Skip to content

Ticket types for emails

Coro raises tickets for emails when it identifies the following security incidents:

Malware in email attachments

Coro scans an email's attachments and identifies potential malware. If malware is detected, the email is quarantined immediately and moved to the Suspected folder. Malware in email attachment tickets are closed immediately. To learn more, see Identifying malware in email.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Approve this email Coro moves the email from the Suspected folder to the Inbox.

The sender is not allowlisted.
Delete this email Coro deletes the email from the Suspected folder.

The sender is not blocklisted.

A record is added to the Activity Log and Ticket Log: "Email from <sender's email> has been deleted".
Add sender to blocklist Coro adds the email address to the blocklist.

If the address was in the allowlist, it is removed.

Coro deletes the email for all recipients.
Add sender's domain to blocklist Coro adds the sender's domain to the blocklist.

If the domain was in the allowlist, it is removed.

For all of this organization's users, Coro moves all emails from this domain to the Suspected folder.

Email phishing

Coro determines that an email contains a phishing attempt such as domain impersonation or any intention to mislead the recipient into revealing identifying information about themself. Phishing emails, including those emails marked as safe through the Coro add-in, are automatically closed after a review period of two weeks. To learn more, see Identifying phishing in email.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Approve this email Coro moves the email from the Suspected folder to the Inbox.

The sender is not allowlisted.
Delete this email Coro deletes the email from the Suspected folder.

The sender is not blocklisted.

A record is added to the Activity Log and Ticket Log: "Email from <sender's email> has been deleted".
Add sender to allowlist Coro adds the sender's email address to the allowlist.

For all of this organization's users, Coro moves emails received from this address from the Suspected folder to the Inbox.
Download Eml File Download the suspicious email (.eml format).

This allows you to thoroughly examine potentially malicious emails before taking any further action.

For further information, see Downloading suspicious emails for further inspection
Add sender to blocklist Coro adds the email address to the blocklist.

If the address was in the allowlist, it is removed.

Coro deletes the email for all recipients.
Add sender's domain to allowlist Coro adds the sender's domain to the allowlist.

If the domain was in the blocklist, remove it.

For all of this organization's users, Coro moves all emails from this domain from the Suspected folder to the Inbox.
Add sender's domain to blocklist Coro adds the sender's domain to the blocklist.

If the domain was in the allowlist, it is removed.

For all of this organization's users, Coro moves all emails from this domain to the Suspected folder.