In one example, intelligence is gathered about an attacker that is attempting an attack via a malicious exploit message by exploiting the attacker's belief that the attack is succeeding. A received message (e.g., malicious message) sent from a first message account (e.g., attacker) to a second message account (e.g., intended victim) is received. A security risk associated with the received message is determined. It is determined that the security risk associated with the received message meets one or more criteria. Based on the determination that the security risk associated with the received message meets the one or more criteria, a responsive message is sent in response to the received message from a third message account (e.g., security service) to the first message account. The responsive message includes a content reference identified as referring to a content for a user of the first message account. In response to receiving a request made by the user of the first message account using the content reference, access to a message repository associated with the first message account is requested. Once access is granted, the message repository can be analyzed and intelligence about the first message account can be gathered and reported.