Threat Detection Policy for Incoming Emails

Configuring a Threat Detection Policy Rule

  1. Click Policy on the left panel of the Harmony Email & Collaboration Administrator Portal.

  2. Click Add a New Policy Rule.

  3. From the Choose SaaS drop-down list, select the SaaS platform you want to set the policy for: Office 365 Mail or Gmail.

  4. From the Choose Security drop-down list, select Threat Detection and click Next.

  5. Select the desired policy protection mode (Detect, Detect and Remediate or Prevent (Inline)).

    If required, you can change the Rule Name.

    Note - Harmony Email & Collaboration protects Microsoft 365 Groups (a service that works with Microsoft 365) only when the policy mode is set to Prevent (Inline).

  6. Under Scope, select the users and groups to which the policy is applicable and click Add to Selected.

    • To apply the policy to all users and groups in your organization, select the All Users and Groups checkbox.

    • To apply the policy only to specific users or groups, select the users/groups and click Add to Selected.

    • To exclude some of the users or groups from the policy, select the users/groups and click Add to Excluded.

    For more information about excluded users, see Excluding members of groups from an inline policy.

  7. Select the workflows required for the policy.

    Note - If you select Detect and Remediate or Detect mode, you may not see some of the additional configuration options that allow you to customize the end user email notifications.

    For more information on workflows, see Phishing Protection, Malware Protection, Spam Protection, and Password Protected Attachments Protection.

  8. Configure Alerts to send to the administrators, users, and specific email addresses.

    • To send email alerts about phishing and malware, select Send email alert to admin(s) about phishing and Send email alert to admin(s) about malware.

    • To send email alerts to specific emails, select Send Email alert to ... and enter the email address.

    • To stop sending alerts to administrators for block-listed items, clear the Send email notifications to Admin on blocklisted items checkbox.

    • To stop sending alerts to users for block-listed items, clear the Send email notifications to User on blocklisted items checkbox.

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator receives email alerts for security events only when the Receive Alerts role is enabled in the Specific Service Role. For more details about managing roles and permissions in the Infinity Portal, refer to Global Settings > Users in the Infinity Portal Administration Guide.

    • To customize the email alert templates, click on the gear icon to the right of the alert.

  9. After the policy is configured, click Save and Apply.

    Note - Policies are based on the order of precedence. Make sure your policies are applied in the proper order. You can adjust the policy order from the order column of Policy.

Excluding Members of Microsoft 365 Groups from a Prevent (Inline) Policy

When you exclude a user from a policy in the Prevent (Inline) protection mode, this is the expected behavior:

  • The excluded user’s emails will not be processed by Harmony Email & Collaboration using the Prevent (Inline) protection mode.

  • The policy workflow in Prevent (Inline) protection mode will not apply to the excluded user.

However, these factors might affect this expected behavior:

  1. If the excluded user is a member of a Microsoft 365 group that includes other users protected by a Prevent (Inline) policy.

  2. If the email is sent to other users who are protected by a Prevent (Inline) policy.

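Scenarios and Expected Behavior for Excluded Users in Prevent (Inline) Policies:

| Excluded user's group membership | Email recipients | Policy protection mode | Workflows applied? |
| --- | --- | --- | --- |
| Excluded user is part of a protected Microsoft 365 group | Email sent only to the excluded user | Prevent (Inline) | No |
| Excluded user is part of a protected Microsoft 365 group | Email sent to excluded user and another protected user | Prevent (Inline) | Yes |
| Excluded user is part of a protected Microsoft 365 group | Email sent to group | Prevent (Inline) | Yes |
| Excluded user is part of another protected group (not Microsoft 365) | Email sent only to the excluded user | Detect | No |
| Excluded user is part of another protected group (not Microsoft 365) | Email sent to excluded user and another protected user | Detect | No |
| Excluded user is part of another protected group (not Microsoft 365) | Email sent to group | Detect | No |
| Excluded user is not part of any protected group | Email sent only to the excluded user | Detect | No |
| Excluded user is not part of any protected group | Email sent to excluded user and another protected user | Detect | No |
| Excluded user is not part of any protected group | Email sent to group | Detect | No |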

Example:

Consider a policy in Prevent (Inline) protection mode with these settings:

  1. The policy applies to all users except John Smith.

  2. The policy workflow is configured to quarantine phishing emails.

  3. John Smith is part of a Microsoft 365 group with James Wilson.

Scenario 1: A phishing email is sent only to John Smith (excluded user)

Result: The email was inspected and identified as phishing but delivered to John Smith's mailbox since the Prevent (Inline) policy was not applied, and the email was not quarantined.

Scenario 2: A phishing email is sent to both John Smith (excluded user) and James Wilson (protected user)

Result: The email was inspected, identified as phishing, and quarantined. John Smith's email was not delivered, though he was excluded from the policy.

Scenario 3: A phishing email is sent to John Smith and James Wilson (both part of a protected Microsoft 365 group)

Result: The email was inspected, identified as phishing, and quarantined. Neither John Smith nor James Wilson receives the email.

Scenario 4: A phishing email is sent to John Smith and James Wilson (both part of a different group type)

Result: The email was inspected and identified as phishing. The email is delivered to John Smith's mailbox without being quarantined.
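
The following added example (not Harmony Email & Collaboration code) models the table and scenarios above to list detected phishing emails that still reach an excluded user's inbox. The addresses, the event record layout and the function names are constructed for illustration, and it assumes, as in the example policy, that every user who is not excluded is protected by the Prevent (Inline) policy.

```python
# Added example: a model of the exclusion table above, not Harmony Email &
# Collaboration code. All addresses and events are constructed.
from dataclasses import dataclass, field

@dataclass
class InlinePolicy:
    excluded: set                                    # users under "Add to Excluded"
    m365_groups: dict = field(default_factory=dict)  # protected group address -> member set

    def in_m365_group(self, user):
        return any(user in members for members in self.m365_groups.values())

def workflow_applies(policy, user, recipients):
    """Does the Prevent (Inline) workflow act on this excluded user's copy?"""
    if not policy.in_m365_group(user):
        return False  # no Microsoft 365 group membership: Detect, workflows not applied
    to_group = any(user in policy.m365_groups.get(r, ()) for r in recipients)
    to_protected_user = any(
        r != user and r not in policy.excluded and r not in policy.m365_groups
        for r in recipients
    )
    return to_group or to_protected_user  # Microsoft 365 group member rows

def delivered_despite_detection(policy, events):
    """Return (event id, user) pairs where detected phishing reached an inbox."""
    hits = []
    for ev in events:
        if ev["verdict"] != "phishing":
            continue
        targets = set()
        for r in ev["recipients"]:
            # A group address expands to its members; a user address is itself.
            targets |= policy.m365_groups.get(r, {r})
        for user in sorted(targets & policy.excluded):
            if not workflow_applies(policy, user, ev["recipients"]):
                hits.append((ev["id"], user))
    return hits

# Constructed policy: John is excluded and in a Microsoft 365 group with James;
# Dana is excluded and in no Microsoft 365 group.
POLICY = InlinePolicy(
    excluded={"john.smith@example.com", "dana.lee@example.com"},
    m365_groups={"sales@example.com": {"john.smith@example.com", "james.wilson@example.com"}},
)
EVENTS = [
    {"id": "s1", "verdict": "phishing", "recipients": ["john.smith@example.com"]},
    {"id": "s2", "verdict": "phishing", "recipients": ["john.smith@example.com", "james.wilson@example.com"]},
    {"id": "s3", "verdict": "phishing", "recipients": ["sales@example.com"]},
    {"id": "s4", "verdict": "phishing", "recipients": ["dana.lee@example.com", "james.wilson@example.com"]},
]
```

Events s1 to s3 correspond to Scenarios 1 to 3; s4 covers an excluded user who is not in any Microsoft 365 group, which has the same outcome as Scenario 4.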