
Identifying phishing in email

The process diagram details Coro's phishing in email inspection process:

Coro first determines whether the sender or the entire domain from which the email was received is on the Blocklist:

  1. If yes, the email is deleted for all protected users.
  2. If no, Coro then determines whether the sender or the entire domain from which the email was received is on the Allowlist.
  3. If neither the sender nor the domain is on the Blocklist or Allowlist, the email is scanned for phishing.
  4. If phishing is detected, the email is quarantined immediately and moved to the Suspected folder (offsite from the recipient).
  5. If no phishing is detected, the email is then scanned for domain impersonation by searching for signatures that should be present but are not.
  6. If domain impersonation is detected, the email is quarantined immediately and moved to the Suspected folder (offsite from the recipient).

If the email passes both phishing and malware inspections, it is stored as normal in the recipient's inbox.

Phishing in email inspection process

To learn more about protected and non-protected users, see Users and groups.

Phishing attempts in QR codes

Coro can identify phishing attempts in URLs encoded as QR codes in emails.

This mechanism is initiated when phishing URLs encoded as QR codes are detected within an email, and the email contains one or more predefined words in the subject line.

Note

This mechanism generates the same ticket type (Email Phishing) as text-based phishing email links.

Downloading suspicious emails for further inspection

Email Phishing tickets have an additional action enabling you to download the suspicious email (in .eml format). This allows you to directly examine potentially malicious emails before taking any further action. This download action applies to both open and closed Email Phishing tickets.

Warning

Make sure that you download suspicious .eml files to a secure and isolated network segment to prevent any disruption to your other services.

A .eml file is an email message saved by an email application, such as Microsoft Outlook or Apple Mail. It contains the content of the message, along with the subject, sender, recipient(s), and date of the message. .eml files may also store one or more email attachments, which are files sent with the message.

You can open .eml files with:

  • Email programs, such as Microsoft Outlook, Apple Mail, and Mozilla Thunderbird.

  • Web browsers, including Google Chrome, Microsoft Edge, and Internet Explorer.

  • Plain text editors, such as Microsoft Notepad and Apple TextEdit.

  • Word processors such as Microsoft Word.

Downloading suspicious emails in .eml format

To download a potentially malicious email in .eml format:

  1. Select Ticket Log from the toolbar:

    Access the Ticket Log

  2. From the Type filter, filter the Ticket Log for Email Phishing tickets.

    Filter the Ticket log

  3. Select an individual Email Phishing ticket, and then click ACTIONS:

    Download action

  4. Select Download Eml File:

    Download eml file

    The Download the EML file confirmation dialog is displayed:

    Confirm eml download

  5. Click CONFIRM to download the .eml file.

    A confirmation message is displayed:

    eml Download request

  6. After the .eml file is downloaded, locate and open it to view the contents of the email.
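As an added example (not part of Coro or its documentation), the following Python code reads the contents of a downloaded .eml file with the standard library only, so the message is parsed as data and never rendered: it reports key headers, a From/Reply-To domain mismatch, defanged URLs, and a SHA-256 hash for each attachment. The function names and the sample message are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message (not a real email); domains are reserved examples.
SAMPLE_EML = (
    b"From: Billing <billing@example.com>\r\n"
    b"Reply-To: helpdesk@example.net\r\n"
    b"Subject: Invoice overdue\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<a href="http://login.example.net/verify">Pay now</a>\r\n'
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n--b1--\r\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def summarize_eml(raw: bytes) -> dict:
    """Parse a .eml statically: nothing is rendered, fetched or executed."""
    msg = message_from_bytes(raw, policy=policy.default)
    wanted = ("From", "Reply-To", "Return-Path", "Subject", "Authentication-Results")
    out = {"headers": {h: str(msg[h]) for h in wanted if msg[h] is not None},
           "urls": [], "attachments": []}
    reply_dom = domain_of(msg["Reply-To"])
    out["reply_to_mismatch"] = bool(reply_dom) and reply_dom != domain_of(msg["From"])
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if part.get_filename() or part.get_content_disposition() == "attachment":
            out["attachments"].append({"filename": part.get_filename(),
                                       "content_type": part.get_content_type(),
                                       "size": len(data),
                                       "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(data.decode("utf-8", errors="replace")):
                # Defang so the report cannot be clicked by accident.
                safe = url.replace("http", "hxxp", 1).replace(".", "[.]")
                if safe not in out["urls"]:
                    out["urls"].append(safe)
    return out
```

To inspect a downloaded file, pass its bytes to `summarize_eml`, for example the result of reading the .eml file in binary mode on the isolated host.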