Settings
Use the Settings tab to manage Coro's email security configuration.
Through this tab, you configure the types of threats you want Coro to detect and remediate. You can also determine the action you want Coro to take, and where to place quarantined emails.
To learn more about the settings in this tab, see the following sections:
Coro raises tickets for detected email threats (excluding where specified) so admin users can investigate and intervene if required. To see the complete list of ticket types raised for email security events, see Ticket types for Email Security.
Important
If a sender's email address, domain, or IP address is in the Email Security allowlist, Coro delivers email as normal and bypasses the threat detections listed here.
If a sender's email address, domain, or IP address appears in the Email Security blocklist, Coro blocks and deletes affected emails and reports the event through a Blocklisted sender or Crowd Blocked Sender ticket.
Scanning emails for threats
note
These settings apply to Coro's API-based Email Security module and also to the Inbound Gateway add-on when enabled. Email threat scanning is enabled by default for new workspaces.
Coro can scan emails as they are delivered to your protected users for a range of potential threats, such as malware and phishing attacks. On this page, you can enable or disable this protection and configure how Coro should react when such a threat is detected.
To enable email threat scanning, enable Scan emails for the following threat types:
When email scanning is enabled, Coro protects against the following threat types:
- Malware in Email Attachments
- Spam
- Phishing
- Newly Registered Domains
- Encrypted Attachment
- Unverified Sender
- Unknown External Sender
Each threat type can be enabled or disabled using the adjacent checkbox. If a threat type is enabled, Coro allows you to configure the security mode. This determines the outcome when that threat is detected. Select from the following options:
| Mode | Description |
|---|---|
| Quarantine | Limit damage by blocking potentially malicious emails from reaching a recipients's inbox. If the email contains detected malware, for safety Coro deletes the email completely. For all other potential threats, Coro moves the message to quarantine, enabling recipients and workspace admin users to investigate and take appropriate action. Admin users can inspect associated tickets through the Coro console and, depending on the type of threat, choose to Allow release of the email to its recipients as safe or Block the email and its contents permanently. |
| Warn recipient | Continue to deliver the email as normal, but include a warning label or banner within the message to show the type of threat Coro has detected. This allows recipients and workspace admin users to perform analysis and identification of potentially malicious messages while not disrupting the normal delivery of legitimate emails. Admin users can inspect tickets raised to identify a suspicious email event; however, this is for information only and no further remediation actions are available as the email has already been delivered. Ticket actions might be limited to retrospective operations such as adding the sender's email address, domain, or IP address to an allowlist or blocklist for future remediation decisions. NOTE: Your email service provider can perform its own remediation on delivered emails and could, for example, quarantine emails itself that Coro has detected as potentially harmful, but delivered with a warning. |
note
Quarantine mode is available as an option only for malware, phishing, and spam threat types. The remaining types, if enabled, are set by default to warn recipients only.
What do email warnings look like
In Gmail, Coro presents the warning message as a label. In Microsoft 365/Outlook, Coro presents the warning message as a banner.
For example:
Malware in Email Attachments
Coro scans all incoming emails for attachment files that might be malicious, and creates a ticket for detected threats. If you select a security mode of Quarantine, suspicious files are deleted for all recipients to prevent possible damage. If you select Warn recipients, the message is delivered as normal to recipients with an added warning label or banner. As Coro has already enacted remediation, no further Admin intervention is required and the ticket is marked closed.
Admin users can review closed malware tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist.
Important
If the Inbound Gateway add-on is enabled, suspicious emails are not deleted but instead stored in Coro's secure quarantine for optional admin review. For more information, see How Coro handles malicious email.
To learn more, see Malware in Email Attachments tickets.
Spam
Spam is an email that has passed Coro's malware and phishing detection and is considered not malicious but contains indicators for unsolicited or unwanted content.
Coro scans emails for suspected spam in the message body, headers, and attachments, and creates a ticket for any identified cases. Depending on your selected security mode, suspicious emails are either moved to quarantine, or the message is delivered as normal to recipients with an added warning label. As Coro has already enacted remediation, no further admin user intervention is required and the ticket is marked closed.
Admin users can review closed malware tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist.
To learn more, see Spam tickets.
Phishing
Coro scans emails from external domains for phishing indications. Coro can identify a range of different phishing categories, with specific ticket types being raised to help admin users analyse trends. For all categories (excluding user-reported phishing through the Coro add-in), Coro quarantines or warns recipients regarding the suspicious email based on your selected security mode. As Coro has already enacted remediation, no further admin user intervention is required and raised tickets are marked closed.
Admin users can review closed phishing tickets to examine the details, including performing actions such as downloading the suspicious email for analysis or adding sender details to an allowlist or blocklist. To see the full range of phishing email ticket types reported by Coro, see Ticket types for Email Security.
Newly Registered Domain
Coro checks if the sender's email address is from a domain that was registered within the last 30 days. A recently-registered domain indicates increased risk of potentially malicious activity.
No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.
Encrypted Attachment
Coro checks for emails that include an encrypted attachment. This is a commonly-used method to evade virus scans.
No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.
Unverified Sender
Coro attempts to verify an external sender's identity through standard authenticaton protocols. An unverified or unverifiable sender is flagged to recipients.
No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.
Unknown External Sender
Coro checks for emails sent from external senders who have not previously sent messages to these recipients.
No tickets are raised for detected threats of this type, and the email is delivered as normal with a warning label or banner to highlight the risk.
Quarantined email attachments by file type
note
These settings apply to Coro's Email Security module and, when enabled, to the Inbound Gateway add-on.
Admin users can choose to quarantine emails containing attachments of specified types.
Select Quarantine emails with attachments of these specified file types. Then, select or deselect file attachment extensions from the presented list.
If an email is sent to a protected user containg an attachment of a specified type, Coro quarantines the email message and triggers a Forbidden attachment type ticket.
note
Use the Custom file types box to enter additional file extensions not listed.
To learn more about types of sensitive data to monitor for access and exposure in email sharing, see User Data Governance.
Specifying the default email quarantine folder
Important
This feature is not applicable if you have enabled and configured the Inbound Gateway email proxy add-on. In this scenario, quarantined emails are stored in Coro's dedicated secure storage.
Specify the default folder location where malicious emails are stored for Microsoft 365 and Gmail. The options are:
- Dedicated Suspected folder : ( default setting ) All quarantined emails are stored in a dedicated Suspected folder in the email service. Coro creates this folder at a first detection and stores malicious emails within it thereafter.
- System trash folder : All quarantined emails are stored in the system (Microsoft 365/Gmail) trash folder.
note
When the default quarantine folder is changed, quarantined emails are not transferred between folders.
To set the default email quarantine folder, use the Quarantine folder selector:
All quarantined emails are now stored in the selected folder.