In operations we need to have a bot user who can relay certain messages into tickets (via email). These tickets will often be limited to WMF-NDA and thus the @emailbot user needs to be in WMF-NDA to access them. This is a bot controlled by the ops team. There is no direct login and the certificate is hidden in the SRE private repo.
UPDATE
Talked to Rob and due to the really sensitive nature of things he is thinking #opsen is the more appropriate grouping.