Skip to main content
Email Protection
Updated over a month ago

What is Email Protection?

Many cyber attacks on companies start with malicious emails. Relying on default security from cloud email providers can leave the company vulnerable to cyber attacks exploiting the weak point of human nature and a lack of thorough email protection.

Emails are one of the most efficient vectors attackers use because almost every company uses email, and usually, every employee receives many emails daily.


Email security threats:

Phishing

Hackers use phishing to trick people into giving away sensitive information, such as passwords or credit card details, by posing as a trustworthy entity or person.​​ They also gather information about businesses to draft personalized and convincing messages that are more likely to succeed on a person or a group of users within a company.

Malware

Malware is any program or code designed to harm or exploit computer systems, including viruses, worms, Trojans, and other types of malicious software. Email is an ideal delivery mechanism for malware. Malware can be attached directly to an email or embedded in documents shared as attachments or via cloud-based storage. Once installed on a computer, malware may steal sensitive information or encrypt a user’s files.

Ransomware

This malware encrypts a victim's files or data and demands payment in exchange for the decryption key, often causing significant damage to businesses.

Spoofing

Hackers disguise themselves as someone's identity to gain unauthorized access to private files.

Guardz Email Protection Capabilities

Guardz uses an API-based approach to email protection.

When integrated with Microsoft, a journaling rule is created, which directs sent and received emails from the tenant to Guardz. Based on this, we can scan the emails that were received as soon as they're received (outgoing emails will be ignored). The emails are saved for the purpose of scanning by multiple tools, and when processing is complete, they are deleted.

When integrated with Google, Guardz subscribes to the "events" and performs scans based on that.

When integrated with Google, we'll subscribe to the "events" and perform the scan based on that.

We utilize the following capabilities when mail has been delivered to a user inbox:

  • Scan users’ mailboxes

  • Scan group/shared mailboxes

  • Virus filtering

  • Suspicious attachments filtering

  • Quarantine risky emails

  • Block/Allow senders and domains

  • AI-Enhanced Scanning

  • And more

AI-Enhanced Scanning

Leveraging AI threat detection improves the accuracy of risk identification and categorization. Suspicious emails are scanned to differentiate between spam and real threats such as phishing, scams, etc., and to add some context around why the email was flagged. Emails will be tagged with a threat type, and each detection will provide a reason. "Threats" and "Reasons" will be included in the following areas of the platform:

  • Detection & Response page (for admins)

  • Caution banner (for users)

  • Quarantine notification (for users)

  • User portal (for users)

Email Protection Settings

The email protection settings can be found in the Security Controls > Email Protection and can be changed based on the needs and preferences of the customer. Here, you can configure how emails are scanned and handled. These are the areas of the security control:

Email Scan:

Here you can activate or deactivate Impersonation Detection.

  • Impersonation Detection - Impersonation Detection verifies if the sender's alias resembles any user within your company. When this setting is turned on, its primary function is to identify and prevent impersonation attempts, malicious emails, phishing, or targeted attacks from seemingly known sources. One such logic behind this feature is to detect mismatches between the sender’s alias and email address and flagging the email as suspicious.

Spam Detection

Spam Detection Toggle: Under the "Email Protection Scan" section, you'll find a new "Spam Detection" option. You can now easily toggle spam detection on or off. Disabling it means that new issues won't be generated.

Emails that are categorize as spam will be treated according to the organization’s configuration in "Email Protection" security control. There is also an option to configure spam emails to be automatically moved to the spam folder.

Note: Issues created for emails categorized as spam will be under a different section in the Issues page.

Customizable Spam Handling: You can decide how to handle detected spam emails. Choose from:

  • Add a banner and move the email to the junk/spam folder (Recommended).

  • Add a banner and quarantine the email.

  • Add a caution banner to the email.

Caution Banner and Quarantine:


Users will see a banner at the top of the email, warning them that the email contains suspicious content.

  • Users can take the following actions:

    • Mark as Safe - The email will be marked as safe, and the issue with this email address will be resolved.

    • Report and Delete - The email address will be reported to Guardz, the issue related to this email address will be resolved, and the email will be deleted.*

      *In Google, it will move the Trash folder, and in Microsoft will be deleted forever.

Quarantine - Emails will be removed from the inbox and sent to the "quarantine zone." Quarantined emails are permanently deleted after the retention period. Admins can adjust the retention period including several days before deletion.

To review quarantined emails by threat level in the platform navigate to "Detection and Response" then filter by the "Email Protection" security control, and switch the view to "Inbox."

The action that is taken for emails at each risk level can be adjusted in the Caution Banner and Quarantine settings.

These are the risk levels and action options for each (note that high risk emails require an action):

  • High risk: Caution banner or quarantine

    • High risk emails introduce potentially serious threats into an organization and should be treated with strict security whenever possible. Quarantine is the suggested way to handle such emails.

  • Medium risk: No action or caution banner or quarantine

    • Medium risk emails are identified as a potential threat but the organizations tolerance for risk should be balanced with the potential of some false positives. Use of the caution banner is the recommended action.

  • Low risk: No action or caution banner

    • Low-risk emails are marked by a lower confidence that they are malicious and have a higher likelihood of being false positives or spam. No action or a caution banner is recommended.

  • Admin-Only Quarantine:

    • In the Advanced area of the Caution Banner and Quarantine settings, you can toggle on and off Admin-Only Quarantine. This setting limits quarantine email management to admins only. Users will no longer see quarantine notifications or have access to the quarantine zone. Only admins can view, release, or delete quarantined emails.

