Ticket types for Email Security

Coro raises tickets for emails when it identifies the following security incidents:

Note

Each ticket raised for the types listed in this article includes Findings and Additional Findings sections. Use these sections to see details of the specific detectors that triggered the ticket, including an indication of the malicious content or authentication failure identified by the detector. For more information, see Using the ticket log.

Blocklisted Sender

Coro identifies that the sender's email address, domain, or IP address is currently in the Suspicious Content Blocklist. The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Removes all relevant sender entries from the workspace blocklist.
Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a "Log and reference for audit reports" action to re-include the ticket in your update emails.

Brand Impersonation

Coro identified the email as potentially containing spoofing or impersonation of a brand, due to a detected homograph attack on a domain recognized as a popular brand. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

Crowd Blocked Sender

Coro identifies that the sender's email address, domain, or IP address is in the global blocklist. The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Add the sender's details (email address, domain, or IP address as stored in the blocklist) to the workspace allowlist.
Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a "Log and reference for audit reports" action to re-include the ticket in your update emails.

Domain Impersonation

Coro identified the email as potentially containing spoofing or impersonation of a domain, due to a detected homograph attack on a domain recognized as frequently used in your workspace. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.
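
The homograph condition behind Brand Impersonation and Domain Impersonation tickets can be reproduced on a sender domain taken from a downloaded .eml file. The following is an added example, not Coro's detector: the look-alike map, the function names, and the example.com domains are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike map (assumption); a production
# check would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0456": "i",                 # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                # Greek
    "0": "o", "1": "l",                                          # digits
}


def to_unicode(domain):
    """Decode punycode (xn--) labels so the check sees the rendered form."""
    labels = []
    for label in domain.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Fold a domain to a comparison form: NFKC, casefold, map look-alikes."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m")  # "rn" renders close to "m"


def scripts(domain):
    """Script names of the letters in a domain, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ch.isalpha()}


def check_sender_domain(sender_domain, protected_domains):
    """Return (verdict, matched_domain) for one sender domain."""
    shown = to_unicode(sender_domain)
    for real in protected_domains:
        if shown == real.lower():
            return ("exact", real)
    for real in protected_domains:
        if skeleton(shown) == skeleton(real):
            return ("look-alike", real)
    if len(scripts(shown)) > 1:
        return ("mixed-script", None)
    return ("no-match", None)


if __name__ == "__main__":
    protected = ["example.com"]  # constructed workspace/brand list
    for d in ["example.com", "ex\u0430mple.com", "examp1e.com", "example.org"]:
        print(repr(d), check_sender_domain(d, protected))
```

A "look-alike" verdict is the case to weigh before using Allow, since adding such a domain to the workspace allowlist would exempt the impersonating sender.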

Email Phishing

Note

This ticket type has been deprecated, and is included only for tickets previously raised against it.

Coro determines that an email contains a phishing attempt such as domain impersonation or any intention to mislead the recipient into revealing identifying information about themselves. The email is moved to your selected quarantine folder, and tickets for phishing emails, including those emails marked as safe through the Coro add-in, are automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace allowlist.
Block | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace blocklist.

Forbidden Attachment Type

The email contains an attachment of a type included in the file types quarantine list. For more details, see Email security settings. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

Malware in Email Attachments

Coro scans an email's attachments and identifies potential malware. If malware is detected, the email is handled according to the Malware in Email Attachments security mode in your email security settings and the ticket is automatically closed by Coro.

Important

Where you select a Malware in Email Attachments security mode of "Quarantine", the remediation outcome depends on whether you have enabled Coro's Inbound Gateway add-on. Typically, emails containing malware are automatically deleted. However, if your email is routed through the Inbound Gateway, emails are stored in Coro's dedicated secure quarantine, pending remediation by admin users. These two alternative outcomes can impact the Allow and Block actions shown in the table below.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace allowlist. If the Inbound Gateway add-on is enabled in your workspace, you can also allow this email (return it from the quarantine folder back to the original recipients). NOTE: If your Malware in Email Attachments security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace blocklist. If the Inbound Gateway add-on is enabled, you can also remove the email from quarantine and permanently delete it. NOTE: If your Malware in Email Attachments security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

Missing Required Authentication

The email failed to meet the enforced authentication requirements. That is, the following conditions were true:

  • The email sender's domain is in the workspace's authentication blocklist.
  • The sender failed Coro's authentication tests.

The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Removes all relevant sender and sender's domain entries from the authentication failure blocklist.
Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a "Log and reference for audit reports" action to re-include the ticket in your update emails.

Reported by User

The email was reported by the end user as Phishing through the M365 or Gmail Coro add-in, even though Coro did not detect any malicious content. Tickets remain in an open state for operator review and close automatically after a period of two weeks.

Action | Outcomes
Close ticket (Open tickets only) | Closes the ticket without taking any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only) | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Un-log and remove from audit reports (Closed tickets only) | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a "Log and reference for audit reports" action to re-include the ticket in your update emails.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address, domain, or IP address to the workspace allowlist.
Block | Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address, domain, or IP address to the workspace blocklist.

Spam

Coro determines that an email contains suspected spam in the message body, headers, or attachments. Spam is an email that has passed Coro's malware and phishing detection and is considered not malicious but contains indicators for unsolicited or unwanted content.

The email is handled according to the Spam security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Spam security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Spam security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

Suspicious Metadata

The email contains metadata identified as potentially malicious. For example, the sender domain is flagged as malicious by one or more phishing evaluations.

The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

Suspicious Content

One or more of the following detectors were triggered, leading Coro to identify the email as containing potentially suspicious content:

  1. Malicious link: The email contains a known or suspected phishing/malicious URL link.
  2. Suspicious QR Code: The email contains a QR code encoded with a known or suspected phishing/malicious URL.
  3. Suspicious email content: The email message body contains content that Coro identifies as suspicious. That is, the email failed a statistics-based detector test involving customer and phishing data.
  4. Suspicious attachment content: The email includes an attachment that Coro identifies as suspicious or including a potential phishing attempt.

The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.

User Impersonation

Coro detected an Envelope honeypot: User impersonation event, whereby the email potentially contains spoofing or impersonation of a user. While the displayed sender name is associated with a known employee, the sender email address is unfamiliar in this workspace. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Allow is limited to adding the sender to the allowlist.
Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to "Warn recipients", the email is already delivered so Block is limited to adding the sender to the workspace blocklist.
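
The condition this ticket type describes, a display name associated with a known employee paired with an unfamiliar sender address, can be checked against a downloaded .eml file. This is an added example, not Coro's detector: the DIRECTORY mapping, the sample message, and the function names are hypothetical, and "unfamiliar" is assumed to mean "not an address on record for that employee".

```python
from email import message_from_string, policy

# Constructed sample standing in for a downloaded .eml file.
SAMPLE_EML = """\
From: "Dana  WHITE" <dana.white.payroll@mail.example.net>
To: finance@example.com
Subject: Updated bank details

Please use the new account for this month's transfer.
"""

# Hypothetical workspace directory: employee name -> addresses known for them.
DIRECTORY = {
    "Dana White": {"dana.white@example.com"},
    "Lee Ortiz": {"lee.ortiz@example.com", "lortiz@example.com"},
}


def name_key(display_name):
    """Case- and order-insensitive key, so 'WHITE, Dana' equals 'Dana White'."""
    cleaned = display_name.replace(",", " ").replace(".", " ")
    return frozenset(cleaned.casefold().split())


def check_user_impersonation(raw_eml, directory):
    """Return (employee, sender_address) pairs where a From display name
    matches a known employee but the address is not one known for them."""
    known = {name_key(name): (name, {a.lower() for a in addrs})
             for name, addrs in directory.items()}
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    from_header = msg["From"]
    if from_header is None:
        return findings
    # policy.default decodes RFC 2047 encoded words in the display name.
    for sender in from_header.addresses:
        key = name_key(sender.display_name)
        if not key or key not in known:
            continue  # no display name, or not an employee's name
        employee, addresses = known[key]
        if sender.addr_spec.lower() not in addresses:
            findings.append((employee, sender.addr_spec.lower()))
    return findings


if __name__ == "__main__":
    for employee, address in check_user_impersonation(SAMPLE_EML, DIRECTORY):
        print(f"display name matches {employee!r}, unfamiliar address {address}")
```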