Views:

Cloud App Security leverages Content Scanning to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect your email service users from graymail, scam, BEC, ransomware, advanced phishing, and other high-profile attacks. It uses the following components to implement heuristic policies when detecting unwanted content, or blocking, or automatically allowing an email message:

  • Trend Micro Antispam Engine

  • Trend Micro spam pattern files

Trend Micro updates both the engine and pattern files frequently and makes them available for download. Cloud App Security automatically downloads these components through a scheduled update.

The Antispam engine uses spam signatures and heuristic rules to filter email messages. It scans email messages and assigns a spam score to each one based on how closely it matches the rules and patterns from the pattern file. It then compares the score to the user-defined spam detection level, and sends the result to Cloud App Security. When the spam score exceeds the detection level, Cloud App Security takes action against the email message based on the category that the message falls into. You cannot modify the method that the Antispam engine uses to assign spam scores, but can adjust the detection levels used by Cloud App Security to decide what is spam and what is not spam.

The antispam engine also leverages its Trend Micro Email Behaviour Analysis (EBA) module to detect graymail messages and scams:

  • Graymail: Solicited bulk email messages that do not fit the definition of spam email messages. They could reasonably be considered either spam or good by different users.

  • Scam: An attempt to defraud a person or group after first gaining their confidence, for example, advance-fee schemes such as 419 scams, lottery scams, and bitcoin scams.

In addition, Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats. For more information, see About Writing Style DNA.

Parent topic: Adding Advanced Threat Protection Policies

About Writing Style DNA

Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats.

By leveraging writing style analysis that comes with Writing Style DNA, Cloud App Security scans the written email messages of a desired individual to learn their particular writing style, and then trains a writing style model on the email system for authorship identification. This writing style model is a set of properties or features explored with automated methods that uniquely identify the way an individual composes email messages. Cloud App Security then uses the model to compare with the incoming email messages claimed to be sent from the individual in protected mailboxes to identify the authorship.

Note:

In this release, writing style analysis applies to email messages written in English, Japanese, German, French, Spanish, Swedish, Danish, Norwegian, Finnish, and Brazilian Portuguese.

This requires Cloud App Security to train and analyze the specific writing style model of each high profile user. As users' writing style models may change over time, it is also necessary to keep updating them to fine-tune email filtering. Therefore, once enabled with this feature, Cloud App Security starts training writing styles of high profile users to build up usable personal models, and improves them once there are new written email messages.

Configuring Advanced Spam Protection

  1. Select Enable Advanced Spam Protection.
  2. Optionally select Allow Trend Micro to collect suspicious email information to improve its detection capabilities..
  3. Configure Rules settings.

    Setting

    Description

    Apply to

    Select the scope of email messages that Advanced Spam Protection applies to.

    • All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.

    • Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.

    Note:

    For details about internal domains, see Configuring Internal Domains

    For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.

    Detection Level

    Select a detection level. Options include:

    • High: This is the most rigorous level of spam detection. Cloud App Security monitors all email messages for suspicious files or text, but there is greater chance of false positives. False positives are those email messages that Cloud App Security filters as spam when they are actually legitimate email messages.

    • Medium: Cloud App Security monitors at a high level of spam detection with a moderate chance of filtering false positives.

    • Low: This is most lenient level of spam detection. Cloud App Security only filters the most obvious and common spam messages, but there is a very low chance that it will filter false positives.

    Display Name Spoofing Detection

    Optionally select the check box to enable display name spoofing detection. By default, this option is disabled.

    Cloud App Security checks the display name of an external sender to find out whether the name is similar to or the same as the one used in your organization, and then analyzes email messages from the sender to determine whether the message is a scam, phishing, BEC, or ransomware attack. Cloud App Security takes the configured action based on the category of threat detected to protect users of your organization from email impersonation attacks using display name spoofing.

