Security Engines - SmartPhish

The SmartPhish engine is responsible for detecting phishing and suspected phishing emails. It analyzes various components of an email, such as attachments, links, sender reputation, domain analysis, OCR, and many more.

The SmartPhish engine detects phishing in emails in all languages. Language-based detections are supported for the languages listed in Supported Languages for Anti-Phishing.

Phishing Threshold

The Anti-Phishing algorithm returns a verdict for each analyzed email, with a confidence level that ranges from Lowest to Highest.

Any email categorized as Phishing with a confidence level equal to or greater than the Phishing Threshold (PT) generates a phishing security event.

Any email categorized as phishing with a confidence level one step below the Phishing Threshold (for example, PT is "High" and the confidence level of the verdict is "Medium") triggers the creation of a suspicious event.

By default, the Phishing Threshold is set to "High".

Best Practice - We recommend you adjust it based on the false positive/false negative rate observed when looking at phishing events triggered by SmartPhish.
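
The threshold rule above and the tuning that the Best Practice recommends, as an added example (not Avanan's code). The five-level scale is an assumption (the page names only Lowest, Medium, High and Highest), the function names are hypothetical, and the reviewed verdicts are constructed sample data.

```python
from collections import Counter

# Assumed ordinal scale: the page names Lowest, Medium, High and Highest;
# "Low" is an assumption made to complete the scale.
LEVELS = ["Lowest", "Low", "Medium", "High", "Highest"]


def classify(confidence, threshold="High"):
    """Map a phishing verdict's confidence to the event type it generates."""
    gap = LEVELS.index(confidence) - LEVELS.index(threshold)
    if gap >= 0:
        return "phishing"      # confidence equal to or above PT
    if gap == -1:
        return "suspicious"    # exactly one level below PT
    return "none"              # further below PT: no event


def tune(reviewed, threshold):
    """Count outcomes for one PT setting over analyst-reviewed verdicts.

    reviewed: list of (confidence, is_really_phishing) pairs.
    """
    stats = Counter()
    for confidence, is_phish in reviewed:
        event = classify(confidence, threshold)
        if event == "phishing":
            stats["true_positive" if is_phish else "false_positive"] += 1
        elif event == "suspicious":
            stats["suspicious"] += 1
        elif is_phish:
            stats["false_negative"] += 1   # real phish that raised no event
    return dict(stats)


# Constructed sample: verdict confidence and the analyst's final label.
REVIEWED = [
    ("Highest", True), ("High", True), ("High", False),
    ("Medium", True), ("Medium", False), ("Medium", False),
    ("Low", True), ("Low", False), ("Lowest", False),
]

if __name__ == "__main__":
    # Compare every possible PT setting side by side.
    for pt in LEVELS:
        print(f"PT={pt:8} {tune(REVIEWED, pt)}")
```

Lowering PT from "High" to "Medium" on this sample removes the missed phishing email but triples the false positives, which is the trade-off to weigh when adjusting the threshold.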

Nickname Impersonation

For more details about Nickname Impersonation, see Nickname Impersonation.

Anti-Phishing Exceptions

In this screen, you can manage exceptions for the Anti-Phishing algorithm. You can set exceptions for the Anti-Phishing algorithm from a specific event. You can also add exceptions directly on this screen.

Note - An email that matches an Anti-Phishing exception is still inspected by the other security engines, such as URL Reputation, Threat Emulation, and others.

Available Exceptions

Name - Description

Excluded Emails - This will not scan an email with the Anti-Phishing algorithm if the email address of the sender is in the list.

Excluded IPS - This will not scan an email with the Anti-Phishing algorithm if the IP Address of the sender is in the list.

Excluded Domains - This will not scan an email with the Anti-Phishing algorithm if the domain of the sender is in the list.

Excluded Nicknames - This will not scan an email with the Anti-Phishing algorithm if the nickname of the sender is in the list.

Excluded Emails per Owner - This section shows exceptions set by users themselves. When the workflow for phishing defined in policy is to add a warning to the email subject, Avanan will sometimes add a banner at the top of the email "Do you trust this sender - Yes or No". If the user clicks Yes, then an exception is added under this tab for this specific recipient and sender.

Anti-Phishing Block-List

When you open the event details of an email that the Anti-Phishing algorithm did not flag as phishing, the Mark as phishing option is shown.

You can mark the email under review as phishing as well as previous emails based on the criteria you select.

Additionally, any future email matching those criteria is handled as phishing.

You can review and remove Block-List rules under Configuration > Anti-Phishing Block-List.