Identifying phishing in email¶
The process diagram details Coro's phishing in email inspection process:
Coro first determines whether the sender or the entire domain from which the email was received is on the Blocklist:
- If yes, the email is deleted for all protected users.
- If no, Coro then determines whether the sender or the entire domain from which the email was received is on the Allowlist.
- If neither the sender nor the domain is on the Blocklist or Allowlist, the email is scanned for phishing.
- If phishing is detected, the email is quarantined immediately and moved to the Suspected folder (offsite from the recipient.)
- If no phishing is detected, the email is then scanned for domain impersonation by searching for signatures that should be present but are not.
- If domain impersonation is detected, the email is quarantined immediately and moved to the Suspected folder (offsite from the recipient.)
If the email passes both phishing and malware inspections, it is stored as normal in the recipient's inbox.
To learn more about protected and non-protected users, see Users and groups.
Phishing attempts in QR codes¶
Coro can identify phishing attempts in URLs encoded as QR codes in emails.
This mechanism is initiated when phishing URLs encoded as QR codes are detected within an email, and the email contains one or more predefined words in the subject line.
This mechanism generates the same ticket type (Email Phishing) as text-based phishing email links.
Downloading suspicious emails for further inspection¶
Email Phishing tickets have an additional action enabling you to download the suspicious email (in .eml format). This allows you to directly examine potentially malicious emails before taking any further action. This download action applies to both open and closed Email Phishing tickets.
Make sure that you download suspicious .eml files to a secure and isolated network segment to prevent any disruption to your other services.
A .eml file is an email message saved by an email application, such as Microsoft Outlook or Apple Mail. It contains the content of the message, along with the subject, sender, recipient(s), and date of the message. .eml files may also store one or more email attachments, which are files sent with the message.
You can open .eml files with:
Email programs, such as Microsoft Outlook, Apple Mail, and Mozilla Thunderbird.
Web browsers, including Google Chrome, Microsoft Edge, and Internet Explorer.
Plain text editor, such as Microsoft Notepad, and Apple TextEdit.
Word processors such as Microsoft Word.
Downloading suspicious emails in .eml format¶
To download a potentially malicious email in .eml format:
Select Ticket Log from the toolbar:
From the Type filter, filter the Ticket Log for Email Phishing tickets.
Select an individual Email Phishing ticket, and then click ACTIONS:
Select Download Eml File:
The Download the EML file confirmation dialog is displayed:
Click CONFIRM to download the .eml file.
A confirmation message is displayed:
After the .eml file is downloaded, locate and open in order to view the contents of the email.