Advanced Anti-Phishing Protection provides a variety of automated actions that the security administrator can choose from, such as quarantining malicious emails. Visit https://www.techbento.com/cloud-e-mail-file-security/ to learn more.
Malware End-user workflow
1 - User is alerted and allowed to restore the email
Email to the user is scanned and, when found malicious, the subject is replaced with a quarantined notice, with the original subject provided in brackets. The body of the message is replaced with a customizable message to the user, along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. In this mode, the user is authorized to perform their own release of the attachment. Using the link in the email, end users can release the quarantined attachment. The original email and attachment will be immediately delivered back to the inbox.
2 - User is alerted, allowed to request a restore. Admin must approve
Email to the user is scanned and, when found malicious, the subject is replaced with a Quarantined notice, with the original subject provided in brackets. The body of the message is replaced with a customizable message to the user, along with a link to release the file if a false positive is suspected. The attachment is also stripped and noted in the replaced body. The Malware will be zipped, password protected and delivered to the Restore request approver.
In some cases, we may choose not to block the email and instead allow it to be delivered to the inbox, for example for suspicious (low confidence) email detections. For these scenarios, Advanced Anti-Phishing Protection can warn end users of the potential risks detected in these emails by embedding a banner that explains the nature of the risk.
Embedded warning banners are available in Protect (inline) and Detect and Prevent modes only.
Release Process for Administrators
The admin will be notified via email sent to the configured Restore requests approver email address. Optional alerts and email notifications can also be configured. The email will contain the Malware in a zipped, password protected attachment, with a direct link to the email profile in the Advanced Anti-Phishing Protection portal. Once in the Advanced Anti-Phishing Protection portal, a full security review of the Malware can be completed and the release request can be fulfilled or declined.
Types of warning banners
The following warning banners are generated, based on the detection attributes:
Suspected phishing: This email contains elements that may indicate "Phishing" intent - aimed at tricking you to disclose private/financial information or even your credentials.
Suspected phishing - potentially trusted sender: This mail is suspected to be a phishing e-mail. Are you sure you trust the sender (<sender>)?
First time sender: We do not know this sender, do you trust <sender>?
Non-authentic internal email: The email is sent from the organization's domain (<domain>), but suspected as non-authentic.
Potential Impersonation: The sender <sender> seems to be using a different email address than in the previous correspondence (<previous email>), this often indicates an impersonation attempt.
Encrypted Attachments: Be careful when opening this email. It is carrying an encrypted attachment - often used for evading virus scans. Make sure you trust this email before opening the attachment.
Workflows and Notification
Detect and Prevent Mode and Protect (inline) Mode both offer three separate workflows to manage Malware and Anti-Phishing attacks in the platform. The only difference is when the workflow is invoked: Detect and Prevent scans email after it is delivered to the user, and Protect (inline) scans just prior to delivery.
- User is alerted and allowed to restore the email
- User is alerted, allowed to request a restore. Admin must approve
- Email quarantined. User is not alerted. Admin can restore
- Do nothing
- User receives the email with an alert
- Email quarantined. Admin can restore
- Email Quarantined. User is alerted, allowed to request a restore. Admin must approve
- Do nothing
Suspicious Phishing affects
- User receives the email with a warning
- User is not alerted. Admin can restore
- Do nothing
Advanced options are available to customize all messages and notifications to the end users.