    Note:

    • If you want to exclude certain external senders from this detection, go to Administration > Global Settings > Display Name Spoofing Detection Exception List and add the sender email addresses to the exception list.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    Unusual Signal Detection
    (Exchange Online only)
    Note:

    This feature is not available for Exchange Online (Inline Mode).

    Unusual signals are the behavior or traits of an email that look suspicious to Cloud App Security. A single unusual signal does not mean a definite threat but can indicate possible risks. When detecting one unusual signal in an email message, Cloud App Security supports taking the action for Unusual Signal on the message. For details about unusual signals, see Unusual Signals.

    • Select whether to check for external senders with any of the following suspicious attributes:

      • The sender's display name matches the High Profile Users list.

        This feature requires that you configure the High Profile Users list.

      • The sender has not sent any email in at least the past 30 days.

        The sender can be from an existing domain or a newly registered one.

        Note:

        Cloud App Security determines whether a sender meets the criteria based on the information collected by Trend Micro.

    • Select whether to check for other unusual signals.

      The following are some examples:

      • Anomalous brand behavior

      • URL similar to a known malicious link

      • Unfamiliar sender discussing payment related issues

      Trend Micro will keep adding new unusual signals to help you detect more email behavior or traits that deviate from what is normal or usual.

    Retro Scan & Auto Remediate

    Select whether to rescan historical email messages and take remediation actions. This option is disabled by default.

    Note:

    • This feature is not available for Exchange Online (Inline Mode).

    • This feature does not apply to the email messages matching the Approved/Blocked Sender List or Approved Header Field List in Advanced Spam Protection, or the global Approved Header Field List.

    Enabling this feature requires turning on Allow Trend Micro to collect suspicious email information to improve its detection capabilities.

    Once the option is enabled, Cloud App Security starts collecting email message metadata when scanning the messages. When more metadata accumulates, Cloud App Security analyzes the metadata to detect previously unidentified or unknown threats by using the updated pattern files and leveraging machine learning technologies that observe and analyze email behavior over a period of time. A considerable advantage of retro scan is that it can correlate the attributes of different email messages, which helps detect threats that cannot be uncovered by analyzing messages one by one.

    Based on the retro scan result, Cloud App Security automatically takes remediation actions on the affected email messages.

    • For an email message that should have been filtered as spam or other types of threats but not, Cloud App Security takes the administrator-configured action on the email message.

    • For an email message that has been incorrectly filtered as spam or other types of threats, Cloud App Security restores the email message when the message has been quarantined by the Advanced Spam Protection filter, or moves the message to the inbox when it has been moved to the junk folder by this filter. Cloud App Security does not undo the other actions.

    Enhanced BEC Detection

    Go to Administration > Global Settings > High Profile Users or Internal Domains or High Profile Domains, and specify high profile users, external or internal domains as necessary.

    Note:

    • This enables Cloud App Security to further check email messages claimed to be sent from most frequently forged users or domains, apply fraud checking criteria to identify forged messages, and take actions on the BEC attacks.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).
  4. (Exchange Online only) Configure Graymail Detection.
    Note:

    This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    1. Select Enable Graymail Detection.

      Cloud App Security detects the following as graymail messages:

      • Marketing message and newsletter

      • Social network notification

      • Forum notification

      • Bulk email message

    2. Select at least one graymail category.

  5. Configure Writing Style Analysis for BEC settings.
    Note:

    • This feature provides an enhanced way for Cloud App Security to train the writing style models of high profile users to detect probable BEC attacks. Additional configurations are required.

    • This feature is not available for the outbound protection of Exchange Online (Inline Mode).

    Before configuring writing style analysis settings, go to Administration > Global Settings to configure:

    Configure the Writing Style Analysis for BEC settings. For details, see Configuring Writing Style Analysis for BEC.

