
Large volumes of graymail distracts users from taking the time to identify truly malicious emails, and security teams waste time on triaging all types of graymail reported to the organization's abuse mailbox. With Armorblox automatic graymail detection policy, security teams save valuable time and resources that would otherwise be spent sorting through large volumes of unwanted emails.

How do you manage emails that are neither wanted nor unwanted by end users? These emails can include newsletters, cold sales emails, and other mass messaging blasts that a user may have once opted in to receive, but may no longer be interested in. While these types of emails are not necessarily malicious, graymail can still be a nuisance to both end users and security teams. And especially so to executives within an organization who receive a disproportionate share of these unwanted emails.
Security teams waste time on triaging graymail reported to abuse mailbox
One of the main challenges with graymail is the high volume of email communications coming into the organization as well as being reported by end users; wasting valuable time for security teams and individuals who must manually sort through and delete these emails for the organization. End users who make it a habit to report any email that may be suspicious to the organization’s abuse mailbox not only create alerts for real threats, but also flood it with graymail that may be more annoying than harmful – making it that more likely that a real threat can go through unnoticed.
Large volumes of graymail distracts users from taking the time to identify truly malicious emails
End users who quickly scan emails with the goal to get to zero unread can easily mistake a malicious email for a genuine communication or outreach, potentially exposing their system to a cyber attack. End users are likely to engage with emails that they believe are genuine, placing a greater chance on them responding to a recon email from a potential attacker, disguised as a common outreach or solicitation email. Organizations that rely on end users to identify and report malicious emails are at an increased security risk. mistaken for a genuine email or spam.
It is imperative for security teams to accurately detect and classify legitimate email communications from graymail to malicious email threats, and automate away tedious, manual work. Armorblox understands and addresses these issues through accurately detecting and classifying types of graymail end users across the organization face on a daily basis.
Accurate Detection and Classification of types of Graymail
With the increased amount of malicious email and spam targeting enterprises, it is not enough to turn email security tools “all the way to the right” – as this only exacerbates the problem. With Armorblox automatic graymail detection policy, security teams save valuable time and resources that would otherwise be spent sorting through large volumes of unwanted emails.
Armorblox natural language understanding (NLU) and machine learning models understand the content and context of each email, to automatically classify each piece of graymail that comes into the organization. Types of graymail are identified based on email workflows and machine learning models –based on both global and customer models. These language-based classifications enable security teams to quickly find and review emails within a category and set custom remediation actions based on graymail type. Graymail is automatically identified, classified, and remediated based on the actions set by Admins, allowing security teams to focus on more important tasks, such as identifying and addressing genuine security threats.
There are three main categories Armorblox automatically classifies graymail into:
- Marketing and Promotional Content: Emails that may have been wanted previously, but are now seen as a nuisance, emails selling or promoting for personal gain
- Scams: Emails disguised as legitimate email communications looking for a response prior to executing an attack, suspicious emails that contain bad URLs, links to fake sites
- Reaching Out: Emails that are unwanted solicitation for products or services, sent to find and persuade individuals to take an action for the sender’s personal gain
Because Armorblox has a natural language engine that is automatically looking for workflows that might be compromised within an organization, the graymail is also automatically categorized into these different workflow categories with incident tags, giving security teams an instant appreciation of which workflows attackers find attractive to compromise their organization.
Without Armorblox automatic graymail detection policy, the results are: blocking legitimate emails, and interrupting business workflows by slowing down organization productivity. Rather than sending everything to quarantine by default, advanced email security platforms like Armorblox that utilize NLU and custom ML models understand the intent of the email sender and recipient to automate the identification of malicious versus legitimate emails. With this sophisticated understanding, advanced email security platforms triage and ensure that legitimate emails are delivered to end users’ inboxes with confidence. Security teams can also configure Armorblox to send graymail to any folder created in a user’s mailbox, and customize it by active group if needed.
Eliminate Manual Time Wasted for Employees with Armorblox
Through the precise detection and accurate classification of graymail, Armorblox not only saves valuable time for security teams, but also reduces the amount of unwanted emails end users have to manually spend time dealing with on a daily basis – improving not only employee productivity, but also reducing frustration for end users.
On average, an organization is faced with 100x more volume of graymail compared to other malicious email threats (BEC, account compromise, supply chain fraud, spear phishing). Armorblox automatic graymail detection policy auto-remediates the 100, so your security teams can focus on the one that needs human review.
Without Armorblox, security teams can find themselves with hundreds of hours of productivity lost each month focused on manually remediating graymail. Let’s say it takes on average 5 seconds per each graymail received in order for one individual to manually look at and decide which remediation action is best for that single email. If an organization gets on average about 30,000 pieces of graymail per week, and it takes an individual 5 seconds to review and remediate each graymail. It would take a total of 41 hours and 40 minutes each week in order to remediate every single graymail, on an organizational level.
Detecting graymail is an important task for security teams, and Armorblox automatic graymail detection policies not only gives valuable time back to security teams, but also improves efficiency, reduces the risk of security threats from being overlooked, and enhances the overall user experience.
How Armorblox Accurately Classifies Graymail (Examples in the Wild)
Accurately detecting and stopping today’s unwanted graymail can be a challenge for native email security and inline solutions, as many are sent by valid email addresses that pass email authentication checks (DMARC, DKIM, and SPF). Furthermore, these emails do not often contain malicious links or attachments, meaning legacy solutions that rely on these attack vectors to detect unwanted mail will allow these annoying interruptions to flow into the inboxes of end users.
Below are examples of the types of graymail Armorblox detects and automatically remediates.

Fig 1: Graymail automatically classified as “Marketing and Promotional Content”
Above we see a type of graymail that Armorblox automatically classifies as Marketing and Promotional Content, and remediates this email – preventing end users from having to interrupt their day by manually moving this email out of his or her inbox. For end users that travel frequently, it is common for an email to be required prior to gaining access to airport WiFi, especially a major travel hub like Atlanta. This end user benefits from gaining access to the WiFi when traveling through the Atlanta airport, but does not need his or her day to be interrupted by marketing emails from Atlanta Rewards.

Fig 2: Graymail automatically classified as “Scams”
In the above example we see a fake applicant email targeting a professor at a University. Although a professor may not respond to an email of this sort, as stated in the email above, professors have a busy schedule and can do without having to manually review and remove this email from his or her inbox. Armorblox automatically identifies and classifies the above type of graymail as Scams, so that end users do not have to waste precious time with recon emails that may seem harmless at first glance.
Fig 3: Graymail automatically classified as “Reaching Out”
Above we see a type of graymail that Armorblox automatically classifies as Reaching Out – automatically removing this email from the inbox of end users across the company. As stated in the email above, this is not the first time a representative at this company has reached out. Annoying, unwanted solicitations waste precious time for end users and security teams. Armorblox gives this valuable time back by automatically classifying and removing unwanted emails such as the above, so that employees can focus on proactive tasks and meaningful email communications.
Please note that sensitive information has been obscured from the above screenshots for privacy reasons.