In this article, you will learn everything about the Email Protection - Email Fraud Prevention module.
1. Description
2. How does Email Fraud Prevention work?
3. HEIMDAL Agent - Email Fraud Prevention
4. Email Fraud Prevention view
5. Email Fraud Prevention settings
DESCRIPTION
Email Fraud Prevention scans for and prevents email fraud by intercepting inbound and outbound communications, comparing them against pre-registered signatures, and detecting whether they have been altered. This helps flag Business Email Compromise (BEC) attacks before they have a chance to convince you to hand over sensitive information.
HOW DOES EMAIL FRAUD PREVENTION WORK?
The service starts when you install the HEIMDAL Agent, or on a Group Policy check if Email Fraud Prevention is enabled in your Group Policy, provided Outlook is running. If no Outlook instance is running at the time of the Group Policy check, the Email Fraud Prevention service checks every 5 minutes whether Outlook has been started and then tries to start the Email Fraud Prevention module.

The module intercepts every email in the Inbox and Sent folders and sends it for validation. A partial verdict is returned within 10 minutes and a final verdict within 24 hours. If the partial or final status is Infected, the email is moved to the Heimdal - EFP subfolder under the Inbox folder. If an email was initially classified as infected (and moved to HeimdalInfectedMails) but the final verdict clears it, the email is moved back to its original folder. The first time Email Fraud Prevention is activated (and only once), the Inbox is scanned for the last X days (7 by default, configurable from the Group Policy): emails still under review are moved to the Inbox subfolder named In assessment, and those with a final status of infected to the subfolder named Malicious.

To intercept emails, a secondary application named Email Fraud PreventionMonitor is used. If this application is closed, the module tries to restart it, checking its connection every 10 minutes. If the Email Fraud Prevention service itself is stopped, this secondary application is closed as well. Intercepted emails are written to C:\Users\Public\Documents\Heimdal Security\; if this path is blocked, the module cannot read or write emails. Note that the Public profile is readable and writable by every account that can log on to the machine by default, so on a shared endpoint other local users can read the staged mail unless the folder's ACL is tightened. If multiple email accounts are configured, Email Fraud Prevention currently filters only the main email account.
HEIMDAL AGENT - EMAIL FRAUD PREVENTION
The HEIMDAL Agent displays information about the Scanned emails, the Malicious emails, and the Risk Assessment emails.
The information displayed on the HEIMDAL Agent - Email Fraud Prevention section is reported to the HEIMDAL Dashboard -> Email Protection -> Email Fraud Prevention.
EMAIL FRAUD PREVENTION VIEW
The Email Protection - Email Fraud Prevention view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information covers the emails scanned by the HEIMDAL Agent while Outlook is running. At the top, you see statistics for the number of Scanned emails, the number of Malicious emails, and the number of Emails in risk assessment.
The collected information is split into two views: Inbound and Outbound.
- Inbound
This view displays a table with the following details: To, From, Date, Subject, Resolution, and Risk Score.
You can select one or multiple emails and take the following actions:
Delete - deletes the email from Outlook;
Restore - restores the email to its initial folder, where it was intercepted;
Cancel - cancels either of the actions above if it has not been processed yet.
- Outbound
This view displays a table with the following details: To, From, Date, Subject, Resolution, and Risk Score.
You can select one or multiple emails and take the following actions:
Delete - deletes the email from Outlook;
Restore - restores the email to its initial folder, where it was intercepted;
Cancel - cancels either of the actions above if it has not been processed yet.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Status.
EMAIL FRAUD PREVENTION SETTINGS
Email Fraud Prevention - turn ON/OFF the Email Fraud Prevention module;
General Settings
Agent Balloon Notifications - displays a pop-up notification each time an email is moved into or out of the Email Fraud Prevention folder;
Agent Balloon Notifications Persistence - keeps the pop-up notifications on screen until the user closes them;
Disable Outlook Suspicious activity warnings - disables or enables Outlook's suspicious activity (programmatic access) warnings. When this option is turned ON, the HEIMDAL Agent changes the ObjectModelGuard value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Outlook\Security (the key is created if it does not exist) from 0 (warn) to 2 (never warn). Keep in mind that this suppresses the Outlook Object Model Guard prompt for every application on the endpoint, not only for the HEIMDAL Agent, so any process that automates Outlook can read the address book or send mail without the user being asked; weigh that against the convenience of silencing the prompt;
LAST DAYS TO SCAN - sets the number of days back that HEIMDAL Security's Email Fraud Prevention scans your Outlook inbox. The first time the Email Fraud Prevention module is activated (and only once), it scans the inbox for the last X days (7 by default). Whenever Email Fraud Prevention moves an email to the infected folder, the agent shows a pop-up warning the user with the following text: "We detected a malicious email and we have moved it away from the inbox". If an email that was moved to the In assessment folder is later found not to be infected, the agent pop-up reads: "False-positive detected, we have restored an email to your inbox" and the email is moved back to its original folder.
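The two endpoint-side side effects described on this page, the ObjectModelGuard registry change and the mail staging folder under the Public profile, are worth auditing after rollout. The script below is an added example written for this article, not HEIMDAL's own code. It assumes the default Office 16.0 registry path and the default staging path quoted above; the parameter names $OfficeVersion and $StagingPath are this example's own, and the script only reads, it changes nothing.

```powershell
# Added audit example (not part of the HEIMDAL Agent). Reports:
#  1. the current ObjectModelGuard value and what it means for Outlook's
#     programmatic-access prompts;
#  2. which principals can read the folder where intercepted mail is staged.
param(
    [string]$OfficeVersion = '16.0',                                    # assumed default
    [string]$StagingPath   = 'C:\Users\Public\Documents\Heimdal Security' # path from the article
)

# --- 1. Outlook Object Model Guard --------------------------------------------
# Documented values: 0 = warn when antivirus is missing or out of date (default),
# 1 = always warn, 2 = never warn. The agent writes 2 when the
# "Disable Outlook Suspicious activity warnings" option is ON.
$regPath = "HKLM:\SOFTWARE\Microsoft\Office\$OfficeVersion\Outlook\Security"
$omg = Get-ItemProperty -Path $regPath -Name ObjectModelGuard -ErrorAction SilentlyContinue

if ($null -eq $omg) {
    Write-Output "ObjectModelGuard: not set under $regPath (Outlook default behaviour applies)"
} else {
    $meaning = switch ($omg.ObjectModelGuard) {
        0       { 'warn when antivirus is missing or out of date' }
        1       { 'always warn' }
        2       { 'never warn: programmatic-access prompts are suppressed for every app' }
        default { 'unknown value' }
    }
    Write-Output ("ObjectModelGuard: {0} ({1})" -f $omg.ObjectModelGuard, $meaning)
    if ($omg.ObjectModelGuard -eq 2) {
        Write-Warning 'Any process automating Outlook can access the address book or send mail without a prompt.'
    }
}

# --- 2. Staging folder ACL ---------------------------------------------------------
if (Test-Path -LiteralPath $StagingPath) {
    $acl = Get-Acl -LiteralPath $StagingPath
    Write-Output "Allow entries on $StagingPath"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { '  {0,-40} {1}' -f $_.IdentityReference, $_.FileSystemRights }

    # Flag broad principals that can read the staged mail. Generic rights show up
    # as plain numbers in FileSystemRights, hence the numeric alternative.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE' -and
        $_.FileSystemRights.ToString() -match 'Read|Modify|FullControl|^-?\d+$'
    }
    if ($broad) {
        Write-Warning ("Intercepted mail in {0} is readable by: {1}" -f $StagingPath,
            (($broad | ForEach-Object { $_.IdentityReference }) -join ', '))
    }
} else {
    Write-Output "Staging folder $StagingPath not present: no mail staged yet, or the path is blocked"
}
```

Run it in an elevated PowerShell session so the HKLM key is readable; if your Office build lives under a different version key, pass -OfficeVersion accordingly. A warning from the ACL check on a shared endpoint means the staged emails are exposed to other local accounts, which the folder's ACL, not the module, has to address.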