Advanced Spam Protection

Cloud App Security leverages Content Scanning to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect your email service users from graymail, scam, BEC, ransomware, advanced phishing, and other high-profile attacks. It uses the following components to implement heuristic policies that detect unwanted content and block or automatically allow an email message:

  • Trend Micro Antispam Engine

  • Trend Micro spam pattern files

Trend Micro updates both the engine and pattern files frequently and makes them available for download. Cloud App Security automatically downloads these components through a scheduled update.

The Antispam engine uses spam signatures and heuristic rules to filter email messages. It scans email messages and assigns a spam score to each one based on how closely it matches the rules and patterns from the pattern file. It then compares the score to the user-defined spam detection level, and sends the result to Cloud App Security. When the spam score exceeds the detection level, Cloud App Security takes action against the email message based on the category that the message falls into. You cannot modify the method that the Antispam engine uses to assign spam scores, but can adjust the detection levels used by Cloud App Security to decide what is spam and what is not spam.

The antispam engine also leverages its Trend Micro Email Behaviour Analysis (EBA) module to detect graymail messages and scams:

  • Graymail: Solicited bulk email messages that do not fit the definition of spam email messages. They could reasonably be considered either spam or good by different users.

  • Scam: An attempt to defraud a person or group after first gaining their confidence, for example, advance-fee schemes such as 419 scams, lottery scams, and bitcoin scams.

In addition, Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats. For more information, see About Writing Style DNA.

About Writing Style DNA

Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats.

By leveraging the writing style analysis that comes with Writing Style DNA, Cloud App Security scans the email messages written by a selected individual to learn that person's particular writing style, and then trains a writing style model on the email system for authorship identification. This writing style model is a set of properties or features, extracted with automated methods, that uniquely identify the way an individual composes email messages. Cloud App Security then compares incoming email messages claimed to be sent from the individual to protected mailboxes against the model to identify the authorship.

Note:

In this release, writing style analysis applies to email messages written in English, Japanese, German, French, Spanish, Swedish, Danish, Norwegian, Finnish, and Brazilian Portuguese.

This requires Cloud App Security to train and analyze the specific writing style model of each high profile user. As users' writing style models may change over time, it is also necessary to keep updating them to fine-tune email filtering. Therefore, once this feature is enabled, Cloud App Security starts training the writing styles of high profile users to build up usable personal models, and improves them as new written email messages become available.

Configuring Advanced Spam Protection

  1. Select Enable Advanced Spam Protection.
  2. Optionally select Allow Trend Micro to collect suspicious email information to improve its detection capabilities.
  3. Configure Rules settings.

    Setting

    Description

    Apply to

    Select the scope of email messages that Advanced Spam Protection applies to.

    • All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.

    • Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.

    Note:

    For details about internal domains, see Configuring Internal Domains

    For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.

    Detection Level

    Select a detection level. Options include:

    • High: This is the most rigorous level of spam detection. Cloud App Security monitors all email messages for suspicious files or text, but there is a greater chance of false positives. False positives are legitimate email messages that Cloud App Security filters as spam.

    • Medium: Cloud App Security monitors at a high level of spam detection with a moderate chance of filtering false positives.

    • Low: This is the most lenient level of spam detection. Cloud App Security only filters the most obvious and common spam messages, and there is a very low chance that it will filter false positives.

    Display Name Spoofing Detection

    Optionally select the check box to enable display name spoofing detection. By default, this option is disabled.

    Cloud App Security checks the display name of an external sender to find out whether the name is similar to or the same as the one used in your organization, and then analyzes email messages from the sender to determine whether the message is a scam, phishing, BEC, or ransomware attack. Cloud App Security takes the configured action based on the category of threat detected to protect users of your organization from email impersonation attacks using display name spoofing.

    Note:
    • If you want to exclude certain external senders from this detection, go to Administration > Global Settings > Display Name Spoofing Detection Exception List and add the sender email addresses to the exception list.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    Suspicious Sender Detection

    (Exchange Online only) Select this check box to directly detect an external sender of a message as suspicious when the sender's display name matches the High Profile Users list.

    Cloud App Security takes the action for Suspicious sender on the message.

    Retro Scan & Auto Remediate

    Select whether to rescan historical email messages and take remediation actions. This option is disabled by default.

    Note:
    • This feature is not available for Exchange Online (Inline Mode).

    • This feature does not apply to the email messages matching the Approved/Blocked Sender List or Approved Header Field List in Advanced Spam Protection, or the global Approved Header Field List.

    Enabling this feature requires turning on Allow Trend Micro to collect suspicious email information to improve its detection capabilities.

    Once the option is enabled, Cloud App Security starts collecting email message metadata when scanning the messages. When more metadata accumulates, Cloud App Security analyzes the metadata to detect previously unidentified or unknown threats by using the updated pattern files and leveraging machine learning technologies that observe and analyze email behavior over a period of time. A considerable advantage of retro scan is that it can correlate the attributes of different email messages, which helps detect threats that cannot be uncovered by analyzing messages one by one.

    Based on the retro scan result, Cloud App Security automatically takes remediation actions on the affected email messages.

    • For an email message that should have been filtered as spam or other types of threats but not, Cloud App Security takes the administrator-configured action on the email message.

    • For an email message that has been incorrectly filtered as spam or other types of threats, Cloud App Security restores the email message when the message has been quarantined by the Advanced Spam Protection filter, or moves the message to the inbox when it has been moved to the junk folder by this filter. Cloud App Security does not undo the other actions.

    Enhanced BEC Detection

    Go to Administration > Global Settings > High Profile Users or Internal Domains or High Profile Domains, and specify high profile users, external or internal domains as necessary.

    Note:
    • This enables Cloud App Security to further check email messages claimed to be sent from most frequently forged users or domains, apply fraud checking criteria to identify forged messages, and take actions on the BEC attacks.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).

  4. (Exchange Online only) Configure Graymail Detection.
    Note:

    This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    1. Select Enable Graymail Detection.

      Cloud App Security detects the following as graymail messages:

      • Marketing message and newsletter

      • Social network notification

      • Forum notification

      • Bulk email message

    2. Select at least one graymail category.

  5. Configure Writing Style Analysis for BEC settings.
    Note:
    • This feature provides an enhanced way for Cloud App Security to train the writing style models of high profile users to detect probable BEC attacks. Additional configurations are required.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    Before configuring writing style analysis settings, go to Administration > Global Settings to configure:

    Configure the Writing Style Analysis for BEC settings. For details, see Configuring Writing Style Analysis for BEC.

  6. Configure Approved/Blocked Sender List.
    1. Select Enable the approved sender list.
    2. Specify a sender email address to exclude from scanning and click Add >.
      Note:

      Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.

      To approve all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.

    3. Optionally click Import to import sender email addresses in batches.
    4. Select Enable the blocked sender list.
    5. Specify a sender email address to block without scanning, and click Add >.
      Note:

      Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.

      To block all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.

    6. Optionally click Import to import sender email addresses in batches.
    7. Go to Action to set an action for the blocked sender list.
    • For Gmail, Label email, Delete, and Quarantine are supported.

    • For other applications and services, Quarantine and Delete are supported.

  7. Configure Approved Header Field List.
    1. Select Enable the approved header field list.
    2. Specify a header field name in the Name text box and a value for the field in the Value text box, and select Contains or Equals as necessary.
    3. Click Add.

      The specified entry appears in the area below.

      When the specified header field of an email message contains the specified value (Contains) or exactly matches it (Equals), the message is not scanned by Advanced Spam Protection for spam, but still goes through the other security filters in the policy.

      Note:

      Be aware that Name and Value are case sensitive, and wildcard characters and regular expressions are not supported.

      The header field name and value cannot exceed 128 characters.

    4. Optionally repeat steps 2 and 3 to add another header field as necessary.

      The email message whose header field hits any of the specified entries will not be scanned by Advanced Spam Protection.

      Note:

      A maximum of 10 header fields is supported.

    5. To delete a specified header field, select it from the list and click Delete.

    The approved header field list configured here applies only to the current policy. You can also create an approved header field list that is applicable to all enabled policies for Exchange Online. For more information, see Configuring Approved Header Field List for Exchange Online.

  8. Configure Action settings for each category.
    • Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies

      Action

      Description

      Tag subject

      Cloud App Security adds keywords before the email message subject (Spam: <subject>) to inform the user that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content was infected.

      Delete

      Cloud App Security deletes the entire email message.

      Quarantine

      Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services.

      Note:

      For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security.

      Pass

      Cloud App Security records the detection in a log and the message is unchanged.

      Move to Junk Email folder

      Cloud App Security moves the email message to the user's Junk Email folder.

      Note:

      This action option is not available for Exchange Online (Inline Mode) - Outbound Protection.

      Add disclaimer

      Cloud App Security adds a disclaimer to display at the beginning of the email body to inform the recipient that the email may contain risks.

      The disclaimer cannot exceed 512 characters.

      For details about the token that can be used in the disclaimer, see Token List.

    • Gmail policies

      Action

      Description

      Delete

      Cloud App Security deletes the entire email message.

      Quarantine

      Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

      Move to Spam

      Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam label.

      Label email

      Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox.

      Pass

      Cloud App Security records the detection in a log and the message is unchanged.

    Cloud App Security allows you to configure actions by the following categories:

    • (Exchange Online only) Graymail

    • (Exchange Online only) Scam: For example, 419 scams, lottery scams, and bitcoin scams.

    • BEC

    • Phishing

    • Ransomware

    • Malicious spam: Spam messages that carry malicious attacks of other types such as command and control (C&C), malware, and bank Trojan.

    • Other spam: For example, unsolicited commercial email messages or unsolicited bulk email messages.

      Optionally select Pass all the messages sent from internal domains if detected as other spam to help reduce false positives if some internal email messages are detected by Cloud App Security as other spam but you treat them as normal messages based on your organization's security policies.

      Note:

      For the outbound protection for Exchange Online (Inline Mode), optionally select Pass all outbound messages detected as other spam without logging.

    • Blocked sender list: Messages that come from senders with email addresses matching the blocked sender list.

    • Suspicious sender: Messages that come from senders with display names matching the High Profile Users list.

    For details about how advanced spam protection filtering actions apply, see Advanced Spam Protection Filtering Action Criteria.

  9. Configure Notification settings.
    Option

    Description

    Notify administrator

    Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    Notification threshold sets limits on messages to send. Threshold settings include:

    • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

    • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

    • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  10. Click Save or select another policy configuration on the left navigation to continue with additional rules.
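The approved/blocked sender lists (step 6) and the approved header field list (step 7) both decide whether a message reaches the spam scan at all. The following is an added example, not Trend Micro's code: it models those list semantics as documented (whole-domain `*@domain` entries only, case-sensitive header Name/Value, Contains versus Equals, the 128-character and 10-entry limits). The function names, the sample message, case-insensitive address comparison and checking the blocked list before the approved list are assumptions.

```python
# Added example, not Trend Micro's code: models how the approved/blocked sender
# lists and the approved header field list decide whether a message is spam
# scanned. Sample message and evaluation order are assumptions.
from email import message_from_string
from email.utils import parseaddr

MAX_HEADER_ENTRIES = 10      # documented limit: at most 10 header fields
MAX_FIELD_LEN = 128          # documented limit: name and value <= 128 characters
WILDCARD_CHARS = set("*?[]^$")

def normalize_sender_entry(entry):
    """Accept 'user@domain' or '*@domain'. Wildcards and regular expressions
    are not supported for individual addresses, so anything else is rejected."""
    entry = entry.strip()
    local, sep, domain = entry.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {entry!r}")
    if (local != "*" and WILDCARD_CHARS & set(local)) or WILDCARD_CHARS & set(domain):
        raise ValueError(f"wildcards are only supported as *@domain: {entry!r}")
    # Assumption: addresses compare case-insensitively (the page does not say).
    return entry.lower()

def sender_matches(address, entries):
    """True when the address equals an entry or its domain matches a *@domain entry."""
    address = address.strip().lower()
    domain = address.partition("@")[2]
    for entry in map(normalize_sender_entry, entries):
        if entry == address or (entry.startswith("*@") and entry[2:] == domain):
            return True
    return False

def validate_header_entries(entries):
    """entries: (name, value, mode) tuples, mode being 'Contains' or 'Equals'."""
    if len(entries) > MAX_HEADER_ENTRIES:
        raise ValueError(f"at most {MAX_HEADER_ENTRIES} header fields are supported")
    for name, value, mode in entries:
        if mode not in ("Contains", "Equals"):
            raise ValueError(f"unknown match mode {mode!r}")
        if not (0 < len(name) <= MAX_FIELD_LEN and 0 < len(value) <= MAX_FIELD_LEN):
            raise ValueError("name and value must be 1 to 128 characters")
        if WILDCARD_CHARS & set(name + value):
            raise ValueError("wildcards and regular expressions are not supported")
    return entries

def header_matches(msg, entries):
    """Case-sensitive comparison of raw header names and values, as documented;
    a message whose header hits any entry skips the spam scan."""
    for name, value, mode in validate_header_entries(entries):
        for hdr_name, hdr_value in msg.items():
            if hdr_name != name:
                continue
            if (mode == "Equals" and hdr_value == value) or \
               (mode == "Contains" and value in hdr_value):
                return True
    return False

def spam_scan_decision(raw_email, approved_senders, blocked_senders, approved_headers):
    """Return 'blocked' (blocked sender action applies, no scan), 'skip'
    (approved sender or header field hit, no spam scan) or 'scan'."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    if sender and sender_matches(sender, blocked_senders):
        return "blocked"
    if sender and sender_matches(sender, approved_senders):
        return "skip"
    if header_matches(msg, approved_headers):
        return "skip"
    return "scan"

# Constructed sample message used for the checks.
SAMPLE_EMAIL = """From: "Ops Alerts" <Alerts@partner.example>
To: user@corp.example
Subject: Weekly report
X-Gateway-Scan: clean; engine=gateway-7

Body text.
"""
```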

Configuring Writing Style Analysis for BEC

  1. Select Enable writing style analysis.

    Cloud App Security automatically starts retrieving email messages written by high profile users from the configured email addresses and analyzing them to train the writing style model for each user. To view the training progress, go to Administration > Global Settings > High Profile Users.

    To train the writing style model of each high profile user added for your email service, that is, Exchange Online or Gmail, you must enable writing style analysis in at least one Advanced Threat Protection policy for that service. If you disable writing style analysis in all policies of that service, the training process is paused and will be resumed when writing style analysis is enabled in at least one policy.

    Important:

    Cloud App Security only scans email messages to train the particular writing style model for each high profile user, and does NOT collect any actual email message or its content.

  2. Select an action.
    • Exchange Online, Exchange Online (Inline Mode) - Inbound Protection policies

    Option

    Description

    Tag subject

    Cloud App Security adds keywords before the email message subject (Probable BEC attack: <subject>) to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content may be a BEC attack.

    Add disclaimer

    Cloud App Security adds a disclaimer message to display at the beginning of the email body to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the disclaimer informs them that the original content may be a BEC attack.

    The disclaimer cannot exceed 512 characters.

    For details about the token in the disclaimer, see Token List.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Delete

    Cloud App Security deletes the entire email message.

    Quarantine

    Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services.

    Note:

    For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security.

    Move to Junk Email folder

    Cloud App Security moves the email message to the user's Junk Email folder.

    • Gmail policies

    Option

    Description

    Label email

    Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox.

    Pass

    Cloud App Security records the detection in a log and the message is unchanged.

    Delete

    Cloud App Security deletes the entire email message.

    Quarantine

    Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services.

    Move to Spam

    Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam label.

    An incoming email message that hits the writing style analysis criteria is subject to the action configured here, regardless of the setting for BEC in Action.

    If writing style analysis is enabled in more than one policy of an email service, the action configured in the policy with a higher priority applies.

    If you want an email address related to a high profile user to be skipped by writing style verification scanning, add the email address to the High Profile User Exception List.

  3. Optionally select Notify supposed sender to decide whether to send a notification message to the high profile user who is expected to be the real sender of the email message.
    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the supposed sender.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

    • Optionally select Allow the supposed sender to provide feedback to decide whether to add a feedback option in the notification message.

      The supposed sender can click Yes or No to confirm whether the sender has actually sent the email message. This does not affect the configured action taken on the email message, but helps Trend Micro improve its writing style analysis capabilities.

  4. Optionally select Notify administrator.

    A message specifically designed for writing style analysis violations is sent to notify the administrator that Cloud App Security detected a probable BEC attack through email and took action on the email message. Whether or not the administrator receives the notification message is subject to the settings here, regardless of the setting in Notification.

    • Optionally click Edit notification to modify the message content as necessary. For details about the tokens, see Token List.

    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the administrator.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

Advanced Spam Protection Filtering Action Criteria

Advanced Spam Protection filtering action criteria for Exchange Online are described as follows:

  • For the scam, BEC, phishing, ransomware, and malicious spam categories, the default action is Quarantine, that for graymail is Pass, and that for other spam is Move to Junk Email folder.

  • After Cloud App Security takes the Move to Junk Email folder action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Quarantine, Move to Junk Email folder, Tag subject, Pass.

  • If an email message is moved to or restored from the Junk Email folder by a user, Cloud App Security will scan and process the message when a new manual scan starts.

  • If an email message is moved to the Junk Email folder by Cloud App Security after the Move to Junk Email folder action is taken, Cloud App Security will not scan and process the message again.

  • If an email message is moved to the Junk Email folder by Exchange Online, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Junk Email folder.

Advanced Spam Protection filtering action criteria for Gmail are described as follows:

  • For the BEC, phishing, ransomware, and malicious spam categories, the default action is Label email, and that for other spam is Move to Spam.

  • After Cloud App Security takes the Move to Spam action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple spam categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Label email, Move to Spam, Pass.

  • If an email message is moved to the Spam label by Gmail, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Spam.
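The precedence rules above for Exchange Online and Gmail, the per-category defaults, the "Pass all the messages sent from internal domains if detected as other spam" option, and the rule that a writing style analysis hit uses its own action regardless of the BEC setting, as an added example (not Trend Micro's code). The function names, the service labels, and combining a writing style analysis hit with other category hits by the same priority rule are assumptions; actions the page does not rank (such as Add disclaimer) are rejected rather than guessed.

```python
# Added example, not Trend Micro's code: resolves the single action taken when
# one message hits several Advanced Spam Protection categories, following the
# documented priority order and defaults. Service labels and the handling of a
# writing style analysis hit alongside other hits are assumptions.

# Priorities as listed on the page, highest first.
PRIORITY = {
    "Exchange Online": ["Delete", "Quarantine", "Move to Junk Email folder",
                        "Tag subject", "Pass"],
    "Gmail": ["Delete", "Label email", "Move to Spam", "Pass"],
}

# Default per-category actions as documented for each service.
DEFAULT_ACTIONS = {
    "Exchange Online": {
        "Graymail": "Pass",
        "Scam": "Quarantine", "BEC": "Quarantine", "Phishing": "Quarantine",
        "Ransomware": "Quarantine", "Malicious spam": "Quarantine",
        "Other spam": "Move to Junk Email folder",
    },
    "Gmail": {
        "BEC": "Label email", "Phishing": "Label email",
        "Ransomware": "Label email", "Malicious spam": "Label email",
        "Other spam": "Move to Spam",
    },
}

def rank(service, action):
    """Position in the priority list; a smaller number wins. Actions the page
    does not rank (for example Add disclaimer) are rejected."""
    if action not in PRIORITY[service]:
        raise ValueError(f"{action!r} is not ranked for {service}")
    return PRIORITY[service].index(action)

def resolve_action(service, hits, configured=None, writing_style_action=None,
                   pass_internal_other_spam=False, internal_sender=False,
                   in_junk_by_exchange=False):
    """Return the action Cloud App Security takes for the given category hits,
    or None when nothing is done (no hits, or the message already sits in
    Junk Email via Exchange Online and no hit outranks Move to Junk Email folder)."""
    actions = dict(DEFAULT_ACTIONS[service])
    actions.update(configured or {})          # per-policy overrides by category
    candidates = []
    for category in hits:
        if category not in actions:
            raise ValueError(f"{category!r} is not a category for {service}")
        if category == "Other spam" and pass_internal_other_spam and internal_sender:
            candidates.append("Pass")         # internal "other spam" passed on request
        elif category == "BEC" and writing_style_action:
            continue                          # BEC setting is overridden by writing style action
        else:
            candidates.append(actions[category])
    if writing_style_action:
        # Writing style analysis hit: its own action applies regardless of the
        # BEC setting; ranking it against other hits is this example's assumption.
        candidates.append(writing_style_action)
    if not candidates:
        return None
    final = min(candidates, key=lambda a: rank(service, a))
    if in_junk_by_exchange and service == "Exchange Online":
        # Already moved to Junk Email by Exchange Online: act only if the
        # resolved action takes precedence over Move to Junk Email folder.
        if rank(service, final) >= rank(service, "Move to Junk Email folder"):
            return None
    return final
```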