Advanced Spam Protection

Cloud App Security leverages Content Scanning to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect the users of your email service (Exchange Online or Gmail) from BEC, ransomware, advanced phishing, and other high-profile attacks. It uses the following components to implement heuristic policies for detecting unwanted content and for blocking or automatically allowing an email message:

  • Trend Micro Antispam Engine

  • Trend Micro spam pattern files

Trend Micro updates both the engine and pattern files frequently and makes them available for download. Cloud App Security automatically downloads these components through a scheduled update.

The Antispam engine uses spam signatures and heuristic rules to filter email messages. It scans email messages and assigns a spam score to each one based on how closely it matches the rules and patterns from the pattern file. It then compares the score to the user-defined spam detection level, and sends the result to Cloud App Security. When the spam score exceeds the detection level, Cloud App Security takes action against the email message based on the spam category that the message falls into. You cannot modify the method that the Antispam engine uses to assign spam scores, but can adjust the detection levels used by Cloud App Security to decide what is spam and what is not spam.

In addition, Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats. For more information, see About Writing Style DNA.

About Writing Style DNA

Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats.

By leveraging the writing style analysis that comes with Writing Style DNA, Cloud App Security scans the email messages written by a chosen individual to learn their particular writing style, and then trains a writing style model on the email system for authorship identification. This writing style model is a set of properties or features, derived with automated methods, that uniquely identify the way an individual composes email messages. Cloud App Security then compares incoming email messages to protected mailboxes that claim to be sent from that individual against the model to verify authorship.

Note:

In this release, writing style analysis applies to email messages written in English, Japanese, German, French, and Spanish.

This requires Cloud App Security to train and analyze a specific writing style model for each high profile user. As users' writing style models may change over time, it is also necessary to keep updating them to fine-tune email filtering. Therefore, once this feature is enabled, Cloud App Security starts training the writing styles of high profile users to build up usable personal models, and improves them as new written email messages become available.

Configuring Advanced Spam Protection

  1. Select Enable Advanced Spam Protection.
  2. Optionally select Allow Trend Micro to collect suspicious email information to improve its detection capabilities.
  3. Configure Rules settings.
    Option / Description

    Apply to

    Select the scope of email messages that Advanced Spam Protection applies to.

    • All messages

    • Incoming messages

      Note:

      Incoming messages means that this policy applies only to incoming email messages sent from non-internal domains.

    Detection Level

    Select a detection level. Options include:

    • High: This is the most rigorous level of spam detection. Cloud App Security monitors all email messages for suspicious files or text, but there is a greater chance of false positives. False positives are those email messages that Cloud App Security filters as spam when they are actually legitimate email messages.

    • Medium: Cloud App Security monitors at a high level of spam detection with a moderate chance of filtering false positives.

    • Low: This is the most lenient level of spam detection. Cloud App Security only filters the most obvious and common spam messages, so there is a very low chance that it will filter false positives.

    Enhanced BEC Detection

    Go to Administration > Global Settings > High Profile Users or Internal Domains, and specify high profile users or internal domains as necessary.

    Note:

    This enables Cloud App Security to further check email messages claimed to be sent from most frequently forged users or domains, apply fraud checking criteria to identify forged messages, and take actions on the BEC attacks.

  4. Configure Writing Style Analysis for BEC settings.
    Note:

    This feature provides an enhanced way for Cloud App Security to train the writing style models of high profile users to detect probable BEC attacks. Additional configurations are required.

    Before configuring writing style analysis settings, go to Administration > Global Settings to configure:

    Configure the Writing Style Analysis for BEC settings. For details, see Configuring Writing Style Analysis for BEC.

  5. Configure Approved/Blocked Sender List.
    1. Select Enable the approved sender list.
    2. Specify a sender email address to exclude from scanning and click Add >.
      Note:

      Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.

      To approve all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.

    3. Optionally click Import to import sender email addresses in batches.
    4. Select Enable the blocked sender list.
    5. Specify a sender email address to block without scanning, and click Add >.
      Note:

      Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.

      To block all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.

    6. Optionally click Import to import sender email addresses in batches.
    7. Go to Action to set an action for the blocked sender list.
    • For Gmail, Label email and Delete are supported.

    • For other services, Quarantine and Delete are supported.

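The following is an added example, not Trend Micro code, that models the approved/blocked sender list rules from step 5: an entry is either a full address matched literally (no wildcards or regular expressions) or the *@domain form, and the blocked-list action must be one the page lists for the service. Case-insensitive comparison, the rule that a blocked entry wins over an approved one, and the function names are assumptions of this example.

```python
# Added example (not Trend Micro code): models the approved/blocked sender
# list rules described above. Supported entry forms come from the page:
# a full address, matched literally, or *@domain for a whole domain.
# Precedence between the two lists and case-insensitive comparison are
# assumptions of this example.
from typing import Iterable

# Actions the page lists for the blocked sender list, per service.
BLOCKED_LIST_ACTIONS = {
    "Gmail": {"Label email", "Delete"},
    "Exchange Online": {"Quarantine", "Delete"},
}


def normalize(addr: str) -> str:
    return addr.strip().lower()


def is_valid_entry(entry: str) -> bool:
    """Accept only a literal address or the *@domain form; reject anything
    that relies on other wildcards or regular-expression syntax."""
    e = normalize(entry)
    if e.startswith("*@"):
        domain = e[2:]
        return bool(domain) and "*" not in domain and "@" not in domain
    if e.count("@") != 1 or any(c in e for c in "*?[]()^$|\\"):
        return False
    local, domain = e.split("@")
    return bool(local) and bool(domain)


def entry_matches(sender: str, entry: str) -> bool:
    s, e = normalize(sender), normalize(entry)
    if not is_valid_entry(e) or s.count("@") != 1:
        return False
    if e.startswith("*@"):
        # Whole domain only; subdomains do not match (assumption).
        return s.split("@")[1] == e[2:]
    return s == e


def sender_list_decision(service: str, sender: str, approved: Iterable[str],
                         blocked: Iterable[str], blocked_action: str) -> str:
    """Return the blocked-list action, "Skip scan", or "Scan"."""
    if blocked_action not in BLOCKED_LIST_ACTIONS[service]:
        raise ValueError(f"{blocked_action!r} not available for {service}")
    # Assumption: a blocked entry wins over an approved entry.
    if any(entry_matches(sender, e) for e in blocked):
        return blocked_action
    if any(entry_matches(sender, e) for e in approved):
        return "Skip scan"
    return "Scan"
```

An entry such as john*@example.com or *.example.com is silently ineffective in the product because it is neither form, which is why the example rejects it rather than guessing a match.
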
  6. Configure Action settings for each spam category.
    • Exchange Online policies

    Option / Description

    Tag subject

    Cloud App Security adds keywords before the email message subject (Spam: <subject>) to inform the user that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content was infected.

    Delete

    Cloud App Security deletes the entire email message.

    Quarantine

    Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Move to Junk Email folder

    Cloud App Security moves the email message to the user's Junk Email folder.

    • Gmail policies

    Option / Description

    Delete

    Cloud App Security deletes the entire email message.

    Move to Spam

    Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam label.

    Label email

    Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Cloud App Security categorizes spam email messages into:

    • BEC

    • Phishing

    • Ransomware

    • Malicious spam: Spam messages that carry malicious attacks of other types, such as command and control (C&C), malware, and banking Trojans.

    • Other spam: For example, unsolicited commercial email messages or unsolicited bulk email messages.

      Note:

      Optionally select Pass all the messages sent from internal domains if detected as other spam. This helps reduce false positives when Cloud App Security detects some internal email messages as other spam but your organization's security policies treat them as normal messages.

    For details about how advanced spam protection filtering actions apply, see Advanced Spam Protection Filtering Action Criteria.

  7. Configure Notification settings.
    Option / Description

    Notify administrator

    Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    Notification threshold limits how many notification messages are sent. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  8. Click Save or select another policy configuration on the left navigation to continue with additional rules.

Configuring Writing Style Analysis for BEC

  1. Select Enable writing style analysis.

    Cloud App Security automatically starts retrieving email messages written by high profile users from the configured email addresses and analyzing them to train the writing style model for each user. To view the training progress, go to Administration > Global Settings > High Profile Users.

    To train the writing style model of each high profile user added for your email service, that is, Exchange Online or Gmail, you must enable writing style analysis in at least one Advanced Threat Protection policy for that service. If you disable writing style analysis in all policies of that service, the training process is paused and will be resumed when writing style analysis is enabled in at least one policy.

    Important:

    Cloud App Security only scans email messages to train the particular writing style model for each high profile user, and does NOT collect any actual email message or its content.

  2. Select an action.
    • Exchange Online policies

    Option / Description

    Tag subject

    Cloud App Security adds keywords before the email message subject (Probable BEC attack: <subject>) to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content may be a BEC attack.

    Add disclaimer

    Cloud App Security adds a disclaimer message to display at the beginning of the email body to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the disclaimer informs them that the original content may be a BEC attack.

    The disclaimer cannot exceed 512 characters.

    For details about the token in the disclaimer, see Token List.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Delete

    Cloud App Security deletes the entire email message.

    Quarantine

    Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

    • Gmail policies

    Option / Description

    Label email

    Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Delete

    Cloud App Security deletes the entire email message.

    An incoming email message that hits the writing style analysis criteria is subject to the action configured here, regardless of the setting for BEC in Action.

    If writing style analysis is enabled in more than one policy of an email service, the action configured in the policy with a higher priority applies.

    If you want an email address related to a high profile user to be skipped from writing style verification scanning, add the email address to the High Profile User Exception List.

  3. Optionally select Notify supposed sender to decide whether to send a notification message to the high profile user who is expected to be the real sender of the email message.
    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the supposed sender.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

    • Optionally select Allow the supposed sender to provide feedback to decide whether to add a feedback option in the notification message.

      The supposed sender can click Yes or No to confirm whether they actually sent the email message. This does not affect the configured action taken on the email message, but helps Trend Micro improve its writing style analysis capabilities.

  4. Optionally select Notify administrator.

    A message specifically designed for writing style analysis violations is sent to notify the administrator that Cloud App Security detected a probable BEC attack through email and took action on the email message. Whether or not the administrator receives the notification message is determined by the settings here, regardless of the setting in Notification.

    • Optionally click Edit notification to modify the message content as necessary. For details about the tokens, see Token List.

    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the administrator.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

Advanced Spam Protection Filtering Action Criteria

Advanced Spam Protection filtering action criteria for Exchange Online are described as follows:

  • For the BEC, phishing, ransomware, and malicious spam categories, the default action is Quarantine, and that for other spam is Move to Junk Email folder.

  • After Cloud App Security takes the Move to Junk Email folder action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple spam categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Quarantine, Move to Junk Email folder, Tag subject, Pass.

  • If an email message is moved to or restored from the Junk Email folder by a user, Cloud App Security will scan and process the message when a new manual scan starts.

  • If an email message is moved to the Junk Email folder by Cloud App Security after the Move to Junk Email folder action is taken, Cloud App Security will not scan and process the message again.

  • If an email message is moved to the Junk Email folder by Exchange Online, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Junk Email folder.

Advanced Spam Protection filtering action criteria for Gmail are described as follows:

  • For the BEC, phishing, ransomware, and malicious spam categories, the default action is Label email, and that for other spam is Move to Spam.

  • After Cloud App Security takes the Move to Spam action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple spam categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Label email, Move to Spam, Pass.

  • If an email message is moved to the Spam label by Gmail, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Spam.
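
The criteria above for both Exchange Online and Gmail, together with the Pass all the messages sent from internal domains if detected as other spam option from the Action settings, amount to one resolution rule. This added example, which is not Trend Micro code, implements that rule: per-category actions are combined and only the highest-priority one is taken, and a message the mail service already moved to Junk Email or Spam is acted on only if the resolved action takes precedence over the move action. The priority orders, defaults and category names are taken from this page; the function and parameter names are this example's own.

```python
# Added example (not Trend Micro code): resolves the effective action when
# an email message hits one or more spam categories, following the filtering
# action criteria above. Priority orders, defaults and category names are the
# page's; the data layout and parameter names are this example's own.
from typing import Dict, Iterable, Optional

# Priority from high to low, per service (from the page).
PRIORITY = {
    "Exchange Online": ["Delete", "Quarantine", "Move to Junk Email folder",
                        "Tag subject", "Pass"],
    "Gmail": ["Delete", "Label email", "Move to Spam", "Pass"],
}
CATEGORIES = ("BEC", "Phishing", "Ransomware", "Malicious spam", "Other spam")
# The "move to junk/spam" action for each service.
MOVE_ACTION = {"Exchange Online": "Move to Junk Email folder", "Gmail": "Move to Spam"}


def default_actions(service: str) -> Dict[str, str]:
    """Defaults from the page: Quarantine (Exchange Online) or Label email
    (Gmail) for the four high-risk categories, the move action for other spam."""
    high = "Quarantine" if service == "Exchange Online" else "Label email"
    return {c: (MOVE_ACTION[service] if c == "Other spam" else high)
            for c in CATEGORIES}


def resolve_action(service: str, categories_hit: Iterable[str],
                   configured: Optional[Dict[str, str]] = None,
                   internal_sender: bool = False,
                   pass_internal_other_spam: bool = False,
                   already_in_junk: bool = False) -> Optional[str]:
    """Return the single action to take, or None if nothing is done."""
    order = PRIORITY[service]
    actions = {**default_actions(service), **(configured or {})}
    candidates = []
    for cat in categories_hit:
        if cat not in CATEGORIES:
            raise ValueError(f"unknown spam category {cat!r}")
        act = actions[cat]
        if act not in order:
            raise ValueError(f"{act!r} is not an action for {service}")
        # Policy option: internal senders detected only as other spam are passed.
        if cat == "Other spam" and internal_sender and pass_internal_other_spam:
            act = "Pass"
        candidates.append(act)
    if not candidates:
        return None
    # Multiple categories: keep only the highest-priority action.
    winner = min(candidates, key=order.index)
    # Already moved to Junk/Spam by the mail service: act only if the
    # resolved action takes precedence over the move action.
    if already_in_junk and order.index(winner) >= order.index(MOVE_ACTION[service]):
        return None
    return winner
```
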