Ticket types for Email Security

Important

The tickets discussed in this article apply to devices running Windows or macOS Agents.

Coro raises tickets for emails when it identifies the following security incidents:

Note: Each ticket raised for the types listed in this article includes Findings and Additional Findings sections. Use these sections to see details of the specific detectors that triggered the ticket, including an indication of the malicious content or authentication failure identified by the detector. For more information, see Using the ticket log.

Blocklisted Sender

Coro identifies that the sender's email address or domain is currently in the blocklist. Coro deletes the email for all recipients and automatically closes the ticket.

Note: In this scenario, Coro does not perform threat detection on the email content. The ticket relates only to the sender's email address or domain being currently blocklisted.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Removes all relevant sender entries from the workspace blocklist. |
| Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |

Brand Impersonation

Coro identified the email as potentially containing spoofing or impersonation of a brand, due to a detected homograph attack on a domain recognized as a popular brand. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Crowd Blocked Sender

Coro identifies that the sender's email address, domain, or IP address is in the global blocklist. Coro deletes the email for all recipients and automatically closes the ticket.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Add the sender's details (email address, domain, or IP address as stored in the blocklist) to the workspace allowlist. |
| Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |

Domain Impersonation

Coro identified the email as potentially containing impersonation of a domain, due to a detected homograph attack on a domain recognized as frequently used in your workspace. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |
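
The homograph check behind the Brand Impersonation and Domain Impersonation tickets can be illustrated as follows. This is an added example, not Coro's detector: it assumes a small constructed look-alike map and a hypothetical `PROTECTED` list standing in for popular brands or domains frequently used in the workspace.

```python
import unicodedata

# Constructed, deliberately small look-alike map (assumption). A production
# detector would load the full Unicode confusables data from UTS #39.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                  # Greek
}

def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so look-alikes are compared as displayed."""
    labels = []
    for label in domain.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string a reader would perceive."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def scripts(domain: str) -> set:
    """Scripts used by the letters of a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ch.isalpha()}

def impersonated_domain(sender_domain: str, protected: list):
    """Return the protected domain that sender_domain imitates, or None."""
    shown = to_unicode(sender_domain)
    if shown in {p.lower() for p in protected}:
        return None                  # exact match: the genuine domain
    for real in protected:
        if skeleton(shown) == skeleton(real):
            return real              # different code points, same appearance
    return None

# Constructed sample data: a protected list and two encodings of one spoof.
PROTECTED = ["example.com", "contoso.com"]
SPOOF = "\u0435x\u0430mple.com"      # Cyrillic e and a inside a Latin name
SPOOF_ACE = ("xn--" + "\u0435x\u0430mple".encode("punycode").decode("ascii")
             + ".com")               # the same name as it appears on the wire

if __name__ == "__main__":
    for d in ("example.com", SPOOF, SPOOF_ACE, "unrelated.org"):
        print(d, "->", impersonated_domain(d, PROTECTED), sorted(scripts(d)))
```

A mixed-script result from `scripts()` is a useful secondary signal when the look-alike map has no entry for a character.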

Domain Spoofing

Coro identified the email as having failed authentication checks for the originating domain. For example, the email is tagged with Sender Policy Framework (SPF) check failures. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Email Phishing

Note: This ticket type has been deprecated, and is included only for tickets previously raised against it.

Coro determines that an email contains a phishing attempt such as domain impersonation or any intention to mislead the recipient into revealing identifying information about themself. The email is moved to your selected quarantine folder, and tickets for phishing emails, including those emails marked as safe through the Coro add-in, are automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace allowlist. |
| Block | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace blocklist. |

Forbidden Attachment Type

The email contains an attachment of a type included in the file types quarantine list. For more details, see Email security settings. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Inbound Gateway: MX Record Misconfigured

If the Inbound Gateway is enabled in your subscription, Coro performs a periodic connection test (every four hours) to ensure that the gateway is correctly configured in your email service. Coro raises this ticket if the connection test observes that the highest priority MX record in the DNS for the named email domain is pointing to a non-Coro SMTP proxy server, preventing the gateway from receiving your incoming email.

The ticket remains open until:

  • Coro's periodic connection test confirms that the DNS is correctly configured.
  • An admin user performs a successful manual connection test (ACTIONS > Test connection).
  • An admin user manually closes the ticket.

Note: To learn more about configuring the Inbound Gateway for your email service, see Configuring the Inbound Gateway.

| Action | Outcomes |
|---|---|
| Close ticket | (Open tickets only) Closes the ticket without taking any remediation action. |
| Test connection | Coro presents a dialog enabling you to run a connection test against the DNS for your email domain to determine if the Inbound Gateway MX record is correctly configured. If the test is successful, Coro closes the ticket. |

Malware in Email Attachments

Coro scans an email's attachments and identifies potential malware. If malware is detected, the email is handled according to the Malware in Email Attachments security mode in your email security settings and the ticket is automatically closed by Coro.

Important

Where you select a Malware in Email Attachments security mode of "Quarantine", the remediation outcome depends on whether you have enabled Coro's Inbound Gateway add-on. Typically, emails containing malware are automatically deleted. However, if your email is routed through the Inbound Gateway, emails are stored in Coro's dedicated secure quarantine, pending remediation by admin users. These two alternative outcomes can impact the Allow and Block actions shown in the table below.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace allowlist. If the Inbound Gateway add-on is enabled in your workspace, you can also allow this email (return it from the quarantine folder back to the original recipients). NOTE: If your Malware in Email Attachments security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to add the sender's email address, domain, or IP address to the workspace blocklist. If the Inbound Gateway add-on is enabled, you can also remove the email from quarantine and permanently delete it. NOTE: If your Malware in Email Attachments security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Missing Required Authentication

Coro identifies that the sender's IP address is currently in, or falls within an IP address range declared in, the workspace's blocklist. Coro deletes the email for all recipients and automatically closes the ticket.

Note: In this scenario, Coro does not perform threat detection on the email content. The ticket relates only to the sender's IP address being currently blocklisted.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Removes all relevant sender and sender's domain entries from the blocklist. |
| Un-log and remove from audit reports | Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |

Reported by User

The email was reported by the end user as Phishing through the M365 or Gmail Coro add-in, even though Coro did not detect any malicious content. Tickets remain in an open state for operator review and close automatically after a period of two weeks.

| Action | Outcomes |
|---|---|
| Close ticket | (Open tickets only) Closes the ticket without taking any remediation action. |
| Re-open | (Closed tickets only) Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Un-log and remove from audit reports | (Closed tickets only) Removes this ticket from your workspace status update emails. NOTE: Unlogged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address, domain, or IP address to the workspace allowlist. |
| Block | Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address, domain, or IP address to the workspace blocklist. |

Spam

Coro determines that an email contains suspected spam in the message body, headers, or attachments. Spam is an email that has passed Coro's malware and phishing detection and is considered not malicious but contains indicators for unsolicited or unwanted content.

The email is handled according to the Spam security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Spam security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Spam security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Suspicious Metadata

The email contains metadata identified as potentially malicious. For example, the sender domain is flagged as malicious by one or more phishing evaluations.

The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

Suspicious Content

One or more of the following detectors were triggered, leading Coro to identify the email as containing potentially suspicious content:

  1. Malicious link: The email contains a known or suspected phishing/malicious URL link.
  2. Suspicious QR Code: The email contains a QR code encoded with a known or suspected phishing/malicious URL.
  3. Suspicious email content: The email message body contains content that Coro identifies as suspicious. That is, the email failed a statistics-based detector test involving customer and phishing data.
  4. Suspicious attachment content: The email includes an attachment that Coro identifies as suspicious or including a potential phishing attempt.

The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |

User Impersonation

Coro detected an Envelope honeypot: User impersonation event, whereby the email potentially contains spoofing or impersonation of a user. While the displayed sender name is associated with a known employee, the sender email address is unfamiliar in this workspace. The email is handled according to the Phishing security mode in your email security settings and the ticket is automatically closed by Coro.

| Action | Outcomes |
|---|---|
| Re-open | Reopens this ticket for admin user intervention and manual remediation. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket information. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Download Eml File | Downloads the suspicious email (.eml format). This enables you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection. |
| Allow | Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address, domain, or IP address to the workspace allowlist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Allow is limited to adding the sender to the allowlist. |
| Block | Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address, domain, or IP address to the workspace blocklist. NOTE: If your Phishing security mode is set to Warn recipients, the email is already delivered so Block is limited to adding the sender to the workspace blocklist. |
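
When examining a downloaded .eml file for a Domain Spoofing or User Impersonation ticket, the two signals those tickets describe can be checked by hand. This is an added example, not Coro's code: the sample message, the `DIRECTORY` of known employees and the trusted `authserv-id` value are constructed, and it assumes the .eml retains the receiving server's Authentication-Results header.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real email). The second
# Authentication-Results header imitates one injected by the sender.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com
Authentication-Results: forged.invalid; spf=pass smtp.mailfrom=example.com
From: "Dana Smith" <dana.smith@mail-example.org>
To: accounts@example.com
Subject: Updated bank details
Content-Type: text/plain

Please use the new account for this month's invoice.
"""

# Constructed directory (assumption): display name -> addresses known in the workspace.
DIRECTORY = {"dana smith": {"dana.smith@example.com"}}

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)
FAILING = {"fail", "softfail", "permerror"}

def auth_failures(msg, trusted_authserv_id):
    """Failed SPF/DKIM/DMARC results, read only from the trusted server's header."""
    failures = {}
    for header in msg.get_all("Authentication-Results", []):
        value = str(header)
        authserv = value.split(";", 1)[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv_id.lower():
            continue  # written by another host, possibly the sender: ignore it
        for method, result in AUTH_RESULT.findall(value):
            if result.lower() in FAILING:
                failures[method.lower()] = result.lower()
    return failures

def impersonated_user(msg, directory):
    """Display name of a known employee used with an address unknown for them."""
    name, addr = parseaddr(str(msg.get("From", "")))
    known = directory.get(" ".join(name.lower().split()))
    if known is not None and addr.lower() not in known:
        return name
    return None

def triage(raw_eml, directory, trusted_authserv_id):
    """Parse one .eml and report the two findings as a dict."""
    msg = message_from_string(raw_eml, policy=policy.default)
    return {
        "auth_failures": auth_failures(msg, trusted_authserv_id),
        "impersonated_user": impersonated_user(msg, directory),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EML, DIRECTORY, "mx.example.net"))
```

Restricting the check to the receiving server's own `authserv-id` matters because any sender can prepend a header claiming `spf=pass`.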
