Viewing Detected Messages

Gain intelligence about the context of a spear-phishing attack by investigating a wide array of information facets. Review the email headers to quickly verify the email message origin and how it was routed. Investigate attacks trending on your network by correlating common characteristics (examples: email subjects that appear to be your Human Resource department or fake internal email addresses). Based on the detections, change your policy configuration and warn your users to take preventive measures against similar attacks.

Procedure

Go to Detections → Detected Messages.
Specify the search criteria.

See Detected Message Search Filters.
Click Search.

All email messages matching the search criteria appear.

View the results.

Header

Description

Investigate the email message to learn more about potential threats.

For details, see Investigating a Detected Message.

Received

View the date and time that the suspicious email message first passes TippingPoint Advanced Threat Protection for Email.

Note

There is a short delay between when TippingPoint Advanced Threat Protection for Email receives an email message and when the email message appears in the Detected Messages tab.

Risk Level

View the level of potential danger exhibited in a suspicious email message. For details, see Detected Risk.

Recipients

View the detected message recipient email addresses.

Sender

View the sending email address of the detected message.

Email Subject

View the email subject of the suspicious email message.

View the number of email messages with embedded malicious links.

View the number of email messages with malicious file attachments.

Threat

View the name and classification of the discovered threat. For details, see Threat Type Classifications.

Action

View the final result after scanning and analyzing the email message. The result is the executed policy action.

Note

In BCC mode and SPAN/TAP mode, the action is always Monitoring only.

Detected Message Search Filters

The following table explains the search filters for querying suspicious messages. To view the detected messages, go to Detections → Detected Messages.

Note

Search filters do not accept wildcards. TippingPoint Advanced Threat Protection for Email uses fuzzy logic to match search criteria to email message data.

Filter

Description

Risk level

Select the email message risk level. For details about risk levels, see Email Message Risk Levels.

Action

Select an action from the list.

For details, see Configuring the Actions.

Note

In BCC mode and SPAN/TAP mode, the action is always Monitoring only.

Recipients

Specify recipient email addresses. Use a semicolon to separate multiple recipients.

Period

Select a predefined time range or specify a custom range.

Sender

Specify the sender email address. Only one address is allowed.

Links

Specify a URL.

Threat type

Select a threat type from the list. For details, see Threat Type Classifications.

Message ID

Specify the unique message ID.

Example: 950124.162336@example.com

Source IP

Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.

A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.

Note

Source IP is the only search filter that requires an exact-string match. TippingPoint Advanced Threat Protection for Email does not use fuzzy logic to match search results for the source IP address.

Threat name

Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.

For information about threat discovery capabilities, see Scanning / Analysis.

Subject

Specify the email message subject.

Attachment

Specify attachment file names. Use a semicolon to separate multiple file names.

Password-protected file

Select email messages that contain a password-protected file.

$('#title').html($('meta[name=description]').attr('content'));