Enterprise Gateway

Deploy real-time email protection across your organization with automated scanning, URL rewriting, and quarantine management.

Overview

The Phishivox Enterprise Gateway provides organization-wide email security through API-based integration with Microsoft 365, Google Workspace, and on-premises Exchange. Unlike traditional MX gateways that route all email through a third party, Phishivox connects via native APIs — deploying in under 5 minutes with zero DNS changes and zero risk to email delivery.

Key capabilities

  • Real-time scanning — Every inbound email is automatically analyzed through the 6-layer detection pipeline within seconds of delivery.
  • URL rewriting — All links are rewritten to pass through the Phishivox proxy, enabling time-of-click protection that catches URLs that become malicious after delivery.
  • Quarantine management — Phishing emails are automatically moved to a quarantine folder. Admins can review, release, or permanently delete.
  • Warning & justification — Suspicious links show a contextual warning page. Users who proceed must write a justification that is logged for compliance.
  • Click audit trail — Every URL click, every warning, every justification is logged with timestamp, IP, user agent, and outcome.
  • Multi-model AI — Enterprise uses Claude Haiku for fast triage and Claude Sonnet for deep analysis on suspicious emails, with GPT-5.1 as fallback.

5-Minute Deployment Guide

Phishivox Enterprise connects to your email provider via API. No MX record changes, no DNS modifications, no risk to email flow.

Prerequisites

  • A Phishivox Enterprise account (contact admin@phishivox.com)
  • Microsoft 365 Global Administrator or Exchange Administrator role (for M365 integration)
  • Google Workspace Super Admin role (for Google integration)

Step 1: Connect your email provider

  1. Log in to Phishivox and navigate to Gateway → Settings.
  2. Click Connect Microsoft 365 (or Google Workspace).
  3. You will be redirected to the Microsoft (or Google) admin consent screen.
  4. Review the requested permissions and click Accept.
  5. You will be redirected back to Phishivox with a success confirmation.

Permissions requested

Phishivox requests application-level Mail.ReadWrite and Mail.Send permissions. Mail.ReadWrite is needed to read email content for scanning and to rewrite URLs. Mail.Send is used only to update email body content (URL rewriting), not to send new emails.

Step 2: Verify the connection

After connecting, the Gateway Settings page shows your connection status as “Active.” Within minutes, new emails arriving in your organization will begin appearing in the Gateway Dashboard.

Step 3: Configure policies

Set your auto-quarantine threshold, URL rewriting scope, and notification preferences in Gateway → Settings. See the Settings & Policies section below.

That's it

Your organization is now protected. Phishivox automatically scans every inbound email, rewrites URLs for time-of-click protection, and quarantines confirmed phishing.

How Detection Works

Every email passes through 6 independent detection layers. Each layer scores the email from 0.0 (clean) to 1.0 (malicious). A weighted combiner merges all scores into a single verdict with a confidence rating.

This transparency is unique to Phishivox. No other email security vendor publishes how their detection engine works. We believe explainability builds trust.

The 6-layer pipeline

  1. Rule Engine — 27 rule functions covering sender spoofing, lookalike domains, urgency language, BEC patterns, OAuth phishing, QR phishing, and more. Each rule outputs specific findings with evidence.
  2. URL Scanner — Structural analysis (IP-based URLs, suspicious TLDs, excessive subdomains, embedded credentials) plus VirusTotal and Google Safe Browsing reputation checks.
  3. Header Forensics — Verifies SPF, DKIM, and DMARC authentication. Flags failed authentication, excessive routing hops, and suspicious mail servers.
  4. Attachment Analysis — Checks for dangerous file types, double extensions, macro-enabled documents, MIME/extension mismatches, and looks up file hashes against VirusTotal.
  5. ML Classifier — XGBoost model trained on 12 structural features. Detects phishing patterns invisible to rule-based systems.
  6. AI Analysis — Deep language analysis using Claude AI detects social engineering, intent manipulation, and brand impersonation at the semantic level.

Verdicts

Safe (score < 0.30)

No significant threats detected. URLs are rewritten for time-of-click protection but no other action is taken.

Suspicious (0.30 <= score < 0.65)

Warning signs detected. URLs show contextual warnings when clicked. Admin is notified.

Phishing (score >= 0.65)

High-confidence phishing. Email is moved to quarantine. User and admin are notified.

Spam

Unsolicited commercial email. Optionally moved to junk folder based on your policy settings.

Sender Trust Score

Phishivox uses a Sender Trust Score (0.0 – 1.0) to reduce false positives on legitimate email. When a sender passes email authentication and comes from a known brand domain, phishing rule weights are automatically discounted.

How trust is computed

| Signal | Trust Contribution |
| --- | --- |
| SPF authentication passes | +0.25 |
| DKIM authentication passes | +0.25 |
| DMARC authentication passes | +0.20 |
| Sender domain is a known brand (30+ brands) | +0.20 |
| List-Unsubscribe header present | +0.10 |

A fully authenticated email from Amazon (SPF pass + DKIM pass + DMARC pass + known domain) scores trust = 0.90. Phishing rule weights are reduced by up to 90%, so phrases like “verify your account” score 0.008 instead of 0.08. An unauthenticated freemail sender scores trust = 0.0 — full rule weights apply.
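The arithmetic above, as an added example that is not Phishivox code: it sums the table's contributions from a message's Authentication-Results header and applies the discount to a rule weight. The discount form `weight * (1 - trust)`, the trusted authserv-id `mx.example.org`, the one-entry brand list, gating the brand bonus on a DMARC pass, and the sample messages are all assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Contributions copied from the "How trust is computed" table.
AUTH_WEIGHTS = {"spf": 0.25, "dkim": 0.25, "dmarc": 0.20}
BRAND_BONUS, LIST_UNSUB_BONUS = 0.20, 0.10
KNOWN_BRANDS = {"amazon.com"}        # constructed stand-in for the brand list
TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own boundary MTA


def sender_trust(raw_message: str) -> float:
    msg = message_from_string(raw_message)
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        # Count only results stamped by our own MTA; a sender can forge
        # an Authentication-Results header that claims anything.
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            if result.lower() == "pass":
                passed.add(method.lower())
    trust = sum((AUTH_WEIGHTS[m] for m in passed), 0.0)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: the brand bonus needs a DMARC pass, so a spoofed From earns nothing.
    if "dmarc" in passed and from_domain in KNOWN_BRANDS:
        trust += BRAND_BONUS
    if msg.get("List-Unsubscribe"):
        trust += LIST_UNSUB_BONUS
    return round(min(trust, 1.0), 2)


def discounted_weight(rule_weight: float, trust: float) -> float:
    # Assumed form: weight * (1 - trust); it reproduces 0.08 -> 0.008 at trust 0.90.
    return round(rule_weight * (1.0 - trust), 4)


def _msg(auth: str, sender: str) -> str:  # builds a constructed sample message
    return f"Authentication-Results: {auth}\nFrom: {sender}\nSubject: Payment reminder\n\nbody\n"

PASS_ALL = "spf=pass smtp.mailfrom={d}; dkim=pass header.d={d}; dmarc=pass header.from={d}"
AMAZON = _msg("mx.example.org; " + PASS_ALL.format(d="amazon.com"), "Amazon Pay <no-reply@amazon.com>")
OTHER = _msg("mx.example.org; " + PASS_ALL.format(d="shop.example"), "Shop <billing@shop.example>")
FORGED = _msg("mx.sender.example; " + PASS_ALL.format(d="amazon.com"), "Amazon <no-reply@amazon.com>")
```

An authenticated domain that is not on the brand list still earns 0.70 from SPF, DKIM and DMARC alone, because authentication shows control of the sending domain and nothing more.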

Why this matters

Before Sender Trust, a legitimate Amazon Pay payment reminder scored 0.39 (Suspicious). After Sender Trust, the same email scores 0.02 (Safe). Actual phishing from unauthenticated senders scores even higher than before.

URL Protection (Time-of-Click)

All URLs in emails processed by the gateway are rewritten to pass through the Phishivox proxy at shield.phishivox.com. When a user clicks a link, the URL is re-scanned in real-time before the user is redirected.

Why time-of-click matters

Many phishing URLs are clean when the email is delivered and become malicious hours later. By re-scanning at click time, Phishivox catches threats that every delivery-time-only scanner misses.

What users see

  • Clean URL (score < 0.30) — Transparent redirect. The user sees nothing — they land on the destination instantly.
  • Suspicious URL (0.30 ≤ score < 0.65) — A warning page appears showing the risk assessment, specific findings, and a justification form. The user can go back or proceed.
  • Malicious URL (score ≥ 0.65) — Blocked entirely. The user sees an explanation of why the link is dangerous. No option to proceed.

Admin controls

  • Rewrite scope — All emails (recommended) or only emails scoring above a threshold.
  • Bypass policy — Allow admins to disable warning bypass for high-risk URLs (score > 0.80).
  • Trusted domains — Skip rewriting for internal/approved domains.

Warning & Justification

When a user clicks a suspicious URL, they see a branded warning page explaining the risk. This is a feature unique to Phishivox — competitors like Proofpoint and Mimecast only block or allow with no middle ground.

What the warning page shows

  • The original destination URL and domain
  • Risk score and verdict
  • Specific findings (e.g., “Domain registered 3 days ago”, “Domain resembles paypal.com”)
  • A “Go Back to Safety” primary button
  • A “Proceed Anyway” secondary button (requires justification)

Justification requirements

To proceed past the warning, users must:

  1. Check “I understand the risk and want to proceed”
  2. Write a justification (minimum 20 characters) explaining why they need to visit the link
  3. Click “Proceed Anyway”

The justification, along with the user's email, IP address, user agent, timestamp, and the URL's risk score at click time, is permanently logged in the audit trail.

Compliance value

This creates a documented audit trail showing that users were warned, acknowledged the risk, and provided a business justification. This is valuable evidence for SOC 2, ISO 27001, and regulatory audits.

Quarantine Management

Emails scoring above the auto-quarantine threshold (default: 0.65) are automatically moved to a designated quarantine folder in your email provider.

Admin actions

  • Review — Preview email content, view scan results, and see which detection layers flagged the email.
  • Release — Move the email back to the recipient's inbox. An audit entry is created recording who released it and why.
  • Delete — Permanently remove the email from the quarantine. Irreversible.
  • Bulk operations — Select multiple quarantined emails for batch release or deletion.

Policies

  • Auto-quarantine threshold — Configurable score threshold. Default is 0.65 (Phishing verdict).
  • Retention period — How long quarantined emails are kept before auto-deletion. Default: 30 days.
  • User notifications — Optionally notify users when their emails are quarantined. Configurable: immediate, hourly digest, or daily digest.

Click Audit & Compliance

Every URL click across your organization is logged in the audit trail, regardless of whether the URL was clean, suspicious, or malicious.

What gets logged

| Field | Description |
| --- | --- |
| Clicked by | Email address of the user who clicked |
| Original URL | The actual destination URL |
| Verdict at click time | Real-time scan result (may differ from delivery-time verdict) |
| Action taken | Redirected, warned, or blocked |
| Justification | Text provided by the user (if they proceeded past a warning) |
| Proceeded | Whether the user continued to the destination or went back |
| IP address | Source IP of the click |
| User agent | Browser/device information |
| Timestamp | Exact date and time of the click (UTC) |

Export

The click audit log can be exported to CSV from the Gateway Dashboard for integration with your compliance reporting tools.
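One way to triage an exported click audit log, as an added example that is not part of the Phishivox product: it lists users who proceeded past a warning, flags filler justifications, and groups warned or blocked clicks by destination host to surface links that reached several users. The CSV column names (taken from the field table), the value spellings such as `Warned` and `true`, and every sample row are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. Column names are assumed to match the field table.
SAMPLE_CSV = """\
Clicked by,Original URL,Verdict at click time,Action taken,Justification,Proceeded,IP address,User agent,Timestamp
alice@corp.example,https://wiki.corp.example/home,Safe,Redirected,,false,192.0.2.10,Mozilla/5.0,2026-01-12T09:01:00Z
bob@corp.example,https://login.pay-portal.example/verify,Suspicious,Warned,"Vendor portal link, confirmed with accounts payable by phone",true,192.0.2.11,Mozilla/5.0,2026-01-12T09:14:00Z
carol@corp.example,https://login.pay-portal.example/verify,Suspicious,Warned,,false,192.0.2.12,Mozilla/5.0,2026-01-12T09:20:00Z
erin@corp.example,https://files.share-docs.example/q2,Suspicious,Warned,aaaaaaaaaaaaaaaaaaaaaaaa,true,198.51.100.7,Mozilla/5.0,2026-01-12T10:02:00Z
dave@corp.example,https://files.share-docs.example/q2,Phishing,Blocked,,false,192.0.2.13,Mozilla/5.0,2026-01-12T13:45:00Z
"""


def triage(csv_text: str, min_users: int = 2):
    """Return (clicks that proceeded past a warning, hosts hit by >= min_users users)."""
    proceeded, users_by_host = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Action taken"].strip().lower()
        if action == "redirected":  # clean at click time, nothing to review
            continue
        host = (urlsplit(row["Original URL"]).hostname or "").lower()
        user = row["Clicked by"].strip().lower()
        users_by_host[host].add(user)
        if action == "warned" and row["Proceeded"].strip().lower() in ("true", "yes"):
            # The form enforces 20 characters, not meaning: flag filler text.
            distinct_words = set(row["Justification"].lower().split())
            proceeded.append({"user": user, "host": host,
                              "weak_justification": len(distinct_words) < 3})
    campaigns = {h: sorted(u) for h, u in users_by_host.items() if len(u) >= min_users}
    return proceeded, campaigns


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item)
```

In the sample, the same URL is warned on in the morning and blocked in the afternoon, which is the case where a user who proceeded earlier needs follow-up.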

Phishing Simulation

Test your organization's phishing awareness by sending simulated phishing emails to employees. Track who clicks, measure awareness levels, and export results for targeted cybersecurity training.

How It Works

  1. Choose from 5 built-in templates (BEC, password expiry, delivery scam, invoice fraud, Microsoft security alert) or create your own custom template.
  2. Add recipients by pasting email addresses, or import from your M365 directory.
  3. Send a test email to yourself first to verify the template looks realistic.
  4. Launch the campaign — simulation emails are sent through your org's M365 tenant (or via Resend fallback).
  5. When employees click the simulated phishing link, their click is logged and they see an educational landing page.

Campaign Dashboard

Real-time metrics show how many emails were sent, opened, and clicked. The campaign detail page breaks down results per recipient with exact timestamps.

Training Assignment

Export a CSV of all employees who clicked the simulated phishing link. Use this list to assign targeted cybersecurity awareness training to the employees who need it most.

Templates

  • CEO Wire Transfer (Hard) — BEC attack requesting urgent payment
  • IT Password Expiry (Medium) — Fake password reset with countdown
  • FedEx Delivery (Easy) — Package delivery failure notice
  • Vendor Invoice (Medium) — Fake invoice with payment link
  • Microsoft 365 Alert (Hard) — Suspicious sign-in from another country

Creating Custom Templates

You can create your own simulation templates tailored to your organization's industry, tools, and common attack scenarios. Custom templates use HTML for the email body and support these personalization placeholders:

  • {{TRACKING_URL}} — Required. The trackable link that logs clicks. Place this in your CTA button or anchor tag.
  • {{FIRST_NAME}} — Recipient's first name (extracted from display name or email). Falls back to "Team Member".
  • {{COMPANY_NAME}} — Your organization's name as set in Phishivox. Falls back to "Your Company".
  • {{EMAIL}} — Recipient's full email address.

Example 1: IT Software Update

Subject: Mandatory: Install critical security update by EOD

Body HTML:

<div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
  <p>Hi {{FIRST_NAME}},</p>
  <p>Our IT team has released a <strong>critical security patch</strong> that must be installed on all company devices by end of day today.</p>
  <p>Please download and install the update immediately:</p>
  <p style="text-align: center; margin: 24px 0;">
    <a href="{{TRACKING_URL}}" style="background: #0066cc; color: white; padding: 12px 32px; border-radius: 6px; text-decoration: none; font-weight: bold;">
      Download Security Patch
    </a>
  </p>
  <p style="color: #666; font-size: 13px;">
    Failure to install this patch may result in restricted network access.
  </p>
  <p>IT Security Team<br>{{COMPANY_NAME}}</p>
</div>

Example 2: HR Benefits Enrollment

Subject: Action Required: Open enrollment closes Friday

Body HTML:

<div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
  <p>Dear {{FIRST_NAME}},</p>
  <p>This is a reminder that open enrollment for 2026 benefits closes this Friday at 5:00 PM.</p>
  <p>If you haven't selected your benefits yet, please do so now to avoid losing coverage:</p>
  <p style="text-align: center; margin: 24px 0;">
    <a href="{{TRACKING_URL}}" style="background: #16a34a; color: white; padding: 12px 32px; border-radius: 6px; text-decoration: none; font-weight: bold;">
      Select My Benefits
    </a>
  </p>
  <p style="color: #666; font-size: 13px;">
    Questions? Contact HR at hr@{{COMPANY_NAME}}.com
  </p>
  <p>Human Resources<br>{{COMPANY_NAME}}</p>
</div>

Example 3: Shared Document (Plain Text Style)

Subject: John shared "Q2 Budget Review.xlsx" with you

Body HTML:

<div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
  <p>{{FIRST_NAME}},</p>
  <p>John from Finance shared a document with you:</p>
  <p><strong>Q2 Budget Review.xlsx</strong></p>
  <p><a href="{{TRACKING_URL}}" style="color: #0066cc;">
    Open in OneDrive
  </a></p>
  <p style="color: #999; font-size: 12px;">
    This link will expire in 7 days.
  </p>
</div>

Tips for Effective Simulation Templates

  1. Match your org's real tools — If your company uses Slack, create a "Slack notification" template. If you use Jira, create a "Jira ticket assigned" template.
  2. Use urgency but keep it believable — "by end of day" is more realistic than "in 1 hour or your account is deleted."
  3. Test difficulty levels — Start with "easy" templates (obvious red flags) and progress to "hard" (very convincing) over multiple campaigns.
  4. Always include {{TRACKING_URL}} — Without it, there's no way to track who clicked.
  5. Set the right difficulty rating — This helps you analyze results by difficulty and track improvement over time.
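A pre-flight check for custom template bodies, as an added example that is not part of Phishivox: it verifies that an anchor's href is {{TRACKING_URL}}, reports placeholders outside the four documented ones (including case or spacing variants), and lists hard-coded links whose clicks would go unrecorded. The function name `lint_template` and the sample bodies are assumptions of this example; `GOOD_BODY` is a condensed form of Example 3.

```python
import re
from html.parser import HTMLParser

ALLOWED = {"TRACKING_URL", "FIRST_NAME", "COMPANY_NAME", "EMAIL"}  # placeholders listed on this page
PLACEHOLDER = re.compile(r"\{\{([^{}]*)\}\}")


class _LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag in the template body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [(value or "").strip() for name, value in attrs if name == "href"]


def lint_template(body_html: str) -> list:
    problems = []
    # Anything in double braces that is not an exact documented name is reported.
    for name in sorted(set(PLACEHOLDER.findall(body_html)) - ALLOWED):
        problems.append("{{%s}} is not a supported placeholder" % name)
    collector = _LinkCollector()
    collector.feed(body_html)
    if "{{TRACKING_URL}}" not in collector.hrefs:
        problems.append("no <a href> equals {{TRACKING_URL}}, so clicks cannot be logged")
    for href in collector.hrefs:
        if href.lower().startswith(("http://", "https://")):
            problems.append("hard-coded link is not tracked: " + href)
    return problems


# Constructed sample bodies.
GOOD_BODY = ('<div><p>{{FIRST_NAME}},</p><p>John from Finance shared a document with you:</p>'
             '<p><a href="{{TRACKING_URL}}" style="color: #0066cc;">Open in OneDrive</a></p></div>')
BAD_BODY = ('<p>Hi {{first_name}} {{LAST_NAME}},</p>'
            '<p><a href="https://intranet.corp.example/update">Install update</a></p>')

if __name__ == "__main__":
    print(lint_template(GOOD_BODY))
    print("\n".join(lint_template(BAD_BODY)))
```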

Access control

Simulations are available to org admins only. All campaigns include an X-Phishivox-Simulation: true header and are fully audit-logged.

Dashboard & Analytics

The Enterprise Gateway Dashboard provides a real-time view of your organization's email security posture.

Metrics

  • Emails scanned today — Total inbound emails processed by the gateway.
  • Threats caught — Number of phishing, suspicious, and spam emails detected.
  • URLs rewritten — Total links protected with time-of-click scanning.
  • Quarantined — Emails currently in quarantine awaiting review.

Trend charts

View threat trends over 7, 30, or 90 days. Identify patterns such as phishing campaigns targeting specific users or departments.

Top targeted users

See which users receive the most phishing attempts. Use this data to prioritize security awareness training.

Settings & Policies

Configure the gateway behavior for your organization from Gateway → Settings.

Available settings

| Setting | Default | Description |
| --- | --- | --- |
| Auto-quarantine threshold | 0.65 | Emails scoring above this are quarantined automatically |
| URL rewriting scope | All emails | Rewrite all URLs or only in emails above a score threshold |
| Warning bypass | Enabled | Allow users to proceed past warnings with justification |
| Admin alerts | Phishing only | Email alerts for phishing detections, suspicious, or all events |
| User notifications | Daily digest | How users are notified about quarantined emails |
| Trusted domains | None | Domains to skip scanning (e.g., your own internal domain) |
| Quarantine retention | 30 days | How long quarantined emails are kept before auto-deletion |