ManagedMethods Email Security: Technical Capabilities Overview
1. Overview
ManagedMethods (MM) provides a cloud-native email security layer deployed on top of Google Workspace or Microsoft 365. It operates through direct API integration with Google/Microsoft infrastructure, enabling real-time detection, policy enforcement, and remediation against a broad range of threats, including phishing, spam, malware, and content policy violations across all email directions: incoming, outgoing, and internal (student-to-student).
2. Email Direction Classification
MM classifies every email into one of three directional categories, which control which scanning engines and policies are applied:
Direction | Definition |
Incoming | Sender domain is outside the organization's configured user domains |
Outgoing | Sender is internal; at least one recipient is outside the organization's domains |
Internal | Both sender and all recipients are within the organization's domains |
This classification is applied per-message at processing time using the organization's configured domain list. Policies and risk definitions can be scoped to any combination of these directions. For example, phishing and spam detection are focused on externally originated threats and are thus limited to incoming email only, avoiding false positives on internal or outgoing traffic.
3. Real-Time Processing Architecture
MM hooks into Gmail's Google Cloud Pub/Sub notification system. When a new message is delivered to a monitored mailbox, Google pushes a notification to MM in real time. MM then:
Retrieves the full message via the Gmail API (RFC 5322 format)
Extracts headers, body, and attachments
Runs the full scanning pipeline synchronously
Evaluates all applicable policies
Executes any triggered remediation actions — immediately, or on a configured delay
This pipeline runs per-message with no batching. Each message is processed as soon as the Pub/Sub notification is received. Duplicate notifications are deduplicated before processing to prevent double-execution of remediation actions.
Historical scanning is also supported via Gmail's History API, which allows MM to catch up on messages delivered during any gap in notification coverage, using paginated changelog retrieval.
4. Content Scanned Per Email
MM extracts and scans the following fields from every email:
Subject line — inspected against policy conditions and risk patterns
Message body — full text content (HTML stripped to plain text for analysis)
Attachment content — binary files are parsed using a content analysis library to extract text before scanning
URLs — extracted from both body and attachments; scanned independently for threat indicators
Email headers — sender, recipients, message ID, timestamps
5. Risk Scanning: Keywords and Regular Expressions
5.1 Risk Definitions and Patterns
MM's content scanning is built around Risk Definitions, each of which contains one or more Risk Patterns. A Risk Pattern is the atomic unit of detection and supports:
Keywords — a set of words or phrases matched case-insensitively using word-boundary-aware regular expressions
Regular expressions (regex) — one or more full regex patterns matched against the scanned content
Context words — optional trigger terms; when configured, a pattern only fires if a context word is found within a configurable character window of the keyword/regex match
Sanitization patterns — regex patterns applied to content before matching, stripping known false-positive strings (e.g., common formatting artifacts, known-safe sequences)
Match threshold — the minimum number of individual keyword/regex matches required before the risk definition is considered triggered
Multiple Risk Patterns can be grouped under a single Risk Definition, enabling compound detection logic.
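The order in which those fields interact (sanitize, match, check context, count against the threshold) is easiest to see in code. The following is an added illustration, not ManagedMethods code: the `RiskPattern` class, its field names, and the sample patterns and messages are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

def _word(term):
    # Case-insensitive, word-boundary-aware match for a literal keyword or phrase.
    return re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)

@dataclass
class RiskPattern:  # hypothetical structure mirroring the fields listed above
    keywords: list = field(default_factory=list)
    regexes: list = field(default_factory=list)
    context_words: list = field(default_factory=list)
    context_window: int = 40   # characters on each side of a match
    sanitizers: list = field(default_factory=list)
    threshold: int = 1         # minimum number of matches to trigger

    def matches(self, text):
        # 1. Sanitization runs first, so stripped strings can never match.
        for pattern in self.sanitizers:
            text = re.sub(pattern, " ", text)
        detectors = [_word(k) for k in self.keywords]
        detectors += [re.compile(r) for r in self.regexes]
        spans = [x.span() for c in self.context_words
                 for x in _word(c).finditer(text)]
        w, hits = self.context_window, []
        for detector in detectors:
            for m in detector.finditer(text):
                # 2. With context words configured, a hit needs one wholly
                #    inside the character window around the match.
                near = any(s >= m.start() - w and e <= m.end() + w for s, e in spans)
                if near or not self.context_words:
                    hits.append(m.group(0))
        return hits

    def triggered(self, text):
        # 3. The threshold counts individual matches, not distinct patterns.
        return len(self.matches(text)) >= self.threshold

# Constructed sample patterns (not real product definitions).
SSN = RiskPattern(regexes=[r"\b\d{3}-\d{2}-\d{4}\b"],
                  context_words=["ssn", "social security"], context_window=30,
                  sanitizers=[r"Ticket ID: \d{3}-\d{2}-\d{4}"])
VAPING = RiskPattern(keywords=["vape", "nic"], threshold=2)

if __name__ == "__main__":
    print(SSN.matches("My SSN is 123-45-6789, please update the form."))
    print(SSN.matches("Part number 123-45-6789 ships Monday."))
    print(VAPING.triggered("Bring the vape to the picnic"))
```

The context check is what separates the first sample from the second, and the word-boundary rule is what keeps "picnic" from counting as a second keyword hit.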
5.2 Risk Categories
Risk Definitions are organized into categories:
Safety
Profanity and obscene language (bullying, common, LGBTQ, racial, sexual)
Self-harm content (strict and moderate thresholds)
Substance abuse and vaping references
Toxic behavior (threats, insults, identity attacks)
FERPA and IEP compliance keywords
Aggressive behavior
Security
Phishing indicators
Spam classification
PII — US Social Security Numbers, Driver's Licenses, Passports, Phone Numbers
PCI — Credit card numbers (with Luhn check-digit validation)
Custom
Fully administrator-defined keyword sets and regex patterns
5.3 Direction Scoping
Each Risk Definition can be scoped to specific email directions (incoming, outgoing, internal) per monitored account. This means, for example, a PII risk can be configured to fire only on outgoing email while a self-harm keyword risk fires on internal student-to-student messages.
6. Phishing Detection
MM's phishing detection is a dedicated pipeline applied to incoming email. It operates independently from general content risk scanning.
Detection Signals
URL threat analysis — URLs extracted from message body and attachments are evaluated against a sourced database (currently PhishTank and Web Risk, but subject to change in the future) of known phishing URLs.
Pattern-based classification — phishing-specific Risk Definitions using keyword and regex matching on message body content (added by the user).
Spam/phishing risk type — a dedicated spam/phishing classification uses an LLM to evaluate subject, body, and headers across multiple indicators and determine whether an email is likely a phishing attempt (beta).
Phishing Scan States
Every incoming email receives a phishing scan status:
Status | Meaning |
NON_PHISHING | Scanned, no threat found |
PHISHING | Confirmed phishing indicator |
SPAM_PHISHING | Flagged by spam/phishing classifier |
IGNORED | Manually excluded from phishing enforcement |
FEEDBACK_NON_PHISHING | Reclassified clean by administrator |
FEEDBACK_PHISHING | Reclassified as phishing by administrator |
Administrators can submit feedback to reclassify messages, and exclusion rules can be applied to suppress phishing detection for specific senders, recipients, or subject patterns.
7. Malware and Attachment Scanning
MM integrates with third-party malware scanning engines for file attachment analysis:
Avira — Primary scanning engine
Malware Classifications
Result | Meaning |
CLEAN / SAFE | No threat detected |
SUSPICIOUS | Potential threat; flagged for review |
MALICIOUS | Confirmed malware |
UNKNOWN_THREAT | Engine could not classify |
ERROR_WHILE_SCANNING | Scan failed |
Hash-Based Deduplication
Previously scanned file hashes (MD5) are cached. Files with known-clean or known-ignored hashes bypass re-scanning, reducing API calls and improving throughput. Administrators can add specific file hashes to an ignore list.
8. Policy Engine
8.1 Policy Conditions
Policies are assembled from combinations of conditions evaluated against each email. Available condition types include:
Condition | Description |
MONITOR_FILE_SOURCE | Email direction (incoming / outgoing / internal) |
MONITOR_RISK | Triggered risk definition |
MONITOR_URL_THREAT_SCAN | URL threat detection result |
MONITOR_MALWARE | Malware scan result |
MONITOR_EMAIL_SUBJECT | Subject line pattern match |
MONITOR_FROM_SPECIFIC_USER | Sender address filter |
MONITOR_TO_SPECIFIC_USER | Recipient address filter |
MONITOR_SHARE_FROM_OUTSIDE_DOMAIN | Sender originates from outside org domain |
All conditions in a policy must match for the policy to trigger (AND logic). Policies are evaluated in priority order, and multiple policies can be active simultaneously.
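The direction rules from section 2 and the AND/priority evaluation described here fit together as follows. This is an added sketch, not ManagedMethods code: the condition names come from the table above, while the function names, the policy dictionaries, the risk labels, the `school.example` domain, and the choice that a lower priority number is evaluated first are assumptions.

```python
def classify_direction(sender, recipients, org_domains):
    """Apply the direction table: incoming, outgoing or internal."""
    domains = {d.lower() for d in org_domains}

    def inside(address):
        return address.rsplit("@", 1)[-1].lower() in domains

    if not inside(sender):
        return "incoming"
    # An internal sender with even one outside recipient is outgoing.
    return "internal" if all(inside(r) for r in recipients) else "outgoing"


def evaluate(policies, facts):
    """Return names of triggered policies in priority order.

    facts maps a condition type to the set of values observed on the message;
    a condition matches when an accepted value was observed, and every
    condition of a policy must match (AND logic).
    """
    ordered = sorted(policies, key=lambda p: p["priority"])  # assumption: lowest first
    return [p["name"] for p in ordered
            if all(facts.get(cond, set()) & accepted
                   for cond, accepted in p["conditions"].items())]


# Constructed policies; risk names and the priority scheme are illustrative.
POLICIES = [
    {"name": "pii-leaving-org", "priority": 2, "conditions": {
        "MONITOR_FILE_SOURCE": {"outgoing"}, "MONITOR_RISK": {"PII"}}},
    {"name": "malware-any-direction", "priority": 1, "conditions": {
        "MONITOR_MALWARE": {"MALICIOUS", "SUSPICIOUS"}}},
    {"name": "self-harm-internal", "priority": 3, "conditions": {
        "MONITOR_FILE_SOURCE": {"internal"}, "MONITOR_RISK": {"SELF_HARM"}}},
]


def facts_for(sender, recipients, risks, malware, org_domains=("school.example",)):
    direction = classify_direction(sender, recipients, org_domains)
    return {"MONITOR_FILE_SOURCE": {direction}, "MONITOR_RISK": set(risks),
            "MONITOR_MALWARE": {malware}}


if __name__ == "__main__":
    msg = facts_for("teacher@school.example",
                    ["a@school.example", "parent@mail.example"], ["PII"], "SUSPICIOUS")
    print(evaluate(POLICIES, msg))
```

Because conditions are ANDed, the same PII hit on a purely internal message triggers nothing here, which is the behaviour to confirm when reviewing direction-scoped policies.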
8.2 Remediation Actions
When a policy is triggered, one or more of the following actions can be executed:
Action | Description |
Delete email | Permanently removes the violating email from the mailbox |
Trash email | Moves the email to the Gmail Trash folder |
Add label | Applies a custom Gmail label to the email for routing or visibility |
Send warning | Dispatches a notification to the sender, recipient, and/or configured admin addresses |
No action (log only) | Records the violation without any remediation |
Actions can be executed immediately (delay = 0) or scheduled with a configurable delay, enabling a review window before destructive actions are taken.
8.3 Execution Tracking
Every policy execution is tracked with a status:
EXECUTED — action completed successfully
SCHEDULED — delayed action queued for future execution
PARTIALLY_EXECUTED — some actions succeeded, others failed
FAILED — action could not be completed
This allows administrators to audit policy enforcement and identify delivery or permission failures.
9. Quarantine
MM maintains a quarantine store for emails removed from circulation by policy enforcement.
Quarantine Operations
Operation | Description |
Quarantine | Email is removed from the mailbox and placed in the user's trash, and a record of the change is stored in MM's Policy Violations table |
Restore | Email is returned to the original mailbox; duplicate restoration is prevented |
Query | All quarantined emails for a given account or organization can be retrieved |
Quarantine state is tracked per email and per monitored account. Restoration is logged and protected against re-execution.
10. Exclusions and Allowlisting
MM provides granular exclusion rules to suppress false positives:
Sender exclusions — suppress policy or phishing enforcement for specific sender addresses
Recipient exclusions — suppress enforcement for specific recipient addresses
Subject exclusions — suppress enforcement for emails matching specific subject patterns
Phishing-specific exclusions — separate exclusion list scoped only to phishing detection
File name exclusions — suppress attachment scanning for specific file name patterns
Exclusions are scoped per exclusion type (policy-level or phishing-level) and apply to all users within the configured view.
11. Summary: Capability Matrix
Capability | MM |
Real-time scanning (Pub/Sub) | Yes |
Incoming email scanning | Yes |
Outgoing email scanning | Yes |
Student-to-student (internal) scanning | Yes |
Keyword-based detection | Yes |
Regex (pattern)-based detection | Yes |
Context-aware pattern matching | Yes |
Phishing detection | Yes (incoming only) |
Spam detection | Yes (incoming only) |
URL threat scanning | Yes (configurable) |
Anti-malware (third-party engine) | Yes (Cylance2, Avira) |
Attachment content scanning | Yes (Tika-based text extraction) |
Email quarantine | Yes |
Quarantine restore | Yes |
Delete / Trash email actions | Yes |
Gmail label application | Yes |
Admin/user warning notifications | Yes |
Delayed remediation execution | Yes |
Exclusion / allowlist rules | Yes |
Direction-scoped policies | Yes |
PII detection (SSN, DL, Passport, Phone) | Yes |
PCI detection (credit card + Luhn) | Yes |
Custom risk definitions | Yes |
ML-based scanning | Yes (multiple modes) |
Image content scanning | Yes (remote ML) |
Document prepared for technical evaluation purposes. Feature availability may vary by deployment configuration and licensing tier.
