Email security

When connected via cloud app API, does Coro scan Microsoft 365 and Gmail emails before they reach the recipient's inbox?

No, the Coro API scans emails after they have reached the recipient's inbox, and API rules are then applied.

Does Coro protect shared email addresses?

Yes, Coro protects shared email addresses.

For more information, see Protecting a Microsoft 365 shared mailbox.

Can Coro connect to a Microsoft G-level licensing product, for example, Office365 GovG1?

No, Coro cannot connect to a Microsoft G-level licensing product.

Does Coro's email phishing protection scan emails once received?

Yes, all incoming emails are scanned as soon as they are received.

I am utilizing Google Workspace Sync for Microsoft Outlook and am having difficulty downloading the Outlook plug-in since my admin account is setup with Google Workspace. Is there a downloadable file available for the Outlook Email Feedback plug-in?

Unfortunately, this is not possible. With add-in distribution, the add-in is linked to your organization's Microsoft 365 business account, which is needed for the add-in to work properly.

When an Admin User blocks a domain or email, does a retroactive scan delete the blocklisted emails from the inboxes of all protected users?

Previous emails are never deleted. Only the current emails from the sender/domain from which the administrator blocked the sender/domain, as well as all subsequent emails from this sender/domain, are deleted.

Does Coro store my incoming/outgoing emails and disclose sensitive information?

Coro does not store emails from its customers. Only emails associated with tickets are temporarily stored in a privacy-preserving manner.

Does Coro support Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF)?

Currently DKIM and SPF are not supported by Coro.

Can emails flagged by Coro be redirected to folders other than the Coro Suspected folder?

Yes, you can specify the default folder where phishing emails are stored for Microsoft 365 and Gmail.

The options are:

  • Dedicated Suspected folder : This is selected by default. All quarantined emails are stored in the dedicated Coro Suspected folder.
  • System trash folder : All quarantined emails are stored in the system (Microsoft 365/Gmail) trash folder instead of the dedicated Coro Suspected folder.

For further information, see Specifying the default email quarantine folder.

What happens when emails with attachments of specific file types are quarantined?

These are treated as phishing emails. Incoming emails containing attachments of the file types defined are automatically quarantined, and Coro creates a Forbidden attachment type ticket to record the event.

For further information, see Quarantined email attachments by file type.

Does Coro auto remediate (block and delete) emails that are confirmed to contain malware?

Deletion is only performed when the sender or sender's domain is explicitly added to a blocklist by an admin user.

Does Coro's email security layer detect malware/phishing before they reach the inbox?

By default, Coro detects malware/phishing as soon as an email reaches an inbox, not before. If any of these problems are discovered, the email is either moved to the Suspected folder or deleted.

Alternatively, you can use the Secure Messages add-in to detect malware/phishing in emails before they reach the inbox.

Coro’s Secure Messages add-in is a sender-to-recipient email encryption service that offers a secure digital messaging system that transforms how you communicate, collaborate, and share data with your customers and business partners. Secure Messages utilizes an advanced two-part encryption mechanism that initiates as soon as a message is sent. The Secure Messages add-in is available for Microsoft Outlook 365 and Gmail.

For further information, see Secure Messages.

When evaluating emails, does the Specific Keywords option search include email address domains or the sender/recipient address?

No, the Specific Keywords option only searches the content of emails and shared files (subject, body, attachments, and attachment filenames)

Does Coro detect outgoing phishing?

While not included by default, the Secure Messages add-in expands Coro's functionality to detect outgoing phishing.

For further information, see Secure Messages.

If I have a protected user that reports an email as junk, does Coro perform any action?

No, Coro does not perform any action on emails reported as 'Junk' by a protected user.

How are Malware in Email attachment tickets resolved in Coro?

Coro scans an email's attachments and identifies potential malware. If malware is detected, the email is deleted and moved to the specified suspected folder for all recipients. The ticket is automatically closed by Coro.

For further information, see Malware in email attachments.

If an O365 Admin approves/releases a suspected email within O365 will Coro still flag it?

Actions performed externally are not monitored by Coro, and therefore in this situation, Coro would flag it.

What happens when 'Quarantine emails with attachments of these specified file types' is enabled?

When ‘Quarantine emails with attachments of these specified file types’ is enabled, emails containing any of the file types specified are moved to your selected quarantine folder. A corresponding Forbidden Attachment Type ticket is created and automatically closed by Coro. The logic by which Coro scans the email for any suspicious behavior remains the same (e.g. Coro checks if the sender is on the Blocklist/Allowlist).

What type of ticket is created for an email quarantined due to having an attachment of a specific file type?

The ticket type created is dependent on the detectors which are triggered. Attachments of a specific file type are treated as a Forbidden Attachment Type ticket, and the email is moved to your selected quarantine folder. The Forbidden Attachment Type ticket is automatically closed by Coro.


Prior to the release of Coro v3.0, tickets created for suspected email phishing attempts were classified as Email Phishing. Email Phishing tickets are no longer supported and are only retained for tickets created before the release of Coro v3.0, with the new label: Email Phishing [Deprecated].

Can the Secure Messages add-on encrypt and send large file attachments?

The maximum file size for a single message attachment is 40 MB, with a total file size of 100 MB for all attachments.

What does the BETA tag indicate for Inbound Gateway?

The BETA tag indicates that the Inbound Gateway is open for external testing but might have bugs or limitations. It is meant for Email Security customers interested in the testing phase. Coro recommends not using it for full production or mission-critical purposes.


Please send any issues to and watch for official release updates.

How long will Inbound Gateway be in Beta?

Hovering your pointer over the BETA tag in the console displays the expected duration of the Inbound Gateway BETA stage.

How can I purchase and enable Inbound Gateway?

For assistance with purchasing and setting up the Inbound Gateway, contact our sales team.

How much does it cost to purchase Inbound Gateway?

Inbound Gateway is an add-on for the Email Security module. For more information, contact our sales team, or visit Pricing.

How do I configure Inbound Gateway to work with my email service?

For information on configuring the Inbound Gateway, see Configure the Inbound Gateway

How do I manage quarantined emails?

For information on managing quarantined emails, see Manage quarantined emails

Is Inbound Gateway compatible with email services other than Microsoft or Google?

Yes, the Inbound Gateway is compatible with any email service, provided the customer owns the domain, allowing Coro to update the DNS records.


Free Gmail versions are not supported, due to domain ownership by Google.

What is the difference between Warning-Only and Block modes? Which one should I select?

Warning-Only mode: Emails suspected of phishing or malware are marked with warnings without being blocked; it is suitable for testing or when business continuity is a priority.

Block mode: Emails suspected of phishing or malware are blocked, quarantining them securely until admin user review, offering higher security and control.


Coro admins select the mode best suited for their business needs.

What does an email marked as 'SUSPECTED' mean?

The 'SUSPECTED' tag alerts you to exercise caution with the email. In Warning-Only mode, Coro Inbound Gateway flags suspicious emails without blocking, allowing recipients to review them.

Is it possible to send encrypted messages from a mobile device using Secure Messages?

The Secure Messages portal can be accessed on mobile devices through a web browser. For Google Workspace accounts, the Secure Messages Gmail add-in, which is supported on both web and mobile platforms of Gmail, secures outbound messages sent from Gmail. For Microsoft 365 accounts, the Secure Messages Outlook add-in is currently only supported on web platforms.

Does Coro detect and remediate spam emails?

Coro does not function as a spam filter and does not directly identify spam emails. However, due to the nature of such messages, Coro's phishing and malware detection mechanisms can sometimes be triggered leading to identification of spam as malicious.