Attack Classifications

This topic describes the different types of email attacks.

Attack Taxonomy

Messages that are untrusted, per the Message Trust Score, are classified by Cloud Email Protection into one or more of the attack taxonomy classes seen in the figure below.

The Attack classification taxonomy

The attack classifications appear in the Message Details view and can be used for search and policy.

The taxonomy attack classifications are described in more detail below.

Domain Spoof

A Domain Spoof is a message that purports to be sent by a high-reputation domain, but Cloud Email Protection has detected that it does not come from an authentic sending source for that domain.

Domain Spoof example

Look-alike Domains

A Look-alike Domain attack uses a domain made to look like a highly trusted and well-known domain, such as one of your internal or partner domains.

Look-alike domain example

Display Name Impostor

A Display Name Impostor is a message in which the display name portion of the From field has been changed to look like a well-known brand or a different individual. Display name deception is frequently used along with other attack types like Look-alike Domains or Compromised Accounts. In Cloud Email Protection, Display Name Impostors are split into two classes: Individual Display Name Impostors and Brand Display Name Impostors.

Individual Display Name impostor example
Brand Display Name impostor example
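
To show how the Look-alike Domain and Display Name Impostor classes differ, and how they combine in one From header, here is an added example. It is not Cloud Email Protection's detection logic: the trusted domains, known people, brands and confusables table are constructed assumptions, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed reference data (assumptions, not product configuration).
TRUSTED_DOMAINS = {"example.com", "partner.example"}
KNOWN_PEOPLE = {"alice chen": "alice.chen@example.com"}  # display name -> real address
KNOWN_BRANDS = {"example bank": "example.com"}           # brand name -> brand's domain
# Tiny illustrative confusables table; a real check needs a far larger one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Fold confusable characters so 'examp1e' and 'exarnple' both become 'example'."""
    return domain.translate(CONFUSABLES).replace("rn", "m")

def classify_from(header):
    """Return the set of deception labels suggested by one From header value."""
    name, addr = parseaddr(header)
    name = " ".join(name.lower().split())
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    labels = set()
    # Look-alike: not a trusted domain, yet visually or textually close to one.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
                labels.add("look-alike domain")
    # Individual impostor: a known person's name on an address that is not theirs.
    if name in KNOWN_PEOPLE and addr != KNOWN_PEOPLE[name]:
        labels.add("individual display name impostor")
    # Brand impostor: a brand name in the display name, sent from outside the brand's domain.
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in name and domain != brand_domain:
            labels.add("brand display name impostor")
    return labels

if __name__ == "__main__":
    # Constructed sample header: brand name plus a digit-for-letter domain.
    print(sorted(classify_from('"Example Bank Support" <help@examp1e.com>')))
```

Neither check says anything about whether the sending source is authentic for the domain, so a Domain Spoof of `example.com` itself returns no label here.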

Compromised Account (Account Take Over)

A Compromised Account is an account that belongs to a real user but has been taken over by a bad actor and used for malicious purposes. When Cloud Email Protection finds indicators of account takeover, it classifies the message as coming from a Compromised Account.

Compromised account example

Malicious Attachment

If attachment scanning is enabled, Cloud Email Protection will tell you when an attachment is likely to be malicious.

Malicious attachment example

Likely Malicious URI

If URI scanning is enabled, Cloud Email Protection will tell you when a URI is found in the body of a message that is likely to be malicious.

Malicious URI example

Spam or Graymail

In addition to the sender classifications that identify malicious messages, Cloud Email Protection also classifies messages that are not necessarily malicious but are unwanted or unsolicited email. Messages that fit the Spam or Graymail class should not be trusted, regardless of the other sender classifications.

Spam or Graymail example

TIP: In addition to the attack classifications, Cloud Email Protection will also classify messages that simply come from a Low Message Trust Rule. Many messages that fit the taxonomy classifications of Fraud and Unsolicited Email (Spam and Graymail) come from domains that should not be trusted, regardless of the sender classifications. This example shows a message that not only has the Spam/Graymail attack classification but is also identified as low message trust.