Trend Micro Email Security provides detailed information for email messages detected as possible social engineering attacks. To view social engineering attack details, click the Details link beside Social engineering attack on the Mail Tracking Details screen.

The following table lists the possible reasons for social engineering attack detections.
Possible reasons for social engineering attack detections

| Email Characteristics | Description |
|---|---|
| Inconsistent sender host names | The Message-ID host name (`<host_name>`) does not match the From host name (`<host_name>`). |
| Broken mail routing path | Broken mail routing path from hop (`<IP_address>`) to hop (`<IP_address>`). |
| Mail routing path contains mail server with bad reputation | The mail routing path contains a mail server with bad reputation (`<IP_address>`). |
| Significant time gap during email message transit | Significant time gap (`<duration>`) detected during email message transit between hops (`<source>` & `<destination>`) from time (`<date_time>`) to time (`<date_time>`). |
| Inconsistent recipient accounts | Envelope recipient (`<email_address>`) is inconsistent with header recipient (`<email_address>`). |
| Inconsistent sender ASNs or unexpected relay or forward | The sender host (`<host_address>`) belongs to an ASN (`<ASN>`) that does not match the ASN (`<ASN>`) of the sender account (`<email_address>`). This may result from an unexpected server-side relay or forward. |
| Email message travels across multiple time zones | The email message travels across time zones (`<time_zone_list>`). |
| Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (`<character_set_list>`) are identified in a single email message, implying that the email message originated from a foreign region. This behavior is an indicator of a social engineering attack. |
| Violation of time headers | Multiple time headers (`<date_time>`, `<date_time>`) exist in one message, which violates RFC 5322 section 3.6. |
| Malicious client IP address | The client IP address (`<IP_address>`) has been associated with known malicious activity. |
| Possibly forged sender (Yahoo) | The email message claims to be from Yahoo (`<email_address>`) but lacks required headers. |
| Executable files with tampered extension names in the attachment | Files in the compressed attachment (`<file_name>`) may be executable files with modified extension names. |
| Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (`<email_address>`). |
| Encrypted attachment intends to bypass antivirus scan engines | Encrypted attachment (`<file_name>`) with the password (`<password>`) provided in the email content possibly intends to bypass antivirus scan engines. |
| Exploitable attachment | The attached file (`<file_name>`) may contain exploits. |
| Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities | Content-Transfer-Encoding (`<encoding_type>`) is abnormal in the email message. The email message might have been sent from a self-written mail agent. |
| Short message body | The body text or the HTML text of the email is short. The text length (`<character_count>` characters, for body text/HTML text respectively) may suggest that the email content has little meaning. |
| Replied or forwarded email contains no corresponding headers | The email message claims to be a forwarded or replied message by its subject tagging (`<email_subject>`), but does not contain the corresponding email headers (RFC 5322). |
| Email message travels across multiple ASNs | The email message travels across multiple ASNs (`<ASN_list>`). |
| Email message travels across multiple countries | The email message travels across multiple countries (`<country_code_list>`). |
| Abnormal Content-type behavior in email message | Content-type in email content should not have attributes (`<attribute_list>`). |
| Executable files archived in the compressed attachment | The compressed attachment (`<file_name>`) contains executable files. |
| Exploitable file types detected in the compressed attachment | The compressed attachment (`<file_name>`) contains exploitable file types. |
| Inconsistent host domains or unexpected relay or forward | The sender host (`<host_address>`) belongs to a different domain from the sender account (`<email_address>`). This may result from an unexpected server-side relay or forward. |
| Email nickname is inconsistent with email address | The recipient account uses an email nickname (`<nickname>`) that is inconsistent with its email address (`<email_address>`). |
| Sender account is inconsistent with reply-to account | The sender account (`<email_account>`) is inconsistent with the reply-to account (`<email_account>`). |
| Sender host name possibly associated with targeted attacks | The sender host name (`<host_name>`) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender IP address possibly associated with targeted attacks | The sender IP address (`<ip_address>`) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender account possibly associated with targeted attacks | The sender account (`<email_account>`) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender account header potentially modified | The email message was sent from an email client or service provider (`<user_agent>`) that allows modification of the sender address or nickname. |
| Internal email with a public reply-to domain | The reply-to domain (`<domain_name>`) belongs to a public messaging service, but the sender and recipient domains are the same (`<domain_name>`). The email message may be disguised to appear internal. |
| Internal email with a disguised reply-to domain | The reply-to domain (`<domain_name>`) has been disguised to be similar to the sender and recipient domains (`<domain_name>`). The email message may be disguised to appear internal. |
| Reply-to account disguised to be similar to sender account | The reply-to account (`<email_account>`) uses a different domain but similar information to the sender account (`<email_account>`), to make the two accounts appear to belong to the same individual. |
| Conversation history in email body | The email message includes a conversation history between (`<email_account>`) and (`<email_account>`). This email message may be part of a man-in-the-middle attack. |
| Nickname of company executive with public domain address | The sender header (`<sender_header>`) contains a nickname that appears to be a company executive and an email address from a public messaging service. |
| Sender domain disguised to be similar to recipient domain | The sender domain (`<domain_name>`) is different from but similar to the recipient domain (`<domain_name>`). The email message may be disguised to appear internal. |
| Potentially deceptive message header text | Because (`<header_text>`) closely resembles (`<header_text>`), this message seems intended to deceive the recipient. |
| Message contains suspicious content | Some text in the message meets the criteria for the (`<category_name>`) category, indicating a possible intent to deceive the recipient. |
| Name of a protected sender used with a suspicious domain | The message uses the name (`<sender_name>`) in combination with an unfamiliar domain in an apparent attempt to deceive the recipient. |
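Several of the rows above are header-consistency checks that can be reproduced from the message and its SMTP envelope alone. The following is an added example, not Trend Micro's code: it applies four of those checks (Message-ID host vs. From host, envelope vs. header recipients, duplicate Date headers, From vs. Reply-To) to a constructed message; the exact rules and finding wording are assumptions modelled on the table, not the product's logic.

```python
"""Added example (not Trend Micro code): four header-consistency checks from the table above."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: a forged "executive" mail carrying several inconsistencies.
RAW = """From: "Pat Lee, CEO" <pat.lee@example.com>
To: finance@example.com
Reply-To: pat.lee.ceo@mail-example.test
Message-ID: <20240101.1@relay.example.net>
Date: Mon, 01 Jan 2024 09:00:00 +0000
Date: Mon, 01 Jan 2024 10:30:00 +0000
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
# Constructed SMTP envelope (RCPT TO) seen for the same delivery.
ENVELOPE_RCPTS = ["finance@example.com", "hr@example.com"]

def check_message(raw, envelope_rcpts):
    """Return the table-style findings that apply to this message."""
    msg = message_from_string(raw)
    findings = []
    # Inconsistent sender host names: Message-ID host vs From host.
    mid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if mid_host and from_dom and mid_host != from_dom:
        findings.append(f"Inconsistent sender host names ({mid_host} vs {from_dom})")
    # Inconsistent recipient accounts: envelope RCPT TO absent from To/Cc headers.
    hdr_rcpts = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    for rcpt in envelope_rcpts:
        if rcpt.lower() not in hdr_rcpts:
            findings.append(f"Inconsistent recipient accounts ({rcpt})")
    # Violation of time headers: RFC 5322 section 3.6 permits exactly one Date.
    dates = msg.get_all("Date", [])
    if len(dates) > 1:
        findings.append(f"Violation of time headers ({', '.join(dates)})")
    # Sender account inconsistent with reply-to account.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        findings.append("Sender account is inconsistent with reply-to account "
                        f"({sender} vs {reply_to})")
    return findings

if __name__ == "__main__":
    for finding in check_message(RAW, ENVELOPE_RCPTS):
        print(finding)
```

Real-world triage would add allow-lists for legitimate relays and mailing lists, since forwards and list expansions trip the recipient and host-name checks by design.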