Attachment and URL Analysis

Fortra Cloud Email Protection is capable of analyzing attachments to messages and URLs in message bodies, and using the results of that analysis, in addition to identity intelligence, to determine the overall trust of a message.

There are two levels of malicious content analysis possible in Cloud Email Protection:

  • Basic collection of attachment information, such as name and file extension, which can be used in Search and Policy.
  • Scanning of attachments for indicators of malicious intent, to enhance scoring and message classification.

URL analysis will:

  • Extract URLs from:
    • The text/HTML MIME parts of messages, including base URLs from head sections.
    • Microsoft Office and Adobe Acrobat documents attached to messages.
  • Parse both http and https schemes.
  • Display URLs in message details views; those URLs are not clickable.
  • Identify URLs that use common URL shorteners and identify websites behind those URL shorteners.
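The following Python script is an added example written for this page; it is not Cloud Email Protection's own implementation and makes no claim about how the product performs the steps above. It walks a constructed sample message, collects URLs from the text/plain and text/HTML MIME parts, resolves relative links against a `<base href>` found in the HTML head, keeps only http and https schemes, and flags links whose host is on a constructed list of URL shorteners. Identifying the website behind a shortener needs a network request, so that step is not shown here.

```python
"""Added example: extract http/https URLs from the text parts of a message.

Illustrative code for this page, not the product's implementation. The
SHORTENER_HOSTS set and SAMPLE_MESSAGE are constructed sample data.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of shortener hosts; a deployment would maintain its own list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Plain-text URL pattern: http(s) scheme followed by non-delimiter characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect the first <base href> plus every href/src attribute in an HTML document."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            # The base URL is used for resolution only; it is not itself a link.
            if self.base is None and attrs.get("href"):
                self.base = attrs["href"]
            return
        for key in ("href", "src"):
            if attrs.get(key):
                self.refs.append(attrs[key])


def extract_urls(raw_message: bytes) -> list:
    """Return de-duplicated http/https URLs from text/plain and text/html parts, in order found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            # Relative links are resolved against <base href>; absolute links pass through unchanged.
            base = collector.base or ""
            candidates = [urljoin(base, ref) for ref in collector.refs]
        else:
            candidates = URL_RE.findall(body)
        for url in candidates:
            # mailto:, javascript: and unresolved relative paths are dropped here.
            if urlsplit(url).scheme.lower() in ("http", "https") and url not in found:
                found.append(url)
    return found


def is_shortened(url: str) -> bool:
    """True when the URL's host is on the (constructed) shortener list."""
    return urlsplit(url).hostname in SHORTENER_HOSTS


# Constructed sample message: a text/plain part and an HTML part with a <base href>.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: user@example.net
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your document: https://docs.example.com/report.pdf and http://bit.ly/abc123
--b1
Content-Type: text/html; charset="utf-8"

<html><head><base href="https://portal.example.com/"></head>
<body><a href="login/reset">Reset</a> <a href="mailto:help@example.com">Help</a>
<a href="http://bit.ly/abc123">Link</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_MESSAGE):
        print(url, "(shortener)" if is_shortened(url) else "")
```

The relative `login/reset` link is only recoverable as a full URL because the `<base href>` from the head section is applied, which is why the list above calls out base URLs separately from ordinary links.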

Using Attachment Analysis

Once attachment analysis is enabled, you can use its results in several ways.

Using Attachment Analysis Results in Search and Policy

You will notice a new option on your Analyze > Search Messages page. The same field will also appear in Manage > Policies when you want to create or edit a policy.

Searching for messages with an attachment.

If you are only collecting attachment name information, the following options will be available for you to search and set policy on:

  • has any attachments

  • has attachment name:

  • has attachment filename extension:

If you have enabled attachment scanning, all of the options will be available for search and policy.

Searching for attachments: with attachment scanning enabled.

NOTE: Wildcard matching and partial entries are not supported in attachment name searches; the name must match exactly. For example, "attachment name is 'foo.*.bar'" will not match "foo.banana.bar".

Attachment Scan Results

When attachment scanning is enabled, Cloud Email Protection uses the results of the scan in its scoring models and message classification models. For example, you will see the "Malicious Attachment" message classification in the Message Details, as shown below. (NOTE: Coming soon, you will also be able to expand the malicious attachment classification to see details on the malicious components that were detected.)

Attachment scanning results in the message details pane.

Details of the Attachment Scan

Cloud Email Protection attachment scanning is focused on identifying potentially malicious behaviors in document-based attachments. It is not a sandbox and does not try to force malicious code to execute.

Cloud Email Protection will unpack, de-obfuscate, and perform static analysis of the following types of files:

  • Archive file formats (zip, rar, tar, gz/gzip/tgz, bz2/bzip2/tbz2/tbz, cab)
  • Office files, PDF, MHTML, email files, image files, flat data files, RTF
  • Flash, video formats, JavaScript, VBA
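The following Python script is an added example written for this page, not Cloud Email Protection's scanner, and it does not attempt the static analysis described above. It illustrates the "basic collection" level from the start of the page (attachment name and filename extension) together with why unpacking archives matters: a file of interest may sit inside a zip rather than be attached directly. It also shows the exact-match "has attachment name" behaviour from the NOTE in the search section. Only zip is handled; the other archive formats in the list would need their own readers. The sample message, its attachment names and the MAX_DEPTH value are constructed for the example.

```python
"""Added example: collect attachment names and extensions, descending into zip archives.

Illustrative code for this page, not the product's implementation.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath
from typing import Optional

MAX_DEPTH = 3  # constructed limit: stop descending into deeply nested archives


def _record(name: str, container: Optional[str], records: list) -> None:
    """Append one record: the file name, its lower-cased extension, and the archive it came from."""
    extension = PurePosixPath(name).suffix.lower().lstrip(".")
    records.append({"name": name, "extension": extension, "container": container})


def _walk_zip(data: bytes, container: str, records: list, depth: int) -> None:
    """Record every file member of a zip, recursing into nested zips up to MAX_DEPTH."""
    if depth > MAX_DEPTH:
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a readable zip: the outer attachment record is kept, nothing more is added.
        return
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner_name = PurePosixPath(info.filename).name  # drop any directory prefix
            _record(inner_name, container, records)
            if inner_name.lower().endswith(".zip"):
                _walk_zip(archive.read(info), inner_name, records, depth + 1)


def collect_attachments(raw_message: bytes) -> list:
    """Return one record per attachment, plus one per file inside any zip attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    records: list = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        _record(name, None, records)
        if name.lower().endswith(".zip"):
            _walk_zip(part.get_payload(decode=True), name, records, 1)
    return records


def name_matches(records: list, wanted: str) -> bool:
    """Exact-match 'has attachment name' check; no wildcard or partial matching."""
    return any(r["name"] == wanted for r in records)


def extension_matches(records: list, ext: str) -> bool:
    """Case-insensitive 'has attachment filename extension' check."""
    return any(r["extension"] == ext.lower().lstrip(".") for r in records)


def build_sample_message() -> bytes:
    """Constructed sample: one PDF attached directly and one zip holding a .docm file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.docm", b"not a real document")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for record in collect_attachments(build_sample_message()):
        print(record)
```

Running the script lists report.pdf, docs.zip and then invoice.docm with docs.zip recorded as its container; a policy keyed on the extension docm would therefore still match even though the document was only present inside the archive, while `name_matches(records, "invoice.*")` returns False because patterns are not interpreted.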

Using URL Analysis

URL analysis is available in both message search and policy creation. In both cases, you can select Likely Malicious URL from the Attack Type drop-down list to be included in the search or policy filter.

Select this to include messages with likely malicious URLs in searches or policies.