Web Reputation Services

Procedure

1. Select Web Reputation.
2. Enable Web Reputation.
3. Configure rule settings.

   Setting	Description
   Apply to	(Exchange Online and Gmail only) Select the scope of email messages that Web Scanning applies to. All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains. Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains. Note For details about internal domains, see Configuring the Internal Domain List For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.
   Security Level	Select Security Level and then the security level that Web Reputation applies to. Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold. Cloud App Security has three security levels that determine whether it will apply the configured action to a URL with a certain risk level. For details about the risk levels, see Web Reputation Risk Levels. High: Blocks pages that are: Dangerous Highly suspicious Suspicious Untested Medium: Blocks pages that are: Dangerous Highly suspicious Low: Blocks pages that are: Dangerous
   Message Attachments	(Exchange Online and Gmail only) Select whether to scan message attachment content, including QR codes, for suspicious URLs. Note Cloud App Security supports scanning the QR codes in the following file formats: JPG, PNG, BMP, TIFF, GIF, and WEBP When you enable this option, Cloud App Security also scans the QR code images in the email body.
   Dynamic URL Scanning	Select whether to further analyze, in real-time, the URLs classified as Untested by the Web Reputation Services, to detect phishing websites. For more information about dynamic URL scanning, see Web Reputation Services.
   Computer Vision	(Exchange Online and Gmail only) Select whether to use computer vision techniques to detect phishing websites. Computer vision is an AI-based advanced detection technology that uses image analysis to detect phishing.
   Retro Scan & Auto Remediate	(Exchange Online and Gmail only) This option is disabled by default. Note This feature is not available for Exchange Online (Inline Mode). Select whether to rescan historical URLs in users' email metadata using newer patterns updated by the Web Reputation Services. Users' email metadata may include undetected suspicious or dangerous URLs that have only recently been discovered. Examination of such metadata is an important part of forensic investigations to determine if your email service is affected by attacks. Cloud App Security collects email metadata of users in your organization and retroactively scans the historical URLs using newer web reputation patterns. Based on the latest scan result, Cloud App Security automatically takes remedial action on the affected email messages. Note URLs in the Approved / Blocked URL Lists and in the email messages that fall into the Approved Sender List or Approved Header Field List will be excluded from scanning. On the screen that appears, click OK to allow Cloud App Security to collect users' email metadata. After this option is enabled, Cloud App Security periodically examines historical URLs. Based on the retro scan results: If the risk level of a URL changes and thus it hits the current policy, Cloud App Security takes the administrator-configured action on the affected email message. If the risk level of a URL changes and thus it no longer hits the current policy, Cloud App Security restores the affected email message when Action was set to Quarantine. Cloud App Security does not undo the action that was set to other values than Quarantine.
   Time-of-Click Protection	Select Enable Time-of-Click Protection. Note Time-of-Click Protection applies to real-time scans for URLs in incoming email messages. To configure actions for those URLs, go to Administration → Global Settings → Time-of-Click Protection Settings. This feature is not available for the outbound protection of Exchange Online (Inline Mode). Select the range of URLs to which Time-of-Click Protection applies.

4. Click Approved/Blocked List.
5. (Exchange Online and Gmail only) Configure the approved sender list.
   1. Select Enable the approved sender list.
   2. Specify a sending email address or domain to bypass Web Reputation scanning and click Add >.

      Note You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.com The following formats are invalid: *@*, *

   3. Optionally click Import to import sender email addresses in batches.
6. Configure the approved/blocked URL lists.
   1. Enable the approved URL list.
   2. (Exchange Online only) Select Add internal domains to the approved URL list to exclude your internal domains from scanning.
   3. Specify a URL to exclude from scanning and click Add >.

      Note Be aware that regular expressions are not supported. For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported. For URLs without query parameters, wildcard characters only in the *.example.com and *.example.com/example/* formats are supported. For Gmail, only URLs without query parameters are supported.

   4. Optionally click Import to import URLs in batches.
   5. Enable the blocked URL list.
   6. Specify a URL to block without scanning and click Add >.

      Note The approved URL list takes precedence over the blocked URL list. If a URL is added into both lists, it will be treated as an approved URL. Be aware that regular expressions are not supported. For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported. For URLs without query parameters, wildcard characters only in the *.example.com and *.example.com/example/* formats are supported. For Gmail, only URLs without query parameters are supported.

   7. Optionally click Import to import URLs in batches.
   8. Go to Action to set an action for the blocked URL list.
      • For Gmail, Label email, Delete, and Quarantine are supported.
      • For the other applications and services, Quarantine and Delete are supported.
7. (Exchange Online only) Configure the approved header field list.
   1. Enable the approved header field list.
   2. Specify a header field name in the Name text box and a value for the field in the Value text box, and select Contains or Equals as necessary.
   3. Click Add.
      The specified entry appears in the area below.

      When the specified header field of an email message contains or exactly matches with the specified value depending on whether Contains or Equals is selected, the message will not be scanned by Web Reputation for malicious and suspicious URL detection, but will still go through the other security filters in the policy.

      Note Be aware that Name and Value are case sensitive, and wildcard characters and regular expressions are not supported. The header field name and value cannot exceed 128 characters.

   4. Optionally repeat steps b and c to add another header field as necessary.
      The email message whose header field hits any of the specified entries will not be scanned by Web Reputation.

      Note A maximum of 10 header fields is supported.

   5. To delete a specified header field, select it from the list and click Delete.
   The approved header field list configured here applies only to the current policy. You can also create an approved header field list that is applicable to all enabled policies for Exchange Online. For more information, see Configuring Approved Header Field List for Exchange Online.
8. Click Action & Notifications.
9. Configure Action settings.
   Cloud App Security protects services by executing specified actions on email messages or files that match scanning conditions.

   For details about the actions, see Actions Available for Different Services.
   1. Optionally select the Take action on URLs that have not been tested by Trend Micro Web Reputation Services check box to apply the configured action to the URLs not yet tested by Trend Micro, for example, new born URLs or shortened URLs.
   2. Optionally select the Configure actions dedicated to files check box to separately configure actions for files and whether to send notifications when the specified action is taken.

      Note When this option is selected, for a file, Cloud App Security takes the action specified here instead of the policy-level action described in the above tables in step 7.

   3. If the Tag file name action is selected, specify the tag to append to the file name.

      Note The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |). The tag applies to the Tag file name action specified in the Action section.

   4. Specify text to replace the original file content when a file is quarantined or deleted.
      The text applies to the Quarantine and Delete actions in the Action section.
10. Configure Notification settings.

    Option	Description
    Notify administrator	Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups. Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file. Set the notification threshold which limits the number of notification messages to send. Threshold settings include: Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s). Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box. Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
    Notify User	Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file. Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.

    Note When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

11. Click Save or select another policy configuration on the left navigation to continue with additional rules.