Settings

Use the Settings tab to manage Coro's email security configuration.

Through this tab, you configure the types of threats you want Coro to detect and remediate. You can also determine the action you want Coro to take, configure bypass criteria, and define where to place quarantined emails.

Email settings tab

To learn more about the settings in this tab, see the following sections:

Coro raises tickets for detected email threats (excluding where specified) so admin users can investigate and intervene if required. To see the complete list of ticket types raised for email security events, see Ticket types for Email Security.

Important

If a sender's email address, domain, or IP address is in the Email Security allowlist, Coro delivers email as normal and bypasses the threat detections listed here.

If a sender's email address, domain, or IP address appears in the Email Security blocklist, Coro blocks and deletes affected emails and reports the event through a Blocklisted sender or Crowd Blocked Sender ticket.

Scanning emails for threats

note

These settings apply to Coro's API-based Email Security module and also to the Inbound Gateway add-on when enabled. Email threat scanning is enabled by default for new workspaces.

Coro can scan emails as they are delivered to your protected users for a range of potential threats, such as malware and phishing attacks. On this page, you can enable or disable this protection and configure how Coro should react when such a threat is detected.

To enable email threat scanning, enable Scan emails for the following threat types:

Enable real-time email scans

When email scanning is enabled, Coro protects against the following threat types:

Each threat type can be enabled or disabled using the adjacent checkbox. If a threat type is enabled, Coro uses the configured Security mode to determine the outcome when that threat is detected. Coro supports the following modes:

Mode Description
Quarantine Limit damage by blocking potentially malicious emails from reaching a recipients's inbox. If the email contains detected malware, for safety Coro deletes the email completely. For all other potential threats, Coro moves the message to quarantine, enabling recipients and workspace admin users to investigate and take appropriate action.

Admin users can inspect associated tickets through the Coro console and, depending on the type of threat, choose to Allow release of the email to its recipients as safe or Block the email and its contents permanently.
Warn recipient Continue to deliver the email as normal, but include a warning label or banner within the message to show the type of threat Coro has detected. This allows recipients and workspace admin users to perform analysis and identification of potentially malicious messages while not disrupting the normal delivery of legitimate emails.

Admin users can inspect tickets raised to identify a suspicious email event; however, this is for information only and no further remediation actions are available as the email has already been delivered. Ticket actions might be limited to retrospective operations such as adding the sender's email address, domain, or IP address to an allowlist or blocklist for future remediation decisions.

NOTE: Your email service provider can perform its own remediation on delivered emails and could, for example, quarantine emails itself that Coro has detected as potentially harmful, but delivered with a warning.
note

Quarantine mode is available as a configurable option only for malware, phishing, and spam threat types. The remaining types, if enabled, are set by default to warn recipients only.

What do email warnings look like

In Gmail, Coro presents the warning message as a label. In Microsoft 365/Outlook, Coro presents the warning message as a banner.

For example:

Email warning examples

Important

If Coro detects more than one threat in an email, only the most significant threat is used as the basis for the warning message. This is determined by the following order, from most significant to least significant:

  1. Malware in Email Attachments
  2. Phishing
  3. Spam
  4. Newly Registered Domain
  5. Encrypted Attachment
  6. Unverified Sender
  7. Unknown External Sender

To see full details for all detected threats, review the ticket Coro raises for the incident. For more information on Email Security ticket types, see Ticket types for Email Security.

Malware in Email Attachments

Coro scans all incoming emails for attachment files that might be malicious, and creates a ticket for detected threats. If you select a security mode of Quarantine, suspicious files are deleted for all recipients to prevent possible damage. If you select Warn recipients, the message is delivered as normal to recipients with an added warning label or banner. As Coro has already enacted remediation, no further Admin intervention is required and the ticket is marked closed.

Admin users can review closed malware tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist.

Important

If the Inbound Gateway add-on is enabled, suspicious emails are not deleted but instead stored in Coro's secure quarantine for optional admin review. For more information, see How Coro handles malicious email.

To learn more, see Malware in Email Attachments tickets.

Spam

Spam is an email that has passed Coro's malware and phishing detection and is considered not malicious but contains indicators for unsolicited or unwanted content.

Coro scans emails for suspected spam in the message body, headers, and attachments, and creates a ticket for any identified cases. Depending on your selected security mode, suspicious emails are either moved to quarantine, or the message is delivered as normal to recipients with an added warning label. As Coro has already enacted remediation, no further admin user intervention is required and the ticket is marked closed.

Admin users can review closed spam tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist.

To learn more, see Spam tickets.

Phishing

Coro scans emails from external domains for phishing indications. Coro can identify a range of different phishing categories, with specific ticket types being raised to help admin users analyse trends. For all categories (excluding user-reported phishing through the Coro add-in), Coro quarantines or warns recipients regarding the suspicious email based on your selected security mode. As Coro has already enacted remediation, no further admin user intervention is required and raised tickets are marked closed.

