Web Reputation Services

With one of the largest domain-reputation databases in the world, Trend Micro web reputation technology tracks the credibility of web domains by assigning a reputation score based on factors including a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis, such as phishing scams that are designed to trick users into providing personal information. To increase accuracy and reduce false positives, Trend Micro Web Reputation Services assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, because often only portions of legitimate sites are hacked, and reputations can change dynamically over time.

Attackers may use phishing websites that are disguised as legitimate websites to steal user credentials that provide access to your network. To enhance its capability of spotting these credential phishing websites, Cloud App Security integrates with dynamic URL scanning and applies it to URLs classified as untested by Trend Micro Web Reputation Services. By crawling the web pages of these URLs in real time, Cloud App Security determines whether the pages contain malicious patterns and takes pre-configured actions to protect users from zero-day phishing attacks.

Cloud App Security also leverages artificial intelligence (AI)-based computer vision to protect cloud service users against credential phishing attacks. It uses this advanced technology to recognize key elements of a valid cloud service logon page to help prevent users from submitting credentials to untrusted sites and help them avoid account compromise.

In this release, for a URL detected as a credential phish, Cloud App Security takes the action configured by the administrator under Action on this URL.

Web Reputation Risk Levels

The following table explains the Web Reputation risk levels. View the table to understand why a URL is classified as dangerous, highly suspicious, or suspicious.

| Risk Level | Description |
| --- | --- |
| Dangerous | The URL is verified to be fraudulent or a known source of threats. |
| Highly suspicious | The URL is suspected to be fraudulent or a possible source of threats. |
| Suspicious | The URL is associated with spam or is possibly compromised. |
| Untested | The URL has not been tested by Trend Micro yet. While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages. |
| Safe | The URL contains no malicious software and shows no signs of phishing. |

Configuring Web Reputation

  1. Select Enable Web Reputation.
  2. Configure Rules settings.
    Option Description

    Apply to

    (Exchange Online and Gmail only) Select the scope of email messages that Web Reputation applies to.

    • All messages

    • Incoming messages

      Note:

      Incoming messages means that this policy applies only to incoming email messages sent from non-internal domains.

    Security Level

    Select Security Level and then the security level that Web Reputation applies to.

    Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold.

    Cloud App Security has three security levels that determine whether it will apply the configured action to a URL with a certain risk level. For details about the risk levels, see Web Reputation Risk Levels.

    • High: Blocks pages that are:

      • Dangerous

      • Highly suspicious

      • Suspicious

      • Untested

    • Medium: Blocks pages that are:

      • Dangerous

      • Highly suspicious

    • Low: Blocks pages that are:

      • Dangerous

    Message Attachments

    (Exchange Online and Gmail only) Select whether to scan message attachment content for suspicious URLs.

  3. (Exchange Online and Gmail only) Configure Approved Sender List.
    1. Select Enable the approved sender list.
    2. Specify a sender email address to exclude from scanning and click Add >.
      Note:

      Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.

    3. Optionally click Import to import sender email addresses in batches.
  4. Configure Approved/Blocked URL List.
    1. Select Enable the approved URL list.
    2. Select Add internal domains to the approved URL list to exclude your internal domains from scanning.
    3. Specify a URL to exclude from scanning and click Add >.
      Note:

      Be aware that regular expressions are not supported.

      For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported.

      For URLs without query parameters, wildcard characters are supported only in the *.example.com and *.example.com/example/* formats.

      For Gmail, only URLs without query parameters are supported.

    4. Optionally click Import to import URLs in batches.
    5. Select Enable the blocked URL list.
    6. Specify a URL to block without scanning and click Add >.
      Note:

      The approved URL list takes precedence over the blocked URL list. If a URL is added to both lists, it will be treated as an approved URL.

      Be aware that regular expressions are not supported.

      For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported.

      For URLs without query parameters, wildcard characters are supported only in the *.example.com and *.example.com/example/* formats.

      For Gmail, only URLs without query parameters are supported.

    7. Optionally click Import to import URLs in batches.
    8. Go to Action to set an action for the blocked URL list.
      • For Gmail, Label email and Delete are supported.

      • For the other services, Quarantine and Delete are supported.

  5. Configure Action settings.

    Cloud App Security protects services by executing specified actions on email messages or files that match scanning conditions. The action depends on the performed scan, the affected service, and the configured actions for that scan.

    • Exchange Online policies
    | Option | Description |
    | --- | --- |
    | Tag subject | Cloud App Security adds a keyword before the email message subject (Suspicious URL: <subject>) to inform the user that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content was infected and was replaced. |
    | Delete | Cloud App Security deletes the entire email message. |
    | Quarantine | Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services. |
    | Pass | Cloud App Security records the detection in a log and the message is unchanged. |

    • SharePoint Online and OneDrive for Business policies
    | Option | Description |
    | --- | --- |
    | Delete | Cloud App Security deletes the file and replaces it with a replacement text file. |
    | Quarantine | Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services. |
    | Pass | Cloud App Security records the detection in a log and the file is unchanged. |
    | Advanced Options | Specify text to replace the original file content when a file is quarantined or deleted. |

    • Box, Dropbox and Google Drive policies
    | Option | Description |
    | --- | --- |
    | Delete | Cloud App Security deletes the file and replaces it with a replacement text file. |
    | Quarantine | Cloud App Security moves the file to a restricted access folder, removing it as a security risk to protected services. |
    | Pass | Cloud App Security records the detection in a log and the file is unchanged. |
    | Advanced Options | Specify text to replace the original file content when a file is quarantined. |

    • Gmail policies
    | Option | Description |
    | --- | --- |
    | Label email | Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox. |
    | Delete | Cloud App Security deletes the entire email message. |
    | Pass | Cloud App Security records the detection in a log and the message is unchanged. |

    Optionally select the Take action on URLs that have not been tested by Trend Micro Web Reputation Services check box to apply the configured action to URLs not yet tested by Trend Micro, for example, newly created URLs or shortened URLs.

  6. Configure Notification settings.
    Option Description

    Notify administrator

    Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    Notification threshold sets limits on messages to send. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

    SharePoint Online, OneDrive for Business, Box, Dropbox and Google Drive: Specify message details that notify the user who uploaded a file that Cloud App Security detected a security risk and took action on their file.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  7. Click Save or select another policy configuration on the left navigation to continue with additional rules.
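
The URL list rules in step 4 (no regular expressions, exact match for URLs with query parameters, two supported wildcard formats, Gmail limited to URLs without query parameters, and the approved list taking precedence over the blocked list) can be checked before a batch import. The following Python script is an added example, not Trend Micro code; its function names, the sample entries, the regular-expression heuristic, and the decision to ignore a leading scheme are assumptions.

```python
import re

# Wildcard formats the page lists as supported (URLs without query parameters).
HOST_WILDCARD = re.compile(r"^\*\.[^*/?#\s]+$")                    # *.example.com
HOST_PATH_WILDCARD = re.compile(r"^\*\.[^*/?#\s]+/[^*?#\s]+/\*$")  # *.example.com/example/*
# Assumption: heuristic for entries that were written as regular expressions.
REGEX_HINT = re.compile(r"\.\*|\.\+|[\^\[\]|\\]")
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
IN_BOTH = "in both lists: treated as approved, so the block entry has no effect"

# Constructed sample lists, not taken from any real deployment.
APPROVED = ["*.example.com", "*.example.com/example/*",
            "www.example.com/login?id=1", "portal.*.example.com"]
BLOCKED = ["bad.example.net/*", "www.example.com/login?id=1",
           "*.example.org/path?x=*"]


def check_entry(entry, service="exchange"):
    """Return the problems found in one approved/blocked URL list entry."""
    problems = []
    bare = SCHEME.sub("", entry.strip())  # assumption: a leading scheme is ignored
    has_query = "?" in bare
    if REGEX_HINT.search(bare):
        problems.append("looks like a regular expression (not supported)")
    if has_query and service == "gmail":
        problems.append("Gmail supports only URLs without query parameters")
    if "*" in bare:
        if has_query:
            problems.append("wildcard with query parameters (exact match only)")
        elif not (HOST_WILDCARD.match(bare) or HOST_PATH_WILDCARD.match(bare)):
            problems.append("wildcard not in a supported format")
    return problems


def lint_lists(approved, blocked, service="exchange"):
    """Map each problematic entry to its problems, including list overlaps."""
    report = {}
    for entry in dict.fromkeys(list(approved) + list(blocked)):  # de-duplicate, keep order
        found = check_entry(entry, service)
        if found:
            report[entry] = found
    for entry in sorted(set(approved) & set(blocked)):
        report.setdefault(entry, []).append(IN_BOTH)
    return report


if __name__ == "__main__":
    for entry, problems in lint_lists(APPROVED, BLOCKED).items():
        print(f"{entry}: {'; '.join(problems)}")
```
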