• Patent title: System and method for detecting malicious activity and classifying a network communication based on different indicator types
  • Application number: US15495629
    Filing date: 2017-04-24
  • Publication number: US10033753B1
    Publication date: 2018-07-24
  • Inventors: Ali Islam, Zheng Bu
  • Applicant: FireEye, Inc.
  • Applicant address: US CA Milpitas
  • Patentee: FireEye, Inc.
  • Current patentee: FireEye, Inc.
  • Current patentee address: US CA Milpitas
  • Agency: Rutan & Tucker, LLP
  • Main classification: H04L29/06
  • IPC classification: H04L29/06
Abstract:
One embodiment of a method for detecting a cyber-attack features first and second analyses. The first analysis is conducted on content of a communication to determine at least a first high quality indicator. The first high quality indicator represents a first probative value for classification. The second analysis is conducted on metadata related to the content to determine supplemental indicator(s). Each of the supplemental indicator(s) is represented by a probative value for classification. The communication is classified as being part of the cyber-attack when the first probative value exceeds a predetermined threshold without consideration of the corresponding probative values for the supplemental indicator(s). In response to the first high quality indicator failing to classify the network communication, the corresponding probative values associated with the one or more supplemental indicators are used with at least the first probative value to classify the network communication as being part of the cyber-attack.