Hosted Email Security provides detailed information for email messages detected as possible social engineering attacks. To view social engineering attack details, click the Details link beside Social engineering attack on the Mail Tracking Details screen.
These details are available only when such an email message is received while the Social engineering attack option is selected and the Enable Virtual Analyzer option is not selected (both in the Scanning Criteria of the active policy). If both options are selected, you receive the Virtual Analyzer report instead, which contains complete information, including the social engineering attack details.
The following table lists the possible reasons for social engineering attack detections.
| Email Characteristics | Description |
|---|---|
| Inconsistent sender host names | Inconsistent host names between Message-ID (<domain>) and From (<domain>). |
| Broken mail routing path | Broken mail routing path from hop (<IP_address>) to hop (<IP_address>). |
| Mail routing path contains mail server with bad reputation | The mail routing path contains a mail server with bad reputation (<IP_address>). |
| Significant time gap during email message transit | Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>). |
| Inconsistent recipient accounts | Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>). |
| Possibly forged sender account or unexpected relay/forward | Possibly forged sender account (<email_address>) is sending email messages via host/IP (<host_address>) whose ASNs (<ASN_list>) are inconsistent with the sender ASNs (<ASN_list>); or an unexpected server-side relay/forward. |
| Email message travels across multiple time zones | The email message travels across time zones (<time_zone_list>). |
| Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (<character_set_list>) are identified in a single email message, implying that the email message originated from a foreign region. This behavior is an indicator of a social engineering attack. |
| Violation of time headers | Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC 5322 section 3.6 (the Date header must appear exactly once). |
| Possibly forged sender (Yahoo) | The email message claims to be from Yahoo (<email_address>) but is missing required headers. |
| Executable files with tampered extension names in the attachment | Executable files in the compressed attachment (<file_name>) are disguised as ordinary files by tampered extension names. |
| Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (<email_address>). |
| Encrypted attachment intends to bypass antivirus scan engines | Encrypted attachment (<file_name>) with its password (<password>) provided in the email content is possibly intended to bypass antivirus scan engines. |
| Email attachment could be exploitable | Email attachment (<file_name>) could be exploitable. |
| Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities | Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might have been sent from a self-written mail agent. |
| Few meaningful words in the email message | The email message contains little meaningful content, with only a few characters in its text/HTML body (<character_count>). |
| Possible email spoofing | The email message claims to be a forwarded or replied message by its subject tagging (<email_subject>), but it does not contain the corresponding email headers (RFC 5322). |
| Email message travels across multiple ASNs | The email message travels across multiple ASNs (<ASN_list>). |
| Email message travels across multiple countries | The email message travels across multiple countries (<country_code_list>). |
| Abnormal Content-type behavior in email message | The Content-Type in the email content carries attributes it should not have (<attribute_list>). |
| Executable files archived in the compressed attachment | Executable files archived in the compressed attachment (<file_name>). |
| Exploitable file types detected in the compressed attachment | Exploitable file types detected in the compressed attachment (<file_name>). |
| Sender account header potentially modified | The email message was sent from an email client or service provider (<user_agent>) that allows modification of the sender address or nickname. |
| Conversation history in email body | The email message includes a conversation history between (<email_account>) and (<email_account>). This email message may be part of a man-in-the-middle attack. |
| Internal message with a disguised reply-to domain | The reply-to domain (<domain_name>) has been disguised to be similar to the sender and recipient domains (<domain_name>). The email message may be disguised to appear internal. |
| Internal message with a public reply-to domain | The reply-to domain (<domain_name>) belongs to a public messaging service, but the sender and recipient domains are the same (<domain_name>). The email message may be disguised to appear internal. |
| Nickname of company executive with public domain address | The sender header (<sender_header>) contains a nickname that appears to be a company executive together with an email address from a public messaging service. |
| Reply-to account disguised to be similar to sender account | The reply-to account (<email_account>) uses a different domain but information similar to the sender account (<email_account>), to make the two accounts appear to belong to the same individual. |
| Sender account possibly associated with targeted attacks | The sender account (<email_account>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender domain disguised to be similar to recipient domain | The sender domain (<domain_name>) is different from but similar to the recipient domain (<domain_name>). The email message may be disguised to appear internal. |
| Sender host name possibly associated with targeted attacks | The sender host name (<host_name>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender IP address possibly associated with targeted attacks | The sender IP address (<ip_address>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
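Several of the header rows above can be reproduced, in approximate form, from the raw message headers alone. The following Python is an added example, not Hosted Email Security code and not its actual rules or thresholds: it parses a constructed message with the standard library and applies five of the heuristics (Message-ID host versus From host, transit time gap between Received hops, duplicate Date headers contrary to RFC 5322 section 3.6, a Re:/Fwd: subject with no In-Reply-To or References header, and a sender domain within a small edit distance of the recipient domain). The 12-hour gap threshold, the edit-distance limit of 2 and the sample message are assumptions made for the illustration.

```python
"""Header heuristics of the kind listed in the table, run over a constructed message.

Added illustration, not Hosted Email Security code: the product's rules and
thresholds are not published, so these checks are plain approximations built
only on the standard library.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample: a "Re:" message with no thread headers, two Date headers,
# a Message-ID domain unrelated to the From domain, a two-day stall between the
# first two hops, and a sender domain one character away from the recipient's.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [203.0.113.10])
 by inbound.example.net with ESMTP; Wed, 15 May 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx.example.com with ESMTP; Wed, 15 May 2024 09:59:58 +0000
Received: from [10.0.0.5] by relay.example.org with SMTP;
 Mon, 13 May 2024 08:12:00 +0000
Message-ID: <20240513081200.1234@mailer.example.test>
Date: Mon, 13 May 2024 08:11:59 +0000
Date: Wed, 15 May 2024 09:59:50 +0000
From: "Jane Doe" <jane.doe@examp1e.net>
To: <bob@example.net>
Subject: Re: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Bob, please handle the invoice today. Call me if you have questions.
"""

THREAD_TAG = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
MSGID_DOMAIN = re.compile(r"@([^>\s]+)>?\s*$")


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(d1, d2, max_distance=2):
    d1, d2 = d1.lower(), d2.lower()
    return d1 != d2 and levenshtein(d1, d2) <= max_distance


def received_timestamps(msg):
    """Timestamps of the Received hops, oldest first (the headers are newest-first)."""
    stamps = []
    for hop in reversed(msg.get_all("Received", [])):
        _, sep, stamp = str(hop).rpartition(";")
        if not sep:
            continue  # a Received header without a date clause is skipped, not trusted
        try:
            stamps.append(parsedate_to_datetime(stamp.strip()))
        except (ValueError, TypeError):
            continue
    return stamps


def analyze(raw, max_gap=timedelta(hours=12), max_distance=2):
    """Return a dict of finding name -> detail for the heuristics that fire."""
    msg = message_from_string(raw, policy=default)
    findings = {}

    sender = msg["From"]
    if sender is None or not sender.addresses:
        return {"missing_from": True}
    from_domain = sender.addresses[0].domain.lower()

    # Message-ID host should be the From domain or a host under it.
    m = MSGID_DOMAIN.search(str(msg["Message-ID"] or ""))
    msgid_domain = m.group(1).lower() if m else ""
    if msgid_domain and not (msgid_domain == from_domain or msgid_domain.endswith("." + from_domain)):
        findings["inconsistent_sender_host"] = (msgid_domain, from_domain)

    stamps = received_timestamps(msg)
    gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    if any(g > max_gap for g in gaps):
        findings["time_gap"] = max(gaps)

    dates = msg.get_all("Date", [])
    if len(dates) != 1:  # RFC 5322 section 3.6: exactly one Date header
        findings["date_header_count"] = len(dates)

    subject = str(msg["Subject"] or "")
    if THREAD_TAG.match(subject) and not (msg["In-Reply-To"] or msg["References"]):
        findings["thread_tag_without_thread_headers"] = subject

    to = msg["To"]
    for rcpt in (to.addresses if to is not None else ()):
        if is_lookalike(from_domain, rcpt.domain, max_distance):
            findings["lookalike_sender_domain"] = (from_domain, rcpt.domain.lower())
            break
    return findings


if __name__ == "__main__":
    for name, detail in analyze(SAMPLE).items():
        print(f"{name}: {detail}")
```

Two caveats apply to any such reimplementation. Received headers are prepended by each hop, so the chain must be walked bottom-up to get chronological order, and every hop below your own boundary MTA is attacker-writable: a gap, a broken path or a foreign time zone there is a signal to weigh with the other rows, not proof on its own. The edit-distance test catches character substitutions such as examp1e.net but not homoglyph or IDN lookalikes, which need a confusables table.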
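For the attachment rows (executable files archived in a compressed attachment, executables disguised by tampered extension names, and encrypted attachments), the following Python is an added example, again not product code: it builds a small zip archive in memory and classifies each member by its leading magic bytes rather than by its name, flagging executable content behind a document extension, double extensions, and members that carry the ZIP encryption flag. The extension lists and the sample archive contents are assumptions made for the illustration.

```python
"""Archive member checks of the kind described in the attachment rows of the table.

Added illustration, not Hosted Email Security code; the archive is constructed
in memory so the script runs offline.
"""
import io
import zipfile

# Magic numbers of executable formats; the member name is deliberately not trusted.
EXECUTABLE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def classify_entry(name, head):
    """Return the reasons an archive member looks suspicious (empty list if none).

    `name` is the member path and `head` its first few bytes.
    """
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    fmt = next((f for magic, f in EXECUTABLE_MAGIC.items() if head.startswith(magic)), None)
    if fmt and ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"{fmt} content behind a document extension ({ext})")
    elif fmt:
        reasons.append(f"{fmt} archived in attachment")
    # "Statement.pdf.scr": an executable extension stacked on a document extension.
    if ext in EXECUTABLE_EXTENSIONS and len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}{ext}")
    return reasons


def scan_archive(data):
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the general purpose flags marks traditional PKWARE encryption;
            # the content cannot be inspected until a password (for instance one
            # quoted in the message body) is applied with zf.setpassword().
            if info.flag_bits & 0x1:
                findings[info.filename] = ["encrypted member; content not inspectable without the password"]
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: a PE stub named as a PDF, a double-extension
    screensaver, and a genuine text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Statement.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please see the attached documents.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

The standard library's zipfile module cannot create encrypted archives, so the constructed sample exercises only the cleartext path; the encryption branch keys off the flag bit that a scanning engine sees before it can try a password harvested from the message body. Reading only the first eight bytes of each member keeps the check cheap and avoids inflating a decompression bomb, which is the other reason to classify by magic number before extracting anything.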