Modules - Mail Explorer

Introduction

Mail Explorer allows you to view and search for emails Avanan viewed and processed on the protected email platforms.

It allows administrators to search for emails without using complex queries. To search for specific emails using advanced fields and operators, click Advanced (Custom Queries). The system redirects to the Custom Queries page.

Searching for Emails in Mail Explorer

From the Mail Explorer, you can filter and view emails based on specific search criteria.

To filter emails:

  1. Under the Date Received field, select Last or Range and choose the relevant period.

  2. Enable the relevant checkboxes and enter the search criteria for the query.

  3. Click Search.

Note - Whenever you perform a search operation in Mail Explorer, a log gets generated under System Logs.

Available Search Fields

  • Date received
  • Detection (Microsoft or Avanan)
  • Quarantine State (Microsoft, Google, Avanan or administrators)
  • Direction (incoming, outgoing or internal)
  • Subject
  • Sender Email
  • Sender Domain
  • Sender Name
  • Recipients
  • Server IP address
  • Client sender IP address
  • Attachments MD5
  • Links in email body
  • Message ID

Contains vs Match

For search fields that need a string as input, administrators can select Match or Contains conditions.

  • Match condition - Shows only the emails that exactly match the string.
  • Contains condition - Shows the emails that contain the string.

For example, if an email has Check out the invoice for this month as subject and you have searched for Check out this with Match condition, the system does not show the email.

Searching for Emails with Email Subject

When filtering the emails with the subject field, the system shows the search results with this logic:

  • If you use the Match condition, the system shows the emails with subjects that exactly match the search input string.
  • If you use the Contains condition, the system shows all the emails whose subject contains the words (full words, not parts of them) in the search input string, regardless of their order.

This is how the system performs the search operation:

  1. Splits the search string into words, where the delimiter is every character that is not a letter or a number (a-z, A-Z, 0-9).
    For example, the search string Check:this out now! is split into the words Check, this, out, now.
  2. The subject itself is also split into words like the search string.
    For example, for the search subject Check:this out now!, the system also returns Now! Check this: out as a result.
  3. To search for words in specific order in an email subject, use quotation marks ("").
    • Special characters will be presented in the results if they are used in the input search string.
    • If you enter special characters in the search, the system returns the email subjects with those special characters.
      For example, if the search string is "Check this out now!", the system will not return Check:this out now! and Now check this out subjects.
  4. Returns all the emails whose subject contains all of the search string input words, regardless of their order.
    For example, the system returns Now check this out subject also.

Detailed example:

Subject Search that will return the email Search that will NOT return the email
Lorem: ipsum’s dolor sit amet, consectetur adipiscing elit
  • Lorem: ipsum’s
  • Lorem
  • Lorem: ipsum’s dolor sit amet, consectetur adipiscing elit
  • Lorem ipsum’s
  • Ipsum
  • Lorem-ipsum
  • Lorem------ipsum
  • S
  • Ipsum lorem
  • “lorem: ipsum”
  • “lorem:ipsum”
  • “ipsum’s”
  • Lor
  • Lorem: ipsu
  • “lorem”
  • “lorem-ipsum”

Searching for Emails with Sender Email

While filtering for emails from a specific sender using the Contains condition, Avanan considers the sender's email address as a single string.

Example:

Email Sender: john@company.com

Search that will return the email:
  • oh
  • john
  • hn@comp

Search that will NOT return the email:
  • joh pany
  • john company.com

Searching for Emails with Recipient Address

Recipient address contains a list of all email addresses the email was sent to.

Similar to searching on the subject field, the system splits the input string and the list of email recipients into words, where all non-alphabetical characters are delimiters.

Then, the system searches for emails with the string containing those words (not part of them) in the same order as they appear in the input string.

For example, the recipient john@mycompany.com is split into three consecutive words: john company com

Email Recipients: john@gmail.com, jeremy@company.com (the email was sent to both the addresses)

Search that will return the email:
  • john
  • jeremy
  • Jeremy company
  • john gmail com

Search that will NOT return the email:
  • john company
  • joh

Searching for Emails with Links in the Email Body

When searching for links in the email body, the system supports search strings of three letters and above.

