The short version

Email security tools scan inbound emails for phishing links, malware, and suspicious senders. Petra monitors Microsoft 365 activity to detect when an attacker has actually compromised an account. These are two different layers of defense. If a phishing email lands in a user’s inbox and nobody clicks it, email security did its job by flagging it. Petra has nothing to flag because no account was compromised.
Spotted a phish that slipped through and want it gone before anyone clicks? You can pull it from a single tenant or sweep it across every tenant you manage. See Cross-Tenant Phish Removal.

What email security does

Email security tools (Defender, Proofpoint, Abnormal, IRONSCALES, etc.) sit in the mail flow and inspect messages before or as they arrive:
  • Block or quarantine emails with known-malicious links or attachments
  • Flag suspicious senders, spoofed domains, or social engineering patterns
  • Alert when a user clicks a phishing link
  • Scan attachments for malware
Their job is to stop the phishing email from reaching the user, or to alert you when one gets through.

What Petra does

Petra is an identity threat detection and response (ITDR) tool. It monitors Microsoft 365 activity logs, not email content:
  • Detects when an attacker successfully logs into an account
  • Identifies session hijacking, token theft, and AiTM (adversary-in-the-middle) attacks
  • Tracks what an attacker does after compromise: email access, inbox rule creation, lateral movement, data exfiltration
  • Responds automatically by locking the account, revoking sessions, and removing persistence mechanisms
Petra’s job starts where email security’s job ends. Email security tries to prevent the phishing email from succeeding. Petra detects when an attacker gets in despite those defenses.

The common question

“My email security tool caught a phishing email, but Petra didn’t alert. Why not?”
A phishing email landing in an inbox is not an account compromise. The email security tool flagged the email itself. Petra monitors for the outcome of a successful attack: an attacker logging in, accessing data, or setting up persistence. If the user didn’t click the link, or clicked it but didn’t enter credentials, or entered credentials but MFA blocked the attacker, then no compromise occurred. Petra correctly did not alert.

When Petra does alert

Petra alerts when it detects evidence that an attacker has gained access to an account:
  • Logins from attacker infrastructure (datacenter IPs, hosting providers, known-malicious proxies)
  • Session anomalies indicating token theft or AiTM
  • Malicious inbox rules created to hide attacker activity
  • Unauthorized email access or sent messages
  • App consent grants from suspicious sources
  • Lateral movement to other accounts in the tenant

When Petra does not alert

Petra does not alert on:
  • Phishing emails arriving in a user’s inbox
  • Failed login attempts or password sprays that did not succeed
  • A user clicking a phishing link (unless it leads to a successful compromise)
These are signals that email security and endpoint tools handle. Petra focuses on what happens after the perimeter is breached.
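The two lists above, "when Petra does alert" and "when Petra does not alert", come down to one rule: failed attempts and delivered phishing mail are perimeter signals, while a successful sign-in from attacker infrastructure, a mail-hiding inbox rule, or mailbox access from that same address is evidence the account is already in an attacker's hands. The script below is an added example of that triage logic, not Petra's own code. It runs over a handful of constructed events shaped loosely like Microsoft 365 Unified Audit Log records (UserLoginFailed, UserLoggedIn, New-InboxRule, MailItemsAccessed). The "hosting" address range is a constructed stand-in (RFC 5737 TEST-NET-3) for the datacenter and proxy intelligence a real product would use, and the user names, IPs and rule parameters are all made up for the demonstration.

```python
"""Added example: triaging constructed Microsoft 365 audit-log events the way an
ITDR layer would, splitting perimeter signals (no alert) from evidence of a
compromised account (alert). Not Petra's code; events and ranges are constructed."""
import ipaddress

# Constructed stand-in for attacker/hosting address space. A real detection would
# consult hosting-provider and proxy intelligence; TEST-NET-3 is used here so no
# real provider is named.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Inbox-rule parameters that move, delete or forward mail: the usual ways an
# attacker hides replies or copies correspondence out of the mailbox.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "ForwardTo",
                 "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events, simplified from the Unified Audit Log record shape.
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges standing in for
# "somewhere on the internet" and "the user's normal network".
SAMPLE_EVENTS = [
    {"Id": 1, "Operation": "UserLoginFailed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"Id": 2, "Operation": "UserLoginFailed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"Id": 3, "Operation": "UserLoginFailed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"Id": 4, "Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.45", "ResultStatus": "Success"},
    {"Id": 5, "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.45",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice",
                    "DeleteMessage": "True"}},
    {"Id": 6, "Operation": "MailItemsAccessed", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.45", "ResultStatus": "Success"},
    {"Id": 7, "Operation": "UserLoggedIn", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.10", "ResultStatus": "Success"},
]


def is_hosting_ip(ip: str) -> bool:
    """True when the address falls in the (constructed) hosting/datacenter ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def hiding_parameters(event: dict) -> set:
    """Mail-hiding parameters set on an inbox-rule event; empty for other events."""
    if event["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return set()
    return HIDING_PARAMS & set(event.get("Parameters", {}))


def triage(events: list) -> tuple:
    """Return (findings, ignored).

    findings maps a user to the indicators that together suggest the account is
    controlled by an attacker; ignored lists (event id, reason) pairs for events
    that matter to other layers but are not evidence of a compromise by themselves.
    """
    findings, ignored = {}, []

    def flag(user, event_id, reason):
        entry = findings.setdefault(user, {"indicators": [], "event_ids": []})
        entry["indicators"].append(reason)
        entry["event_ids"].append(event_id)

    for ev in events:
        op, user, eid = ev["Operation"], ev["UserId"], ev["Id"]
        from_hosting = is_hosting_ip(ev["ClientIP"])

        if op == "UserLoginFailed":
            # Password sprays and guessed passwords that never got in.
            ignored.append((eid, "failed sign-in: perimeter signal, no compromise"))
        elif op == "UserLoggedIn":
            if from_hosting:
                flag(user, eid, "successful sign-in from hosting/datacenter address")
            else:
                ignored.append((eid, "routine successful sign-in"))
        elif hiding_parameters(ev):
            params = ", ".join(sorted(hiding_parameters(ev)))
            flag(user, eid, f"inbox rule that hides or forwards mail ({params})")
        elif op == "MailItemsAccessed" and from_hosting:
            flag(user, eid, "mailbox read from hosting/datacenter address")
        else:
            ignored.append((eid, f"{op}: not an ITDR indicator by itself"))

    return findings, ignored


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_EVENTS)
    for user, detail in found.items():
        print(f"ALERT {user}: events {detail['event_ids']}")
        for reason in detail["indicators"]:
            print(f"  - {reason}")
    print(f"{len(skipped)} events left to perimeter tools")
```

Running it produces one finding, for bob, built from three events in sequence: the sign-in from the hosting range, the rule that silently deletes "invoice" mail, and the mailbox read from the same address. Alice's three failed sign-ins and Carol's normal sign-in are left to the perimeter tools, which is the same outcome the article describes for a phish that lands but never leads to a successful login. Note that the delivered phishing email itself never appears in this log at all; that is exactly why an activity-log-based tool has nothing to alert on until an account is actually used by an attacker.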

How they work together

Email security and ITDR are complementary. Think of them as two checkpoints:
  1. Email security tries to stop the attack before it starts by blocking the phishing email or alerting on a clicked link.
  2. Petra catches attacks that get past email security, endpoint protection, and MFA. When an attacker successfully compromises an account, Petra detects it, investigates the full scope, and responds.
No email security tool catches everything. Attackers constantly evolve their techniques to bypass filters. When a phishing email does get through and leads to a compromise, Petra is the layer that detects and stops the attacker.
For more on how Petra detects and responds to compromises, see What is Petra Response and Investigate What the Attacker Did.