Admin users can review closed phishing tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist. To see the full range of phishing email ticket types reported by Coro, see Ticket types for Email Security.

Newly Registered Domain

Coro checks if the sender's email address is from a domain that was registered within the last 30 days. A recently-registered domain indicates increased risk of potentially malicious activity.

No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.

Encrypted Attachment

Coro checks for emails that include an encrypted attachment. This is a commonly-used method to evade virus scans.

No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.

Unverified Sender

Coro attempts to verify an external sender's identity through standard authenticaton protocols. An unverified or unverifiable sender is flagged to recipients.

No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.

Unknown External Sender

Coro checks for emails sent from external senders who have not previously sent messages to these recipients.

No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.

Setting sensitivity for spam detection

Coro enables you to set the sensitivity level for spam detection within your protected users' emails. This can help to alleviate scenarios where your users find a higher than expected amount of false positives, or if it appears Coro is not detecting spam to the level desired:

Spam sensitivity level

Set your detection level according to the following:

Level Description
High (Default) The highest level of sensitivity with the lowest trigger point for detection. This level is most likely to identify spam in emails, but with an increased risk of false positives.
Medium Provides a balanced approach to spam detection. Coro detects a high level of spam in emails, with a reduced likelihood of false positives.
Low The lowest level of sensitivity, producing the least amount of spam identification and interception. Use this level if spam is a lower priority for your organization, you want to reduce the number of spam notifications, or you encounter a large number of false positives.

Quarantining email attachments by file type

note

These settings apply to Coro's Email Security module and, when enabled, to the Inbound Gateway add-on.

Admin users can choose to quarantine emails containing attachments of specified types.

Quarantine emails with attachment file types

Select Quarantine emails with attachments of these specified file types. Then, select or deselect file attachment extensions from the presented list.

If an email is sent to a protected user containg an attachment of a specified type, Coro quarantines the email message and triggers a Forbidden attachment type ticket.

note

Use the Custom file types box to enter additional file extensions not listed.

To learn more about types of sensitive data to monitor for access and exposure in email sharing, see User Data Governance.

Excluding emails from threat scans

Use the Allow emails to bypass the scans section to set rules for which emails should be excluded from threat detection.

Coro supports two types of exclusion mechanism:

Security Awareness Training

Organizations can utilize Security Awareness (SA) providers to help train employees in recognizing phishing attempts and malicious content delivered via email. SA providers send simulated email attacks to test employee awareness and measure response rates to deceptive messages, with a view to educating employees on what to look for and how to flag or avoid future threats.

To avoid such emails being flagged as suspicious, Coro enables you to define an allowlist for emails originating from SA providers. Allowlist entries can be based on the sender's email domain, IP address, a range of IP addresses, or an expected email header value:

Security Awareness Training allowlist

To enable the Security Awareness Training allowlist, enable Allow emails for Security Awareness Training purposes.

To add a new provider to the allowlist:

  1. Select + ADD .

    Coro displays the Add to allowlist dialog:

    Security Awareness Training Add to allowlist dialog

  2. Enter the following details:
    • Name : Enter a name for the provider.
    • Domains, IPs, or IP Ranges : (Optional) Enter one or more email domains, IP addresses, or range of IP addresses identifying the provider. Select Enter or Tab after each entry to add it to the list.
    • Email header : (Optional) Enter an email header name and corresponding expected value. The value is case-insensitive. To add additional email headers, select + Add new header and enter the new header details.
    note

    You must specify at least one entry in either Domains, IPs, or IP range or Email header for your provider record to be valid.

  3. To save your provider details, select ADD TO LIST .

After you have added a new SA provider, use the dropdown to the left of the record to view a summary of the settings. Or, use the adjacent three-dot menu to Edit or Remove the record:

Security Awareness Training allowlist edit menu

Subject line exclusion

Use this section to instruct Coro to ignore emails containing specific keywords in the subject line:

Subject line keyword exclusion

To enable subject line keyword exclusion, enable Allow emails with specified keywords in the subject line. Then, enter one or more keywords into the box provided. Select Enter or Tab after each keyword to add it to the list.

Coro matches keywords individually. To be excluded, a subject line must match at least one keyword from the list.

Specifying the default email quarantine folder

Important

This feature is not applicable if you have enabled and configured the Inbound Gateway email proxy add-on. In this scenario, quarantined emails are stored in Coro's dedicated secure storage.

Specify the default folder location where malicious emails are stored for Microsoft 365 and Gmail. The options are:

  • Dedicated Suspected folder : ( default setting ) All quarantined emails are stored in a dedicated Suspected folder in the email service. Coro creates this folder at a first detection and stores malicious emails within it thereafter.
  • System trash folder : All quarantined emails are stored in the system (Microsoft 365/Gmail) trash folder.
note

When the default quarantine folder is changed, quarantined emails are not transferred between folders.

To set the default email quarantine folder, use the Quarantine folder selector:

Email quarantine folder

All quarantined emails are now stored in the selected folder.