Security Engines - SmartPhish

The SmartPhish security engine is responsible for detecting phishing and suspected phishing emails. It analyzes various components of an email, such as attachments, links, sender reputation, domain analysis, OCR, and many more.

The SmartPhish engine detects phishing in emails in all languages. Language-based detections are supported for the languages listed in Supported Languages for Anti-Phishing.

Phishing Threshold

The Anti-Phishing algorithm returns a verdict on each analyzed email together with a confidence level that ranges from Lowest to Highest.

Any email categorized as Phishing with a confidence level equal to or greater than the Phishing Threshold (PT) generates a phishing security event.

Any email categorized as phishing with a confidence level one step below the Phishing Threshold (for example, PT is "High" and the verdict's confidence level is "Medium") triggers the creation of a suspicious event.

By default, the Phishing Threshold is set to "High".

Best Practice - Avanan recommends that you adjust the Phishing Threshold based on the false-positive and false-negative rates observed when reviewing the phishing events triggered by SmartPhish.
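The following Python is an added illustration of the threshold rule above; it is not Avanan's code. The five-step confidence scale (Lowest, Low, Medium, High, Highest) is an assumption, since the page only states that confidence runs from Lowest to Highest; the default PT of "High" is the value the page gives.

```python
# Added example (not Avanan's code): how the Phishing Threshold (PT) turns a
# SmartPhish verdict into a security event. The five-level scale below is an
# assumption; the page only says confidence runs from Lowest to Highest.
CONFIDENCE_LEVELS = ["Lowest", "Low", "Medium", "High", "Highest"]
DEFAULT_THRESHOLD = "High"  # the default stated on the page


def event_for_verdict(verdict, confidence, threshold=DEFAULT_THRESHOLD):
    """Return 'phishing', 'suspicious' or None for one analyzed email.

    Only a 'Phishing' verdict can raise an event:
      confidence >= PT            -> phishing security event
      confidence == one below PT  -> suspicious event
      anything lower              -> no event
    """
    if verdict != "Phishing":
        return None
    rank = CONFIDENCE_LEVELS.index(confidence)      # ValueError on an unknown level
    pt_rank = CONFIDENCE_LEVELS.index(threshold)
    if rank >= pt_rank:
        return "phishing"
    if rank == pt_rank - 1:
        return "suspicious"
    return None


def threshold_impact(threshold):
    """Map each confidence level to the event it produces under a given PT.

    Useful when tuning PT as the page recommends: lowering PT by one step
    promotes one level from 'suspicious' to 'phishing' and one from no event
    to 'suspicious'. At PT = 'Lowest' there is no level left below it, so no
    suspicious events can be produced at all.
    """
    return {level: event_for_verdict("Phishing", level, threshold)
            for level in CONFIDENCE_LEVELS}


if __name__ == "__main__":
    for pt in ("Highest", "High", "Medium", "Lowest"):
        print(pt, threshold_impact(pt))
```

Running the script prints, for each candidate PT, which confidence levels would become phishing events, suspicious events, or nothing, which is the comparison an administrator makes before moving the threshold.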

Nickname Impersonation

For more details about Nickname Impersonation, see Nickname Impersonation.

Phishing Simulation Solutions

Many organizations use phishing simulation solutions to educate their employees on how to detect and report phishing attacks. These solutions send fake phishing emails to employees to try and trick them into performing actions, opening attachments, or clicking on phishing URLs.

Avanan automatically detects such emails from commonly-used phishing simulation solutions and does not mark them as phishing.

However, Avanan might not detect some phishing simulation solutions and then blocks their simulation emails. Avanan recommends adding an Anti-Phishing Allow-List rule based on the solution's IP address. For information about adding an Allow-List, see Anti-Phishing Exceptions.

Anti-Phishing Allow-List and Block-List

The Anti-Phishing security engine supports defining Allow-Lists and Block-Lists.

The Anti-Phishing engine stops scanning emails that match an Allow-List or Block-List rule; the Anti-Phishing verdict is automatically Clean (for Allow-List) or Phishing (for Block-List).

Note - Emails in the Anti-Phishing Allow-List and Block-List are evaluated by other security engines, such as Anti-Malware and DLP.

Adding Anti-Phishing Allow-List or Block-List Rule

You can add the Allow-List or Block-List rule from any of these:

  • From the Anti-Phishing Allow-List / Block-List
    1. Navigate to Configuration > Anti-Phishing Allow-List or Configuration > Anti-Phishing Block-List as per the requirement.
    2. Under Filters, define the criteria for filtering the emails and click Search.
    3. After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
    4. If required, enter the description for the rule under Comment and click Ok.
  • From the Mail Explorer (see Creating Allow-List and Block-List Rule)
  • From the email profile page
    1. Open the required email profile.
    2. Under Security Stack, select Similar Emails / Create Rules.
    3. Under Filters, define the criteria for filtering the emails and click Search.
    4. After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
    5. If required, enter the description for the rule under Comment and click Ok.

Filters to refine the email criteria for Allow-List or Block-List

While refining the criteria for creating Allow-List or Block-List, you can use these filters.

Date Received: Events in the last year, month, week, day, or hour. Also, using Range, you can select emails received on a specific date and time.
Quarantine State: Select the events based on these quarantine states.
  • Quarantine
  • Non Quarantined
  • Display All
Recipients: Emails that contain a specific recipient, or a recipient that matches a specific term.
Subject: Emails that match a specific subject.
Sender Name: Emails from a specific sender.
Sender Domain: Emails from a specific domain.
Sender Email: Emails from a specific email address.
Client Sender IP: Emails from a specific client sender IP address.
Server IP: Emails from a specific server IP address.
Links in body: Emails that have links to external resources in the body of the email.
Attachments MD5: Emails that have attachments with a specific MD5 hash.
Headers: Emails that have a specific header.
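The Python below is an added model, not Avanan's code, of how Allow-List and Block-List rules built from the filters above short-circuit the Anti-Phishing scan while Anti-Malware and DLP still evaluate the same email (the note in the Allow-List and Block-List section). The email dictionary layout, the rule format, the AND semantics between a rule's criteria, the Block-before-Allow ordering, the stand-in SmartPhish, Anti-Malware and DLP engines, and all sample data are assumptions; only the filter names come from the page.

```python
# Added example (not Avanan's code): Allow-List / Block-List rules built from
# the page's filter names, applied ahead of the SmartPhish scan. Email layout,
# rule format, AND semantics, Block-before-Allow order and the stand-in engines
# are assumptions for illustration.
import hashlib
import re

RULE_FIELDS = {"recipient", "subject", "sender_name", "sender_domain",
               "sender_email", "client_sender_ip", "server_ip",
               "links_in_body", "attachment_md5", "header"}


def rule_matches(rule, email):
    """True when every criterion in the rule matches the email."""
    for field, wanted in rule["criteria"].items():
        if field not in RULE_FIELDS:
            raise ValueError(f"unknown filter field: {field}")
        if field == "recipient":
            # "a recipient that matches a specific term": substring, case-insensitive
            if not any(wanted.lower() in r.lower() for r in email["recipients"]):
                return False
        elif field == "sender_domain":
            domain = email["sender_email"].rsplit("@", 1)[-1]
            if domain.lower() != wanted.lower():
                return False
        elif field == "links_in_body":
            if bool(re.search(r"https?://", email["body"])) != wanted:
                return False
        elif field == "attachment_md5":
            digests = {hashlib.md5(a).hexdigest() for a in email["attachments"]}
            if wanted.lower() not in digests:
                return False
        elif field == "header":
            # criterion "Name" (header present) or "Name: value" (exact value)
            name, _, value = wanted.partition(":")
            actual = email["headers"].get(name.strip().lower())
            if actual is None or (value.strip() and actual.strip() != value.strip()):
                return False
        elif str(email[field]).lower() != str(wanted).lower():
            return False  # subject, sender_name, sender_email, client_sender_ip, server_ip
    return True


def anti_phishing_verdict(email, allow_rules, block_rules, smartphish_scan):
    """A matching rule fixes the verdict and skips the scan; otherwise SmartPhish runs."""
    for rule in block_rules:
        if rule_matches(rule, email):
            return "Phishing", "Block-List: " + rule["comment"]
    for rule in allow_rules:
        if rule_matches(rule, email):
            return "Clean", "Allow-List: " + rule["comment"]
    return smartphish_scan(email), "SmartPhish scan"


# Constructed stand-ins for the other engines (real engines are far richer).
KNOWN_BAD_MD5 = {hashlib.md5(b"constructed malicious sample").hexdigest()}
CARD_NUMBER = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def security_stack(email, allow_rules, block_rules, smartphish_scan):
    """Allow/Block-List rules only affect the Anti-Phishing verdict; Anti-Malware
    and DLP still run on every email, as the page's note says."""
    verdict, reason = anti_phishing_verdict(email, allow_rules, block_rules, smartphish_scan)
    malware = any(hashlib.md5(a).hexdigest() in KNOWN_BAD_MD5 for a in email["attachments"])
    dlp = bool(CARD_NUMBER.search(email["body"]))
    return {"anti_phishing": verdict, "reason": reason,
            "anti_malware": "Malicious" if malware else "Clean",
            "dlp": "Violation" if dlp else "Clean"}


# Constructed sample data: a phishing-simulation message sent from an
# allow-listed server IP (the use case the page describes).
SIM_EMAIL = {
    "recipients": ["alice@example.com"], "subject": "Action required: password reset",
    "sender_name": "IT Helpdesk", "sender_email": "helpdesk@sim-vendor.example",
    "client_sender_ip": "203.0.113.10", "server_ip": "203.0.113.10",
    "body": "Please confirm at https://training.sim-vendor.example/reset",
    "attachments": [], "headers": {"x-phish-sim": "true"},
}
ALLOW_RULES = [{"criteria": {"server_ip": "203.0.113.10"},
                "comment": "phishing simulation vendor"}]
BLOCK_RULES = [{"criteria": {"sender_domain": "bad-sender.example", "links_in_body": True},
                "comment": "known lure domain"}]


def always_clean(email):
    """Stand-in SmartPhish scan for emails no rule matched."""
    return "Clean"


if __name__ == "__main__":
    print(security_stack(SIM_EMAIL, ALLOW_RULES, BLOCK_RULES, always_clean))
```

The allow-listed simulation email comes back Clean with the reason naming the rule, while the Anti-Malware and DLP columns are still computed from the message content. Block-List rules are checked first here so that a broad Allow-List entry cannot silently override a narrower block, which is a defensive choice of this example rather than documented product behaviour.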


Importing Allow-List or Block-List from External Sources

For various use-cases, predominantly migrating from a legacy solution to Avanan, you might need to import a large number of items to the Allow-List or Block-List.

To import Allow-List or Block-List, contact Avanan Support.

Reviewing Phishing Events

Phishing events are triggered by the SmartPhish and Click-Time Protection security engines.

The SmartPhish security engine prevents the most sophisticated phishing and spam emails from being delivered to the end users' mailboxes.

The Click-Time Protection security engine rewrites the links in emails and, every time an end user clicks a link, emulates the website behind it and checks its reputation.

Acting on Phishing Events

To review and investigate the phishing event:

  • To see reasons for the detection of an event as phishing, under Security Stack, click More Info for SmartPhish.
  • To investigate the header of the raw email, under Email Profile, click Show for Header from raw email.
  • To investigate the body of the raw email, under Email Profile, click Show for Show body from raw email.
  • To download the raw email, under Email Profile, click Download for Download this email.
  • To send the original email to the end-user, under Email Profile, click Send for Send Original Email.
    Note - This option appears only when there are links that were re-written by the Click-Time Protection security engine.
  • To recheck the email for phishing, under Email Profile, click Recheck for Recheck email.

To filter emails similar to the event generated:

  1. Under Security Stack, select Similar Emails / Create Rules.
  2. Under Filters, define the criteria for filtering the emails.
  3. Click Search.
    Note - After filtering the emails, you can create Anti-Phishing Allow-List and Block-List. See Anti-Phishing Exceptions.

To report mis-classification of an event:

  1. Under Security Stack in the event profile, click Report mis-classification for Anti-Phishing.
  2. Under Report this email as, select how you want to classify the event:
    • Legit Marketing Email
    • Clean Email
    • Spam
    • Phishing
  3. Under How confident are you, select how confident you are about the classification you selected:
    • Not so sure
    • Medium confidence
    • High confidence
  4. Click OK.