Email Message Risk Levels

Deep Discovery Email Inspector assesses email message risk using multi-layered threat analysis. Upon receiving an email message, Deep Discovery Email Inspector email scanners check the email message for known threats in the Trend Micro Smart Protection Network and Trend Micro Advanced Threat Scanning Engine. If the email message has unknown or suspicious characteristics, the email scanners send file attachments and embedded URLs to Virtual Analyzer for further analysis. Virtual Analyzer simulates the suspicious file and URL behavior to identify potential threats. Deep Discovery Email Inspector assigns a risk level to the email message based on the highest risk assigned between the Deep Discovery Email Inspector scanners and Virtual Analyzer.

The following table explains the email message risk levels after investigation. View the table to understand why an email message was classified as high, medium, or low risk.

Table 1. Email Message Risk Definitions

Risk Level

Description

High

A high-risk email message contains:

  • Attachments with unknown threats detected as high risk by Virtual Analyzer

  • Attachments detected as high risk based on YARA rules

  • Attachments detected as high risk based on suspicious file matching

  • Attachments detected by Predictive Machine Learning and Email Malware Threat Scan

  • Business Email Compromise

  • Links detected as high risk by Virtual Analyzer

  • Links detected as high risk based on suspicious URL matching

Medium

A medium-risk email message contains:

  • Known malware

  • Known phishing threats

  • Known dangerous links

  • Attachments detected as medium risk based on YARA rules

  • Links detected as medium risk based on suspicious URL matching

Low

A low-risk email message contains:

  • Known highly suspicious or suspicious links (Aggressive mode)

  • Links detected as low risk by Virtual Analyzer

  • Attachments detected as low risk by Virtual Analyzer

  • Attachments detected as low risk based on YARA rules

  • Links detected as low risk based on suspicious URL matching

  • Social engineering attacks

  • Business Email Compromise (BEC) scams

No risk

A no-risk email message:

  • Contains no suspicious attachments or links

  • Contains known highly suspicious or suspicious links (Standard mode)

  • Matches policy exception criteria

Unrated

An unrated email message falls under any of the following categories:

  • Bypassed scanning: Contains an attachment with a compression layer greater than 20 (the file has been compressed over twenty times)

  • Unscannable archive: Contains a password-protected archive that could not be extracted and scanned using the password list or heuristically obtained passwords

  • Unscannable message or attachment: Matches any of the following criteria:

    • Malformed email format

    • A system timeout occurred when Virtual Analyzer attempted to analyze the message

    • A system timeout occurred when Virtual Analyzer attempted to analyze some of the attachments or links and no other risks were detected

    • Virtual Analyzer was unable to analyze all of the attachments or links and no other risks were detected

Unavailable

Deep Discovery Email Inspector does not assign a risk level to a spam/graymail message or an email message with content violation.