Message Search

Cloud Email Protection includes a powerful, detailed message search capability. Not only can you search for specific message data, you can also search for message characteristics that Cloud Email Protection itself has identified.

One of the strengths of Cloud Email Protection is that message search isn't just a blank slate, nor is it just a starting place where you define each and every search criterion yourself. In many places, you can jump to a message search results page with one or more search criteria pre-defined. For example, if you start on the Dashboard, click Domain Spoofs, and then click Show Messages, you'll be taken to a message search results page with the following criteria pre-defined:

  • Date range: The range you have set on the Dashboard page
  • Attack Type: Domain Spoof
  • Trust Score Range: 0.0 to 5.1

When a search has been run, fields that were used for the search are outlined in orange.

This topic explains all of the fields on the Search Messages>Filters page.

NOTE:

Active Content and QR Code are available only if your organization is configured for Cloud Gateway.

Content

From, To, Reply-To, Subject

These are all collected from the respective fields in message headers when messages are ingested by Cloud Email Protection. Enter all or part of any email address or subject line. The search for these fields is a partial, case-insensitive match. For example, if you enter "pens" in the Subject field, messages with subjects such as "Shop My Etsy Pens Store," "That's too expensive for me," and "Please buy some pens from Amazon" will all be found.

  Limited to 100 characters.

Sending Domain

Enter one or more sender domains, separated by commas. Messages that match any of the domains will be found in a search.

  Limited to 100 characters.

IP Address

Enter a single IP address or CIDR range. Messages that contain the IP address (or an address within the CIDR range) will be found in a search.

  Limited to 100 characters.

Scoring

Trust Score Range

This defines the upper and lower bounds of the Trust Score of messages that will be found in a search, including the values you select. Drag the lower and upper bound sliders to change the range.

Attack Type

Click in the field to select one or more attack types. Messages that match any of the selected attack types will be found in a search.

Authenticity Score Range

This defines the upper and lower bounds of the Authenticity Score of messages that will be found in a search, including the values you select. Drag the lower and upper bound sliders to change the range.
Message ID

Enter a single message ID in this field to search for a specific message in Cloud Email Protection that matches the message ID.

  Limited to 100 characters.

Matched Policy

This defines a single policy that a message must have been enforced on to be found in a search. The list of policies that you can choose from includes all policies in Cloud Email Protection: enabled (and active), disabled, and on-demand policies (see On-demand Policies).

Enforcement

This defines whether a message has been enforced by any policy, and how. Select one option from:

  • All Messages (default) - Messages that were enforced in any way.
  • Pending - Messages that match a policy where enforcement is defined but the enforcement has not happened yet.
  • Moved to Inbox
  • Enforced - Messages that have been enforced by policy. Sub-categories of enforcement can also be selected:
    • Moved (to any folder)
    • Move to default Junk Folder
    • Deleted
  • Enforcement failed - Messages that matched a policy with an enforcement action but were not enforced by the policy. This is usually because the Microsoft enforcement API returned an error.
  • Enforcement not attempted - Messages where enforcement was never attempted. This could be because the message matched no policies or because the message matched a policy without an enforcement action. This search parameter is useful for finding messages to enforce with on-demand policies.

Hostname

Enter a single hostname (the PTR record of an IP address). Messages that contain the hostname will be found in a search.

  Limited to 100 characters.

Search Skipped Messages

Skipped messages are messages that are not scored in the data pipeline and are not matched by policies or CDRs. Messages may be skipped based on your Processing Exception configurations, or by default if the Microsoft SCL score is >= 5 or if the data pipeline determined the message is not valid for some other reason.

Contains Active Content

Enable to search for messages containing active content.

Contains QR Code

Enable to search for messages containing a QR code.

Received between

This defines the date range within which to search for messages.

Domain Reputation Range

This defines the upper and lower bounds of the Domain Reputation of messages that will be found in a search, including the values you select. Drag the lower and upper bound sliders to change the range.

IP Reputation Range

This defines the upper and lower bounds of the IP Reputation score of messages that will be found in a search, including the values you select. Drag the lower and upper bound sliders to change the range.

Attachment

This field is available only when attachment scanning is enabled in organization settings (see Organization Settings), and has 5 options:

  • has any attachment - Finds any messages with any attachment.
  • has a likely malicious attachment - Finds any messages with at least one attachment that Cloud Email Protection has determined to be likely malicious.
  • has attachment name - Finds messages with attachment file names that contain all or part of what is entered in this field. As with other text search fields, this is a partial, case-insensitive match.
  • has attachment filename extension - Finds messages with attachment file names that have any of the entered extensions. A file name extension is the part of a file name that follows the rightmost period. Enter one or more extensions, separated by commas. As with other text search fields, this is a partial, case-insensitive match. For example, if you enter PROP, it will find a file named system.properties.
  • has an attachment hash of - Finds messages with an attachment whose hash equals the entered hash. A hash is produced by a cryptographic algorithm to uniquely identify the contents of a file. If any change is made to a file, the hash produced for that file changes, usually significantly, so comparing the original and current hashes makes it easy to tell whether a file has changed. This is a full, case-sensitive match.

  Limited to 100 characters.
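To make the matching rules described for the text, IP Address and Attachment filters concrete, here is an added example (not part of Cloud Email Protection or its documentation) that applies the same rules to constructed sample messages: partial case-insensitive text matching, IP or CIDR membership, extension matching on the text after the rightmost period, and exact case-sensitive hash matching. The Message class, run_filter helper and all sample values are assumptions made for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Message:
    """Constructed stand-in for the message metadata a search filter runs over."""
    subject: str
    sender_ip: str
    attachments: list  # list of (filename, sha256 hex digest) pairs


def subject_matches(msg: Message, needle: str) -> bool:
    """Subject/From/To/Reply-To rule: partial, case-insensitive substring match."""
    return needle.lower() in msg.subject.lower()


def ip_matches(msg: Message, ip_or_cidr: str) -> bool:
    """IP Address rule: a single address or a CIDR block, tested by membership."""
    net = ipaddress.ip_network(ip_or_cidr, strict=False)  # a bare IP becomes a /32
    return ipaddress.ip_address(msg.sender_ip) in net


def extension_matches(msg: Message, extensions: str) -> bool:
    """Extension rule: the text after the rightmost period, compared partially and
    case-insensitively against a comma-separated list ('PROP' finds 'system.properties')."""
    wanted = [e.strip().lower() for e in extensions.split(",") if e.strip()]
    for name, _ in msg.attachments:
        if "." not in name:
            continue  # no period means no extension, so it cannot match
        ext = name.rsplit(".", 1)[1].lower()
        if any(w in ext for w in wanted):
            return True
    return False


def hash_matches(msg: Message, digest: str) -> bool:
    """Hash rule: full, case-sensitive equality, so a re-cased digest does not match."""
    return any(h == digest for _, h in msg.attachments)


def run_filter(messages: list, predicate) -> list:
    """Return the subjects of the messages a predicate selects (the result set)."""
    return [m.subject for m in messages if predicate(m)]


# Constructed sample messages; hashes are computed over constructed bytes, not real files.
SAMPLE_HASH = hashlib.sha256(b"constructed sample attachment").hexdigest()
OTHER_HASH = hashlib.sha256(b"another constructed attachment").hexdigest()
MESSAGES = [
    Message("That's too expensive for me", "203.0.113.7", [("system.properties", SAMPLE_HASH)]),
    Message("Quarterly report", "198.51.100.9", [("README", OTHER_HASH)]),
]
```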

Domain Tags

Click in the field to select one or more domain tags. Messages that match any of the selected domain tags will be found in a search.

Direction

This defines the directionality of a message. Click in the field to select one or more directions, from:

  • Inbound - Messages that were sent into your organization from somewhere outside your organization. In the Direction column, these messages are indicated with an icon.
  • Outbound - Messages that were sent from within your organization to somewhere outside your organization. In the Direction column, these messages are indicated with an icon.
  • Internal - Messages that started and ended within your organization. In the Direction column, these messages are indicated with an icon.