Post-delivery Email Recheck

Sometimes emails are rechecked after delivering to the end user mailbox, which may result in emails being removed from the user mailbox.

Post-delivery email recheck can be initiated in these cases:

  1. Recheck initiated by the inputs from the end users (reported phishing, malicious url clicks) and other sources.

  2. Emails are processed by the Anti-Phishing security engine and when needed by the Avanan security analysts.

  3. When a global block action is issued. The block action includes all emails that match the relevant match criteria, across all protected mailboxes.

  4. Emails processed by the relevant policy workflows.

    When a policy is configured to block emails, the emails are removed from the mailbox and placed in quarantine. Avanan generates the relevant security events and sends the email notifications.

Post-delivery Reclassification

Avanan can identify security threats that happened after the fact (post-delivery).

For example, during the initial pre-delivery scanning, an email is classified as clean, but later it can be reclassified as malicious.

When such a post-delivery reclassification occurs, the security event includes the detection reason Post-delivery reclassification. The detection reason is also included in SIEM integrations in the ap_detection_reasons field.