Partner Risk Assessment (Compromised Partners)

Organizations take measures to secure their users, collaboration applications, and emails. However, partners are one of the greatest threats to an organization. These are other companies that the organization maintains a business relationship with.

If one of the partners gets compromised, it is difficult for the email security solutions and the end users to detect these malicious and impersonated emails.

With Partner Risk Assessment in Harmony Email & Collaboration, you can proactively detect compromised partners.

Using the Partner Risk Assessment dashboard, you can view these:

  • All your organization's business partners

  • Risk indicators of partners that are possibly compromised

To view the Partner Risk Assessment, click Analytics > Partner Risk.

Identifying a Partner

Harmony Email & Collaboration automatically identifies partners while inspecting the incoming and outgoing emails for threats and DLP.

To identify an organization as a partner, Harmony Email & Collaboration uses multiple methods like these:

  • External domain sending invoices to your organization's domain.

  • External domain with a significant volume of emails exchanged with your organization's domain.

Reviewing the Partners

Harmony Email & Collaboration shows the identified partners (compromised and uncompromised) in a table under the Partner Risk Assessment dashboard.

The Partners table has these columns:

| Column Name | Description |
|---|---|
| Risk Score | The severity of the detected Risk Indicators: Critical, High, Medium, Low, Lowest, or None. |
| Partner Domain | The partner's domain and its name. Note - Harmony Email & Collaboration sometimes does not show the partner name. |
| Communication Volume | An indicator of how many emails were exchanged with the partner in the last two weeks: High, Medium, or Low. |
| Internal Contacts | The internal contacts that corresponded with the partner domain. Note - If there are many contacts, it shows five contacts with the highest communication volume with the partner domain. |
| Partner Contacts | The contacts from the partner domain that corresponded with your domain. Note - If there are many contacts, it shows five contacts with the highest communication volume with your domain. |
| Risk Indicators | A list of reasons a partner is considered potentially compromised. If Harmony Email & Collaboration detects a partner as uncompromised, it shows no indicators. For more information, see Risk Indicators. |
| Last Risk Date | The last time a risk indicator was detected. |

Risk Indicators

Harmony Email & Collaboration detects different risk indicators and assigns them to partners. Each risk indicator has a risk score attached to it.

The risk indicators have these values:

| Severity | Risk Indicator | Description |
|---|---|---|
| Highest | Phishing emails sent to your organization | Check Point detected high-confidence phishing emails sent to your organization from this domain, and the sender was authenticated (SPF pass). |
| High | Phishing emails sent to other organizations | Check Point detected high-confidence phishing emails sent to other Check Point customers from this domain, and the sender was authenticated (SPF pass). |
| High | Partner impersonation emails sent to your organization | Check Point detected high-confidence phishing emails sent to your organization from this domain, but the sender was not authenticated (SPF fail). |
| High | Service being used to send phishing emails to your organization | Check Point detected high-confidence phishing emails sent to your organization from this domain. This domain is a publicly available service that allows sending emails from it. |
| Medium | Partner impersonation emails sent to other organizations | Check Point detected high-confidence phishing emails sent to other Check Point customers from this domain, but the sender was not authenticated (SPF fail). |
| Medium | Service being used to send phishing emails to other organizations | Check Point detected high-confidence phishing emails sent to other Check Point customers from this domain, and this domain is a publicly available service that allows sending emails from it. |

Stop Considering a Partner as Compromised

When Harmony Email & Collaboration detects a partner as compromised, it adds the relevant risk indicator to the partner. This risk indicator remains valid only for the next 72 hours.

For example, Harmony Email & Collaboration detects a partner as compromised and adds the Phishing emails sent to your organization risk indicator. If no phishing emails from the partner's domain are detected in the next 72 hours, Harmony Email & Collaboration removes the risk indicator.

When no risk indicators are available, the partner is considered uncompromised.
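
The risk indicator table and the 72-hour validity rule above can be combined into one triage routine. The following is an added illustration, not Check Point's implementation: the event fields, the `detection` and `partner_state` helpers, the sample domains, and the choice to classify a public sending service before the SPF result are all assumptions made for this example.

```python
from datetime import datetime, timedelta

VALIDITY = timedelta(hours=72)  # indicator lifetime stated on this page
SEVERITY_ORDER = ["Highest", "High", "Medium"]
# (recipient scope, sender class) -> (severity, risk indicator), as in the table
INDICATORS = {
    ("own", "spf_pass"): ("Highest", "Phishing emails sent to your organization"),
    ("other", "spf_pass"): ("High", "Phishing emails sent to other organizations"),
    ("own", "spf_fail"): ("High", "Partner impersonation emails sent to your organization"),
    ("own", "service"): ("High", "Service being used to send phishing emails to your organization"),
    ("other", "spf_fail"): ("Medium", "Partner impersonation emails sent to other organizations"),
    ("other", "service"): ("Medium", "Service being used to send phishing emails to other organizations"),
}

def sender_class(ev):
    # Assumption: a public sending service is classified before the SPF result.
    if ev["public_service"]:
        return "service"
    return "spf_pass" if ev["spf"] == "pass" else "spf_fail"

def partner_state(events, domain, now):
    """Indicators for `domain` whose detection is at most 72 hours old at `now`."""
    active = {}
    for ev in events:
        age = now - ev["time"]
        if ev["domain"] != domain or not timedelta(0) <= age <= VALIDITY:
            continue  # other domain, future timestamp, or expired indicator
        severity, name = INDICATORS[(ev["scope"], sender_class(ev))]
        active[name] = severity
    if not active:  # no valid indicators: partner is considered uncompromised
        return {"flagged": False, "indicators": [], "top_severity": None}
    top = min(active.values(), key=SEVERITY_ORDER.index)
    return {"flagged": True, "indicators": sorted(active), "top_severity": top}

def detection(domain, scope, spf, service, time):
    return {"domain": domain, "scope": scope, "spf": spf,
            "public_service": service, "time": datetime.fromisoformat(time)}

# Constructed sample detections (not real data)
NOW = datetime(2024, 5, 10, 12, 0)
EVENTS = [
    detection("partner-a.example", "own", "pass", False, "2024-05-09T08:00"),    # 28 h old
    detection("partner-a.example", "other", "fail", False, "2024-05-06T09:00"),  # 99 h old
    detection("partner-b.example", "other", "fail", False, "2024-05-08T12:00"),  # 48 h old
    detection("mailer.example", "own", "pass", True, "2024-05-10T06:00"),        # public service
    detection("partner-c.example", "own", "pass", False, "2024-05-07T11:59"),    # 72 h 1 min old
]

if __name__ == "__main__":
    for d in sorted({e["domain"] for e in EVENTS}):
        print(d, partner_state(EVENTS, d, NOW))
```
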

Removing a Partner from the List

Administrators can override the automatic identification of a partner and remove a partner from the list.

To do that, click the icon for the partner from the last column of the table and select Not a partner.

Note - If you remove a partner, you cannot add it again yourself. To add a removed partner, contact Check Point Support.

Acting on Compromised Partners

Anti-Phishing Higher Sensitivity

By default, when Harmony Email & Collaboration detects a partner as suspicious, it inspects the emails from the partner's domain with high sensitivity. This way, these emails are more likely to be detected as phishing.

Investigating Emails from Compromised Partners

To view and investigate the emails from the partner domain, click the icon for the partner from the last column of the table and select Emails from partner.

Mail Explorer opens and, by default, shows the emails from the partner domain in the last seven days.

Impersonation of Partners

By default, the Anti-Phishing security engine treats emails from domains that resemble one of your partners' domains with more suspicion.

Administrators can select to trigger a specific workflow in these cases. For more information, see Impersonation of your Partners.