This study addresses the limitations of traditional email filtering methods in detecting social engineering attacks that exploit human trust rather than software vulnerabilities. The authors propose a two-stage “filter-then-verify” framework: first, an inductive graph neural network models the email communication network to identify structurally anomalous messages; second, a co-attention ModernBERT model performs semantic contextual verification on flagged emails to significantly reduce false positives. This approach uniquely integrates structural anomaly detection with semantic validation, enabling effective defense against both multi-stage external attacks and insider threats. Evaluated on an enhanced Enron dataset, the structural filtering stage achieves a recall of 86%, and after BERT-based refinement, the overall precision exceeds 92%.

Social engineering attacks exploit human trust rather than software vulnerabilities, making them difficult to detect using conventional filters. We propose a two-stage filter-then-verify framework combining inductive Graph Neural Networks (GNNs) for structural anomaly detection with a co-attention ModernBERT model for content verification. The GNN identifies anomalous sender-receiver patterns, while BERT analyzes message context to reduce false positives. Using the Enron dataset augmented with realistic synthetic campaigns, we show that the framework achieves 86% recall in structural filtering and over 92% precision after BERT refinement, effectively detecting both external attacks and insider threats. Our results demonstrate that combining structural and content analysis allows practical, scalable detection of multi-stage social engineering attacks in email networks.