  6. Configure Approved/Blocked Sender List.
    1. Select Enable the approved sender list.
    2. Specify a sending email address or domain to bypass Advanced Spam Protection scanning and click Add >.
      Note:

      You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.com

      The following formats are invalid: *@*, *

    3. Optionally click Import to import sender email addresses in batches.
    4. Select Enable the blocked sender list.
    5. Specify a sending email address or domain to apply actions on messages directly, and click Add >.
      Note:

      You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.com

      The following formats are invalid: *@*, *

    6. Optionally click Import to import sender email addresses in batches.
    7. Go to Action to set an action for the blocked sender list.

    • For Gmail, Label email, Delete, and Quarantine are supported.

    • For other applications and services, Quarantine and Delete are supported.

  7. Configure Approved Header Field List.
    1. Select Enable the approved header field list.
    2. Specify a header field name in the Name text box and a value for the field in the Value text box, and select Contains or Equals as necessary.
    3. Click Add.

      The specified entry appears in the area below.

      When the specified header field of an email message contains or exactly matches with the specified value depending on whether Contains or Equals is selected, the message will not be scanned by Advanced Spam Protection for spam, but will still go through the other security filters in the policy.

      Note:

      Be aware that Name and Value are case sensitive, and wildcard characters and regular expressions are not supported.

      The header field name and value cannot exceed 128 characters.

    4. Optionally repeat steps b and c to add another header field as necessary.

      The email message whose header field hits any of the specified entries will not be scanned by Advanced Spam Protection.

      Note:

      A maximum of 10 header fields is supported.

    5. To delete a specified header field, select it from the list and click Delete.

    The approved header field list configured here applies only to the current policy. You can also create an approved header field list that is applicable to all enabled policies for Exchange Online. For more information, see Configuring Approved Header Field List for Exchange Online.

  8. Configure Action settings for each category.

    Cloud App Security allows you to configure actions by the following categories:

    • (Exchange Online only) Graymail

    • (Exchange Online only) Scam: For example, 419 scams, lottery scams, and bitcoin scams.

    • BEC

    • Phishing

    • Ransomware

    • Malicious content: Spam messages that carry malicious attacks of other types such as command and control (C&C), malware, and bank Trojan.

    • Spam: For example, unsolicited commercial email messages or unsolicited bulk email messages.

      Optionally select Pass all the messages sent from internal domains if detected as other spam to help reduce false positives if some internal email messages are detected by Cloud App Security as other spam but you treat them as normal messages based on your organization's security policies.

      Note:

      For the outbound protection for Exchange Online (Inline Mode), optionally select Pass all outbound messages detected as other spam without logging.

    • Blocked sender list: Messages that come from senders with email addresses matching the blocked sender list.

    • Unusual signal: Messages that match any unusual trait or behavior that looks suspicious to Cloud App Security.
      Note:

      Trend Micro recommends that you apply the "Add disclaimer" action to alert your users to the unusual traits or behavior in the emails. Since a single unusual signal does not mean a definite threat, we do not recommend the "Quarantine" or "Delete" action..

    For details about the actions, see Actions Available for Different Services.

    For details about how advanced spam protection filtering actions apply, see Advanced Spam Protection Filtering Action Criteria.

  9. Configure Notification settings.
    Option Description

    Notify administrator

    1. Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups. For details, see Configuring Recipient Groups.

    2. Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

    3. Set the notification threshold which limits the number of notification messages to send. Threshold settings include:

      • Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).

      • Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.

      • Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

    Notify User

    Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.
    Note:

    When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

  10. Click Save or select another policy configuration on the left navigation to continue with additional rules.

Configuring Writing Style Analysis for BEC

  1. Select Enable writing style analysis.

    Cloud App Security automatically starts retrieving email messages written by high profile users from the configured email addresses and analyzing them to train the writing style model for each user. To view the training progress, go to Administration > Global Settings > High Profile Users.

    To train the writing style model of each high profile user added for your email service, that is, Exchange Online or Gmail, you must enable writing style analysis in at least one Advanced Threat Protection policy for that service. If you disable writing style analysis in all policies of that service, the training process is paused and will be resumed when writing style analysis is enabled in at least one policy.

