Anti-Phishing

The Anti-Phishing engine detects phishing, suspected phishing, and spam emails. It analyzes various components of an email, such as attachments, links, sender reputation, domain analysis, OCR, URLs behind QR codes, and many more.

The Anti-Phishing engine detects phishing in emails in all languages. Language-based detections are supported for the languages listed in Appendix C: Supported Languages for Anti-Phishing.

Phishing Confidence Level (Threshold)

The Anti-Phishing algorithm returns a verdict on each email analyzed with a confidence level that ranges from Lowest to Highest.

Any email categorized as phishing with a confidence level equal to or greater than the phishing confidence level (threshold) generates a Phishing event and triggers the relevant workflow.

Any email categorized as phishing with a confidence level below the defined phishing confidence level (threshold) generates a Suspected Phishing event and triggers the relevant workflow.

For example, if the phishing confidence level (threshold) is High and the Anti-Phishing engine categorized an email as phishing with a confidence level of Medium, it triggers the Suspected Phishing workflow.

By default, the phishing confidence level (threshold) is set to High.

To configure the phishing confidence level (threshold):

  1. Go to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Under Phishing confidence level, select the required threshold.

  4. Click Save.

Nickname Impersonation

Protection Against Executive Spoofing

Executive spoofing is a scam in which cyber criminals impersonate the names and emails of company executives to try and fool an internal employee into disclosing sensitive information or executing a payment.

Anti-Phishing has a setting that allows Infinity Portal administrators to automatically block such spoofing attempts.

Configuring Nickname Impersonation

Infinity Portal administrators can trigger the Phishing or Suspected Phishing workflows when Anti-Phishing detects a nickname impersonation.

To configure nickname impersonation:

  1. Navigate to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Select the scope of users:

    • Important/key people

      Note - By default, Anti-Phishing references the job title of the user to determine seniority. Examples of senior titles are CEO, CFO, etc. Alternatively, you can define your own senior users by creating a security group (in Office 365 or Gmail) for senior-level users and entering the exact name of the security group in the designated field. This field is case-sensitive.

    • All internal users

  4. Select the Phishing or Suspected Phishing workflow for detections.

Best Practices for Detecting Nickname Impersonation

  • It is recommended to start protecting a small group of senior-level people first and then expand it to other people and/or use the Suspected Phishing workflow.

  • If you wish to extend nickname impersonation workflows for all internal users, it is recommended to use the Suspected Phishing workflow to avoid false positive detections.

  • Protected users must be informed not to use their personal email addresses, as emails from these addresses will be detected as impersonations.

Note - Anti-Phishing always looks for nickname impersonations for all users.

Handling False Positives

Many commonly used services like Salesforce or ServiceNow send legitimate emails on behalf of other users. The Anti-Phishing engine detects these emails as nickname impersonations. Therefore, it is important to ensure that this configuration is not generating false positive phishing/suspected phishing detections.

To monitor detections, create Custom Queries that filter the detections containing nickname impersonations.

Note - Since impersonation detection takes priority, an Allow-List rule is sometimes overridden due to an SPF failure. If you need to ensure that an email is not overridden by an SPF failure or suspected impersonation, edit the Allow-List rule to Ignore SPF check.

Make sure to add the legitimate services that appear in the query to the Allow-List by navigating to Security Settings > Exceptions > Anti-Phishing.

For more details, contact Check Point Support.

Phishing Simulation Solutions

Many organizations use phishing simulation solutions to educate their employees on how to detect and report phishing attacks. These solutions send fake phishing emails to employees to try and trick them into performing actions, opening attachments or clicking on phishing URLs.

Harmony Email & Collaboration automatically detects such emails from commonly-used phishing simulation solutions and does not mark them as phishing. Phishing reports from users regarding these emails will be automatically declined.

Harmony Email & Collaboration detects phishing simulation solutions from ActiveTrail, BenchMark, CybeReady, HubSpot, Infosec IQ, KnowBe4, MailChimp, MailGun, MailJet, MimeCast, Phished, PhishMe, ProofPoint, SendGrid, SendInBlue, Sophos Phish Threat V2, TargetHero, TerraNova, and ZoHo.

If you use a different phishing simulation solution:

  • To avoid detection of phishing simulation emails, add an Anti-Phishing Allow-List rule based on the solution’s IP address.

    For information about adding an Allow-List, see Anti-Phishing Exceptions.

  • To request support for the phishing simulation solution, contact Check Point Support.

  • To automatically decline end-users' phishing reports regarding phishing simulation emails, contact Check Point Support.

To configure the Harmony Email & Collaboration Administrator Portal to automatically send feedback to users who reported phishing training emails as phishing:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. Click Security Settings > User Interaction > Phishing Reports.

  3. In the Phishing simulation emails section, select the Notify user checkbox.

  4. (Optional) To change the default text in the feedback:

    1. Click the icon next to the Notify user checkbox.

      The Configure Auto-Reply to Users Reporting Phishing Simulation Emails pop-up appears.

    2. Make the necessary changes and click Save.

  5. Click Save and Apply.

For Office 365, to see user reported phishing reports from phishing simulation solutions, see Automatic Ingestion of End User Reports.

Upstream Message Transfer Agents (MTAs)

During Learning Mode, to improve the accuracy of the Anti-Phishing engine, Harmony Email & Collaboration automatically detects MTAs that process emails before they reach Microsoft/Google.

If there are other MTAs that are not detected by Harmony Email & Collaboration, you can add them manually.

To add MTAs manually:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. Click Security Settings > Security Engines.

  3. Click Configure for Anti-Phishing.

  4. Scroll down to SMTP host/s acting as Mail Transfer Agent/s (MTA) and enter the full DNS names or IP addresses of the MTAs, separated by commas.

  5. Click Save.

Blocking Emails that Fail DMARC

Some organizations configure their DMARC (Domain-based Message Authentication, Reporting and Conformance) record to quarantine or reject emails that fail DMARC checks. Most organizations choose to enforce this rejection for incoming emails with Microsoft/Google.

If you wish to enforce it with Harmony Email & Collaboration, you can configure it to trigger the Suspected Phishing or Phishing workflow for emails that fail DMARC checks.

By default, No extra action is selected for DMARC failed emails in the Anti-Phishing security engine.

To configure the workflow for DMARC failed emails with Quarantine or Reject action:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. Click Security Settings > Security Engines.

  3. Click Configure for Anti-Phishing.

  4. Scroll down to the When emails fail DMARC with action reject/quarantine section and select one of the workflows.

  5. Click Save.

    Warning - If incoming emails go through a secure email gateway (SEG) before reaching Microsoft/Google, then Microsoft/Google might flag these emails as a DMARC violation because the email comes in from the SEG, whose IP might not be authorized in the SPF/DMARC records.

    In such cases, selecting to trigger Suspected Phishing or Phishing workflow might result in a high number of false positives and might impact email delivery.

    Make sure the DMARC record is configured properly before selecting these workflows.

Impersonation of your Partners

Harmony Email & Collaboration lists all your partners in the Partner Risk Assessment (Compromised Partners) dashboard.

When a sender from a newly registered domain sends an email to your organization, the Anti-Phishing engine checks if the sender domain resembles your partner domain(s). By default, if such a domain similarity is detected, it is considered an indicator in the AI-based Anti-Phishing security engine. It might or might not yield a Phishing verdict.

Partner Impersonation Attacks - Workflow

Administrators can select to override the AI-based verdict of the Anti-Phishing security engine and trigger a specific workflow when such a similarity is detected.

To configure a specific workflow for emails from domains that resemble a partner domain:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. Click Security Settings > Security Engines.

  3. Click Configure for Anti-Phishing.

  4. Scroll down to the When the sender domain resembles the domain of a partner section and select one of these workflows.

    • Consider as an indicator in the standard Anti-Phishing inspection (Default)

    • Trigger Suspected Phishing workflow

    • Trigger Phishing workflow

  5. Click Save.

Handling Secured (Encrypted) Emails

Administrators can select how to manage incoming encrypted emails for end users, such as Microsoft RPMSG and Microsoft 365 Message Encryption.

To view the content of the encrypted emails, the end users must click the link provided in the email and authenticate.

To configure the workflow for secured (encrypted) emails:

  1. Click Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll down to the Secured encrypted emails section and select a workflow.

    • Do not trigger any phishing workflow

    • Trigger Suspected Phishing workflow for recurring first time senders

    • Trigger Suspected Phishing workflow for first time senders

    • Trigger Suspected Phishing workflow

    • Trigger Phishing workflow for recurring first time senders

    • Trigger Phishing workflow for first time senders

    • Trigger Phishing workflow

    Note - Recurring first-time senders are senders identified as sending multiple emails where they are considered first-time senders, across all Check Point customers.

  4. Click Save.

Preventing Email Bomb Attacks

An Email Bomb is a social engineering attack that overwhelms inboxes with unwanted emails, usually subscription confirmations for newsletters the users never signed up for.

Users targeted by these attacks lose access to their business emails, and the attackers may even use this as a distraction while performing malicious activities on the user's behalf.

To prevent such attacks, administrators must configure these in Harmony Email & Collaboration:

  • Conditions for detecting and handling an ongoing Email Bomb attack.

  • Workflow to be triggered when such an attack is detected.

Identifying an Email Bomb Attack

Harmony Email & Collaboration identifies an Email Bomb attack when the number of emails from new senders exceeds a defined threshold in a common attack timeframe.

Note - The attack timeframe is dynamic and changes depending on the Check Point security analyst's judgement. It is usually a couple of hours.

To configure the Email Bomb attack threshold:

  1. Go to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll down to Email Bomb – Threshold and enter the threshold value.

  4. Click Save.

Once the number of emails from new senders in the common attack timeframe exceeds the threshold, Harmony Email & Collaboration treats all subsequent emails from any new sender as part of the attack. This continues until the attack timeframe passes without the number of emails from new senders going over the threshold.

For example, if an administrator configured the Email Bomb threshold as 50, Harmony Email & Collaboration counts emails 51 and above as part of the attack.
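The threshold logic described above, as an added worked model that is not part of the Harmony Email & Collaboration product or this guide. It assumes a fixed attack timeframe in minutes (the guide says the real timeframe is dynamic and usually a couple of hours) and takes the "new sender" decision from the caller.

```python
from collections import deque


class EmailBombDetector:
    """Sliding-window model of the Email Bomb threshold rule.

    Assumptions (not from the guide): the timeframe is a fixed window in
    minutes, and whether a sender is new is decided by the caller.
    """

    def __init__(self, threshold=50, window_minutes=120):
        self.threshold = threshold
        self.window = window_minutes
        self._new_sender_times = deque()  # new-sender emails seen in the window
        self._attack_active = False
        self._last_over = None            # last time the count exceeded the threshold

    def _prune(self, now):
        # Drop new-sender emails that fell out of the attack timeframe.
        while self._new_sender_times and now - self._new_sender_times[0] > self.window:
            self._new_sender_times.popleft()

    def observe(self, now, new_sender):
        """Return True if this email is treated as part of an Email Bomb attack."""
        self._prune(now)
        # The attack ends once a full timeframe passes without the count
        # going over the threshold again.
        if self._attack_active and now - self._last_over > self.window:
            self._attack_active = False
        if not new_sender:
            return False  # emails from known senders are neither counted nor flagged
        self._new_sender_times.append(now)
        if len(self._new_sender_times) > self.threshold:
            self._attack_active = True
            self._last_over = now
        return self._attack_active


def simulate(threshold=50, window_minutes=120):
    """Constructed scenario: 60 new-sender emails one minute apart, then a
    known sender during the attack, then a new sender after the window."""
    det = EmailBombDetector(threshold, window_minutes)
    flags = [det.observe(minute, new_sender=True) for minute in range(60)]
    known_during_attack = det.observe(60, new_sender=False)
    after_window = det.observe(59 + window_minutes + 1, new_sender=True)
    return flags, known_during_attack, after_window
```

With the default threshold of 50, emails 1 to 50 pass and emails 51 and above are flagged, matching the example in the guide; the new sender arriving after a full quiet timeframe is no longer flagged.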

Handling Emails of an Email Bomb Attack

By default, when Harmony Email & Collaboration detects an Email Bomb attack, it individually evaluates every email that is part of the attack for Spam and Phishing. Administrators can configure a dedicated workflow for these emails.

To configure the workflow for Email Bomb attack:

  1. Go to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll down to Email Bomb – Workflow and select the required workflow.

    • Evaluate each email separately for spam/phishing

    • Trigger Spam workflow

    • Trigger Suspected Phishing workflow

    • Trigger Phishing workflow

  4. Click Save.

Spam Protection Settings

Spam Confidence Level

Any email categorized as spam with a confidence level equal to or greater than the spam confidence level (threshold) generates a Spam event and triggers the relevant workflow.

To configure the spam confidence level (threshold):

  1. Go to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. Scroll down to the Spam confidence level section and select the required threshold.

    • Lowest

    • Low

    • Medium

    • High

    • Highest

      Note - Low confidence levels could result in a high number of false positives.

  4. Click Save.

Treating Marketing Emails as Spam

  1. Go to Security Settings > Security Engines.

  2. Click Configure for Anti-Phishing.

  3. To treat the marketing emails as spam, scroll down to the Spam confidence level section and select the Treat marketing emails as spam checkbox.

    Note - Selecting this option flags all the marketing emails as spam and triggers the configured Spam workflow. For more information, see Spam Workflows.

  4. Click Save.

Trusted Senders - End-User Spam Allow-List

See Trusted Senders - End-User Allow-List.

Detecting Malicious QR Codes

The Anti-Phishing security engine analyzes the links behind the QR codes and reports the malicious links, if any.

To view the links behind QR codes, open the Email Profile page and scroll down to the Link analysis section.

Filtering Emails Containing QR Codes

Using QR as the Detection reason in Custom Queries, administrators can filter emails containing malicious QR codes. For more information, see Custom Queries.

Anti-Phishing Exceptions

See Anti-Phishing Exceptions.