Investigating a Detected Message

  1. Search for the email message.

    See Viewing Detected Messages.

  2. Click the arrow next to the email message in the table.

    The table row expands with more information.

  3. Discover the email message details.

    See Email Message Details.

Email Message Details

The following table explains the email message details viewable after expanding the search results. The fields displayed vary depending on the type of threat detected.

View in Threat Connect
    Click View in Threat Connect to get correlated information about suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network, which provides relevant and actionable intelligence.

View Virtual Analyzer Report
    Click View Virtual Analyzer Report to view the analysis report in HTML or PDF format.

View Screenshot
    Click View Screenshot to safely display the email message as an image.

Download
    Select an option from the drop-down list to download the information for further investigation.

Overview
    View the message ID, recipients, last detection time, sender and source IP addresses, and direction of the email message to understand where the message came from and other tracking information.

    Note:
    For sender and source IP addresses, Unknown indicates that the detected messages are from an unknown origin (neither the location nor the IP address information is available), and No data indicates that the location information is not available.

    Get information about the policy rules that the email message violates.

Messages
    View the name of the scanning engine and the category for detected email messages that are considered spam or graymail.

Attachments
    Get information about any files attached to the email message, including the file name, password, file type, risk level, SHA-1 and SHA-256 hash values, the scan engine that identified the threat, and the name of the detected threats.

YARA Detection
    Get information about the detected files based on matched YARA rules in the associated YARA rule files.

Links
    Get information about any embedded suspicious URLs that appeared in the email message, including the URL, site category, risk level, extraction source, the scan engine that identified the threat, and the name of the detected threats.

Message Characteristics
    Get information about any characteristics of social engineering attacks that were detected in the email message, including the mail server reputation, gaps between transits, inconsistent recipient accounts, forged sender addresses, and unexpected relay servers.

Content Keyword/Expression Match
    Get information about the content keywords or expressions that are matched in the email message.

DLP Incident
    Get information about the data identifiers and DLP templates that are matched in the email message.

Email Header
    View the email message header content.
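The Attachments, Message Characteristics and Email Header fields above all derive from data that an analyst can also recover from the raw message when a downloaded copy needs a second look offline. The following added example (not Trend Micro code, and not the product's own implementation of these fields) parses an .eml with Python's standard library and reproduces three of those views: attachment names with SHA-1/SHA-256 hashes, the relay chain from the Received headers with the gap between each transit, and a check of the visible From domain against the Return-Path domain as one forged-sender indicator. The sample message, its hostnames, addresses and timestamps are all constructed for this example.

```python
"""Added example: offline triage of a downloaded .eml (not Trend Micro code)."""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: every host, address and date below is invented.
SAMPLE_EML = b"""\
Return-Path: <bounce@example-bulk.test>
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby inbound.example-corp.test with ESMTP; Mon, 01 Jan 2024 10:05:00 +0000
Received: from relay.example-bulk.test (relay.example-bulk.test [198.51.100.7])
\tby mx.example-corp.test with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example-bulk.test with SMTP; Mon, 01 Jan 2024 06:00:00 +0000
From: "Finance" <ceo@example-corp.test>
To: accounts@example-corp.test
Subject: Urgent invoice
Date: Mon, 01 Jan 2024 05:58:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please pay the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Matches the "from <host> ... by <host>" clause of a Received header.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (policy.default unfolds headers)."""
    return message_from_bytes(raw, policy=policy.default)


def attachment_hashes(msg):
    """Name, type and SHA-1/SHA-256 of each attachment, as the Attachments field shows."""
    rows = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded bytes, not base64 text
        rows.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return rows


def transit_hops(msg):
    """Relay chain oldest-first with the gap (seconds) since the previous hop.

    Each relay prepends its own Received header, so the headers are read in
    reverse to follow the message from origin to destination. A large gap at
    one hop is what the Message Characteristics field reports as a gap
    between transits.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        head, _, date_part = str(raw).rpartition(";")  # timestamp follows the last ';'
        m = RECEIVED_RE.search(head)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "time": parsedate_to_datetime(date_part.strip()),
            "gap_seconds": 0.0,
        })
    for prev, cur in zip(hops, hops[1:]):
        cur["gap_seconds"] = (cur["time"] - prev["time"]).total_seconds()
    return hops


def sender_consistency(msg):
    """Compare the visible From domain with the envelope Return-Path domain.

    A mismatch is not proof of forgery (mailing lists and bulk senders do this
    legitimately) but it is one of the sender-address inconsistencies worth
    recording during investigation.
    """
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg["Return-Path"]))[1].rpartition("@")[2].lower()
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "mismatch": from_domain != rp_domain}


def header_list(msg):
    """All headers in wire order, the raw view behind the Email Header field."""
    return [(name, str(value)) for name, value in msg.items()]


if __name__ == "__main__":
    m = parse_message(SAMPLE_EML)
    for row in attachment_hashes(m):
        print("attachment:", row)
    for hop in transit_hops(m):
        print(f"hop: {hop['from']} -> {hop['by']} at {hop['time']} (+{hop['gap_seconds']:.0f}s)")
    print("sender:", sender_consistency(m))
    for name, value in header_list(m):
        print(f"header: {name}: {value}")
```

Run against a real downloaded .eml by replacing SAMPLE_EML with the file's bytes; the hash values can then be compared directly with the SHA-1/SHA-256 shown in the Attachments field, and the hop list with the relay servers the product flags.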