Ticket types for Email Security

Coro raises tickets for emails when it identifies the following security incidents:

Note

Each ticket raised for the types listed in this article includes Findings and Additional Findings sections. Use these sections to see details of the specific detectors that triggered the ticket, including an indication of the malicious content or authentication failure identified by the detector. For more information, see Using the ticket log.

Blocklisted sender

Coro identifies that the sender's email address or domain is currently in the Suspicious Content Blocklist. The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Remove all relevant sender and sender's domain entries from the workspace blocklist.
Un-log and remove from audit reports: Remove this ticket from your Workspace status update emails. NOTE: Un-logged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails.

Brand impersonation

Coro identified the email as potentially containing spoofing or impersonation of a brand, due to a detected homograph attack on a domain recognized as a popular brand. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address or domain to the workspace blocklist.

Crowd Blocked Sender

Coro identifies that the sender's email address or domain is in the global blocklist. The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Add all relevant sender and sender's domain entries to the workspace allowlist.
Un-log and remove from audit reports: Remove this ticket from your Workspace status update emails. NOTE: Un-logged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails.

Domain Impersonation

Coro identified the email as potentially containing spoofing or impersonation of a domain, due to a detected homograph attack on a domain recognized as frequently used in your workspace. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog enabling you to allow this email (return it from the quarantine folder back to the original recipients) and optionally add the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog enabling you to permanently delete this email, and optionally add the sender's email address or domain to the workspace blocklist.
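
When reviewing a Brand impersonation or Domain Impersonation ticket, the sender domain can be compared against the names it may be imitating. The following is an added example, not Coro's detector or code: the confusables table, the protected-domain list and all function names are assumptions, and the sample domains are constructed.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption). A real
# deployment would load the full Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic
    "\u03bf": "o",                                               # Greek omicron
    "0": "o", "1": "l",                                          # digit swaps
}

def to_unicode(domain):
    """Lower-case the domain and decode punycode (xn--) labels."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def find_impersonated(sender_domain, protected):
    """Return the protected domain that sender_domain imitates, else None."""
    if to_unicode(sender_domain) in {to_unicode(d) for d in protected}:
        return None  # exact match: this is the real domain
    skel = skeleton(sender_domain)
    for real in protected:
        if skel == skeleton(real):
            return real
    return None

# Constructed sample data: protected names and sender domains to triage.
PROTECTED = ["example.com", "payroll.example"]
SAMPLES = [
    "example.com",                                                 # genuine
    "ex\u0430mple.com",                                            # Cyrillic "a"
    "xn--" + "ex\u0430mple".encode("punycode").decode() + ".com",  # same, punycode
    "examp1e.com",                                                 # digit 1 for "l"
    "unrelated.example",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d!r:30} -> {find_impersonated(d, PROTECTED)}")
```
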

Email Phishing

Note

This ticket type has been deprecated, and is included only for tickets previously raised against it.

Coro determines that an email contains a phishing attempt such as domain impersonation or any intention to mislead the recipient into revealing identifying information about themselves. Phishing emails, including those emails marked as safe through the Coro add-in, are automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.

Forbidden Attachment Type

The email contains an attachment of a type included in the file types quarantine list. For more details, see Email security settings. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.

Malware in email attachments

Coro scans an email's attachments and identifies potential malware. If malware is detected, the email is deleted for all recipients and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog enabling you to add the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog enabling you to add the sender's email address or domain to the workspace blocklist.

Missing Required Authentication

The email failed to meet the enforced authentication requirements. That is, the following conditions were true:

  • The email sender's domain is in the workspace's authentication blocklist.
  • The sender failed Coro's authentication tests.

The email is deleted for all recipients and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Remove all relevant sender and sender's domain entries from the authentication failure blocklist.
Un-log and remove from audit reports: Remove this ticket from your Workspace status update emails. NOTE: Un-logged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails.

Reported by User

The email was reported by the end user as Phishing through the M365 or Gmail Coro add-in, even though Coro did not detect any malicious content. Tickets remain in an open state for operator review and close automatically after a period of two weeks.

Action: Outcomes
Close ticket (Open tickets only): Close the ticket and do not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Un-log and remove from audit reports (Closed tickets only): Remove this ticket from your Workspace status update emails. NOTE: Un-logged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.

Suspicious Content

One or more of the following detectors were triggered, leading Coro to identify the email as containing potentially suspicious content:

  1. Malicious link: The email contains a known or suspected phishing/malicious URL link.
  2. Suspicious QR Code: The email contains a QR code encoded with a known or suspected phishing/malicious URL.
  3. Suspicious email content: The email message body contains content that Coro identifies as suspicious. That is, the email failed a statistics-based detector test involving customer and phishing data.
  4. Suspicious attachment content: The email includes an attachment that Coro identifies as suspicious or including a potential phishing attempt.

The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.

User impersonation

Coro detected an Envelope honeypot: User impersonation event, whereby the email potentially contains spoofing or impersonation of a user. While the displayed sender name is associated with a known employee, the sender email address is unfamiliar in this workspace. The email is moved to your selected quarantine folder and the ticket is automatically closed by Coro.

Action: Outcomes
Re-open: Reopen this ticket for Admin user intervention and manual remediation.
Contact user: Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log.
Download Eml File: Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow: Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block: Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.
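
The condition described for User impersonation tickets (a known employee's display name paired with an unfamiliar address) can be re-checked by hand on a downloaded .eml file. The following is an added example, not Coro's detector or code: the directory contents, the sample message and the function names are assumptions.

```python
from email import message_from_string, policy

def normalize_name(name):
    """Case-fold and collapse whitespace so name variants compare equal."""
    return " ".join((name or "").casefold().split())

def check_user_impersonation(eml_text, directory):
    """Return (display_name, address) pairs where a known employee's name
    appears with an address that is not on file for that employee.

    directory: {normalized display name: set of known addresses}, assumed
    to be exported from your own identity source.
    """
    msg = message_from_string(eml_text, policy=policy.default)
    from_header = msg["From"]
    if from_header is None:
        return []  # no From header: nothing to compare
    findings = []
    # policy.default decodes RFC 2047 encoded-words, so an encoded display
    # name is compared in its rendered form, as the recipient would see it.
    for addr in from_header.addresses:
        known = directory.get(normalize_name(addr.display_name))
        sender = addr.addr_spec.lower()
        if known is not None and sender not in known:
            findings.append((addr.display_name, sender))
    return findings

# Constructed sample: a directory entry and a message as saved from a ticket.
DIRECTORY = {"dana reyes": {"dana.reyes@corp.example"}}
SAMPLE_EML = (
    "From: =?utf-8?q?Dana_Reyes?= <dana.reyes@mail-portal.example>\n"
    "To: finance@corp.example\n"
    "Subject: Invoice approval\n"
    "\n"
    "Please review the attached invoice.\n"
)

if __name__ == "__main__":
    print(check_user_impersonation(SAMPLE_EML, DIRECTORY))
```
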