
How Coro handles malicious email

Coro's Inbound Gateway offers two configurable outcomes when it encounters a potentially malicious email:

Operation modes

  • Warning only: Emails are sent on to intended recipients as normal, with a warning indicator [SUSPECTED] added to the email subject line.

    For example:

    Suspected email subject line

    Admin users can inspect tickets raised to identify a suspicious email; however, this is for information only and no further remediation actions are available as the email has already been forwarded. Ticket actions might be limited to retrospective operations such as adding the sender or sender's domain to an allowlist or blocklist for future remediation decisions.

  • Block: Emails are blocked from end recipients and remain in Coro's dedicated secure quarantine storage pending remediation.

    Note

    The quarantine location selected in the Email Security Settings tab is not applicable in this mode.

    Admin users can inspect tickets raised to identify a blocked email event and, depending on the type of threat, choose to Allow release of the email to its recipients as safe or Block the email and its contents permanently.
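In Warning only mode the tagged email has already reached the mailbox, so any follow-up happens after delivery. The following added example (not Coro code and not a Coro API) tallies delivered messages carrying the [SUSPECTED] indicator by sender domain, to inform the allowlist or blocklist decisions described above. It assumes messages are available as raw RFC 5322 text and that the indicator can appear anywhere in the subject; the sample messages and the reply-prefix rule are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

MARKER = "[SUSPECTED]"  # indicator from this page; its position in the subject is assumed
# Hypothetical rule: a leading RE:/FW:/FWD: means a user replied to or forwarded tagged mail.
REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Billing <billing@vendor.example>\nTo: amy@corp.example\n"
    "Subject: [SUSPECTED] Invoice overdue\n\nbody\n",
    "From: it@corp.example\nTo: amy@corp.example\n"
    "Subject: Maintenance window\n\nbody\n",
    # RFC 2047 encoded-word subject: a raw substring search would miss the marker.
    "From: promo@vendor.example\nTo: bob@corp.example\n"
    "Subject: =?utf-8?q?=5BSUSPECTED=5D_Caf=C3=A9_menu?=\n\nbody\n",
    "From: amy@corp.example\nTo: bob@corp.example\n"
    "Subject: RE: [SUSPECTED] Invoice overdue\n\nbody\n",
]

def classify(raw):
    """Return (state, sender_domain); state is 'clean', 'tagged' or 'tagged-reply'."""
    # policy.default decodes encoded-word headers into plain text.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    address = parseaddr(str(msg["From"] or ""))[1]
    domain = address.rpartition("@")[2].lower()
    if MARKER not in subject:
        return "clean", domain
    state = "tagged-reply" if REPLY_PREFIX.match(subject) else "tagged"
    return state, domain

def tagged_domains(raws):
    """Count tagged messages per sender domain, skipping replies and forwards,
    whose From header names the internal user rather than the original sender."""
    counts = Counter()
    for raw in raws:
        state, domain = classify(raw)
        if state == "tagged":
            counts[domain] += 1
    return counts

if __name__ == "__main__":
    for domain, count in tagged_domains(SAMPLES).most_common():
        print(f"{domain}: {count} tagged message(s) delivered")
```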

Reviewing email security tickets

Coro raises tickets to represent suspicious email events. These tickets contain findings concerning the nature of the threat observed, key details such as the sender and recipients, and a range of remediation actions.

To view your email security tickets:

  1. Sign in to your Coro workspace.

  2. From the Actionboard, select the Email Security panel:

    Email Security dashboard

  3. Use the threat type links listed in the right-hand pane to view tickets of that specific type, or select All to view all email security tickets.

    Note

    Alternatively, select the Ticket Log icon in the toolbar and set a module filter of "Email Security". To learn more, see Using the Ticket Log.

  4. Review a ticket instance and select Actions to view the available remediation actions. For example:

    Ticket actions for

To learn more about email security ticket types and available remediation actions, see Email Security ticket types.