Security Engines - Smart-Phish (Anti-Phishing)

The Smart-Phish (Anti-Phishing) security engine is responsible for detecting phishing, suspected phishing, and spam emails. It analyzes various components of an email, such as attachments, links, sender reputation, domain analysis, OCR, and many more.

The Smart-Phish engine detects phishing in emails in all languages. Language-based detections are supported for the languages listed in Supported Languages for Anti-Phishing.

Phishing Confidence Level (Threshold)

The Anti-Phishing algorithm returns a verdict for each analyzed email, with a confidence level ranging from Lowest to Highest.

Any email categorized as phishing with a confidence level equal to or greater than the phishing confidence level (threshold) generates a Phishing event and triggers the relevant workflow.

Any email categorized as phishing with a confidence level below the defined phishing confidence level (threshold) generates a Suspected Phishing event and triggers the relevant workflow.

For example, if the phishing confidence level (threshold) is High and the Anti-Phishing engine categorizes an email as phishing with a confidence level of Medium, it triggers the Suspected Phishing workflow.

By default, the phishing confidence level (threshold) is set to High.

To configure the phishing confidence level (threshold):

  1. Go to Configuration > Security Engines > Smart-Phish.
  2. Click Configure for Smart-Phish.
  3. Under Phishing confidence level, select the required threshold.
  4. Click Save.

Nickname Impersonation

For more details about Nickname Impersonation, see Nickname Impersonation.

Phishing Simulation Solutions

Many organizations use phishing simulation solutions to educate their employees on how to detect and report phishing attacks. These solutions send fake phishing emails to employees to try and trick them into performing actions, opening attachments, or clicking on phishing URLs.

Avanan automatically detects such emails from commonly-used phishing simulation solutions and does not mark them as phishing. Phishing reports from users regarding those emails will be automatically declined.

Avanan Portal supports phishing simulation solutions from ActiveTrail, BenchMark, HubSpot, KnowBe4, MailChimp, MailGun, MailJet, MimeCast, PhishMe, ProofPoint, SendGrid, SendInBlue, Sophos Phish Threat V2, TargetHero, TerraNova, and ZoHo.

If you are using a different phishing simulation solution:

  • To avoid detection of phishing simulation emails, add an Anti-Phishing Allow-List rule based on the solution's IP address.
    For information about adding an Allow-List, see Anti-Phishing Exceptions.
  • To request support for the phishing simulation solution, contact Avanan Support.
  • To automatically decline end-users' phishing reports regarding phishing simulation emails, contact Avanan Support.

For Office 365, to see user-reported phishing reports from phishing simulation solutions, see Integration with End-user Phishing Reports.

Upstream Message Transfer Agents (MTAs)

During Learning Mode, to improve the accuracy of the Anti-Phishing engine, Avanan automatically detects MTAs that process emails before they reach Microsoft/Google.

If there are other MTAs that are not detected by Avanan, you can add them manually.

To add MTAs manually:

  1. Go to Configuration > Security Engines.
  2. Click Configure for Anti-Phishing.
  3. Scroll down to SMTP host/s acting as Mail Transfer Agent/s (MTA) and enter the full DNS names or IP addresses of the MTAs, separated by commas.
  4. Click Save.

 

Anti-Phishing Exceptions

The Anti-Phishing security engine supports defining Allow-Lists and Block-Lists.

The Anti-Phishing engine stops scanning emails that match an Allow-List or Block-List rule. The Anti-Phishing verdict will automatically be clean (for Allow-List) or Phishing / Suspected Phishing / Spam (for Block-List).

Note - Emails in the Anti-Phishing Allow-List and Block-List are evaluated by other security engines, such as Anti-Malware and DLP.

Adding Anti-Phishing Allow-List or Block-List Rule

You can add the Allow-List or Block-List rule from any of these:

  • From the Anti-Phishing Allow-List / Block-List
    1. Navigate to Configuration > Anti-Phishing Allow-List or Configuration > Anti-Phishing Block-List as per the requirement.
    2. Under Filters, define the criteria for filtering the emails and click Search.
    3. After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
    4. If required, enter the description for the rule under Comment and click Ok.
  • From the Mail Explorer (see Creating Allow-List and Block-List Rule)
  • From the email profile page
    1. Open the required email profile.
    2. Under Security Stack, select Similar Emails / Create Rules.
    3. Under Filters, define the criteria for filtering the emails and click Search.
    4. After refining the email criteria, click Create Allow-List Rule to create an allow-list rule or Create Block-List Rule to create a block-list rule.
    5. If required, enter the description for the rule under Comment and click Ok.

Filters to refine the email criteria for Allow-List or Block-List

While refining the criteria for creating Allow-List or Block-List, you can use these filters.

Filter Name - Description

Date Received - Events in the last year, month, week, day, or hour. Also, using Range, you can select the emails on a specific date and time.
Quarantine State - Select the events based on these quarantine states:
  • Quarantine
  • Non Quarantined
  • Display All
Recipients - Emails that contain a specific recipient or a recipient that matches a specific term.
Subject - Emails that match a specific subject.
Sender Name - Emails from a specific sender.
Sender Domain - Emails from a specific domain.
Sender Email - Emails from a specific email address.
Client Sender IP - Emails from a specific client and IP address.
Server IP - Emails from a specific server IP address.
Links in body - Emails that have links to external resources in the body of the email.
Attachments MD5 - Emails that have attachments with a specific MD5.
Headers - Emails that have a header.

 

Allow-List Settings

Even when there is an allow-list in Avanan Portal, if Microsoft 365 gives a high SCL score, these emails might be quarantined or moved to the Junk folder.

To customize the Allow-List settings:

  1. Go to Configuration > Security Engines.
  2. Click Configure for Smart-Phish (Anti-Phishing).
  3. Scroll down to Allow-List Settings and select the required settings.
    • For emails allow-listed in Avanan portal, to stop quarantining from Microsoft 365 and to allow the emails to the end user mailbox, select Allow-List emails that are allow-listed by Check Point also in Microsoft/Google.
    • For emails allow-listed in Microsoft 365, to stop quarantining from Avanan portal and to allow the emails to the end user mailbox, select Allow-List emails that are allow-listed in Microsoft (SCL = -1) also in Check Point.
  4. Click Save. 

Importing Allow-List or Block-List from External Sources

For various use-cases, predominantly migrating from a legacy solution to Avanan, you might need to import a large number of items to the Allow-List or Block-List.

To import Allow-List or Block-List, contact Avanan Support.

Blocking Emails that Fail DMARC

Some organizations configure their DMARC (Domain-based Message Authentication, Reporting and Conformance) record to quarantine or reject emails that fail DMARC checks. Most organizations choose to enforce this rejection for incoming emails with Microsoft/Google.

If you wish to enforce it with Avanan, you can configure the Anti-Phishing engine to trigger the Suspected Phishing or Phishing workflow for emails that fail DMARC checks.

By default, No extra action is selected for DMARC failed emails in the Anti-Phishing security engine.

To configure the workflow for DMARC failed emails with Quarantine or Reject action:

  1. Sign in to the Avanan Portal.
  2. Navigate to Configuration > Security Engines.
  3. Click Configure for Smart-Phish (Anti-Phishing).
  4. Scroll down to the When emails fail DMARC with action reject/quarantine section and select one of these.
    • No extra action - Enforces no extra action.
    • Trigger 'Suspected Phishing' workflow - Enforces the Suspected Phishing workflow configured in the threat detection policy.
    • Trigger 'Phishing' workflow - Enforces the Phishing workflow configured in the threat detection policy. See
  5. Click Save.

Warning - If incoming emails go through a secure email gateway (SEG) before reaching Microsoft/Google, then Microsoft/Google might flag these emails as DMARC violation because the email comes in from the SEG, whose IP might not be authorized in the SPF/DMARC records.
In such cases, selecting to trigger Suspected Phishing or Phishing workflow might result in a high number of false positives and might impact email delivery.
Make sure the DMARC record is configured properly before selecting these workflows.
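
One way to measure the false-positive exposure described in the warning before selecting either workflow, as an added example (not Avanan code): it reads the Authentication-Results header of raw emails and separates DMARC failures that arrived through your SEG from those that arrived directly. The SEG address range, the sample messages (constructed, in the Microsoft 365 header style) and the function names are assumptions.

```python
import email
import ipaddress
import re
from collections import Counter

# Assumption: address ranges your SEG / upstream MTAs relay from (documentation range).
SEG_NETWORKS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample messages; Authentication-Results values mimic Microsoft 365 style.
SAMPLES = [
    # Relayed by the SEG: SPF sees the SEG's IP, so DMARC fails for a legitimate sender.
    "Authentication-Results: spf=fail (sender IP is 198.51.100.5)\n"
    " smtp.mailfrom=partner.example; dkim=none (message not signed);\n"
    " dmarc=fail action=quarantine header.from=partner.example\n\nbody",
    # Delivered directly from an unrelated host: a failure worth enforcing.
    "Authentication-Results: spf=fail (sender IP is 203.0.113.77)\n"
    " smtp.mailfrom=bank.example; dkim=none;\n"
    " dmarc=fail action=oreject header.from=bank.example\n\nbody",
    # Passing message, not counted as a failure.
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
    " smtp.mailfrom=news.example; dmarc=pass action=none header.from=news.example\n\nbody",
]

def sender_ip(spf_comment):
    """Return the first IP address found in the SPF result comment, or None."""
    for token in spf_comment.split():
        try:
            return ipaddress.ip_address(token.strip("[](),;"))
        except ValueError:
            continue
    return None

def classify(raw_message):
    """Bucket one raw message by whether its DMARC failure is attributable to the SEG."""
    msg = email.message_from_string(raw_message)
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    enforced = re.search(r"\b(?:action=o?|p=)(?:quarantine|reject)\b", results, re.I)
    if not (re.search(r"\bdmarc=fail\b", results, re.I) and enforced):
        return "not-affected"
    spf = re.search(r"\bspf=\w+\s*\(([^)]*)\)", results, re.I)
    ip = sender_ip(spf.group(1)) if spf else None
    if ip is None:
        return "fail-unknown-ip"
    if any(ip in net for net in SEG_NETWORKS):
        return "fail-via-seg"  # would become a false positive if a workflow is triggered
    return "fail-direct"

def summarize(raw_messages):
    return Counter(classify(m) for m in raw_messages)
```

Run summarize() over raw emails downloaded from the Email Profile page; a large fail-via-seg share means the SEG should be authorized in the SPF/DMARC setup or added as an upstream MTA before either workflow is selected.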

Reviewing Phishing Events

Phishing events are triggered by the Smart-Phish and Click-Time Protection security engines.

The Smart-Phish security engine prevents the most sophisticated phishing and spam emails from being delivered to the end users' mailboxes.

The Click-Time Protection security engine re-writes the links in emails, emulates and checks the reputation of websites behind the links every time an end user clicks on them.

Acting on Phishing Events

To review and investigate the phishing event:

  • To see reasons for the detection of an event as phishing, under Security Stack, click More Info for Smart-Phish.
  • To investigate the header of the raw email, under Email Profile, click Show for Header from raw email.
  • To investigate the body of the raw email, under Email Profile, click Show for Show body from raw email.
  • To download the raw email, under Email Profile, click Download for Download this email.
  • To send the original email to the end-user, under Email Profile, click Send for Send Original Email.
    Note - This option appears only when there are links that were re-written by the Click-Time Protection security engine.
  • To recheck the email for phishing, under Email Profile, click Recheck for Recheck email.

To filter emails similar to the event generated:

  1. Under Security Stack, select Similar Emails / Create Rules.
  2. Under Filters, define the criteria for filtering the emails.
  3. Click Search.
    Note - After filtering the emails, you can create Anti-Phishing Allow-List and Block-List. See Anti-Phishing Exceptions.

To report mis-classification of an event:

  1. Under Security Stack in the event profile, click Report mis-classification for Anti-Phishing.
  2. Under Report this email as, select how you want to classify the event:
    • Legit Marketing Email
    • Clean Email
    • Spam
    • Phishing
  3. Under How confident are you, select how confident you are about the classification you selected:
    • Not so sure
    • Medium confidence
    • High confidence
  4. Click OK.

Post-delivery Email Recheck

Sometimes emails are rechecked after delivery to the end user mailbox, which may result in emails being removed from the user mailbox.

Post-delivery email recheck can be initiated in these cases:

  1. Recheck initiated by the inputs from the end users (reported phishing, malicious URL clicks) and other sources.
  2. Emails are processed by the Anti-Phishing security engine and when needed by the Avanan security analysts.
  3. When a global block action is issued. The block action includes all emails that match the relevant match criteria, across all protected mailboxes.
  4. Emails processed by the relevant policy workflows.
    When a policy is configured to block emails, the emails are removed from the mailbox and placed in quarantine. Avanan generates the relevant security events and sends email notifications.