only when the result passes safety checks and high-confidence heuristics.

Watchdog skips:

  • Domains tagged as owned, ignored, or false positive
  • The monitored domain itself
  • Domains configured as protected
  • Domains that do not meet the current high-confidence rule
  • Domains already present as allowed or blocked in the Tenant Allow/Block List

Current high-confidence conditions require a recent registration and at least one strong signal, such as high phishing classification, selected risky registrar evidence, or a mail exchange (MX)-only mail setup matching the configured provider heuristic. Sender blocks expire after 30 days by default. A single run is capped at 100 pushed sender blocks.

  • Confirm at least one email provider is connected and enabled.
  • For Microsoft 365, confirm ingestion is enabled and the integration has ThreatHunting.Read.All.
  • For Google Workspace, confirm Gmail audit logs are enabled and the source status is connected or no-data.
  • Confirm monitored domains have completed lookups. Email candidates are attached to existing monitored-domain workflows.
  • Allow for provider ingestion delay. The service polls a bounded recent window rather than reading mail synchronously.
  • Confirm Watchdog is enabled for Microsoft 365.
  • Confirm Exchange.ManageAsApp is present.
  • Confirm the candidate is not owned, ignored, false positive, monitored, or protected.
  • Confirm the lookup result passes the high-confidence heuristic.
  • Check whether the domain is already allowed or blocked in the Microsoft Tenant Allow/Block List.

Deactivate the integration in Have I Been Squatted to stop ingestion and Watchdog processing. To remove provider-side access completely, also revoke the application grant in Microsoft Entra Enterprise Applications or Google Workspace admin settings.