❶ What is Slash?
Slash is Riot’s solution that protects your employees against sophisticated and targeted phishing attacks that bypass native Google or Microsoft filters.
Slash integrates alongside your email platform (Gmail or Outlook) and relies on large language models (LLMs) to analyze the context and intent of every incoming email. When an email is considered suspicious, a detection banner is injected directly into the body of the message to alert the employee.
👉 The three key features:
Email protection: real-time analysis of all incoming emails.
In-situ alerting: the banner appears directly inside the employee’s mailbox, without requiring any context switching.
Impersonation protection: when Slash suspects that an employee is being impersonated, Albert automatically asks the concerned person for confirmation through a secure channel (Slack, Teams, or Google Chat).
👍 Good to know: Slash complements your existing defenses without interfering with them. It works alongside Microsoft Defender, Mimecast, Proofpoint, or any other upstream filter because it relies on Gmail/Outlook APIs and acts directly inside the user’s mailbox.
❷ How does detection work?
Slash relies on a hybrid model combining two complementary approaches:
Contextual metadata analysis: evaluation of domain security, URLs, headers, and estimation of external sender trustworthiness based on previous communication frequency.
Semantic analysis: powered by large language models (LLMs), it identifies typical phishing scenarios from the context and tone of the message.
👉 Detected phishing scenarios:
Employee impersonation — the sender pretends to be an internal employee in order to manipulate the recipient into performing a sensitive action.
Service impersonation — the email imitates a well-known online service (DocuSign, Microsoft, etc.) to steal credentials.
Extortion attempt — a threatening message demanding payment while claiming to possess compromising information.
Partner payment fraud (warning) — an attempt to impersonate a business partner to request payment or change banking details.
Suspicious indicators (warning) — the email contains technical signals associated with phishing without matching a precise scenario.
👍 Good to know: unlike many solutions, Slash does not trigger an alert for every new sender. Only emails considered potentially malicious generate a banner, preventing employees from being overwhelmed by unnecessary alerts and preserving the value of the signal.
❸ The detection banner
From the employee’s perspective, Slash alerts appear directly inside the email body as an interactive banner.
Each banner contains:
A contextual explanation: a short description explaining the reason for the alert (suspicious tone, urgency, domain inconsistency, suspicious URL, impersonated service, etc.). This helps employees understand the risk and progressively build stronger security reflexes.
Three actions directly accessible from the banner.
❹ The three actions available from the banner
👉 Report
The email is immediately moved to spam for the employee who reported it.
A ticket is created in Inbox (or updated if another employee already reported the same email).
If the Block Threat option is enabled in Inbox and the ticket is confirmed as malicious, the email is moved to spam for all employees who received it, and future emails from the same attack are blocked upon arrival.
👉 I trust this sender (Look safe)
The banner disappears and the employee can reply normally to the email.
Slash remembers that the sender’s domain is considered safe for this employee only — other employees will still see the banner if contacted by the sender.
👉 Learn more (Ask Albert)
A conversation with Albert opens in a new window.
Albert explains why the email appears suspicious and why the employee should avoid replying or clicking on links.
❺ Internal impersonation protection workflow
Slash offers an automatic verification workflow when impersonation of an internal employee is detected. This feature can be enabled in the Slash settings (Auto Impersonation Protection option).
👉 How does it work?
When internal impersonation is suspected, Albert automatically contacts the impersonated employee through a secure channel (Slack, Teams, or Google Chat) to verify the legitimacy of the email:
If the employee confirms impersonation (“No, I’m being impersonated”): the email is immediately moved to spam across all affected mailboxes, and a closed ticket is created in Inbox for tracking purposes.
If the employee confirms legitimacy (“Yep, that was me”): the banner is removed and the email remains in the inbox. No ticket is created.
👍 Good to know: unlike other scenarios where employees must manually report the email from the banner, the impersonation workflow is fully automatic. Albert launches the verification process without waiting for any user action.
❻ Compatibility
Slash requires the mailbox to be hosted on Gmail or Outlook because we use their APIs to inject banners. Once injected, the banner displays correctly across all mail clients, including:
Apple Mail (macOS, iOS)
Outlook desktop, web, and mobile
Gmail web and mobile (Android, iOS)
Any other desktop or mobile client
Slash analysis does not introduce any delay to email delivery.
👍 Key takeaways
Slash is an additional security layer that complements your existing defenses (Defender, Mimecast, Proofpoint, etc.).
Detection relies on a hybrid model: metadata + semantic analysis (LLMs).
The banner offers three clear actions: Report, Trust sender, Learn more.
The internal impersonation workflow is automatic and triggers verification through Slack, Teams, or Google Chat.