
Redefining Grey Email Remediation with Intent-Based Detection

Abhishek Singh, Co-Founder and CTO
May 26, 2025 1:44:21 AM

Malicious URLs, attachments leading to phishing or malware, and conversational payloads such as Business Email Compromise (BEC) represent some of the most concerning attack vectors facing organizations today.

In addition to these high-risk threats, organizations must also contend with the overwhelming volume of grey emails and spam that reach employee inboxes daily. Grey emails typically include newsletters, product updates, promotional offers, and event invitations. While not overtly malicious, these messages negatively impact organizations in two key ways:

1. Loss of Productivity

Grey email can cause a severe loss of productivity in an organization. For example, as shown in Figure 1.0, NACE™ identified 713,250 grey emails over a 90-day period in a live production environment. Assuming an average of 10 seconds spent per grey email, the total productivity loss for the organization amounted to approximately 3,967 hours: a significant cost in time and focus, compounded by missed critical messages and a cluttered mailbox.

Figure 1.0: Grey email detection over approximately 90 days

2. Distraction Vector for Threats Such as Email Bombing

An email bombing attack is a cyber attack in which a target's email inbox is flooded with an excessive number of emails in a short period. The primary goal is to disrupt, distract, or overwhelm the target by making the inbox unusable or by hiding important communications among the noise. In an email bombing attack, a threat actor can perform subscription bombing, which floods users' inboxes with grey emails in a short span of time.
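A defender can spot the subscription-bombing pattern described above by counting distinct grey-mail senders per recipient in a sliding window. The sketch below is an added example, not NACE code; the event tuple format, the 10-minute window, and the threshold of 5 sender domains are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_bursts(events, window=timedelta(minutes=10), min_senders=5):
    """events: (iso_time, recipient, sender_domain) for mail already judged grey.
    Returns {recipient: first time the window held >= min_senders distinct domains}."""
    recent = defaultdict(deque)  # recipient -> (time, domain) pairs still in the window
    alerts = {}
    for ts, rcpt, domain in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        q = recent[rcpt]
        q.append((t, domain))
        while t - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if rcpt not in alerts and len({d for _, d in q}) >= min_senders:
            alerts[rcpt] = t
    return alerts

# Constructed sample events: bob is hit by six lists in three minutes,
# alice receives three ordinary newsletters spread across the day.
EVENTS = [
    ("2025-01-06T09:00:00", "bob@corp.example", "list1.example"),
    ("2025-01-06T09:00:40", "bob@corp.example", "list2.example"),
    ("2025-01-06T09:01:10", "bob@corp.example", "list3.example"),
    ("2025-01-06T09:02:00", "bob@corp.example", "list4.example"),
    ("2025-01-06T09:02:30", "bob@corp.example", "list5.example"),
    ("2025-01-06T09:03:00", "bob@corp.example", "list6.example"),
    ("2025-01-06T08:00:00", "alice@corp.example", "news.example"),
    ("2025-01-06T12:00:00", "alice@corp.example", "shop.example"),
    ("2025-01-06T17:00:00", "alice@corp.example", "events.example"),
]

if __name__ == "__main__":
    for rcpt, when in find_bursts(EVENTS).items():
        print(f"possible subscription bombing: {rcpt} at {when.isoformat()}")
```

An alert of this kind is a prompt to look for the message the flood may be hiding, such as a password-reset or transaction notice delivered in the same window.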

NACE’s Detection of Grey Email and SPAM

NACE™ leverages generative and predictive AI technologies, including fine-tuned classifiers, similarity analysis using embeddings, hierarchical and phrase-based topic modeling, a Cross Encoder-based semantic re-ranker, and zero-shot semantic classification using large language models (LLMs). These AI models and technologies work together to deeply understand the semantics, themes, purpose, tone, sentiment, and emotion, i.e. the overall intent, embedded within the email's subject line, body, and text-based attachments.

Intent analysis also forms a core feature set for detecting grey emails within NACE™. Text extracted from the email body, subject line, and attachments is passed to NACE's Intent Analysis Layer, where the system evaluates the semantics and topics embedded in the content. If the detected intent aligns with those commonly observed in grey emails, such as promotional offers, newsletters, re-engagement attempts, personalized messages, or fear-of-missing-out (FOMO), the corresponding semantic features are forwarded to the expert system.

Grey Email Detection by NACE™

Features derived from SMTP headers, such as the subscribe and unsubscribe headers and directionality, are also sent to the expert system. The contextual relationship between these SMTP header features and the inferred intent of the email helps determine whether an email is a grey email.

Once an email is marked as Grey Email:

  • It is automatically moved from the Inbox to the "Inception Promotional" folder.

  • If the user has subscribed to the sender's content, and the email was not sent via a third-party vendor, the verdict can be reclassified from Grey to Clean.

  • This reclassification returns the email to the Inbox and permits future emails from the sender to bypass Grey Email classification, ensuring uninterrupted delivery of subscribed content.

This approach allows for nuanced filtering that balances the user's subscriptions against sender legitimacy, improving both email hygiene and user experience.
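The decision flow described above, combining header features with an inferred intent and then applying the subscription rule, can be sketched as follows. This is an added example and not NACE's implementation: the intent label names, the reading of "directionality" as inbound versus internal mail, and the `subscriptions` and `via_third_party` inputs are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Intent labels assumed to arrive from an upstream classifier (hypothetical names).
GREY_INTENTS = {"promotional_offer", "newsletter", "re_engagement", "fomo"}

def header_features(raw, org_domain):
    """Extract header features: sender domain, List-Unsubscribe, direction."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "sender_domain": sender_domain,
        "has_unsubscribe": msg.get("List-Unsubscribe") is not None,
        "inbound": sender_domain != org_domain.lower(),  # assumed meaning of directionality
    }

def verdict(raw, intent, org_domain, subscriptions, via_third_party):
    """Return (verdict, folder). Grey requires a grey intent AND bulk-mail headers."""
    f = header_features(raw, org_domain)
    if intent not in GREY_INTENTS or not (f["has_unsubscribe"] and f["inbound"]):
        return ("not_grey", "Inbox")  # left to the other detection layers
    # Reclassification: user subscribed and mail not relayed by a third-party vendor.
    if f["sender_domain"] in subscriptions and not via_third_party:
        return ("clean", "Inbox")
    return ("grey", "Inception Promotional")

# Constructed sample message.
SAMPLE = (
    "From: Deals <news@shop.example>\n"
    "To: alice@corp.example\n"
    "Subject: Last chance: 40% off ends tonight\n"
    "List-Unsubscribe: <https://shop.example/unsub?u=123>\n"
    "\n"
    "Do not miss out on our biggest sale.\n"
)

if __name__ == "__main__":
    print(verdict(SAMPLE, "fomo", "corp.example", set(), False))
    print(verdict(SAMPLE, "fomo", "corp.example", {"shop.example"}, False))
    print(verdict(SAMPLE, "fomo", "corp.example", {"shop.example"}, True))
```

Requiring both signals matters: a List-Unsubscribe header alone is trivial for any sender to add, so it should never be enough on its own to move a message out of the other detection paths.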

Conclusion

NACE™ is purposefully engineered to detect evasive URLs and attachments that lead to phishing or malware—regardless of whether they are generated by threat actors or AI. It leverages both generative and predictive AI to understand semantics, topics, and the relationships among them—collectively referred to as the intent of an email. This intent forms a core feature set that allows NACE™ to determine the maliciousness of a message without relying on signals from the exploitation stage or a landing URL.

Unsubscribed grey emails not only impact productivity but can also serve as a distraction vector for attacks such as email bombing, making them suitable candidates for removal from inboxes. NACE’s intent analysis layer—central to its decision-making engine—has been extended to assess the semantics of grey mail. If the semantic conditions are met, the system evaluates the contextual relationship between SMTP headers and the identified intent to render a verdict on whether an email qualifies as grey mail.