💎 Tip: From the All Customers View (MSP view), you can configure email protection settings to be global settings. These settings will be applied to all of your customers at once. You can override global settings for individual customers in their specific email protection settings (Single Customer View).


Email Quarantine and the User Portal:

The quarantine function will detect suspicious emails and relocate them into the “quarantine zone.” Then, an alert email will be sent to the end user to allow them to review the email in the user portal and take action as needed:

  1. Quarantine Notification email:

    When a risky email has been quarantined, it is removed from the mailbox, and the employee will receive a notification from Guardz in its place.

    In the body of the notification email, the user can view the email metadata details such as:

    • From email

    • To email

    • Subject

    • Date and time

    • Attachments (if any)

    The Review button will redirect the user to the User Portal.

  2. User Portal for Quarantined emails:

    If the user believes the quarantined email may be legitimate, they can click 'Review' in the notification email to see the email in the User Portal and take action.

  3. Take action on quarantined emails:

    Users can decide on the following actions from the quarantine list:

    • Restore: The email will be delivered to the inbox, resolving the issue.

    • Trash: The email will be deleted and won’t reach the inbox, resolving the issue.

Note:
Once a user restores or trashes a quarantined email, it will no longer be visible in the User Portal. Quarantined emails are automatically deleted after the retention period if no action is taken.

Sender Allow List and Block List

Admins can manually add specific email addresses or domains to the Allow List to ensure that all emails from that sender/domain are marked as safe, with no banner or quarantine. Similarly, email addresses or domains can be added to the Block List, ensuring that all emails from that sender/domain are blocked.

Senders Allow List

Adding to Allow List

Email File Type Filtering

Use Email File Type Filtering to block or unblock specific file types for each customer. This management capability is found in Security Controls > Email Protection > Block List. The block/unblock list for files can also be adjusted based on domain or address.

Key Highlights

  • Customizable File Type Blocking: Users can block or allow specific file types, such as WAV files, to tailor email security policies to their customers’ needs.

  • Global and Per-Customer Control: File type filtering can be managed at the global MSP level, but administrators can override these settings per customer.

Email Issue Handling

When viewing email issues, we recommend using the table view dropdown for better clarity:

  • Default View :

    Shows all issues across modules, types, and statuses, excluding "info" level severity (such as quarantined emails).

  • Quarantine View :

    Displays all quarantined emails with relevant columns for efficient handling.

  • Email View:

    Focuses on email-related issues (suspicious & quarantined), with columns tailored to email handling.

Admins can filter email issues by:

  • Sender, recipient, or subject

  • Threat type (e.g., virus, spam)

  • Risk score range

Email Issues and Remediations:

Email-related issues will notify of a risky email, and the risk score will determine its severity. Remediations can be applied to specific emails or senders.

  • To handle an issue, the user can choose to act on a single email or select multiple at the same time and then apply the same remediation to all of them.

  • To use the bulk operation, make sure the issues are from the same type and the status is not ‘closed.’

  • The admin will see the action details if the user remediates a quarantined email from their user portal.

    If the admin chooses to delete a quarantined email, when the end user enters the User Portal, they will be presented with a popup explaining the Admin's action.

Threat Management:

  • "Spam Emails" Issue Type: A new issue type, "Spam Emails," has been added to recognize unwanted spam emails that do not reach the risk threshold but are typically unwanted. An info-level issue will be generated under this type.

  • Admin Notifications: Admins who do not wish to receive alerts for spam-related issues can adjust their notification settings to avoid alerts for Info-level issues under My Profile -> Email Notification Settings.


FAQ Email Protection

  • Question: Will enabling Email Protection only enable it for activated users or everyone

    • 📍Answer: Yes, when you enable Email Protection, it'll impact all users with an active Guardz license.

  • Question: How can I test that the email protection is working?

    • 📍Answer: To test the email experience, follow these steps:

      • Make sure not to send it from an already whitelisted domain/sender (you can use your private email address as the sender).

      • Set the "Customer Facing Contact Info" in Main Menu > Organization Setting of your MSP tenant to reflect your contact info.

      • Put the following string in the body of the test email - uvKg0AcTmTFbTP1ANDJa.

  • Question: Can regular/private email accounts be protected?

    • 📍Answer: No, Guardz can only protect email accounts pulled from the connected business's primary directory. There is no option to protect private email addresses.

  • Question: What happens if I turn off the Spam Detection Toggle?

    • 📍Answer: If you turn off the Spam Detection Toggle under the "Email Protection Scan" settings, new spam-related issues will not be generated. However, this will not affect any other email protection features, such as phishing or malware detection.

  • Question: Can I customize how spam emails are handled for specific customers?

    • 📍Answer: Yes, under Customizable Spam Handling, you can choose different actions for spam emails, such as moving them to the junk folder, quarantining them, or adding a caution banner. These settings can be applied globally or tailored for individual customers from the All Customers View (MSP view) or the Single Customer View.

  • Question: I'm getting an error when trying to add a domain to the blocklist.

    • 📍Answer: here are two types of domains that cannot be blocklisted due to potentially harmful consequences:

      1. Your organization's own domains (to avoid any internal communication issues).

      2. External domains, as blocking them could be too broad and disruptive.

      For example, if you block a domain like Gmail, no emails from Gmail will be received, which could be problematic.

      If you still need to block specific emails, it’s recommended to block individual email addresses rather than entire domains, as this will have less impact on overall communication.

  • Question: Where can I find the emails in quarantine?

    • 📍Answer: Quarantined emails may be categorized under "Info" severity. To locate them, go to the Emails issues section and ensure you check the "Info" severity filter, as it’s unchecked by default. You can then search by sender, recipient, or subject.

Did this answer your question?