Password Protected Attachments Protection

When password-protected attachments are detected, Harmony Email & Collaboration attempts to extract the password using various techniques such as searching for the password in the email body. If the password is found, Harmony Email & Collaboration uses the password to decrypt the file and inspect it for malware.

If the password is not found, the administrator can select any one of these workflows:

Password Protected Attachments Workflow

Note - These workflows apply only for the incoming and internal emails.

Workflow

Description

User receives the email with a warning

The detected email is delivered to the user with a notification inserted in the body of the email.

Require the end-user to enter a password

The attachment is removed temporarily and a warning banner is added to the email along with a link to enter the password.

After the password is entered, the Anti-Malware engine scans the attachment. If the Anti-Malware engine finds the attachment as clean, the original email with the original password-protected attachment gets delivered to the original recipients of the email.

Notes:

  • Harmony Email & Collaboration will not store the passwords entered by the end users. It uses these passwords only for inspection and deletes them after the inspection is complete.

  • If a user tries to release an email which was already released, the system prompts a message that the attachment was already released.

  • Security measures ensure machines do not brute-force password of files (for example, it does not allow to enter password after multiple wrong attempts).

    • Even if an attacker manages to get the link provided in the warning banner and manages to guess the password, the original password-protected attachments are delivered to the original recipients of the email and not to the mailbox of the person that entered the password.

Quarantine. User is alerted and allowed to restore the email

The email is automatically quarantined and the user is notified about the quarantine. Using the link in the email, the user can release the attachment. The original email and attachment will be immediately delivered back to the inbox.

Quarantine. User is not alerted (admin can restore)

The email is automatically quarantined with no user notification. The administrator can restore the email.

Trigger suspected malware workflow

The email follows the workflow configured for Suspected Malware.

Do nothing

The attachment will be considered as clean.

Note - This workflow flags only the attachment as clean (not malicious). The email can still be found to be malicious for various reasons.

For example, if there are other malicious attachments in the email, if the Anti-Phishing engine flagged the email as phishing for other reasons than the attachment being malicious, if there is a DLP violation in the email and more.

To add allow-list for password-protected attachments from specific email addresses or domains, see Password-Protected Attachments Allow-List.

For more information on who receives the restored emails, see Who Receives the Emails Restored from Quarantine.

Supported File Types

Harmony Email & Collaboration can detect these file types as password-protected:

File Type

File Extensions

Archives

AR, ARJ, BZ2, CAB, CHM, CRAMFS, CPIO, GZ, IMG, ISO, IZH, QCOW2, RAR, RPM, TAR,TAR.BZ2, TAR.GZ, TAR.XZ, TB2, TBZ, TBZ2, TGZ, TXZ, UDF, WIM, XZ, ZIP, and 7Z.

Adobe PDF (all versions)

PDF

Microsoft Excel 2007 and later

XLSX, XLSB, XLSM, XLTX, XLTM, XLAM

Microsoft Excel 2007 Binary

XLSB

Microsoft Excel 97 - 2003

XLS

Microsoft PowerPoint 2007 and later

PPTX, PPTM, POTX, POTM, PPAM, PPSX, PPSM

Microsoft PowerPoint 97 - 2003

PPT, PPS, POT, PPA

Microsoft Word 2007 and later

DOCX, DOCM, DOTX, DOTM

Microsoft Word 97 - 2003

DOC, DOT

To add allow-list for password-protected attachments from specific email addresses or domains, see Password-Protected Attachments Allow-List.

Requesting Passwords from End Users - End-User Experience

End-User Experience for Require end-user to enter a password workflow

For password protected attachments, if Require end-user to enter a password workflow is defined in the policy, the attachment is removed temporarily and a warning banner is added to the email with a link to enter the password.

To restore the password protected attachments with Require end-user to enter a password workflow:

  1. Click the link in the warning banner of the email.

  2. Enter the password for the attachment and click Submit.

    After you submit, the Anti-Malware engine scans the attachment for malicious content.

    If the Anti-Malware engine finds the attachment as clean, the original email with password-protected attachment gets delivered to the original recipients of the email.

    If the email was already released, this message appears:

End-User Experience for Quarantine. User is alerted and allowed to restore the email workflow

For password protected attachments, if Quarantine. User is alerted and allowed to restore the email workflow is defined for the policy, the email body and its attachments are removed. The user is notified about the email and its attachments with a link to request to release the email.

To restore the email and its attachments with Quarantine. User is alerted and allowed to restore the email workflow:

  1. Click the link provided in the email.

  2. If prompted, enter the reason for restoring the attachment, and click Submit.

    After you submit, the admin receives the request.

    After the admin approves, the user receives the original email.

Password Protected Attachments - Administrator Experience

For password protected attachments, if Quarantine. User is alerted and allowed to restore the email workflow is defined for the policy, and if the end-user requests to release the email, the administrator is notified about the request.

To review the request:

  1. Open the security event of the email for which the user requested to release.

    Under Security Stack, the password-protected attachments which are not scanned by Anti-Malware will be marked as Insecure attachments found.

  2. To inspect the password-protected attachments before restoring the email:

    1. Click Type in passwords to enter the password for the attachment.

    2. Enter the password for the attachment and click Submit.

      The Anti-Malware engine scans the attachment and gives a verdict. Depending on the verdict decide whether to restore the email or not.

    3. To restore the email and its attachments, click Restore Email.

  3. To release the original email without inspecting the password-protected attachments, click Restore Email.