POST: Email Archival, Processing and Flagging Stack for Incident Responders
Jeffrey Fairbanks
TL;DR
Phishing remains the dominant cyber threat, and traditional email gateways often lack comprehensive forensic search at affordable cost. The paper introduces POST, a serverless, API-driven pipeline that ingests, parses, analyzes, and flags emails and attachments using YARA static analysis, RF classifiers, and LLM-based NLP with retrieval augmentation. It demonstrates end-to-end capability, scalable ingestion, full-text search across bodies and attachments, and SIEM integration, achieving up to 68.6% cost savings relative to leading gateway solutions. The approach aims to empower incident responders and digital forensics teams, offering scalable, low-maintenance email security tooling suitable for organizations of varying sizes.
Abstract
Phishing is one of the main points of compromise, with email security and awareness estimated at $50-100B in 2022. There is a great need for email forensics capability to quickly search for malicious content. A novel solution, POST, is proposed. POST is an API-driven, serverless email archival, processing, and flagging workflow for both large and small organizations. It collects and parses all email, flags emails using state-of-the-art Natural Language Processing and Machine Learning, allows full-text searching on every aspect of an email, and provides a cost savings of up to 68.6%.