    Important:

    Cloud App Security only scans email messages to train the particular writing style model for each high profile user, and does NOT collect any actual email message or its content.

  2. Select an action.

    An incoming email message that hits the writing style analysis criteria is subject to the action configured here, regardless of the setting for BEC in Action.

    For details about the actions, see Actions Available for Different Services.

    If writing style analysis is enabled in more than one policy of an email service, the action configured in the policy with a higher priority applies.

    If you want an email address related to a high profile user to skip from scanning for writing style verification, add the email address in the High Profile User Exception List.

  3. Optionally select Notify supposed sender to decide whether to send a notification message to the high profile user who is expected to be the real sender of the email message.

    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the supposed sender.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

    • Optionally select Allow the supposed sender to provide feedback to decide whether to add a feedback option in the notification message.

      The supposed sender can click Yes or No to confirm whether the sender has actually sent the email message. This does not affect the configured action taken on the email message, but helps Trend Micro improve its writing style analysis capabilities.

  4. Optionally select Notify administrator.

    A message specifically designed for writing style analysis violation will be sent to notify the administrator that Cloud App Security detected a probable BEC attack through email and took action on the email message. Whether or not the administrator receives the notification message is subject to the settings here, regardless of the setting in Notification.

    • Optionally click Edit notification to modify the message content as necessary. For details about the tokens, see Token List.

    • Optionally select Attach the original email message to decide whether to add the original email message as an attachment when notifying the administrator.

      Note:

      This option does not apply when Action is set to Delete or Quarantine.

Advanced Spam Protection Filtering Action Criteria

Advanced Spam Protection filtering action criteria for Exchange Online are described as follows:

  • For the scam, BEC, phishing, ransomware, and malicious spam categories, the default action is Quarantine, that for graymail is Pass, and that for other spam is Move to Junk Email folder.

  • After Cloud App Security takes the Move to Junk Email folder action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Quarantine, Move to Junk Email folder, Tag subject, Pass.

  • If an email message is moved to or restored from the Junk Email folder by a user, Cloud App Security will scan and process the message when a new manual scan starts.

  • If an email message is moved to the Junk Email folder by Cloud App Security after the Move to Junk Email folder action is taken, Cloud App Security will not scan and process the message again.

  • If an email message is moved to the Junk Email folder by Exchange Online, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Junk Email folder.

Advanced Spam Protection filtering action criteria for Gmail are described as follows:

  • For the BEC, phishing, ransomware, and malicious spam categories, the default action is Label email, and that for other spam is Move to Spam.

  • After Cloud App Security takes the Move to Spam action against an email message, the email message will still be sent to other scanning filters for further processing.

  • If an email message hits multiple spam categories, Cloud App Security combines the actions set for each of these categories and takes only the action with the highest priority. The actions come with the following priorities from high to low: Delete, Label email, Move to Spam, Pass.

  • If an email message is moved to the Spam label by Gmail, Cloud App Security processes it and still takes action against it as long as the action set for the corresponding spam category takes precedence over Move to Spam.

Unusual Signals

The following table lists the unusual signals that Cloud App Security can detect.

Signal

Description

Account-Takeover

This sender account might be compromised.

Unusual-URL

The URLs in the email are similar to those found in other malicious emails.

Payment-PDF-Free-Email

This message originates from a free email service and discusses payment-related issues in a PDF attachment.

Payment-HTML-Free-Email

This message originates from a free email service and discusses payment-related issues in an HTML attachment.

Payment-HTML-NB-Account

This account has no prior contact history with you and discusses payment-related issues in an HTML attachment.

Forged-Brand

The sender claims to be a well-known brand. However, the behavior of the sender does not match the known behavior of the brand.

Suspicious-Notify

The attachment might contain links used for malicious activity.