MailSentry - E-Mail Fraud Prevention scans for and prevents email fraud by intercepting inbound and outbound communications, comparing them with pre-registered signatures, and detecting whether they have been altered. This helps flag BEC (Business Email Compromise) attacks before they have a chance to convince you to hand over sensitive information.
The module starts when you install the Heimdal Thor Agent or when a Group Policy check runs (if MailSentry is enabled in your Group Policy), provided Outlook is open. If no Outlook instance is open at the time of the Group Policy check, the MailSentry service checks every 5 minutes whether Outlook has been opened and then tries to start the MailSentry module.
MailSentry - E-Mail Fraud Prevention intercepts every email in the Inbox and Sent folders and sends it for validation. A partial result is returned within 10 minutes and a final result within 24 hours. If the partial or final status is Infected, the email is moved to the Heimdal - MailSentry subfolder under the Inbox folder. If an email was moved out as infected on the partial result (to HeimdalInfectedMails) and the final result later considers it clean, the email is moved back to its original folder.
The first time MailSentry is activated (and only once), the Inbox folder is scanned for the last X days (7 by default, configurable from Group Policy). Emails flagged as infected are moved to the Inbox subfolder named "In assessment", and those with a final status of Infected to the subfolder named "Malicious".
To intercept emails, a secondary application named MailSentryMonitor is used. If this application is closed, the module tries to start it again, checking its connection every 10 minutes. If the MailSentry service is stopped, this secondary application should also be closed.
Information about MailSentry's performance can be seen in the dashboard by clicking MailSentry -> E-Mail Fraud Prevention in the left menu of the Heimdal Dashboard homepage.
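The following PowerShell script is an added example, not Heimdal's own code or part of this documentation. It checks the moving parts described above on a workstation: whether Outlook is open (the module only starts when it is), whether the MailSentryMonitor helper is running, and which of the MailSentry subfolders named on this page exist under the Inbox and what they currently hold. Two assumptions are made: the helper's process name starts with "MailSentryMonitor" (the page names the application, not its executable), and the subfolders sit directly under the default Inbox of the current Outlook profile.

```powershell
# Added example, not part of Heimdal's documentation or code.
# Checks the MailSentry moving parts described above on the local workstation:
#   - is Outlook open (MailSentry only starts when it is),
#   - is the MailSentryMonitor helper running,
#   - which MailSentry subfolders exist under the Inbox and what they hold.
# Assumptions: the helper's process name starts with "MailSentryMonitor"
# (the page names the application, not its executable), and the subfolders
# sit directly under the default Inbox of the current Outlook profile.

param(
    # Folder names mentioned on this page; adjust to what your tenant shows.
    [string[]]$QuarantineFolders = @('Heimdal - MailSentry', 'HeimdalInfectedMails',
                                     'In assessment', 'Malicious'),
    [int]$MaxItems = 10
)

# 1. Outlook must be running, otherwise MailSentry just polls every 5 minutes.
if (-not (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue)) {
    Write-Warning 'Outlook is not running; the MailSentry module cannot start yet.'
}

# 2. The secondary MailSentryMonitor application (process name is an assumption).
$monitor = Get-Process -Name 'MailSentryMonitor*' -ErrorAction SilentlyContinue
if ($monitor) {
    "MailSentryMonitor running: PID $($monitor.Id -join ', ')"
} else {
    Write-Warning 'No MailSentryMonitor process found; the module retries every 10 minutes.'
}

# 3. Inspect the Inbox subfolders through the Outlook COM object model.
try {
    $outlook = New-Object -ComObject Outlook.Application
    $inbox   = $outlook.GetNamespace('MAPI').GetDefaultFolder(6)   # 6 = olFolderInbox
} catch {
    Write-Warning "Could not attach to Outlook: $($_.Exception.Message)"
    return
}

$present = @{}
foreach ($folder in $inbox.Folders) { $present[$folder.Name] = $folder }

foreach ($name in $QuarantineFolders) {
    if (-not $present.ContainsKey($name)) {
        "Subfolder '$name' not present under Inbox"
        continue
    }
    $items = $present[$name].Items
    $items.Sort('[ReceivedTime]', $true)          # newest first
    "Subfolder '$name': $($items.Count) item(s)"
    $items | Select-Object -First $MaxItems ReceivedTime, SenderEmailAddress, Subject |
        Format-Table -AutoSize
}
```

Run it in the interactive session of the user whose Outlook profile MailSentry is attached to; the COM call attaches to that user's running Outlook instance and will fail from a session without one.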
Delete, Restore and Cancel commands
In the Heimdal Dashboard, you can select one or more emails and take actions (Restore, Delete, and Cancel) for each and every one of them.
Delete - will delete the mail from Outlook
Restore - will restore the email to the initial folder - where the email was intercepted
Cancel - will cancel one of the actions above if it has not been processed yet
Emails are saved in C:\Users\Public\Documents. If the user blocks access to this location, the module is unable to read or write emails.
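The script below is an added example, not Heimdal's own code. It checks the two things a practitioner will want to know about the staging directory named above: who on the machine can read or write it (C:\Users\Public\Documents is shared by every account on the machine, so intercepted messages staged there are visible to anyone who can sign in), and whether the account running the script can actually read and write there, which is the failure mode the paragraph describes. Only the path comes from the page; the probe file name is an assumption.

```powershell
# Added example, not Heimdal's own code. Verifies the staging directory that
# MailSentry uses for intercepted emails (path taken from the documentation
# above) and reports who else on the machine can access it.
$StagingDir = 'C:\Users\Public\Documents'

if (-not (Test-Path -LiteralPath $StagingDir)) {
    Write-Warning "$StagingDir does not exist; MailSentry cannot stage emails."
    return
}

# Who can read or write here? Public Documents is shared by every account on
# the machine, so any interactive user may be able to read staged messages.
# Generic rights (shown as large numeric values) are not decoded here.
$acl = Get-Acl -LiteralPath $StagingDir
$rightsType = [System.Security.AccessControl.FileSystemRights]
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference
        Type      = $_.AccessControlType
        Read      = (($_.FileSystemRights -band $rightsType::ReadData) -ne 0)
        Write     = (($_.FileSystemRights -band $rightsType::WriteData) -ne 0)
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# Can the account running this script read and write the directory? Run it
# under the account MailSentry actually uses if that differs from your own.
$probe = Join-Path $StagingDir ("mailsentry-probe-{0}.tmp" -f [guid]::NewGuid())  # assumed name
try {
    Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
    $null = Get-Content -LiteralPath $probe -ErrorAction Stop
    Write-Host "OK: read/write access to $StagingDir"
} catch {
    Write-Warning "Access to $StagingDir is blocked: $($_.Exception.Message)"
} finally {
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
}
```

If the table shows broad groups such as Everyone or BUILTIN\Users with Write set, treat the directory as readable by every local account and decide whether that is acceptable for the mail content staged there; if the probe fails, the location has been restricted and MailSentry will not be able to process emails until access is restored.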
Type lets you define which type(s) of email to search for. The types are defined as follows:
Normal - Clean/Legitimate email delivered to the intended recipient(s)
Spam - Email detected by MailSentry email security as spam
Virus - Email detected containing virus & other malware by MailSentry
ATP - Email detected as containing Advanced Threats by MailSentry
SPF Block - Email detected as violating the defined Sender Policy Framework
Blacklisted - Email that is blacklisted by you or another administrator in MailSentry
Whitelisted - Email that is whitelisted by you or another administrator in MailSentry
Attach Block - Email blocked because of an attachment rule defined by you or another administrator in MailSentry
Status lets you define which email status to search for. The statuses are defined as follows:
Delivered - Clean/Legitimate email delivered to the intended recipient(s)
Quarantine - Email quarantined by Centium email security
Rejected - Email rejected by Centium email security
Queue - Email queued for delivery to your server