This article is an overview of the module; a separate article covers its functionality in detail.
Heimdal™ Email Fraud Prevention scans for and prevents email fraud by intercepting inbound and outbound communications, comparing them with pre-registered signatures, and detecting whether they have been altered. This helps flag business email compromise (BEC) attacks before they have a chance of convincing you to hand over sensitive information.
The module starts when you install the Heimdal Thor Agent or when a Group Policy check runs (if Heimdal™ Email Fraud Prevention is enabled in your Group Policy), provided Outlook is open. If no Outlook instance is open when the Group Policy is checked, the Heimdal™ Email Fraud Prevention service checks every 5 minutes whether Outlook has been opened and then tries to start the Heimdal™ Email Fraud Prevention module.
To activate the module, go to the Email Protection section of your Endpoint Settings:
Heimdal™ Email Fraud Prevention intercepts every email from the Inbox and Sent folders and sends it for validation. A partial response is received within 10 minutes and a final result within 24 hours. If the partial or final status is Infected, the email is moved to the Heimdal - Heimdal™ Email Fraud Prevention subfolder under the Inbox folder. If an email was initially classified as infected (moved to HeimdalInfectedMails) and the final result then considers it uninfected, the email is moved back to its initial folder.
The first time Heimdal™ Email Fraud Prevention is activated (and only once), we scan the Inbox folder for the last X days (7 by default, configurable from Group Policy). All infected emails are moved under the Inbox subfolder named "In assessment"; those whose final status is Infected are moved to the Malicious subfolder.
To intercept emails, we created a secondary application named Heimdal™ Email Fraud PreventionMonitor. If this application is closed, the module tries to start it, checking its connection every 10 minutes. If the Heimdal™ Email Fraud Prevention service is closed, this secondary application is closed as well.
Information about Heimdal™ Email Fraud Prevention performance can be seen in the dashboard by clicking Heimdal™ Email Fraud Prevention in the left menu of the Heimdal Dashboard homepage.
Enable Heimdal™ Email Fraud Prevention - enabling this option activates Heimdal™ Email Fraud Prevention.
LAST DAYS TO SCAN - this slider lets you increase or decrease the number of days of your inbox that Thor scans. The first time Heimdal™ Email Fraud Prevention is activated (and only once), we scan the inbox for the last X days (7 by default).
Enable Agent Balloon Notifications - enabling this option shows you a pop-up notification each time an email is moved into or out of the Heimdal - Heimdal™ Email Fraud Prevention folder.
- enabling this option keeps notifications visible until you close them.
Whenever Heimdal™ Email Fraud Prevention moves an email to the infected folder, a pop-up is shown on the agent side warning the user with the following text: “We detected a malicious email and we have moved it away from the inbox”. If Heimdal™ Email Fraud Prevention later detects that an email moved to the In assessment folder is not infected, the client pop-up shows the following text: “False positive detected, we have restored an email to your inbox” and the email is moved back to its original folder.
A new checkbox on the Heimdal™ Email Fraud Prevention tab disables or enables the Outlook suspicious activity warnings.
On the Agent, a registry value is modified for this setting (2 -> disable, 0 -> enable). The value lives under the following key in regedit: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Outlook\Security
Delete, Restore and Cancel commands
IMPORTANT: The commands are performed from the dashboard only.
In the Heimdal Dashboard, you can select one or more emails and take an action (Restore, Delete, or Cancel) on each of them.
Delete - will delete the mail from Outlook
Restore - will restore the email to the initial folder - where the email was intercepted
Cancel - will cancel one of the actions above if it has not been processed yet
Emails are saved in C:\Users\Public\Documents. If the user blocks access to this location, the module is unable to read or write emails.
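The two endpoint prerequisites described on this page, the Outlook security registry value (2 -> warnings disabled, 0 -> enabled) and read/write access to C:\Users\Public\Documents, can be verified locally. The following PowerShell health check is an added example, not Heimdal's own code. The page does not name the registry value the agent modifies, so the value name is passed in as a placeholder parameter; the function names and the probe-file approach are this example's own.

```powershell
# Added example (not Heimdal's code): verify two prerequisites this page describes.
# 1) The Outlook security registry value the agent sets (2 = warnings disabled, 0 = enabled).
#    The page gives the key path but not the value NAME: supply it via -ValueName.
# 2) That C:\Users\Public\Documents, where intercepted emails are stored, is readable/writable.

function Get-OutlookWarningState {
    param(
        # Placeholder: the page does not state the value name; take it from your policy.
        [Parameter(Mandatory)] [string] $ValueName,
        [string] $KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook\Security'
    )
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; ValueName = $ValueName; Value = $null; State = 'KeyMissing' }
    }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $raw = $props.$ValueName
    # Mapping as stated on the page; anything else is flagged so an operator can look at it.
    $state = if ($null -eq $raw)  { 'ValueMissing' }
             elseif ($raw -eq 2)  { 'WarningsDisabled' }
             elseif ($raw -eq 0)  { 'WarningsEnabled' }
             else                 { "Unexpected($raw)" }
    [pscustomobject]@{ Key = $KeyPath; ValueName = $ValueName; Value = $raw; State = $state }
}

function Test-EmailStoreAccess {
    param([string] $Path = 'C:\Users\Public\Documents')
    $result = [pscustomobject]@{ Path = $Path; Exists = (Test-Path -Path $Path); CanReadWrite = $false; Error = $null }
    if (-not $result.Exists) { return $result }
    # Write and read back a uniquely named probe file, then remove it, so a blocked
    # location (the failure mode the page warns about) shows up as CanReadWrite = $false.
    $probe = Join-Path -Path $Path -ChildPath ('efp-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        if ([IO.File]::ReadAllText($probe) -eq 'probe') { $result.CanReadWrite = $true }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if (Test-Path -Path $probe) { Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue }
    }
    return $result
}

# Usage (run in an elevated session on the endpoint):
# Get-OutlookWarningState -ValueName '<VALUE-NAME-FROM-YOUR-POLICY>'
# Test-EmailStoreAccess
```

Run both functions under the same account the module runs as; a CanReadWrite of $false or a State other than WarningsDisabled/WarningsEnabled points at the conditions this page says prevent the module from working as configured.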
Type lets you define which type(s) of email to search for. The definitions by type are:
Normal - Clean/Legitimate email delivered to the intended recipient(s)
Spam - Email detected by Heimdal™ Email Fraud Prevention email security as spam
Virus - Email detected containing virus & other malware by Heimdal™ Email Fraud Prevention
ATP - Email detected as containing Advanced Threats by Heimdal™ Email Fraud Prevention
SPF Block - Email detected as violating the defined Sender Policy Framework
Blacklisted - Email that is blacklisted by you or another administrator in Heimdal™ Email Fraud Prevention
Whitelisted - Email that is whitelisted by you or another administrator in Heimdal™ Email Fraud Prevention
Attach Block - Email with attachment defined by you or another administrator in Heimdal™ Email Fraud Prevention
Status lets you define which email status to search for. The definitions by status are:
Delivered - Clean/Legitimate email delivered to the intended recipient(s)
Quarantine - Quarantined Email by Centium email security
Rejected - Rejected Email by Centium email security
Queue - Email in a queue for delivering to your server