General

Share

Is this article helpful?

Last updated:

Defend - FAQs

General

  • The goals include the following:
    • Stop sophisticated inbound attacks.
    • Educate and empower users.
  • Yes, the servers that automatically process emails are cloud-based.
  • Defend will scan and implement teachable moments for inbound emails, and data is displayed in the Defend admin console. For outbound emails, we process the emails to remove teachable moments, and we store relationship data to reference when the outside contact emails the user again.
  • Cloud-based email, such as Microsoft 365, is required for Defend to function properly. G Suite is not supported.
  • No, the analysis is performed in real time and will not slow down the functionality of your email.
  • BitDefender is integrated into Defend and is active for all customers.
  • Yes, some blue teachable moments can be turned off in the admin console.
  • Yes.
  • When Defend says an email is bad, but it's actually a clean, non-malicious email.
  • When a bad email is sent and Defend doesn't detect it.
  • Defend is initially run in silent mode to help the Defend console learn and understand user behavior and sending patterns.
  • If you do not want a specific user's emails processed by Defend, ensure that their email address is not in the Defend user group.
  • Notifications can be enabled in the Defend console.
  • This action does not affect future emails because there's capacity for user error.

Detection

  • Yes.

  • The logic is non-linear. It takes in many factors, including:

    • Sending address
    • Authentication results
    • Mail route
    • Links
    • Link text
    • Language
    • Intro
    • Sign off
    • Obfuscation techniques
    • Images

    These are all weighted against each other to determine if an email is an impersonation attempt.

  • Yes, this feature is a setting controlled in the Defend console.
  • Yes, this feature is a setting controlled in the Defend console.
    • Links
    • Destination of links and if they are on any blocklists
    • Link text for any coercive language
    • URL for malicious information
    • File type
    • File name
    • Obfuscation of the file extension
    • Anti-virus scan
    • Javascript scan
    • Comparison against malware hashes
    • Bit-Defender

Configuration

  • Defend is fully configured on a customer's Microsoft 365 tenancy and does not require any configuration of a SEG (Secure Email Gateway). Configuration includes the following items:
    • Mail flow rules
    • Send or receive connectors
    • Distribution group
    • Adding an accepted domain
    • Accepted domains
    • Remote domains
    • Connectors
    • Public DNS information
  • When you add your domain to Microsoft 365, it's called an accepted domain. The functionality of an accepted domain means that users in this domain can send and receive mail.
  • Seven weeks.
  • Any user that is part of the Defend user group distribution list.
  • Yes, silent mode is still useful for ironing out any teething issues that might be experienced.
  • There is an additional mail flow hop, but this is negligible. We process a large percentage of emails within a second.

Security Center

  • Email metadata such as sender, recipients, subject line, timestamp, and message ID, along with details of the analysis that the software has done.

    For up-to-date information, see the Data Processing Addendum on egress.com/legal.

  • This means the email is likely a phish.
  • 40 days.
    • User: A user mailbox
    • Linked User: A mailbox linked to a user account in another forest
    • Shared: A shared mailbox
    • Other: A mailbox that could be a meeting room
    • Processing: A mailbox that is loading or still being calculated

  • If you add an allow list entry with no authentication, then attackers could easily spoof the address, and it would bypass Defend.

    To maintain the security of the email system, it is advised that allow list entries be created with the maximum amount of authentication possible. Allow lists should ideally be temporary.

  • The email goes to the user's deleted items folder.
  • The ability to create allow or deny list entries.
  • Yes, the Defend console dashboard shows real time and past statistics.

Teachable Moments

  • You can only decide when teachable moments are shown and whether they are formatted as inserted images or HTML.
  • No.
  • No.
  • Chinese (Mandarin) Simplified, Dutch, English, French, French Canadian, German, Hungarian, Italian, Japanese, Norwegian, Portuguese, Portuguese (Brazil), Spanish , and Spanish (Latin America).
  • If Microsoft quarantines the email before it gets through Defend, it won't include teachable moments. However, if the email bypasses Microsoft upon entry into your environment and does reach Defend, it will include teachable moments and then sent to quarantine.

Link Scanning or Rewriting

  • When rewriting URLs, Defend looks at three key things to determine if a particular link is bad. First, we check existing block lists, and then we look at the age of the domain. The number of hops and locality of each hop to reach the end destination are also analyzed.
  • No.
  • Yes. However, the end URL does not get rewritten.

Was this article helpful?

2 out of 2 found this helpful

Can't find what you're looking for?

Contact Support