The system returns an email in the results if it contains a link in its body where the search string is either:

  • A substring or a full copy of the link domain without protocol. For example, domain.com
  • An exact copy of the entire link, including the full path (not only the domain) and the protocol. For example, https://domain.com/path.html

Example:

Link in email body: https://Link_domain.com/path-additionalwords?highlight:yes

Search that will return the email:
  • Link
  • Link_dom
  • ain.com
  • Link_domain.com
  • https://Link_domain.com/path-additionalwords?highlight:yes

Search that will NOT return the email:
  • Li
  • Path
  • path-additionalwords?highlight:yes
  • Link_domain.com/path-
  • https://Link-Domain.com
 

Searching for Emails Based on Detection

Administrators can search for emails based on the Microsoft and Avanan detections.

In addition, administrators can control the search condition between the Avanan and Microsoft detections.

Examples:

Search for: All detected phishing emails
Mail Explorer Query: Avanan detection = Phishing OR Microsoft detection = High-Confidence Phishing

Search for: Microsoft misdetections
Mail Explorer Query: Avanan detection = all but clean AND Microsoft detection = clean

Search for: Microsoft phishing misdetections
Mail Explorer Query: Avanan detection = Phishing, Malware AND Microsoft detection = all but high-confidence phishing

Searching for Emails Based on Quarantine State

Administrators can search for emails based on the enforcement decision of Microsoft / Google, Avanan, administrators or Avanan analysts (see Incident Response as a Service (IRaaS)).

In addition, the administrators can control the search condition between Avanan and Microsoft / Google enforcement decisions.

Examples:

Search for: All quarantined emails
Mail Explorer Query: Avanan detection = Quarantined OR Microsoft / Google = Quarantined

Search for: Google / Microsoft misses
Mail Explorer Query: Avanan = Quarantined AND Microsoft / Google = Not quarantined

Search for: Emails quarantined by administrators
Mail Explorer Query: Avanan = Quarantined by admin AND Microsoft / Google = select all

Search for: Malicious emails that would have been delivered to Junk by Microsoft / Google
Mail Explorer Query: Avanan = Quarantined AND Microsoft / Google = Delivered to Junk

Acting on Filtered Results

Restore quarantined emails

To restore the quarantined emails:

  1. Open Mail Explorer from the left navigation panel.
  2. Under Filters, define the criteria for filtering the emails and click Search.
  3. To restore emails from the search criteria, select the emails and click Restore selected emails under Actions.

Quarantine delivered emails

To quarantine the delivered emails:

  1. Open Mail Explorer from the left navigation panel.
  2. Under Filters, define the criteria for filtering the emails and click Search.
  3. To quarantine emails from the search criteria, select the emails and click Quarantine selected emails under Actions.

Creating Allow-List and Block-List Rule

Administrators can use the filters in Mail Explorer to create an Anti-Phishing Allow-List or Block-List.

The Anti-Phishing engine automatically marks all the emails matching these filters as clean for Allow-List or as Phishing for Block-List.

Notes:

  • The search criteria defined under the Date Received and Quarantine State fields do not apply to any rule.
  • Emails are scanned for malware and DLP even if they are in the Anti-Phishing Allow-List.

To create an Allow-List rule that marks emails matching the defined criteria as clean, select the filters and click Create Allow-List Rule.

To create a Block-List rule that blocks emails matching the defined criteria, select the filters and click Create Block-List Rule.

Export Results to CSV

To export the search results to CSV:

  1. Open Mail Explorer from the left navigation panel.
  2. Under Filters, define the criteria for filtering the emails and click Search.
  3. Select the emails to export.
    • To export all the emails from the search results, under Actions, click Export to CSV.
    • To export specific emails from the search results, select the emails and under Actions, click Export to CSV.
      Note - Only the selected emails will be exported.

Getting the Exported CSV File

  • If the export contains fewer than 500 emails, the CSV file is downloaded immediately.
  • If the export contains more than 500 emails, the CSV file is generated in the background. After the export is complete, the administrator who requested the export receives the CSV file by email.

Notes:

  • You can see the export status under System Settings > System Tasks.
  • The export action gets logged under System Settings > System Logs.