OpenEFA^® Signal Framework

How OpenEFA evaluates email risk through context, behavior, and intent.

Modern email threats don't break rules — they blend in. The OpenEFA Signal Framework identifies subtle behavioral, contextual, and intent-based changes that reveal risk before traditional systems ever detect it.

Explore Signals Featured Signal

Featured Signal Preview

Signal: Reply Chain Integrity

Some of the most dangerous attacks hide inside trusted conversations. When a reply doesn't belong in a thread, OpenEFA detects it before damage is done.

Conversation Risk Thread Hijacking Trust Validation

11 Core Signals

Behavior Not rule-only logic

Context Built into scoring

Signal of the Month

Reply Chain Integrity

Reply Chain Integrity is the kind of signal that immediately separates OpenEFA from feature-checklist competitors because it tells a more advanced story: trust can be inherited, and trust can also be abused.

This section rotates monthly and links directly to whichever signal we want to emphasize in campaigns, research posts, or partner material.

View Full Signal

Browse the Signal Library

Each OpenEFA Signal represents a specific behavioral, contextual, or intent-based indicator of risk.

Individually, a signal may appear insignificant. But when multiple signals align, they form a clear picture of intent — revealing threats that would otherwise go undetected.

OpenEFA evaluates these signals simultaneously, correlating them into a unified understanding of every message.

Day 1ConversationThread Risk

Reply Chain Integrity

Some of the most dangerous attacks hide inside trusted conversations by hijacking existing threads.

Read Signal →

Day 2BehaviorAnomaly

Volume & Timing Anomaly

When a sender's natural communication rhythm changes, spikes in timing or volume can reveal automation, misuse, or compromise.

Coming March 25

Day 3BehaviorContent

Content Shift Detection

Sudden changes in message type, tone, or request pattern often indicate phishing attempts or misuse of a legitimate account.

Coming March 26

Day 4AttachmentFirst Contact

First-Time Attachment Behavior

The first time a sender introduces a file or link is a critical context change and deserves deeper inspection.

Coming March 27

Day 5TrustDomain

First Contact Domain

New recipient relationships create new trust boundaries. Many attacks begin with that very first interaction.

Coming March 28

Day 6BehaviorIdentity

Writing Style Deviation

Even when an account is real, changes in language, pacing, and structure can point to impersonation or takeover.

Coming March 29

Day 7Social EngineeringLanguage

Urgency Manipulation

Messages that force haste are often designed to bypass verification and trigger action before critical thinking.

Coming March 30

Day 8CorrelationScoring

Multi-Signal Correlation

One signal may be weak on its own. Multiple weak signals together can reveal a much stronger risk pattern.

Coming March 31

Day 9TrustAuthentication

Authentication vs Behavior Conflict

Modern threats can be fully authenticated. When behavior and identity signals conflict, risk rises fast.

Coming April 1

Day 10AdaptivePrecision

Adaptive Sender Thresholds

Every sender should be evaluated in their own context, using trust and historical behavior rather than generic rules.

Coming April 2

Day 11IntelligenceCollective

Cross-Environment Intelligence

Signals observed in one environment can help identify emerging threats in another before damage spreads.

Coming April 3