OpenEFA Signal

Multi-Signal Correlation

How weak signals become strong conclusions.

OpenEFA® Signals Series | March 31, 2026

A single anomaly rarely tells you much. A sender you haven't seen before. A slightly unusual time of day. A link to a domain registered last week. Individually, none of these are conclusive. Together, they can reveal an attack in progress.

This is the foundational principle behind OpenEFA®'s scoring engine: correlation transforms ambiguity into clarity. Instead of relying on any single detection rule to make a binary decision, OpenEFA evaluates dozens of signals simultaneously and looks for patterns of convergence that reveal what no individual signal can.


The Problem with Single-Rule Detection

Traditional email security operates on a straightforward model: define a rule, match a pattern, take an action. If the sender is on a blocklist, reject the message. If the attachment matches a known malware hash, quarantine it. If the subject line contains a known phishing phrase, flag it.

This approach works well for known threats. It fails entirely for novel attacks, and it fails in a specific, predictable way: every rule has a threshold, and attackers learn to stay just below it.

Consider a business email compromise attempt. The sender's domain passes as legitimate (it was registered two months ago and has built a small sending history). The content contains no malicious links or attachments. The language is professional. The SPF, DKIM, and DMARC records all check out. No single rule fires because no single rule has been violated.

But the message is still an attack. Detecting it requires understanding that the combination of factors — not any one factor — is what reveals the risk.


Three Dimensions of Signal

OpenEFA's correlation engine operates across three distinct dimensions, each providing a different lens on the same message:

Technical Signals

These are the infrastructure-level indicators that describe how a message was sent: authentication results (SPF, DKIM, DMARC), sending IP reputation, DNS configuration age and history, TLS negotiation behavior, header consistency, and routing path analysis. Technical signals are precise and objective, but they only describe infrastructure — not intent.

Behavioral Signals

These describe what the message is doing in the context of the sender's established patterns: sending time relative to historical norms, message frequency, recipient patterns, attachment habits, language style consistency, and communication cadence. Behavioral signals are powerful because they measure deviation from a baseline — and deviation is often the earliest indicator of compromise or impersonation.

Contextual Signals

These describe the meaning of the message within its environment. Is there a financial request? An urgency indicator? A request to bypass normal procedures? A reference to a real event (like an upcoming payment deadline) that could be weaponized? Contextual signals connect the technical and behavioral layers to real-world risk.

No single dimension is sufficient. A message can be technically perfect and behaviorally normal but contextually dangerous. Or technically suspicious but behaviorally consistent and contextually benign. The truth lives in the intersection.


Signal Reinforcement: When Signals Agree

The most straightforward form of correlation is reinforcement — when multiple independent signals point in the same direction.

Consider a message where:

Each signal in isolation is explainable. Each has a legitimate reason it could appear in a normal message. A traditional single-rule system would likely let most of these pass individually.

But the probability that all five of these signals would co-occur in a legitimate message is extremely low. OpenEFA's correlation engine recognizes this convergence and escalates the risk score accordingly. The signals reinforce each other, and the combined confidence far exceeds what any individual signal could provide.

This is not simple addition. The correlation engine applies weighted, non-linear scoring that accounts for how signals interact. Five weak signals from different dimensions create a stronger conclusion than five weak signals from the same dimension, because cross-dimensional agreement is harder to fake.


Signal Contradiction: When Signals Disagree

Reinforcement is the straightforward case. Contradiction is where correlation becomes truly powerful — and truly difficult.

Signal contradiction occurs when some indicators suggest safety while others suggest danger. This is not an edge case. It is the normal state for sophisticated attacks.

A compromised account, for example, produces a set of signals that fundamentally contradict each other:

A system that weights technical signals too heavily will miss this entirely; its reasoning runs "the authentication is perfect, so the message must be safe." A system that weights behavioral signals too heavily might over-flag, generating false positives on legitimate messages that happen to deviate from normal patterns.

OpenEFA's correlation engine handles contradiction by evaluating the pattern of contradiction itself. When technical signals strongly indicate safety but behavioral signals strongly indicate risk, that specific combination is itself a signal — and it's one of the most reliable indicators of account compromise or sophisticated impersonation.

The engine doesn't simply average the scores. It recognizes that certain contradictions are more meaningful than others and adjusts accordingly.


Why Correlation Outperforms Single-Rule Systems

The advantages of correlation-based detection compound over time:

Resilience to Evasion

An attacker can optimize against a single rule. They can learn the spam score threshold and craft messages that fall just below it. They can register domains early enough to avoid age-based filters. They can warm up sending IPs to build reputation. But optimizing against dozens of correlated signals simultaneously — across three independent dimensions — is exponentially harder. Every evasion tactic that addresses one signal tends to create anomalies in another.

Reduced False Positives

Single-rule systems face a constant tension: set the threshold too low and you miss attacks; set it too high and you block legitimate mail. Correlation breaks this trade-off. Because multiple signals must converge before a message is flagged, individual signals can use lower thresholds without generating noise. A new domain alone doesn't trigger action. A new domain combined with anomalous timing, unfamiliar language patterns, and a financial request does.

Detection of Novel Threats

Single rules are written for known attack patterns. Correlation detects unknown attacks because it measures convergence of anomalies rather than matching specific patterns. An entirely new attack technique will still produce anomalies across multiple dimensions — and those anomalies will still correlate. The engine doesn't need to know what the attack is to know that something is wrong.

Adaptive Confidence

Not every message requires the same level of scrutiny. When signals are clear and consistent — either clearly safe or clearly dangerous — the engine can make fast decisions with high confidence. When signals are mixed or ambiguous, the engine can escalate to deeper analysis or human review. This adaptive approach allocates security resources where they're most needed.


A Real-World Example

Consider a message that arrives at a financial services firm:

From: A known vendor contact (authenticated, DMARC-aligned)

Subject: "Updated banking details for Q2 invoices"

Content: Professional, well-written, references real project names and invoice numbers

Request: Update ACH routing to a new bank account before next payment cycle

A traditional system sees a fully authenticated message from a known sender with no malicious content. It passes every individual check.

OpenEFA's correlation engine sees a different picture:

No single signal is conclusive. The correlation across all three dimensions is. The message is flagged for review, and the accounts payable team verifies through an out-of-band channel that the vendor's account was compromised.
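The reinforcement, contradiction and adaptive-review behaviour described in the sections above, as an added illustrative scorer that is not OpenEFA's engine or code. Its three dimensions follow the article; the 1.5 cross-dimension multiplier, the 0.3 contradiction bonus, the review and quarantine thresholds, and every sample signal value are assumptions constructed for this example, since the article does not list its own signal values.

```python
# A signal is (name, dimension, risk); dimension is "technical", "behavioral"
# or "contextual", risk runs from -1.0 (strongly safe) to +1.0 (strongly risky).

def dimension_verdicts(signals):
    # Mean risk per lens: more signals in one dimension refine that lens's
    # verdict but never push it past its strongest member.
    by_dim = {}
    for _name, dim, risk in signals:
        by_dim.setdefault(dim, []).append(risk)
    return {d: sum(r) / len(r) for d, r in by_dim.items()}

def correlate(signals, threshold=0.3):
    """Return (score in [0, 1], contradiction flag, per-dimension verdicts)."""
    dims = dimension_verdicts(signals)
    risky = {d: v for d, v in dims.items() if v >= threshold}
    # Reinforcement: every additional risky dimension multiplies the combined
    # score by 1.5, so cross-dimensional agreement beats volume in one lens.
    score = sum(risky.values()) * 1.5 ** max(len(risky) - 1, 0)
    # Contradiction: strong technical safety (SPF/DKIM/DMARC pass) next to
    # behavioral or contextual risk is the account-compromise pattern and is
    # scored as a signal of its own rather than averaged away.
    contradiction = dims.get("technical", 0.0) <= -threshold and any(
        d in risky for d in ("behavioral", "contextual"))
    if contradiction:
        score += 0.3
    return round(min(score, 1.0), 3), contradiction, dims

def decide(score, contradiction, quarantine=0.8, review=0.5):
    # Adaptive confidence: consistent evidence decides fast; mixed evidence
    # (a contradiction) always escalates to human review.
    if contradiction or review <= score < quarantine:
        return "review"
    return "quarantine" if score >= quarantine else "deliver"

# Constructed sample messages (the article's own signal lists are not reproduced).
REINFORCED = [  # five weak anomalies spread across all three dimensions
    ("domain registered last week", "technical", 0.4),
    ("sent outside sender's usual hours", "behavioral", 0.4),
    ("first message to this recipient", "behavioral", 0.4),
    ("financial request", "contextual", 0.6),
    ("urgency language", "contextual", 0.4),
]
COMPROMISED_VENDOR = [  # the banking-details scenario above, values constructed
    ("SPF/DKIM pass, DMARC aligned", "technical", -1.0),
    ("known vendor contact", "technical", -0.8),
    ("first-ever bank change request from this sender", "behavioral", 0.5),
    ("ACH routing change to a new account", "contextual", 0.7),
    ("before next payment cycle", "contextual", 0.5),
]
```

Running `correlate` on the same five weak risks placed in a single dimension yields a verdict of 0.44 and a deliver decision, while spreading them across the three dimensions saturates the score and quarantines; the compromised-vendor message scores high but routes to review because the technical/behavioral contradiction marks it as mixed evidence.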


The Broader Principle

Multi-Signal Correlation is the foundation on which every other OpenEFA signal operates. Individual signals — reply chain integrity, sender profiling, authentication analysis, content inspection — each provide valuable data points. But their true power emerges only when they are evaluated together, in context, across dimensions.

The core principle: certainty is not found in any single signal. It is found in the convergence of many.

Attackers can defeat any one defense. They cannot simultaneously defeat a system that watches everything, correlates everything, and understands that the pattern matters more than any individual data point.

That is the difference between rule-based detection and intelligence-driven security.