Attachment and URI Analysis

Fortra Cloud Email Protection is capable of analyzing attachments to messages and URIs in message bodies, and using the results of that analysis, in addition to identity intelligence, to determine the overall trust of a message.

There are two levels of malicious content analysis possible in Cloud Email Protection:

  • Basic collection of attachment information, such as name and file extension, which can be used in Search and Policy.
  • Scanning of attachments for indicators of malicious intent, to enhance scoring and message classification.

URI analysis will:

  • Extract URIs from:
    • The text/HTML MIME parts of messages, including base URIs from head sections.
    • Microsoft Office and Adobe Acrobat documents attached to messages.
  • Parse both http and https schemes.
  • Display URIs in message details views; those URIs are not clickable.
  • Identify URIs that use common URI shorteners and identify websites behind those URI shorteners.
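As an added illustration of the extraction behaviour listed above (this is example code written for this page, not Fortra's implementation), the script below parses a message, collects attachment name and extension information, pulls URIs out of the text and HTML MIME parts with `<base href>` resolution, keeps only the http and https schemes, and flags URIs whose host is a known shortener. The sample message and the shortener list are constructed for the example; resolving what sits behind a shortener requires network access and is not done here.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from os.path import splitext
from urllib.parse import urljoin, urlsplit

# Constructed sample message: a multipart/alternative body (plain text plus HTML
# with a <base href>) and one PDF attachment. Not a real capture.
SAMPLE_EML = b"""\
From: sender@example.net
To: user@example.org
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Plain copy of the link: https://example.com/mail/report
--inner
Content-Type: text/html; charset="utf-8"

<html><head><base href="https://example.com/mail/"></head>
<body>
<a href="report">Report</a>
<a href="http://bit.ly/3abcXYZ">short link</a>
<a href="ftp://files.example.com/x">ftp link (not http/https)</a>
<img src="img/logo.png">
</body></html>
--inner--
--outer
Content-Type: application/pdf; name="Q3-report.PDF"
Content-Disposition: attachment; filename="Q3-report.PDF"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--outer--
"""

# Constructed sample list of shortener hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Bare URLs in plain-text parts: scheme://host... up to whitespace or a quote/bracket.
HTTP_RE = re.compile(r"https?://[^\s<>\"']+")


class _HrefCollector(HTMLParser):
    """Collect the first <base href> and every link/src target from an HTML part."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]          # only the first <base> counts, as in browsers
        elif tag in ("a", "area") and a.get("href"):
            self.targets.append(a["href"])
        elif tag in ("img", "iframe", "script") and a.get("src"):
            self.targets.append(a["src"])


def load_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return message_from_bytes(raw, policy=policy.default)


def attachment_info(msg: EmailMessage) -> list[dict]:
    """Basic attachment facts: name, lower-cased extension, declared content type."""
    out = []
    for part in msg.walk():
        if not part.is_attachment():
            continue
        name = part.get_filename() or ""
        ext = splitext(name)[1].lstrip(".").lower()
        out.append({"name": name, "extension": ext, "content_type": part.get_content_type()})
    return out


def extract_uris(msg: EmailMessage) -> list[str]:
    """Absolute http/https URIs from text parts, in first-seen order, de-duplicated."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            collector = _HrefCollector()
            collector.feed(body)
            # Relative targets are resolved against <base href>; with no base they
            # stay relative, have no scheme, and are dropped by the filter below.
            candidates = [urljoin(collector.base or "", t) for t in collector.targets]
        else:
            candidates = HTTP_RE.findall(body)
        for uri in candidates:
            if urlsplit(uri).scheme in ("http", "https") and uri not in found:
                found.append(uri)
    return found


def flag_shorteners(uris: list[str]) -> list[str]:
    """Subset of URIs whose host is a known shortener (resolution is a separate step)."""
    return [u for u in uris if (urlsplit(u).hostname or "").lower() in SHORTENER_HOSTS]


if __name__ == "__main__":
    m = load_message(SAMPLE_EML)
    print("attachments:", attachment_info(m))
    print("uris:", extract_uris(m))
    print("shortened:", flag_shorteners(extract_uris(m)))
```

The `ftp://` link is discarded because only http and https are parsed, and `img/logo.png` becomes an absolute URI only because the HTML head carries a `<base href>`; a message without one would contribute no URI from that tag.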

Using Attachment Analysis

Once attachment analysis is enabled, you can use the results of attachment analysis in different ways.

Using Attachment Analysis Results in Search and Policy

You will notice a new option on your Analyze > Search Messages page. The same field will also appear in Manage > Policies when you want to create or edit a policy.

Searching for messages with an attachment

If you are only collecting attachment name information, the following options will be available for you to search and set policy on:

  • has any attachments

  • has attachment name:

  • has attachment filename extension:

If you have enabled attachment scanning, then all of the options will be available for search and policy.

Searching for attachments: with attachment scanning enabled

NOTE: Wildcard matching or partial entries in the attachment name search are not supported. For example, "attachment name is 'foo.*.bar'" will not match "foo.banana.bar".

Attachment Scan Results

When attachment scanning is enabled, Cloud Email Protection uses the results of the scan in its scoring models and message classification models. For example, you will see the "Malicious Attachment" message classification in the Message Details, as shown below. (NOTE: Coming soon, you will also be able to expand the malicious attachment classification to see details on the malicious components that were detected.)

Attachment scanning results in the message details pane

Details of the Attachment Scan

Cloud Email Protection attachment scanning is focused on identifying potentially malicious behaviors in document-based attachments. It is not a sandbox and does not try to force malicious code to execute.

Cloud Email Protection will unpack, de-obfuscate, and perform static analysis of the following types of files:

  • Archive file formats (zip/rar/tar/{gz/gzip/tgz}/{bz2/bzip2/tbz2/tbz}/cab)
  • Office files, PDF, MHTML, email files, image files, flat data files, RTF
  • Flash, video formats, JavaScript, VBA

Using URI Analysis

URI analysis is available in both message search and policy creation. In both cases, you can select Likely Malicious URI from the Attack Type drop-down list to be included in the search or policy filter.

Select this to include messages with likely malicious URIs in searches or policies.