With one of the largest domain-reputation databases in the world, Trend Micro web reputation technology tracks the credibility of web domains by assigning a reputation score based on factors including website's age, historical location changes and indications of suspicious activities discovered through malware behavior analysis, such as phishing attacks that are designed to trick users into providing personal information. To increase accuracy and reduce false positives, Trend Micro Web Reputation Services assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, since often, only portions of legitimate sites are hacked and reputations can change dynamically over time.
Attackers may use phishing websites that disguise as legitimate websites to steal user credentials that provide access to your network. To enhance its capability of spotting these credential phishing websites, Cloud App Security integrates with dynamic URL scanning and applies it to URLs classified as untested by Trend Micro Web Reputation Services. By crawling the web pages of these URLs in real time, Cloud App Security determines whether the pages contain malicious patterns and takes pre-configured actions to keep users from zero-day phishing attacks.
Cloud App Security also leverages artificial intelligence (AI)-based computer vision to protect cloud service users against credential phishing attacks. It uses this advanced technology to recognize key elements of a valid cloud service logon page to help prevent users from submitting credentials to untrusted sites and help them get rid of account compromise.
In this release, for a URL detected as a credential phish, Cloud App Security takes the action configured by the administrator under Action on this URL.
The following table explains the Web Reputation risk levels. View the table to understand why a URL is classified as dangerous, highly suspicious, or suspicious.
Risk Level |
Description |
---|---|
Dangerous |
The URL is verified to be fraudulent or known sources of threats. |
Highly suspicious |
The URL is suspected to be fraudulent or possible sources of threats. |
Suspicious |
The URL is associated with spam or possibly compromised. |
Untested |
The URL has not been tested by Trend Micro yet. While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages. |
Safe |
The URL contains no malicious software and shows no signs of phishing. |
Option | Description |
---|---|
Apply to |
(Exchange Online and Gmail only) Select the scope of email messages that Malware Scanning applies to.
Note:
For details about internal domains, see Configuring Internal Domains For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses. |
Security Level |
Select Security Level and then the security level that Web Reputation applies to. Trend Micro considers a URL a web threat if its reputation score falls within a defined threshold, and safe if its score exceeds the threshold. Cloud App Security has three security levels that determine whether it will apply the configured action to a URL with a certain risk level. For details about the risk levels, see Web Reputation Risk Levels.
|
Message Attachments |
(Exchange Online and Gmail only) Select whether to scan message attachment content for suspicious URLs. |
Dynamic URL Scanning |
Select whether to further analyze, in real-time, the URLs classified as Untested by the Web Reputation Services, to detect phishing websites. For more information about dynamic URL scanning, see Web Reputation Services. |
Retro Scan & Auto Remediate |
(Exchange Online and Gmail only) This option is disabled by default. Note:
This feature is not available for Exchange Online (Inline Mode).
After this option is enabled, Cloud App Security periodically examines historical URLs. Based on the retro scan results:
|
Time-of-Click Protection applies to real-time scans for URLs in incoming email messages. To configure actions for those URLs, go to Administration > Global Settings > Time-of-Click Protection Settings.
This feature is not available for the outbound protection of Exchange Online (Inline Mode).
Be aware that for individual email addresses, wildcard characters and regular expressions are not supported.
Be aware that regular expressions are not supported.
For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported.
For URLs without query parameters, wildcard characters only in the *.example.com and *.example.com/example/* formats are supported.
For Gmail, only URLs without query parameters are supported.
The approved URL list takes precedence over the blocked URL list. If a URL is added into both lists, it will be treated as an approved URL.
Be aware that regular expressions are not supported.
For URLs with query parameters, Cloud App Security uses exact match. Wildcard characters are not supported.
For URLs without query parameters, wildcard characters only in the *.example.com and *.example.com/example/* formats are supported.
For Gmail, only URLs without query parameters are supported.
For Gmail, Label email, Delete, and Quarantine are supported.
For Salesforce, Pass, Quarantine, and Delete are supported.
For the other applications and services, Quarantine and Delete are supported.
The specified entry appears in the area below.
When the specified header field of an email message contains or exactly matches with the specified value depending on whether Contains or Equals is selected, the message will not be scanned by Web Reputation for malicious and suspicious URL detection, but will still go through the other security filters in the policy.
Be aware that Name and Value are case sensitive, and wildcard characters and regular expressions are not supported.
The header field name and value cannot exceed 128 characters.
The email message whose header field hits any of the specified entries will not be scanned by Web Reputation.
A maximum of 10 header fields is supported.
The approved header field list configured here applies only to the current policy. You can also create an approved header field list that is applicable to all enabled policies for Exchange Online. For more information, see Configuring Approved Header Field List for Exchange Online.
Cloud App Security protects services by executing specified actions on email messages or files that match scanning conditions.
For details about the actions, see Actions Available for Different Services.
Optionally select the Take action on URLs that have not been tested by Trend Micro Web Reputation Services check box to apply the configured action to the URLs not yet tested by Trend Micro, for example, new born URLs or shortened URLs.
Optionally select the Configure actions dedicated to files check box to separately configure actions for files and whether to send notifications when the specified action is taken.
When this option is selected, for a file, Cloud App Security takes the action specified here instead of the policy-level action described in the above tables in step 7.
(Salesforce only) Select Apply secondary action when file quarantine fails and specify a secondary action if you want to take a backup action when the quarantine action for a file fails.
This option can be configured only when the Quarantine action is selected.
If the Tag file name action is selected, specify the tag to append to the file name.
The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |).
The tag applies to the Tag file name action specified in the Action section.
Specify text to replace the original file content when a file is quarantined or deleted.
The text applies to the Quarantine and Delete actions in the Action section.
Option | Description |
---|---|
Notify administrator |
|
Notify User |
Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file. Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update. Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages. |
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.