Partner Risk Assessment (Compromised Partners)
Organizations take measures to secure their users, collaboration applications, and emails. However, partners are one of the greatest threats to an organization. These are other companies that the organization maintains a business relationship with.
If one of the partners gets compromised, it is difficult for the email security solutions and the end users to detect these malicious and impersonated emails.
With Partner Risk Assessment in Avanan, you can proactively detect compromised partners.
Using the Partner Risk Assessment dashboard, you can view these:
- All your organization's business partners
- Risk indicators of partners that are possibly compromised.
To view the Partner Risk Assessment, go to Analytics > Partner Risk.
Identifying a Partner
Avanan automatically identifies partners while inspecting the incoming and outgoing emails for threats and DLP.
To identify an organization as a partner, Avanan uses multiple methods like these:
- External domain sending invoices to your organization's domain.
- External domain with a significant volume of emails exchanged with your organization's domain.
Reviewing the Partners
Avanan shows the identified partners (compromised and uncompromised) in a table under the Partner Risk Assessment dashboard.
The Partners table has these columns:
| Column Name | Description |
| Risk Score |
The severity of the detected Risk Indicator.
|
| Partner Domain | The partner's domain and its name. Note - Avanan sometimes does not show the partner name. |
| Communication Volume |
An indicator of how many emails were exchanged with the partner in the last
|
| Internal Contacts |
The internal contacts that corresponded with the partner domain. Note - If there are many contacts, it shows five contacts with the highest communication volume with the partner domain. |
| Partner Contacts |
The contacts from the partner domain that corresponded with your domain. |
| Risk Indicators |
A list of reasons a partner is considered potentially compromised. |
| Last Risk Date |
Last time when a risk indicator was detected. |
Risk Indicators
Avanan detects different risk indicators and assigns them to partners. Each risk indicator has a risk score attached to it.
The risk indicators have these values:
| Severity | Risk Indicator | Description |
| Highest | Phishing emails sent to your organization | Avanan detected high-confidence phishing emails sent to your organization from this domain, and the sender was authenticated (SPF pass). |
| High | Phishing emails sent to other organizations | Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, and the sender was authenticated (SPF pass). |
| High | Partner impersonation emails sent to your organization | Avanan detected high-confidence phishing emails sent to your organization from this domain, but the sender was not authenticated (SPF fail). |
| High | Service being used to send phishing emails to your organization | Avanan detected high-confidence phishing emails sent to your organization from this domain. This domain is a publicly available service that allows sending emails from it. |
| Medium | Partner impersonation emails sent to other organizations |
Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, but the sender was not authenticated (SPF fail). |
| Medium | Service being used to send phishing emails to other organizations | Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, and this domain is a publicly available service that allows sending emails from it. |
Stop Considering a Partner as Compromised
When Avanan detects a partner as compromised, it adds the relevant risk indicator to the partner. This risk indicator remains valid only for the next 72 hours.
For example, Avanan detected a partner as compromised and added Phishing emails sent to your organization risk indicator. If no phishing emails from its domain are detected in the next 72 hours, Avanan removes the risk indicator.
When no risk indicators are available, the partner is considered uncompromised.
Removing a Partner from the List
Administrators can override the automatic identification of a partner and remove a partner from the list.
To do that, click the vertical ellipses icon for the partner from the last column of the table and select Not a partner.
Note - If you remove a partner, you cannot add again. To add a removed partner, contact Avanan Support.
Acting on Compromised Partners
Anti-Phishing Higher Sensitivity
By default, when Avanan detects a partner as suspicious, it inspects the emails from their domain with high sensitivity. This way, they are more likely to be found as phishing.
Investigating Emails from Compromised Partners
To view and investigate the emails from the partner domain, click the vertical ellipses icon for the partner from the last column of the table and select Emails from partner.
Mail Explorer opens and, by default, shows the emails from the partner domain in the last seven days.
Impersonation of Partners
By default, the Anti-Phishing security engine treats emails from domains that resemble one of your partner's
domains with more suspicion.
Administrators can select to trigger a specific workflow in these cases. For more information, see Impersonation of your Partners.