Emails scanned by the Spam Scanning layer will be assigned a Category, based on the scan results from the email header and body checks. This information will surface more detail on which elements of the email contributed to the score and the category.
The information is visible in Message Center, within the Analysis tab for each message. The Category field shows which classification this email has, and a ‘Spam Analysis’ section shows more scanning details. Non-malicious emails will have a category of None and a low spam score. Certain policies, such as Permitted Sender &, intentionally bypass Spam Scanning, so no scanning information will be displayed for those emails.
Malicious emails are discarded as early as possible in our processing funnel as we perform multiple checks and levels of analysis to ensure that an email is not malicious. For this reason, you may see many emails in the Rejected and Deferred queue that have Spam Score of ‘0’ or ‘-‘ and a category of ‘None’. This means that they were not classified as they were rejected before scanning was required. For example, an email with a virus contained within an attachment will be rejected and could have a spam score of 0 and a category of 'None' as it was rejected prior to the email body being scanned.
When trying to diagnose the ‘why’ of an email, it is best to do the following:
- For Message Center emails in the Rejected and Deferred view, look at the Rejected Type first to understand at a high level why the email was rejected. Then use the supporting information within the Spam Analysis section of the Analysis tab to see which email headers and body contents contributed to the score and the category.
- For Message Center emails in the Held Messages view, look at the Held Reason, which shows the policy name that triggered the hold. Then use the supporting information within the Spam Analysis section of the Analysis tab to see which email headers and body contents contributed to the score and the category.
Categories
When an email is scanned it will be assigned one of the following categories, based on the results of each of the scans performed as it goes through the Processing Layers. The categories are:
- Malicious.
- Phishing.
- Scam.
- Spam.
- Graymail.
- None.
Spam Analysis
Where more scanning information is available, it will be presented in the Spam Analysis section of the Analysis tab. This section will only show the summary of the highest impacting results on an email. There are many minor checks and scans that are performed, which would be too verbose to display, but are used to generate the overall decision and score for an email.
Each category and subcategory has a label showing its risk level. This is the potential risk of the identified marker and not a confidence gauge. For example, a Malicious Monitored Actor will have a high risk, and a known Graymail email will be low.
The risk levels are:
- High is red.
- Medium is yellow.
- Low is black.
- Very Low is black.
| Category – Malicious | Description |
|---|---|
| downloader | A file or link that is used to download (and install) a malicious program onto a victim's computer. |
| exploit | A vulnerability on a computer or system that allows the attacker to gain access to or manipulate the computer or system in a malicious way. |
| technology_feed | Any vendor feed that has detected and classified the sample as malware. |
| malware | Generic catchall classification for malware-related mails or campaigns. |
| monitored_actor | Threat actors tracked by the MSOC Research team that are known to run malware campaigns. |
| ransomware | Malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. |
| url | URLs that have been identified as malicious, either through a vendor or through research done by the MSOC team. |

| Category – Phishing | Description |
|---|---|
| cred_phishing | An attempt to obtain the victim's login credentials to valid services, usually through some form of deceptive login page served through a URL or HTML attachment. |
| fraud | Generic classification for emails where the attacker is trying to coerce the victim into paying the attacker. |
| fraud => bank_fraud | Phishing attempt using bank-themed mails with the aim of getting the target to reveal their login information for their bank account. |
| fraud => crypto_extortion | Extortion mail attempting to coerce a victim to pay an amount of money via a crypto-currency (usually Bitcoin or Litecoin). |
| monitored_actor | Threat actors tracked by the MSOC Research team that are known to run business email compromise campaigns. |
| url => phishing_and_fraud | URLs used in phishing and fraud emails. |
| url => structure | Unique URL structures seen to be used in campaigns. |
| url => suspicious | URLs with suspicious characteristics seen in regular use by threat actors. |
| whaling | A highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email. |

| Category – Scam | Description |
|---|---|
| Advanced_fee | A form of fraud and one of the most common types of confidence tricks. The scam typically involves promising the victim a significant share of a large sum of money in return for a small up-front payment, which the fraudster requires in order to obtain the large sum. Examples include 419 and loan scams. |
| dating | Occurs when strangers pretend romantic intentions, gain the affection of victims, and then use that goodwill to gain access to their victims' money, bank accounts, credit cards, passports, and/or national identification numbers, or by getting the victims to commit financial fraud on their behalf. |

| Category – Spam | Description |
|---|---|
| abused_services | Legitimate services that can be used in everyday business mails but which are often used in malicious campaigns or used to hide the attacker's intent, e.g., Dropbox-hosted PDFs, Office forms asking for passwords, etc. |
| backscatter | Non-Delivery Reports exploited to get mail delivered to the victim. |
| compromised | Legitimate business accounts that have been compromised and are used to send out mails with some malicious intent. |
| content => body | Detection based on some content in the message body. |
| content => header | Generic classification for emails where the headers exhibit a specific suspicious pattern that is not seen in legitimate mail. |
| content => header => forged_headers | Fraudulently added headers in a message to make the message appear to have been sent or received from a system that it did not pass through. |
| content => header => poorly_structured | Bad structure in the message headers, which is often caused by a mailing script or a poorly configured message transfer agent. |
| heuristic | Detection characteristics that have been identified to appear only in the correct combinations in unwanted email. |
| lists => blocklist => attachment | Any block list related to attachments used in malicious campaigns (blake2 hash). |
| lists => blocklist => body | Any block list related to body content. |
| lists => blocklist => dns_auth | Any block list related to failed DNS Authentication results. |
| lists => blocklist => header | Any block list related to content found in the headers. |
| lists => blocklist => url | Any block list related to URLs or their content. |
| lists => redlist => header | Any list related to content found in the headers which has been scored at a Hold level. |
| sender_spam | An MTA that has handled the message in the transmission chain considers it likely to be spam (e.g., Microsoft has marked the message as spam in the headers). |
| snowshoe | A strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. |
| technology_feed | Any vendor feed that has detected and classified the sample as spam. |
| ubm | Generic classification for email that is unwanted or not requested by the recipient and sent in large quantities. |
| ubm => adult | Email that is unwanted or not requested by the recipient and sent in large quantities with adult-themed content. |
| ubm => chinese | Email that is unwanted or not requested by the recipient and sent in large quantities with Chinese body content. |
| ubm => ddos | Email that is unwanted or not requested by the recipient and sent in large quantities in an attempt to disable or cripple a service or system. |
| ubm => pharmacy | Email that is unwanted or not requested by the recipient and sent in large quantities with pharmaceutical themes and advertising of cheap medicine. |
| ubm => recruitment | Email that is unwanted or not requested by the recipient and sent in large quantities with recruitment-themed wording, usually asking for personal information or attempting to elicit a response from the recipient. |
| ubm => religion | Email that is unwanted or not requested by the recipient and sent in large quantities with religious themes. |
| ubm => retirement | Email that is unwanted or not requested by the recipient and sent in large quantities with retirement themes. |
| ubm => validation | Email that is unwanted or not requested by the recipient and sent in large quantities with the intention of confirming whether the recipient address is legitimate. These mails usually contain very little to no body content. |

| Category – Graymail | Description |
|---|---|
| graymail | Solicited bulk email messages that don't fit the definition of email spam (e.g., the recipient "opted into" receiving them). Recipient interest in this type of mailing tends to diminish over time, increasing the likelihood that recipients will report graymail as spam. |
Scenarios Where Spam Scanning Results Aren't Displayed
In scenarios where we do not spam scan (e.g., where the email has been rejected), Category in Message Details will show "-" or "None". The most common rejected scenarios where you will not see any information are:
- Virus Signature Found.
- Sender Location Found in Geographic RBL.
- DKIM Reject (result will be seen in Processing Details).
- SPF Sender Invalid (result will be seen in Processing Details).
- DMARC Reject (result will be seen in Processing Details).
- Connection Attempt.
- IP Found in RBL.
- Invalid Recipient Address.
- Envelope Rejected (it is indicated in Processing Details that it is a blocked sender under Permitted Senders).
- Manual Envelope Rejection (it is indicated in Processing Details that it is a blocked sender under Managed Senders).
- Secure Receipt Policy (TLS ENFORCED).
The most common scenarios where an email is accepted and spam scanning information is not displayed are:
- Permitted Senders Policy (shown in Processing Details).
- Managed Senders (shown in Processing Details).
- Outbound Messages.
- Journaled Messages.
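The triage order described above (Rejected Type or Held Reason first, then the Spam Analysis markers), the "not classified" signature of a score of 0 or '-' with a category of None, and the two lists of scenarios where no scanning information is shown can be combined into a small helper that tells an analyst where to look first for a given message. The following is an added example written for this article, not code from the product or its vendor; the record layout (the `queue`, `rejected_type`, `held_reason`, `bypass` and `spam_analysis` keys) and every sample value are assumptions, since the article does not define an export format.

```python
# Added example (not from the original article or the product): a triage helper that
# applies the documented order of checks to Message Center records. The record layout
# (the dict keys used below) and all sample values are assumptions made for this example.

# Rejection types the article lists as happening before spam scanning.
PRE_SCAN_REJECTIONS = {
    "Virus Signature Found", "Sender Location Found in Geographic RBL",
    "DKIM Reject", "SPF Sender Invalid", "DMARC Reject", "Connection Attempt",
    "IP Found in RBL", "Invalid Recipient Address", "Envelope Rejected",
    "Manual Envelope Rejection", "Secure Receipt Policy (TLS ENFORCED)",
}
# Rejections whose result is recorded in Processing Details rather than Spam Analysis.
AUTH_REJECTIONS = {"DKIM Reject", "SPF Sender Invalid", "DMARC Reject"}
# Accepted-mail cases where spam scanning is bypassed, per the article.
SCAN_BYPASS = {"Permitted Senders Policy", "Managed Senders",
               "Outbound Messages", "Journaled Messages"}
# Risk labels from the article, highest first; used to order markers for display.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Very Low": 3}


def parse_marker(label: str) -> tuple[str, ...]:
    """Split a Spam Analysis label such as 'lists => blocklist => url' into its path parts."""
    return tuple(part.strip() for part in label.split("=>") if part.strip())


def was_not_scanned(record: dict) -> bool:
    """True when the record carries the 'not classified' signature: score 0 or '-' and category None/'-'."""
    score = str(record.get("spam_score", "-"))
    return score in {"0", "-"} and record.get("category") in {None, "None", "-"}


def ranked_markers(record: dict) -> list[str]:
    """Spam Analysis markers as 'path (risk)' strings, highest risk first."""
    markers = sorted(record.get("spam_analysis", []),
                     key=lambda m: RISK_ORDER.get(m["risk"], len(RISK_ORDER)))
    return [f"{'/'.join(parse_marker(m['label']))} ({m['risk']})" for m in markers]


def explain(record: dict) -> dict:
    """Return where to look first and what supporting detail exists, in the article's order."""
    queue = record.get("queue")
    result = {"lead": "", "scanned": True, "look_in": "Spam Analysis",
              "markers": ranked_markers(record)}
    if queue in {"Rejected", "Deferred"}:
        rtype = record.get("rejected_type", "")
        result["lead"] = f"Rejected Type: {rtype}"
        if was_not_scanned(record):
            # Rejected before scanning: no category and nothing in Spam Analysis.
            result.update(
                scanned=False, markers=[],
                look_in="Processing Details" if rtype in AUTH_REJECTIONS else "Rejected Type",
                known_pre_scan=rtype in PRE_SCAN_REJECTIONS)
    elif queue == "Held":
        result["lead"] = f"Held Reason (policy): {record.get('held_reason')}"
    else:  # Accepted
        result["lead"] = f"Accepted, category {record.get('category')}"
        bypass = record.get("bypass")  # assumed field naming the policy that bypassed scanning
        if bypass in SCAN_BYPASS:
            result.update(scanned=False, markers=[], look_in="Processing Details",
                          bypassed_by=bypass)
    return result


# Constructed sample records for illustration; values are invented, not real exports.
SAMPLE_RECORDS = [
    {"id": "1", "queue": "Rejected", "rejected_type": "Virus Signature Found",
     "spam_score": 0, "category": "None"},
    {"id": "2", "queue": "Held", "held_reason": "EXAMPLE_HOLD_POLICY", "spam_score": 12,
     "category": "Phishing",
     "spam_analysis": [{"label": "content => header => forged_headers", "risk": "Low"},
                       {"label": "fraud => crypto_extortion", "risk": "Medium"}]},
    {"id": "3", "queue": "Accepted", "spam_score": "-", "category": "-",
     "bypass": "Permitted Senders Policy"},
    {"id": "4", "queue": "Rejected", "rejected_type": "DKIM Reject", "spam_score": "-",
     "category": "-"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = explain(rec)
        print(rec["id"], r["lead"], "| look in:", r["look_in"], "| markers:", r["markers"])
```

The `known_pre_scan` flag is the useful check: a rejected message with a score of 0 and category None whose Rejected Type is not one of the listed pre-scan rejections is worth a second look, because the article explains the empty classification only for those types.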