Cloud App Security leverages Content Scanning to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect your email service users from graymail, scams, BEC, ransomware, advanced phishing, and other high-profile attacks. It uses the following components to implement heuristic policies for detecting unwanted content and for blocking or automatically allowing an email message:
Trend Micro Antispam Engine
Trend Micro spam pattern files
Trend Micro updates both the engine and pattern files frequently and makes them available for download. Cloud App Security automatically downloads these components through a scheduled update.
The Antispam engine uses spam signatures and heuristic rules to filter email messages. It scans each email message and assigns it a spam score based on how closely it matches the rules and patterns from the pattern file. It then compares the score to the user-defined spam detection level and sends the result to Cloud App Security. When the spam score exceeds the detection level, Cloud App Security takes action against the email message based on the category that the message falls into. You cannot modify the method that the Antispam engine uses to assign spam scores, but you can adjust the detection levels that Cloud App Security uses to decide what is spam and what is not.
The antispam engine also leverages its Trend Micro Email Behaviour Analysis (EBA) module to detect graymail messages and scams:
Graymail: Solicited bulk email messages that do not fit the definition of spam email messages. They could reasonably be considered either spam or good by different users.
Scam: An attempt to defraud a person or group after first gaining their confidence, for example, advance-fee schemes such as 419 scams, lottery scams, and bitcoin scams.
In addition, Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats. For more information, see About Writing Style DNA.
Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats.
By leveraging the writing style analysis that comes with Writing Style DNA, Cloud App Security scans the email messages written by a designated individual to learn their particular writing style, and then trains a writing style model on the email system for authorship identification. This writing style model is a set of properties or features, extracted with automated methods, that uniquely identify the way an individual composes email messages. Cloud App Security then compares incoming email messages in protected mailboxes that claim to be sent by that individual against the model to verify authorship.
In this release, writing style analysis applies to email messages written in English, Japanese, German, French, Spanish, Swedish, Danish, Norwegian, Finnish, and Brazilian Portuguese.
This requires Cloud App Security to train and analyze a specific writing style model for each high profile user. Because a user's writing style may change over time, the models must also be kept up to date to fine-tune email filtering. Therefore, once this feature is enabled, Cloud App Security starts training the writing styles of high profile users to build usable personal models, and improves them as new written email messages become available.
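The model-and-compare workflow described above, as an added illustration that is not Cloud App Security's or Trend Micro's code: Writing Style DNA's real feature set is proprietary, so this example substitutes a simple, assumed stylometric model (character trigram frequency profiles compared by cosine similarity). The high profile user "Dana", the training messages and the two incoming messages are constructed; the threshold is an assumed tunable playing the role of a detection level.

```python
"""Illustrative per-user writing style model for authorship verification.

Added teaching example. The feature extraction (character trigrams) and the
similarity measure (cosine) are assumptions standing in for the proprietary
Writing Style DNA model; they are not how the product works internally.
"""
from collections import Counter
import math
import re

NGRAM = 3

# Constructed training corpus for an assumed high profile user "Dana".
DANA_TRAINING = [
    "Hi all, quick update before the call: numbers look good, we're on track. Cheers, Dana",
    "Hi all, thanks for the draft, looks good to me. Let's sync after lunch. Cheers, Dana",
    "Hi all, I'm travelling tomorrow, so replies may be slow. Cheers, Dana",
]

# Constructed incoming messages that both claim to come from Dana.
GENUINE_MESSAGE = "Hi all, quick one: the deck looks good, let's go with it. Cheers, Dana"
IMPOSTOR_MESSAGE = ("Please process the attached wire transfer today. "
                    "I am in meetings and cannot take calls. Regards, Dana")


def normalize(text: str) -> str:
    # Collapse whitespace only; case and punctuation are kept because they are
    # themselves stylistic signals.
    return re.sub(r"\s+", " ", text.strip())


def ngram_profile(text: str, n: int = NGRAM) -> Counter:
    """Frequency profile of overlapping character n-grams."""
    t = normalize(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def train_model(messages: list) -> Counter:
    """The user's model is the aggregate n-gram profile of all training mail.
    Only the profile is kept; the message text itself is not stored."""
    model = Counter()
    for m in messages:
        model.update(ngram_profile(m))
    return model


def cosine(a: Counter, b: Counter) -> float:
    shared = a.keys() & b.keys()
    dot = sum(a[k] * b[k] for k in shared)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def authorship_score(model: Counter, body: str) -> float:
    """0.0 (nothing in common) .. 1.0 (identical profile)."""
    return cosine(model, ngram_profile(body))


def verify_authorship(model: Counter, body: str, threshold: float = 0.45) -> bool:
    """True when the message is consistent with the claimed author's model.
    The threshold is an assumed value; in practice it is tuned per deployment."""
    return authorship_score(model, body) >= threshold


if __name__ == "__main__":
    model = train_model(DANA_TRAINING)
    for label, body in (("genuine", GENUINE_MESSAGE), ("impostor", IMPOSTOR_MESSAGE)):
        print(f"{label}: score={authorship_score(model, body):.3f} "
              f"consistent={verify_authorship(model, body)}")
```

The point the code makes is the one the text makes: the model is a compact feature profile rather than a copy of the user's mail, and verification is a comparison between that profile and the incoming message, with a threshold that trades false positives against missed impersonations.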
Setting | Description |
---|---|
Apply to | Select the scope of email messages that Advanced Spam Protection applies to. Note: For details about internal domains, see Configuring Internal Domains. For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses. |
Detection Level | Select a detection level. Options include: |
Display Name Spoofing Detection | Optionally select the check box to enable display name spoofing detection. By default, this option is disabled. Cloud App Security checks whether the display name of an external sender is similar to or the same as one used in your organization, and then analyzes email messages from that sender to determine whether the message is a scam, phishing, BEC, or ransomware attack. Cloud App Security takes the configured action based on the category of threat detected, to protect users of your organization from email impersonation attacks that use display name spoofing. Note: |
Suspicious Sender Detection | (Exchange Online only) Select this check box to directly detect an external sender of a message as suspicious when the sender's display name matches the High Profile Users list. Cloud App Security takes the action configured for Suspicious sender on the message. Note: |
Retro Scan & Auto Remediate | Select whether to rescan historical email messages and take remediation actions. This option is disabled by default. Note: Enabling this feature requires turning on Allow Trend Micro to collect suspicious email information to improve its detection capabilities. Once the option is enabled, Cloud App Security starts collecting email message metadata when scanning the messages. As more metadata accumulates, Cloud App Security analyzes it to detect previously unidentified or unknown threats, using the updated pattern files and machine learning technologies that observe and analyze email behavior over a period of time. A considerable advantage of retro scan is that it can correlate the attributes of different email messages, which helps detect threats that cannot be uncovered by analyzing messages one by one. Based on the retro scan result, Cloud App Security automatically takes remediation actions on the affected email messages. |
Enhanced BEC Detection | Go to Administration > Global Settings > High Profile Users, Internal Domains, or High Profile Domains, and specify high profile users and external or internal domains as necessary. Note: |
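The sender checks that the Display Name Spoofing Detection and Suspicious Sender Detection settings describe, as an added example that is not Cloud App Security's code. The product's actual matching rules are not published, so the normalization (case and accent folding, punctuation removal) and the similarity measure (difflib ratio against the High Profile Users list) are assumptions; the internal domain, the high profile user and every sender address are constructed. The follow-on content analysis that decides the threat category is out of scope here: the function only reports which check fired.

```python
"""Display name checks for external senders (illustrative, not product code).

Returns ("suspicious_sender", user) for an exact match with a high profile
user's name, ("display_name_spoofing", user) for a near match, else (None, None).
"""
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed configuration, standing in for the Global Settings lists.
INTERNAL_DOMAINS = {"example.com"}
HIGH_PROFILE_USERS = {"Dana Reyes": "dana.reyes@example.com"}


def normalize_name(name: str) -> str:
    """Fold accents and case, drop punctuation, collapse whitespace, so that
    'D\u00e1na  REYES' and 'Dana Reyes' compare on the same footing."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    name = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    return " ".join(name.split())


def is_external(address: str) -> bool:
    domain = address.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def name_similarity(a: str, b: str) -> float:
    """1.0 for identical normalized names; assumed measure, not the product's."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def classify_sender(from_header: str, similarity_threshold: float = 0.85):
    display, addr = parseaddr(from_header)
    # Both checks apply to external senders only.
    if not addr or not is_external(addr):
        return (None, None)
    if not normalize_name(display):
        return (None, None)          # no display name to compare
    best, best_score = None, 0.0
    for user in HIGH_PROFILE_USERS:
        score = name_similarity(display, user)
        if score > best_score:
            best, best_score = user, score
    if best_score == 1.0:
        return ("suspicious_sender", best)       # exact match: Suspicious Sender Detection
    if best_score >= similarity_threshold:
        return ("display_name_spoofing", best)   # near match: Display Name Spoofing Detection
    return (None, None)


if __name__ == "__main__":
    # Constructed From headers.
    for hdr in ("Dana Reyes <dana.reyes@example.com>",
                "Dana Reyes <dana.reyes@example.net>",
                "DANA  REYES <dr@example.net>",
                "Dana Reyas <d.reyas@example.net>",
                "Newsletter Team <news@example.net>"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

Note the order of the two checks: an exact (normalized) name match is reported as a suspicious sender rather than as spoofing, which mirrors the page's distinction between the two settings, and an internal sender never reaches either check.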
This feature is not available for the outbound protection of Exchange Online (Inline Mode).
Select Enable Graymail Detection.
Cloud App Security detects the following as graymail messages:
Marketing message and newsletter
Social network notification
Forum notification
Bulk email message
Select at least one graymail category.
This feature provides an enhanced way for Cloud App Security to train the writing style models of high profile users to detect probable BEC attacks. Additional configurations are required.
This feature is not available for the outbound protection of Exchange Online (Inline Mode).
Before configuring writing style analysis settings, go to Administration > Global Settings to configure:
Email addresses of required high profile users to train their writing style models. For details, see Configuring High Profile Users.
Email addresses to skip from scanning for writing style verification. For details, see Configuring High Profile User Exception List.
Configure the Writing Style Analysis for BEC settings. For details, see Configuring Writing Style Analysis for BEC.
Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.
To approve all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.
Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.
To block all senders from a domain, type *@domain, for example, *@example.com. This only applies to spam message scanning.
For Gmail, Label email, Delete, and Quarantine are supported.
For other applications and services, Quarantine and Delete are supported.
The specified entry appears in the area below.
When the specified header field of an email message contains or exactly matches the specified value (depending on whether Contains or Equals is selected), the message is not scanned by Advanced Spam Protection for spam, but still goes through the other security filters in the policy.
Be aware that Name and Value are case sensitive, and wildcard characters and regular expressions are not supported.
The header field name and value cannot exceed 128 characters.
The email message whose header field hits any of the specified entries will not be scanned by Advanced Spam Protection.
A maximum of 10 header fields is supported.
The approved header field list configured here applies only to the current policy. You can also create an approved header field list that is applicable to all enabled policies for Exchange Online. For more information, see Configuring Approved Header Field List for Exchange Online.
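The entry rules for the approved sender list, the blocked sender list and the approved header field list above, as an added example that is not Cloud App Security's code. It enforces exactly what the page states (an individual address or *@domain for senders, with no other wildcards or regular expressions; case-sensitive Contains/Equals matching for headers, a 128-character limit and at most 10 entries) and then evaluates a constructed message against all three lists. The address regex, the sample message and the list contents are assumptions; how the product orders the lists against each other is not stated on the page, so the result is reported as independent flags.

```python
"""Validation and matching for sender lists and the approved header field list.

Added example, not product code. Rules follow the page: senders are exact
addresses or '*@domain'; header Name/Value are case sensitive, no wildcards,
<= 128 characters, <= 10 entries; a header hit skips antispam scanning only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

MAX_HEADER_ENTRIES = 10
MAX_HEADER_LEN = 128
# Assumed shape of a single address: rejects regex/wildcard metacharacters.
ADDRESS_RE = re.compile(r"^[^@\s*?\[\]()^$|]+@[^@\s*?\[\]()^$|]+\.[^@\s*?\[\]()^$|]+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_sender_entry(entry: str) -> str:
    """Accept 'user@domain' or '*@domain'; reject any other wildcard/regex form."""
    entry = entry.strip()
    if entry.startswith("*@"):
        if not DOMAIN_RE.match(entry[2:]):
            raise ValueError(f"invalid domain wildcard entry: {entry!r}")
        return entry.lower()
    if not ADDRESS_RE.match(entry):
        raise ValueError(f"unsupported sender entry (wildcards/regex not allowed): {entry!r}")
    return entry.lower()


def sender_matches(address: str, entries) -> bool:
    """'*@domain' matches that domain exactly, not its subdomains (assumption)."""
    addr = address.strip().lower()
    domain = addr.rpartition("@")[2]
    for e in entries:
        if e.startswith("*@"):
            if e[2:] == domain:
                return True
        elif e == addr:
            return True
    return False


def validate_header_entries(entries):
    """entries: list of (Name, 'Contains'|'Equals', Value)."""
    if len(entries) > MAX_HEADER_ENTRIES:
        raise ValueError(f"at most {MAX_HEADER_ENTRIES} header field entries are supported")
    for name, mode, value in entries:
        if mode not in ("Contains", "Equals"):
            raise ValueError(f"unknown match mode {mode!r}")
        if not name or not value:
            raise ValueError("header name and value must not be empty")
        if len(name) > MAX_HEADER_LEN or len(value) > MAX_HEADER_LEN:
            raise ValueError(f"header name and value cannot exceed {MAX_HEADER_LEN} characters")
    return list(entries)


def header_exempt(raw_message: str, entries) -> bool:
    msg = message_from_string(raw_message)
    # msg.items() preserves the header names as written, so the comparison
    # below is case sensitive for both Name and Value, as the page requires.
    for hdr_name, hdr_value in msg.items():
        for name, mode, value in entries:
            if hdr_name != name:
                continue
            if mode == "Equals" and hdr_value == value:
                return True
            if mode == "Contains" and value in hdr_value:
                return True
    return False


def evaluate_lists(raw_message: str, approved, blocked, header_entries) -> dict:
    """Independent flags; a header hit means 'skip antispam, keep other filters'."""
    _, sender = parseaddr(message_from_string(raw_message).get("From", ""))
    return {
        "header_exempt": header_exempt(raw_message, header_entries),
        "approved_sender": sender_matches(sender, approved),
        "blocked_sender": sender_matches(sender, blocked),
    }


# Constructed sample message.
SAMPLE_MESSAGE = "\n".join([
    "From: Billing <billing@vendor.example>",
    "To: dana.reyes@example.com",
    "X-Partner-Scan: verified-by-gateway",
    "Subject: Invoice 1042",
    "",
    "Hi Dana, the invoice is attached.",
    "",
])

if __name__ == "__main__":
    approved = [validate_sender_entry("*@vendor.example")]
    headers = validate_header_entries([("X-Partner-Scan", "Contains", "verified")])
    print(evaluate_lists(SAMPLE_MESSAGE, approved, [], headers))
```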
Exchange Online, Exchange Online (Inline Mode) - Inbound Protection, Exchange Online (Inline Mode) - Outbound Protection policies
Action | Description |
---|---|
Tag subject | Cloud App Security adds keywords before the email message subject (Spam: <subject>) to inform the user that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content was infected. |
Delete | Cloud App Security deletes the entire email message. |
Quarantine | Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services. Note: For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Move to Junk Email folder | Cloud App Security moves the email message to the user's Junk Email folder. Note: This action option is not available for Exchange Online (Inline Mode) - Outbound Protection. |
Add disclaimer | Cloud App Security adds a disclaimer at the beginning of the email body to inform the recipient that the email may contain risks. The disclaimer cannot exceed 512 characters. For details about the tokens that can be used in the disclaimer, see Token List. |
Gmail policies
Action | Description |
---|---|
Delete | Cloud App Security deletes the entire email message. |
Quarantine | Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services. |
Move to Spam | Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam label. |
Label email | Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Cloud App Security allows you to configure actions by the following categories:
(Exchange Online only) Graymail
(Exchange Online only) Scam: For example, 419 scams, lottery scams, and bitcoin scams.
BEC
Phishing
Ransomware
Malicious spam: Spam messages that carry malicious attacks of other types such as command and control (C&C), malware, and bank Trojan.
Other spam: For example, unsolicited commercial email messages or unsolicited bulk email messages.
Optionally select Pass all the messages sent from internal domains if detected as other spam to reduce false positives when Cloud App Security detects some internal email messages as other spam but your organization's security policies treat them as normal messages.
For the outbound protection for Exchange Online (Inline Mode), optionally select Pass all outbound messages detected as other spam without logging.
Blocked sender list: Messages that come from senders with email addresses matching the blocked sender list.
Suspicious sender: Messages that come from senders with display names matching the High Profile Users list.
For details about how advanced spam protection filtering actions apply, see Advanced Spam Protection Filtering Action Criteria.
Option | Description |
---|---|
Notify administrator | Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file. Notification threshold sets limits on messages to send. Threshold settings include: |
Notify User | Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. |
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.
Cloud App Security automatically starts retrieving email messages written by high profile users from the configured email addresses and analyzing them to train the writing style model for each user. To view the training progress, go to Administration > Global Settings > High Profile Users.
To train the writing style model of each high profile user added for your email service, that is, Exchange Online or Gmail, you must enable writing style analysis in at least one Advanced Threat Protection policy for that service. If you disable writing style analysis in all policies of that service, the training process is paused and will be resumed when writing style analysis is enabled in at least one policy.
Cloud App Security only scans email messages to train the particular writing style model for each high profile user, and does NOT collect any actual email message or its content.
Exchange Online, Exchange Online (Inline Mode) - Inbound Protection policies
Option | Description |
---|---|
Tag subject | Cloud App Security adds keywords before the email message subject (Probable BEC attack: <subject>) to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the tag informs them that the original content may be a BEC attack. |
Add disclaimer | Cloud App Security adds a disclaimer message at the beginning of the email body to inform the recipient that an action occurred. The email message is delivered to the intended recipient, but the disclaimer informs them that the original content may be a BEC attack. The disclaimer cannot exceed 512 characters. For details about the tokens in the disclaimer, see Token List. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Delete | Cloud App Security deletes the entire email message. |
Quarantine | Cloud App Security moves the email message to a dedicated quarantine location, removing it as a security risk to protected services. Note: For Exchange Online, the quarantine location is a folder in the user's mailbox; for Exchange Online (Inline Mode), the quarantine location is in the storage of Cloud App Security. |
Move to Junk Email folder | Cloud App Security moves the email message to the user's Junk Email folder. |
Gmail policies
Option | Description |
---|---|
Label email | Cloud App Security includes a label Risky (by Trend Micro) at the top of the email message in the user's mailbox. |
Pass | Cloud App Security records the detection in a log and the message is unchanged. |
Delete | Cloud App Security deletes the entire email message. |
Quarantine | Cloud App Security moves the email message to a restricted access folder, removing it as a security risk to protected services. |
Move to Spam | Cloud App Security applies Gmail's system label "Spam" to the email message and the message only displays in the user's Spam label. |
An incoming email message that hits the writing style analysis criteria is subject to the action configured here, regardless of the setting for BEC in Action.
If writing style analysis is enabled in more than one policy of an email service, the action configured in the policy with a higher priority applies.
If you want an email address related to a high profile user to be skipped from scanning for writing style verification, add the email address to the High Profile User Exception List.
Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the supposed sender.
This option does not apply when Action is set to Delete or Quarantine.
Optionally select Allow the supposed sender to provide feedback to decide whether to add a feedback option in the notification message.
The supposed sender can click Yes or No to confirm whether the sender has actually sent the email message. This does not affect the configured action taken on the email message, but helps Trend Micro improve its writing style analysis capabilities.
A message specifically designed for writing style analysis violations is sent to notify the administrator that Cloud App Security detected a probable BEC attack through email and took action on the email message. Whether the administrator receives this notification message depends on the settings here, regardless of the setting in Notification.
Optionally click Edit notification to modify the message content as necessary. For details about the tokens, see Token List.
Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the administrator.
This option does not apply when Action is set to Delete or Quarantine.
Advanced Spam Protection filtering action criteria for Exchange Online are described as follows:
For the scam, BEC, phishing, ransomware, and malicious spam categories, the default action is Quarantine, that for graymail is Pass, and that for other spam is Move to Junk Email folder.
After Cloud App Security takes the Move to Junk Email folder action against an email message, the email message will still be sent to other scanning filters for further processing.
If an email message hits multiple categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Quarantine, Move to Junk Email folder, Tag subject, Pass.
If an email message is moved to or restored from the Junk Email folder by a user, Cloud App Security will scan and process the message when a new manual scan starts.
If an email message is moved to the Junk Email folder by Cloud App Security after the Move to Junk Email folder action is taken, Cloud App Security will not scan and process the message again.
If an email message is moved to the Junk Email folder by Exchange Online, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Junk Email folder.
Advanced Spam Protection filtering action criteria for Gmail are described as follows:
For the BEC, phishing, ransomware, and malicious spam categories, the default action is Label email, and that for other spam is Move to Spam.
After Cloud App Security takes the Move to Spam action against an email message, the email message will still be sent to other scanning filters for further processing.
If an email message hits multiple spam categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Label email, Move to Spam, Pass.
If an email message is moved to the Spam label by Gmail, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Spam.
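The action-combination rules stated above for Exchange Online and Gmail, carried through in code as an added example that is not Cloud App Security's code. The category names, default actions and priority orders are the ones listed on the page; the example also applies the page's "Pass internal other spam" option, the writing style analysis override (its action replaces the BEC action) and the rule for messages the service itself has already moved to Junk or Spam (it generalizes that rule to both services, as the last point of each list describes). How the product combines a writing style hit with other categories, and that "no further action" is the outcome when the configured action does not take precedence over the service's own junking, are assumptions. Add disclaimer has no place in the page's priority order, so it is not modelled.

```python
"""Advanced Spam Protection action resolution (illustrative, not product code).

Priorities and defaults are those stated on the page; combination rules
for writing style hits and service-junked messages are assumptions.
"""
EXO = "Exchange Online"
GMAIL = "Gmail"
JUNK = "Move to Junk Email folder"

PRIORITY = {                                   # high to low
    EXO: ["Delete", "Quarantine", JUNK, "Tag subject", "Pass"],
    GMAIL: ["Delete", "Label email", "Move to Spam", "Pass"],
}
DEFAULT_ACTION = {
    EXO: {"Graymail": "Pass", "Scam": "Quarantine", "BEC": "Quarantine",
          "Phishing": "Quarantine", "Ransomware": "Quarantine",
          "Malicious spam": "Quarantine", "Other spam": JUNK},
    GMAIL: {"BEC": "Label email", "Phishing": "Label email",
            "Ransomware": "Label email", "Malicious spam": "Label email",
            "Other spam": "Move to Spam"},
}
# Action the service itself applies when it junks a message before we see it.
SERVICE_JUNK_ACTION = {EXO: JUNK, GMAIL: "Move to Spam"}


def highest_priority(service: str, actions) -> str:
    order = PRIORITY[service]
    for a in actions:
        if a not in order:
            raise ValueError(f"{a!r} is not a prioritised action for {service}")
    return min(actions, key=order.index)


def resolve_action(service, categories, overrides=None, *, sender_internal=False,
                   pass_internal_other_spam=False, writing_style_hit=False,
                   writing_style_action=None, junked_by_service=False):
    """Return the single action to take, or None for 'no further action'.

    categories: spam categories the message hit. overrides: per-category
    actions configured in the policy (defaults apply otherwise).
    """
    policy = {**DEFAULT_ACTION[service], **(overrides or {})}
    if writing_style_hit and writing_style_action is None:
        raise ValueError("writing_style_action is required when writing_style_hit is set")
    actions = set()
    for cat in categories:
        if cat not in policy:
            raise KeyError(f"{cat!r} is not a category for {service}")
        action = policy[cat]
        # Policy option: pass internal-domain mail detected only as other spam.
        if cat == "Other spam" and sender_internal and pass_internal_other_spam:
            action = "Pass"
        # The writing style action applies regardless of the BEC action setting.
        if cat == "BEC" and writing_style_hit:
            continue
        actions.add(action)
    if writing_style_hit:
        actions.add(writing_style_action)
    if not actions:
        return None
    chosen = highest_priority(service, actions)
    # Already junked by the service: act only if our action takes precedence
    # over the service's own junk action (assumed: otherwise nothing more to do).
    if junked_by_service:
        order = PRIORITY[service]
        if order.index(chosen) >= order.index(SERVICE_JUNK_ACTION[service]):
            return None
    return chosen


if __name__ == "__main__":
    print(resolve_action(EXO, ["Other spam", "Phishing"]))          # Quarantine
    print(resolve_action(GMAIL, ["BEC", "Other spam"]))             # Label email
    print(resolve_action(EXO, ["Other spam"], junked_by_service=True))  # None
```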