4 Methods for Reducing Excessive Customer Monitoring Email Alerts

Monitoring and alert notifications are the bread and butter of Managed Service Providers. Without a proper monitoring solution in place, a Managed Service Provider would find it almost impossible to manage their clients’ IT infrastructure. Naturally, with monitoring come email alerts. And the more you monitor, the more email alerts you will have to put up with, right?

Wrong.

I recently penned a new Altaro eBook on the subject of monitoring, and while the book was about MSP monitoring more holistically, I wanted to pair it with a blog post that specifically talked about handling excessive alerts as well. So if you want to know more about boosting your MSP through monitoring, read the free eBook Best Practices for Mastering MSP Customer Monitoring.

Moving on, there are many monitoring solutions out there that allow MSPs, as well as their clients, to receive notifications via automated ticket creation, emails, phone, or text. These options are all great and very critical to providing outstanding service to clients. However, there is a finite limit to how many different alerts and notifications can occur at one time before they start to lose their benefit and just become “noisy alerts”. 

The human brain can only focus on so much in one day, and spamming employee inboxes with multiple daily alerts for every little issue for every client starts to become overwhelming, and the truly important alerts become easily missed. MSPs need to limit the amount of email spam to ultimately be successful.

How to Reduce Excessive Customer Monitoring Email Alerts


Out of all the places I’ve worked in IT, the number one thing they all have in common is an extremely massive amount of email alerts. When starting a new IT job at a company, one of the very first tasks everyone does is to create filters for their email alert spam. With the number of email alerts that typically flow through each day, it’s too much to have them go to the main inbox. 

Other, non-alert-related emails are then easily missed. The unfortunate trade-off is that once alerts go to a separate email folder, they too are easily missed unless that folder is checked continuously. MSPs can help reduce email alerts by using the following 4 guidelines:

Method 1 – Use Dashboards Where Possible


Not every alert needs to come via email. In many cases, a dashboard should be used to convey alerts to personnel instead. For example, we don’t need to get spammed on a client “disk space” report every day. Instead, make a dashboard that the operations team can review daily and solve the issues. This type of alert makes much more sense and prevents the IT staff from creating inbox filters or deleting such emails every day.

For the helpdesk, dashboards can be used for providing ticketing metrics and client outages. There are many monitoring software solutions out there that provide dashboard capabilities. I also highly recommend looking into the PowerShell Universal Dashboard, as it allows MSPs to create their own dashboards and integrate them with other applications’ APIs to essentially provide one single pane of glass for multiple applications. Be sure to check out one of our previous posts that explains how to get started with the PowerShell Universal Dashboard. A simple example with code and screenshot from our how-to post on PUD is shown below:

Dashboard
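As an added example of the dashboard approach described above (this is not the code from the original post or from the PUD project), here is a minimal disk-space dashboard built with the UniversalDashboard.Community 2.x module. It assumes that module is installed (`Install-Module UniversalDashboard.Community`), runs on the server it monitors, and uses names (`Get-DiskSpaceStatus`, `$FreeSpaceWarnPercent`, port 10001) that are this example’s own choices:

```powershell
# Added example, not from the original post. Assumes UniversalDashboard.Community 2.x.
Import-Module UniversalDashboard.Community

# Volumes with less free space than this are flagged on the board instead of e-mailed.
$FreeSpaceWarnPercent = 15

# Collects fixed-disk (DriveType 3) capacity and free space for the local machine.
function Get-DiskSpaceStatus {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
        ForEach-Object {
            $pct = if ($_.Size -gt 0) { [math]::Round(($_.FreeSpace / $_.Size) * 100, 1) } else { 0 }
            [pscustomobject]@{
                Drive       = $_.DeviceID
                SizeGB      = [math]::Round($_.Size / 1GB, 1)
                FreeGB      = [math]::Round($_.FreeSpace / 1GB, 1)
                FreePercent = $pct
                Status      = if ($pct -lt $FreeSpaceWarnPercent) { 'WARNING' } else { 'OK' }
            }
        }
}

# UD 2.x runs -Endpoint blocks in separate runspaces, so functions and variables defined
# in this script must be handed to them explicitly; forgetting this yields empty widgets.
$Init = New-UDEndpointInitialization -Function @('Get-DiskSpaceStatus') -Variable @('FreeSpaceWarnPercent')

$Dashboard = New-UDDashboard -Title 'Server Health' -EndpointInitialization $Init -Content {
    New-UDRow -Columns {
        New-UDColumn -Size 4 -Content {
            # Headline number the ops team can glance at each morning; refreshes every 60 s.
            New-UDCounter -Title 'Volumes below threshold' -AutoRefresh -RefreshInterval 60 -Endpoint {
                @(Get-DiskSpaceStatus | Where-Object { $_.Status -eq 'WARNING' }).Count
            }
        }
        New-UDColumn -Size 8 -Content {
            # Detail table that replaces the daily "disk space" e-mail.
            New-UDTable -Title 'Disk space' -Headers @('Drive', 'SizeGB', 'FreeGB', 'FreePercent', 'Status') `
                        -AutoRefresh -RefreshInterval 60 -Endpoint {
                Get-DiskSpaceStatus | Out-UDTableData -Property @('Drive', 'SizeGB', 'FreeGB', 'FreePercent', 'Status')
            }
        }
    }
}

# Serves the board at http://localhost:10001 until the process is stopped.
Start-UDDashboard -Port 10001 -Dashboard $Dashboard
```

The threshold and refresh interval are the knobs to tune; the point of the design is that a volume under 15 % free shows up as a number and a red row on a page someone reviews daily, not as one more message in an inbox filter.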

Method 2 – Only Send Alerts to Those Who Need Them


Email alerts should only be sent to the teams that are responsible for dealing with them. Don’t send email alerts on low disk space to the Network Engineers that only deal with telcos, routers, firewalls, and switches. Rarely should an email alert get sent to the entire engineering department. Emails can be hard enough to keep up with as it is. Reduce this by keeping the email alerts that IT staff receive relevant to their roles and responsibilities.

Properly labeled and maintained distribution groups play a key role in this step.

Method 3 – Reduce E-Mail Reports


On the operational side, it’s very easy to go report crazy. We want our daily reports on metrics like low disk space on servers, VMs that are showing high CPU utilization, hypervisors that are over-utilized, etc. These are all very important metrics to monitor and keep track of; however, the number of “daily reports” emailed to teams can start to build up quickly. Instead of just adding another “daily report” to email, combine reports where they fit. For example, make a “Server Health” report covering all of the important metrics mentioned previously in just one email.

Not only should MSPs look for ways to combine their email reports in a single email, but also to send their email reports out only if there is an issue that needs to be visible. We don’t need a daily email report that shows all of our servers are in good health, that’s what a dashboard is for. Alert the team only when they need to be alerted.

For example, look at one of my previous posts on using PowerShell with HTML to mail out server storage information. You could easily add other metrics into a report like this with similar syntax, which can prove valuable.

Method 4 – Mute Alerts During Maintenance


This one is big. I’ve seen it often where engineers are doing maintenance and forget to “mute” alerts. Now the entire department gets a flurry of email alerts due to monitored components being down. Some people start looking into the outage alerts and end up wasting their time to discover that it’s just a scheduled maintenance event where the alerts are not muted. 

No matter what monitoring system is in place, this always happens. MSPs need to have processes in place that prevent these situations from happening. Have a monitoring system in place that allows engineers to mute their alerts ahead of time for a one-time schedule, or ensure all staff are proficiently trained on how to properly mute unnecessary alerts. Believe it or not, I’ve seen instances where these steps were forgotten, and needless alerts were created.
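Methods 3 and 4 together describe one piece of logic: collect the metrics, keep only the ones that breach a threshold, drop anything that belongs to a host inside a declared maintenance window, and send a single combined email only if something is left. The script below is an added example of that logic and is not from the original post; the metric samples and the maintenance window are constructed data standing in for whatever your monitoring tool exports, the SMTP settings are placeholders, and all function names are this example’s own:

```powershell
# Added example, not from the original post. Sample data is constructed.

# Constructed sample metrics (in practice, pull these from your RMM / monitoring API).
$Metrics = @(
    [pscustomobject]@{ Client = 'Contoso';  Host = 'SQL01'; Metric = 'DiskFreePercent'; Value = 7 }
    [pscustomobject]@{ Client = 'Contoso';  Host = 'FS01';  Metric = 'DiskFreePercent'; Value = 42 }
    [pscustomobject]@{ Client = 'Fabrikam'; Host = 'HV02';  Metric = 'CpuPercent';      Value = 96 }
    [pscustomobject]@{ Client = 'Fabrikam'; Host = 'HV02';  Metric = 'DiskFreePercent'; Value = 3 }
    [pscustomobject]@{ Client = 'Fabrikam'; Host = 'APP01'; Metric = 'CpuPercent';      Value = 35 }
)

# Only threshold breaches are worth an e-mail; Direction says which side of the limit is bad.
$Thresholds = @{
    DiskFreePercent = @{ Limit = 10; Direction = 'Below' }
    CpuPercent      = @{ Limit = 90; Direction = 'Above' }
}

# Maintenance windows ("mutes") declared ahead of time, one per host, with the change ticket.
$MaintenanceWindows = @(
    [pscustomobject]@{ Host = 'HV02'; Start = (Get-Date).AddHours(-1); End = (Get-Date).AddHours(3); Ticket = 'CHG-PLACEHOLDER' }
)

# True when the host is inside a declared window at the given time.
function Test-InMaintenance {
    param([string]$ComputerName, [datetime]$At = (Get-Date))
    foreach ($w in $MaintenanceWindows) {
        if ($w.Host -eq $ComputerName -and $At -ge $w.Start -and $At -le $w.End) { return $true }
    }
    return $false
}

# Reduces raw samples to the breaches that are not muted.
function Get-HealthIssues {
    param([object[]]$Samples)
    foreach ($s in $Samples) {
        $t = $Thresholds[$s.Metric]
        if (-not $t) { continue }                                  # unknown metric: nothing to compare against
        $breached = switch ($t.Direction) {
            'Below' { $s.Value -lt $t.Limit }
            'Above' { $s.Value -gt $t.Limit }
        }
        if (-not $breached) { continue }
        if (Test-InMaintenance -ComputerName $s.Host) { continue }  # muted: scheduled work in progress
        [pscustomobject]@{ Client = $s.Client; Host = $s.Host; Metric = $s.Metric; Value = $s.Value; Limit = $t.Limit }
    }
}

# One "Server Health" mail, and only when there is something to act on.
function Send-ServerHealthReport {
    param([switch]$DryRun)
    $issues = @(Get-HealthIssues -Samples $Metrics)
    if ($issues.Count -eq 0) {
        Write-Verbose 'All servers healthy; no e-mail sent (that is what the dashboard is for).'
        return
    }
    $body = $issues | Sort-Object Client, Host |
        ConvertTo-Html -Title 'Server Health' -PreContent "<h2>Server Health: $($issues.Count) issue(s)</h2>" |
        Out-String
    if ($DryRun) { return $body }
    # Placeholder mail settings; Send-MailMessage still ships with Windows PowerShell 5.1.
    Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'monitoring@example.invalid' `
        -To 'ops-team@example.invalid' -Subject "Server Health: $($issues.Count) issue(s)" `
        -Body $body -BodyAsHtml
}

# With the sample data: SQL01's disk breaches the limit and is reported; HV02 breaches twice but
# sits inside its maintenance window, so both are muted. The report contains exactly one row.
Send-ServerHealthReport -DryRun
```

Run it with `-DryRun` first to see the HTML that would go out; remove the switch and fill in the SMTP placeholders to actually send. The maintenance-window table is the part worth wiring into your change process, so that opening a change ticket is what creates the mute rather than an engineer remembering to do it.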

Wrap Up


Email alerts are an absolute must for MSPs to be successful. However, MSPs need to be careful not to cause “email alert numbness” in the IT staff: too many daily email alerts risk letting critical issues slip through the cracks.

Managing Mailbox Retention and Archiving Policies in Microsoft 365

Microsoft 365 (formerly Office 365) provides a wide set of options for managing data classification, retention of different data types, and archiving data. This article will show the options a Microsoft 365 administrator has when setting up retention policies for Exchange, SharePoint, and other Microsoft 365 workloads and how those policies affect users in Outlook. It’ll also cover the option of an Online Archive Mailbox and how to set one up.

How To Manage Retention Policies in Microsoft 365


There are many reasons to consider labeling data and using retention policies. But before we discuss these, let’s look at how Office 365 manages your data in the default state. For Exchange Online (where mailboxes and Public Folders are stored if you use them), each database has at least four copies spread across two data centers. 

One of these copies is a lagged copy, which means the replication to it is delayed to provide the option to recover from a data corruption issue. In short, a disk, server, rack, or even data center failure doesn’t mean you lose your mailbox data.

Further, the default policy (for a few years now) is that deleted items in Outlook stay in the Deleted Items folder “forever” until you empty it, or they are moved to an archive mailbox. If an end user deletes items from their Deleted Items folder, they’re kept for another 30 days (as long as the mailbox was created in 2017 or later), meaning the user can recover them by opening the Deleted Items folder and clicking the link.

Where to find recoverable items in Outlook

This opens the dialogue box where a user can recover one or more items.

Recovering deleted items in Exchange Online

If an administrator deletes an entire mailbox, it’s kept in Exchange Online for 30 days, and you can recover it by restoring the associated user account. Additionally, it’s also important to realize that Microsoft does not back up your data in Microsoft 365. Through native data protection in Exchange and SharePoint Online, they ensure they’ll never lose your current data, but if you have deleted an item, document, or mailbox for good, it’s gone. There’s no secret place where Microsoft’s support can get it back from (although it doesn’t hurt to try), hence the popularity of third-party backup solutions such as Office 365 Backup.

Litigation Hold – the “not so secret” secret


One option that I have seen some administrators employ is to use litigation or in-place hold (the latter feature is being retired in the second half of 2020), which keeps all deleted items in a hidden subfolder of the Recoverable Items folder until the hold lapses (which could be never if you make it permanent). Note that you need an E3 or Exchange Online Plan 2 for this feature to be available. This feature is designed to be used when a user is under some form of investigation and ensures that the user cannot purge evidence; it’s not designed as a “make sure nothing is ever deleted” policy. However, I totally understand the job security it can bring when the CEO is going ballistic because something super important is “gone.”

Litigation hold settings for a mailbox

Retention Policies


If the default settings and options described above don’t satisfy the needs of your business or regulatory requirements, the next step is to consider retention policies. A few years ago, there were different policy frameworks for the different workloads in Office 365, showing the on-premises heritage of Exchange and SharePoint. Thankfully, we now have a unified service that spans most Office 365 workloads. Retention in this context means the data can’t be deleted until the retention period expires.

There are two flavors here. The first is label policies, which publish labels to your user base and let users pick a retention setting by assigning individual emails or documents a label (only one label per piece of content). Note that labels can do two things that retention policies can’t do: firstly, they can apply from the date the content was labeled, and secondly, you can trigger a disposition / manual review of the SharePoint or OneDrive for Business document when the retention expires.

Labels only apply to objects that you label; they don’t retroactively scan through email or documents at rest. While labels can be part of a bigger data classification story, anything that relies on users remembering to do something extra to manage data will only work with extensive training and for a small subset of very important data. You can (if you have E5 licensing for the users in question) use label policies to automatically apply labels to sensitive content based on a search query you build (particular email subject lines or recipients, or SharePoint document types in particular sites, for instance) or to a set of trainable classifiers for offensive language, resumes, source code, harassment, profanity, and threats. You can also apply a retention label to a SharePoint library, folder, or document set.

As an aside, Exchange Online also has personal labels similar to retention labels but created by the users themselves instead of being created and published by administrators.

A more holistic flavor, in my opinion, is retention policies. These apply to all items stored in the various repositories and can apply across several different workloads. Retention policies can also ensure data is retained for a set period AND disposed of after the expiry of the data, which is often a regulatory requirement. A quick note here, if you’re going to play around with policies, is that they’re not instantaneously applied – it can take up to 24 hours or even 7 days, depending on the workload and type of policy – so prepare to be patient.

These policies can apply across Exchange, SharePoint (which means files stored in Microsoft 365 Groups, Teams, and Yammer), OneDrive for business, and IM conversations in Skype for Business Online / Teams and Groups. Policies can be broad and apply across several workloads or narrow and only apply to a specific workload or location in that workload. 

An organization-wide policy can apply to the workloads above (except Teams, which needs a separate policy for its content), and you can have up to 10 of these in a tenant. Non-org-wide policies can be applied to specific mailboxes, sites, or groups, or you can use a search query to narrow down the content that the policy applies to. The limits are 10,000 policies in a tenant, each of which can apply to up to 1000 mailboxes or 100 sites.

Especially with org-wide policies, be aware that they apply to ALL selected content. So if you set it to retain everything for four years and then delete it, data will automatically disappear after four years. Note that you can set the “timer” to start when the content is created or when it was last modified; the latter is probably more in line with what people would expect. Otherwise, you could have a list that someone updates weekly disappear suddenly because it was created several years ago.

To create a retention policy, log in to the Microsoft 365 admin center, expand Admin centers, and click on Compliance. In this portal, click on Policies and then Retention under Data.

Retention policies link in the Compliance portal

Select the Retention tab and click “New Retention Policy”.

Retention policies and creating a new one


Give your policy a name and a description, select which data stores it’s going to apply to and whether the policy is going to retain and then delete data or just delete it after the specified time.

Retention settings in a policy


Sensitivity labels are outside of the scope of this article but are related. Instead of classifying data based on how long it should be kept, these policies classify data based on the security needs of the content. You can then apply policies to control the flow of emails with this content or automatically encrypt documents in SharePoint. You can also combine sensitivity and retention labels in policies.

Conflicts


Since multiple policies can be applied to the same piece of data, and perhaps retention labels are in play too, conflicting settings can apply. Conflicts are resolved by four rules, applied in order:
  1. Retention wins over deletion, ensuring nothing you expected to be retained is deleted.
  2. The longest retention period wins. If one policy says two years and another says five years, it’ll be kept for five.
  3. Explicit wins over implicit. If a policy has been applied to a specific area, such as a SharePoint library, it takes precedence over an organization-wide general policy.
  4. The shortest deletion period wins, so if an administrator has chosen to delete content after a set period, it’ll be deleted then, even if another policy requires deletion after a longer period of time.
Here’s a graphic that shows the four rules and their interaction:

Policy conflict resolution rules (courtesy of Microsoft)

As you can see, building a set of retention policies that really work for your business and don’t unintentionally cause problems is a project for the whole business, working out exactly what’s needed across different workloads rather than the job of a “click-happy” IT administrator.
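Before a “click-happy” administrator enables a policy, it is worth working out on paper what the four rules above do to a given item. The function below is an added example that models those rules as stated in this article (it is my reading of them, not Microsoft’s actual evaluation engine, and not code from the original article); the policy objects, the `Scope` values `Explicit`/`Implicit`, and the function name are this example’s own constructs:

```powershell
# Added example, not from the original article: a model of the four conflict rules.
function Resolve-RetentionConflict {
    param(
        # Each policy carries Name, Action ('Retain', 'Delete' or 'RetainThenDelete'), Years,
        # and Scope ('Explicit' for a specific location or label, 'Implicit' for org-wide).
        [Parameter(Mandatory)] [object[]]$Policies
    )

    # Rules 1 and 2: anything that retains beats deletion, and the longest retention period wins.
    $retainYears = 0
    foreach ($p in ($Policies | Where-Object { $_.Action -in 'Retain', 'RetainThenDelete' })) {
        if ($p.Years -gt $retainYears) { $retainYears = $p.Years }
    }

    # Rule 3: among the policies that delete, explicit (specific location) beats implicit (org-wide).
    $deleters = @($Policies | Where-Object { $_.Action -in 'Delete', 'RetainThenDelete' })
    $explicit = @($deleters | Where-Object { $_.Scope -eq 'Explicit' })
    if ($explicit.Count -gt 0) { $deleters = $explicit }

    # Rule 4: of the remaining deletion policies, the shortest period wins...
    $deleteYears = $null
    foreach ($d in $deleters) {
        if ($null -eq $deleteYears -or $d.Years -lt $deleteYears) { $deleteYears = $d.Years }
    }
    # ...but rule 1 still holds: nothing is deleted before the longest retention period has expired.
    if ($null -ne $deleteYears -and $deleteYears -lt $retainYears) { $deleteYears = $retainYears }

    [pscustomobject]@{
        RetainedForYears  = $retainYears
        DeletedAfterYears = $deleteYears   # $null means no policy ever deletes the item
    }
}

# Constructed scenario: an org-wide "retain 2 years then delete", an org-wide "delete after 1 year",
# and an explicit policy on one SharePoint library that retains 5 years and then deletes.
$Policies = @(
    [pscustomobject]@{ Name = 'Org-wide default'; Action = 'RetainThenDelete'; Years = 2; Scope = 'Implicit' }
    [pscustomobject]@{ Name = 'Org-wide cleanup'; Action = 'Delete';           Years = 1; Scope = 'Implicit' }
    [pscustomobject]@{ Name = 'Finance library';  Action = 'RetainThenDelete'; Years = 5; Scope = 'Explicit' }
)
Resolve-RetentionConflict -Policies $Policies
# Result: retained for 5 years (longest retention), deleted after 5 years (the explicit library policy
# beats both org-wide ones). The one-year cleanup policy never removes the document.
```

Change the Finance library policy to `Implicit` and re-run: the deletion candidates become all three policies, the shortest (one year) wins, but rule 1 still pushes the deletion out to the five-year mark, which is exactly the “retention wins over deletion” behaviour the graphic describes.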

Archive Mailbox


It all started with trying to rid the world of PST-stored emails. Back in the day, when hard drives and SAN storage only provided small amounts of storage, many people learned to “expand” the capacity of their small mailbox quota with local PST files. The problem is that these local files aren’t backed up and aren’t included in regulatory or eDiscovery searches. Office 365 largely solved part of this problem by providing generous quotas; the Business plans provide 50 GB per mailbox, whereas the Enterprise plans have 100 GB limits.

If you need more mailbox storage, one option is to enable online archiving, which provides another 50 GB mailbox for the Business plans and an unlimited (see below) mailbox for the Enterprise plans. There are some limitations to this “extra” mailbox: it can only be accessed online, and it’s never synchronized to your offline (OST) file in Outlook.

When you search for content, you must select “all mailboxes” to see matches in your archive mailbox. ActiveSync and the Outlook client on Android and iOS can’t see the archive mailbox, and users may need to manually decide what to store in which location (unless you’ve set up your policies correctly).

For these reasons, many businesses avoid archiving mailboxes altogether, just ensuring all mailbox data is stored in the primary mailbox (after all, 100 GB is quite a lot of emails). Other businesses, particularly those with a lot of legacy PST storage, find these mailboxes fantastic and use either manual upload or even drive shipping to Microsoft 365 to convert all those PSTs to online archives where the content isn’t going to disappear because of a failed hard drive and where eDiscovery can find it.

For those that really need it and are on E3 or E5 licensing, you can also enable auto-expanding archives, which will ensure that as you use up space in an online archive mailbox, additional mailboxes will be created behind the scenes to provide effectively unlimited archival storage.

To enable archive mailboxes, go to the Security & Compliance Center, click “Information Governance,” and then click the “Archive” tab.

The Archive tab

Then click on a user’s name to be able to enable the archive mailbox.

Archive mailbox settings

Once you have enabled archive mailboxes, you’ll need a policy to ensure that items are moved into the archive on the desired cadence. Go to the “Exchange Admin Center” and click “Compliance Management – Retention Tags.”

Exchange Admin Center – Retention tags


Here you’ll find the “Default 2 year move to archive” tag, or you can create a new policy by clicking on the + sign.

Exchange Retention tags default policies

Pick “Move to Archive” as the action, give the policy a name, and select the number of days that have to pass before the move happens.

Creating a custom Move to archive policy

Note that online archive mailboxes have NOTHING to do with the Archive folder you see in the folder tree in Outlook. This is just an ordinary folder that you can move items into from your inbox for later processing. This Archive folder is available on mobile clients, and also, when you’re offline, you can swipe in Outlook mobile to automatically store emails in it.

Conclusion


Now you know how and when to apply retention policies and retention tags in Microsoft 365, as well as when online archive mailboxes are appropriate and how to enable them and configure policies to archive items.

Ransomware: Best Practices for Protecting Backups

Cybercriminals devastate organizations around the globe by locking up computers and encrypting data, then demanding thousands of dollars for the decryption keys. This type of malware, known as “ransomware,” represents one of the greatest security threats to technology infrastructure. It has caused the complete failure of some organizations. This article teaches you the best practices for protection from ransomware and allows you to educate your staff, harden your Windows ecosystem, and protect your backups from infection.

Educate Yourself for Protection from Ransomware


Ransomware usually enters an organization when unsuspecting non-technical users download compromised files. Once activated, it runs with the security permissions of the account that opened it. The malware quickly spreads through the network, planting more copies of its executable as traps for other users. Then, it encrypts every file that it can access. Unfortunately, that includes backups and system recovery files.

Ransomware creators create variations rapidly, making it difficult for antivirus to detect. You only have two viable choices for recovery: pay the ransom or recover from a backup. Both options carry risks; many ransomware distributors will not provide keys after payment, and you might not have any useful backups that escaped the malicious encryption.

Educate Your Staff for Protection from Ransomware


Ransomware attacks usually start the same way as other types of malware: through a user that opens an infected file. User education is your most effective tool in ransomware mitigation. A few ways to approach staff training:
  • Hold training sessions, and create and share material that explains social engineering, email scams, baiting, and phishing attacks.
  • Teach users about the proliferation of infected files through download sites and e-mail.
The National Institute of Standards and Technology (United States) maintains a list of free and low-cost cybersecurity educational material. It includes a section on “Employee Awareness Training”.

Protect User Devices


Ransomware, like most other malware, enters through user devices. Focus the bulk of your technological ransomware protections there.
  • Employ policies and programs to discourage or prevent users from accessing suspicious files. Filter emails with executable attachments and block users from enabling Microsoft Office macros.
  • Enforce regular endpoint operating system and software patching.
  • Deploy and maintain antimalware programs such as antivirus and intrusion prevention.
  • Remove Adobe Flash and take steps to secure software that can run otherwise non-executable files, such as Java and web browsers.
  • Prevent applications from running from the AppData, LocalAppData, or Temp special folders.
  • Install commercial web filtering tools.
  • Block SMB shares on non-server systems.
Group Policy can help with some of these tasks. 

Prevent Ransomware from Spreading


A proper defensive stance anticipates infection. Take these steps to proactively harden your datacenter to impede ransomware’s movement.
  • Restrict administrative accounts to the fewest possible individuals and require them to use standard accounts for non-administrative functions.
  • Create allow lists for known-good applications and block other executables.
  • Firewall traffic into your datacenter.
  • Shut down or block all unnecessary file shares.
  • Disable user access to the volume shadow copy service (VSS).
  • Audit and constrain users’ write permissions on file servers.
  • Require users to store important documents in protected folders.
  • Deploy intrusion detection tools.
  • Do not map network shares to drive letters.
  • Disable RDP, VNC, and other easily compromised remote access methods.
Train administrative staff on remote management tools, such as PowerShell Remoting, which can perform most tasks (including file copy) through a secured keyhole on port 5985 or 5986.
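The remote-management pattern the paragraph above describes, as an added example that is not part of the original article: a file copy and a remote task done through PowerShell Remoting over HTTPS (the 5986 listener) rather than through an SMB share, a mapped drive, or RDP. The host name, file paths and management subnet are placeholders, and the server is assumed to already have a WinRM HTTPS listener with a trusted certificate:

```powershell
# Added example, not from the original article. Host, paths and subnet are placeholders.
$Server     = 'fs01.corp.example'                  # placeholder: target with a WinRM HTTPS listener
$LocalFile  = 'C:\Staging\agent-update.msi'        # placeholder: file to deliver
$RemoteFile = 'C:\Temp\agent-update.msi'           # placeholder: destination on the server
$Cred       = Get-Credential -Message 'Admin account for remote management'

# Hash the file before it leaves, so the copy can be verified on the far side.
$localHash = (Get-FileHash -Path $LocalFile -Algorithm SHA256).Hash

# -UseSSL selects the 5986 listener and validates the server certificate; nothing goes over 5985.
$Session = New-PSSession -ComputerName $Server -UseSSL -Credential $Cred

try {
    # File copy through the session itself: no file share and no drive letter are involved.
    Copy-Item -Path $LocalFile -Destination $RemoteFile -ToSession $Session

    # Verify integrity on the server and fail loudly if the copy does not match.
    $remoteHash = Invoke-Command -Session $Session -ArgumentList $RemoteFile -ScriptBlock {
        param($Path)
        (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
    if ($remoteHash -ne $localHash) {
        throw "Hash mismatch after copy to $Server ($remoteHash vs $localHash)"
    }

    # Run the maintenance task remotely; results come back as deserialized objects, not a desktop session.
    Invoke-Command -Session $Session -ScriptBlock {
        Get-Service -Name 'WinRM', 'Spooler' | Select-Object Name, Status, StartType
    }
}
finally {
    # Always tear the session down, even when the task throws.
    Remove-PSSession -Session $Session
}

# On the server side, the inbound rule this needs (instead of 3389 for RDP), scoped to the
# management subnet; the CIDR is a placeholder.
# New-NetFirewallRule -DisplayName 'WinRM HTTPS (management subnet only)' -Direction Inbound `
#     -Protocol TCP -LocalPort 5986 -RemoteAddress 10.10.10.0/24 -Action Allow
```

The hash check is what makes this a safer replacement for a mapped drive: the destination path is written by the remoting endpoint under the administrator’s identity, and a mismatch (a partial copy, or something else writing to `C:\Temp`) aborts before anything is executed.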

Protection from Ransomware for Backups


Properly protected backups will save your organization if ransomware strikes. Follow these best practices to secure them:
  • Create and implement a thorough disaster recovery plan that includes regular full backups. Check out The Backup Bible for much more information on that topic.
  • Use a Managed Service Account, not a user account, to operate backup 
  • Limit backup location ownership and write access to the backup application’s service account.
  • Create a dedicated network for backup, isolated from user networks.
  • If a vendor requires antivirus exclusions, ensure that their unprotected locations do not contain any data and remove any line of sight or access from their systems to vital network shares.
  • Encrypt backups using a key saved to a location that ransomware cannot access.
  • Capture frequent full offline backups.
  • Frequently transfer full backups to cloud storage using a method that ransomware cannot hijack (such as a two-factor-protected vault).
  • Regularly test your ability to restore from backup.
Group Policy can help with several of these points. Your backup software, such as Altaro VM Backup, can help with offline storage, offsite transmission, and encryption. Remember that some sophisticated ransomware knows how to operate backup programs, so you must always maintain offline backups.

You have multiple options for isolating networks. Most commonly, users must access server resources through firewalls and routers. Servers operate on their own network(s). You can then create a specific network just for the backup devices. Use your routers, firewalls, and access permissions to lock down ingress traffic for that network.

No single “right way” exists for isolating a network. At the extreme, you can completely isolate your backup network, known as an “air gap.” This requires all systems that participate in backup to have their own presence directly on the backup network. The network itself has no gateway or other connection to the rest of the network. A proper full air gap typically requires a fully virtualized datacenter to properly execute, as you have no other way to both provide network access from users to services and prevent network membership from servers to the backup network within the same operating system instance.

Protect Backups from Ransomware

Complete air gaps require the hypervisor and backup systems to have no external network connectivity of any kind, which can make maintenance, patching, and offsite transmissions difficult. Every compromise that you make to accommodate these problems reduces the effectiveness of the air gap.

Surviving a Ransomware Attack


These best practices can help you to mitigate your risks and minimize the spread of an attack. 
  • Immediately disconnect affected systems, including wireless and Bluetooth systems, from the network.
  • If the ransomware has a timer that increases the bounty price or counts down to a full lockout, rolling back the BIOS clock may delay the trigger.
  • Research the specific malware afflicting you. Many victims have shared their keys to older or well-known strains.

Protection from Ransomware and the Ongoing Journey 


Nothing can fully protect you from ransomware, and this war will never end. Remain vigilant, keep watch on CVEs, and keep your backups and maintenance cycles in mind. The approaches presented here can ensure that you safely make it through an assault.

How to Recover Deleted Emails in Microsoft 365

When the CEO realizes they deleted a vital email thread three weeks ago, email recovery suddenly becomes an urgent task. Sure, you can look in Outlook’s Deleted Items folder, but how can you recover what has undergone “permanent” deletion? This article reviews how you can save the day by bringing supposedly unrecoverable email back from the great beyond.

Deleted Email Recovery in Microsoft And Office 365


Email recovery for Outlook in Exchange Online through Microsoft 365 and Office 365 can be as simple as dragging and dropping the wayward email from the Deleted Items folder to your Inbox. But what do you do when you can’t find the email you want to recover? First, let’s look at how email recovery is structured in Microsoft 365. There are a few more layers here than you might think!

In Microsoft 365, deleted email can be in one of three states: Deleted, Soft-Deleted, or Hard-Deleted. How you recover an email and how long you have to do so depends on the email’s delete status and the applicable retention policy. Let’s walk through the following graphic and talk about how email gets from one state to another, the default policies, how to recover deleted emails in each state, and a few tips along the way.

Email Recovery in Microsoft 365

Items vs. Email


Outlook is all about email, yet it also has tasks, contacts, calendar events, and other types of information. For example, just like email, you can delete calendar entries and may be called on to recover them. For this reason, the folder for deleted content is called “Deleted Items.” Also, when discussing deletions and recovery, referring to “items” rather than limiting the discussion to just email is common.

Policy


Various rules control the retention period for items in the different states of deletion. A policy is an automatically applied action that enforces a rule related to services. Microsoft 365 has hundreds of policies you can tweak to suit your requirements. See Overview of Retention policies for more information.

‘Deleted Items’ Email


When you press the Delete key on an email in Outlook, it’s moved to the Deleted Items folder. That email is now in the “Deleted” state, which simply means it moved to the Deleted Items folder. How long does Outlook retain deleted emails? By default – forever! You can recover your deleted mail with just a drag and drop to your Inbox. Done!

If you can’t locate the email in the Deleted Items folder, double-check that you have the Deleted Items folder selected, then scroll to the bottom of the email list. Look for the following message:

Outlook Deleted Items Folder

If you see the above message, your cache settings may be keeping only part of the content in Outlook and the rest in the cloud. The cache helps to keep mailbox sizes lower on your hard drive, which in turn speeds up search and load times. Click on the link to download the missing messages.

But I Didn’t Delete It!


If you find content in the Deleted Items and are sure you did not delete it, you may be right! Administrators can set Microsoft 365 policy to delete old Inbox content automatically.

Mail can ‘disappear’ another way. Some companies enable a personal archive mailbox for users. When enabled, by default, any mail two years or older will “disappear” from your Inbox and the Deleted Items folder. However, there is no need to worry. While missing, the email has simply moved to the Archives Inbox. A personal Archives Inbox shows up as a stand-alone mailbox in Outlook, as shown below.

Stand-alone mailbox in Outlook

As a result, it’s a good idea to search the Archives Inbox if it is present when searching for older messages.

Another setting to check is one that deletes email when Outlook is closed. Access this setting in Outlook by clicking “File,” then “Options,” and finally “Advanced” to display this window:

Outlook Advanced Options

If enabled, Outlook empties the Deleted Items when closed. The deleted email then moves to the ‘soft-delete’ state, which is covered next. Keep in mind that with this setting, all emails will be permanently deleted after 28 days.

‘Soft-Deleted’ Email


The next stage in the process is Soft-Deleted. Soft-deleted emails have left the Deleted Items folder but are still easily recovered. At a technical level, the mail is deleted locally from Outlook and placed in the Exchange Online folder named Deletions, which is a sub-folder of Recoverable Items. Any content in the Recoverable Items folder in Exchange Online is, by definition, considered soft-deleted. You have, by default, 14 days to recover soft-deleted mail. The service administrator can change the retention period to a maximum of 30 days. Be aware that this can consume some of the storage capacity assigned to each user account, and you could get charged for overages.

How items become soft-deleted


There are three ways to soft-delete mail or other Outlook items.
  1. Delete an item already in the Deleted Items folder. When you manually delete something that is already in the Deleted Items folder, the item is soft-deleted. Any process, manual or otherwise, that deletes content from this folder results in a ‘soft-delete.’
  2. Pressing Shift + Delete on an email in your Outlook Inbox will bring up a dialog box asking if you wish to “permanently” delete the email. Clicking Yes skips the Deleted Items folder but still only performs a soft delete. You can still recover the item if you do so within the 14-day retention period.
[Screenshot: the Shift + Delete confirmation dialog in Outlook]
  3. The final way items can be soft-deleted is by using Outlook policies or rules. By default, no policies automatically remove mail from the Deleted Items folder in Outlook. However, users can create rules that ‘permanently’ delete (in reality, soft-delete) email. If you’re troubleshooting missing emails, have the user check for such rules. Click Rules on the Home menu and examine any created rules in the Rules Wizard, as shown below.
[Screenshot: Outlook Rules Wizard with a ‘permanently delete’ action]
Note that the caution shown by the Rules Wizard is a bit misleading: the rule’s action soft-deletes the email, which, as already stated, is not an immediate permanent deletion.

Recovering soft-deleted mail


You can recover soft-deleted mail directly in Outlook. Be sure the Deleted Items folder is selected, then look for the “Recover items recently removed from this folder” link at the top of the mail column or the “Recover Deleted Items from Server” action on the ribbon.

[Screenshot: “Recover items recently removed from this folder” link in Outlook]

Clicking on the recover items link opens the Recover Deleted Items window.

[Screenshot: Recover Deleted Items window in Outlook]

Click on the items you want to recover or Select All, and click OK. NOTE: The recovered email returns to your Deleted Items folder. Be sure to move it into your Inbox. If the email you’re looking for is not listed, it may have moved to the next stage: ‘Hard-Deleted.’

While users can recover soft-deleted emails themselves, administrators can also recover soft-deleted emails on their behalf using the ‘Hard-Deleted’ email recovery process described next (which works for both hard and soft deletions). Microsoft also provides two PowerShell cmdlets that are very useful for those who would rather script the task: you can search for and restore soft-deleted emails with Get-RecoverableItems and Restore-RecoverableItems.
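The two cmdlets mentioned above, put to work. This is an added example, not code from the original article or from Microsoft’s documentation. It assumes the ExchangeOnlineManagement module is installed and that the connecting account has been granted a role that exposes Get-RecoverableItems and Restore-RecoverableItems (the Mailbox Import Export role is assumed); the admin account, mailbox address, subject and dates are placeholders.

```powershell
# Added example: locate and restore soft-deleted mail with Exchange Online PowerShell.
# Placeholders: admin@contoso.com, alice@contoso.com, the subject text and the date range.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$Mailbox = 'alice@contoso.com'

# 1. How long does this mailbox keep soft-deleted items? (14 days by default, 30 maximum)
Get-Mailbox -Identity $Mailbox | Select-Object DisplayName, RetainDeletedItemsFor

# Optional: raise the window to the 30-day maximum for this mailbox.
Set-Mailbox -Identity $Mailbox -RetainDeletedItemsFor 30.00:00:00

# 2. Search the Recoverable Items\Deletions folder for the missing message.
#    -SourceFolder RecoverableItems = soft-deleted stage
#    -SourceFolder DeletedItems     = still in the Deleted Items folder
#    -SourceFolder PurgedItems      = hard-deleted stage (administrator-only recovery)
$params = @{
    Identity        = $Mailbox
    SourceFolder    = 'RecoverableItems'
    FilterItemType  = 'IPM.Note'                 # mail items only, not contacts or calendar
    SubjectContains = 'Q3 forecast'              # placeholder subject
    FilterStartTime = '01/01/2024 00:00:00'
    FilterEndTime   = '01/31/2024 23:59:59'
    ResultSize      = 'Unlimited'
}
$found = Get-RecoverableItems @params
$found | Select-Object Subject, LastModifiedTime, LastParentPath, ItemClass, EntryID |
    Format-Table -AutoSize

# 3. Restore each hit. Restore-RecoverableItems puts the item back in the folder it was
#    deleted from; the same call with -SourceFolder PurgedItems covers the hard-deleted
#    stage described further down.
foreach ($item in $found) {
    Restore-RecoverableItems -Identity $Mailbox -SourceFolder 'RecoverableItems' -EntryID $item.EntryID
}

Disconnect-ExchangeOnline -Confirm:$false
```

Restoring by EntryID rather than by subject avoids pulling back every message that happens to share the subject line; run the Get step first, inspect the list, and only then loop over the restore.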

Hard-Deleted Email


The next stage for deletion is ‘Hard Delete.’ Technically, items are hard-deleted when they move from the Deletions folder to the Purges folder, both sub-folders of Recoverable Items in Exchange Online. Administrators can still recover items in the Purges folder within the recovery period set by policy, which ranges from 14 days (the default) to 30 days (the maximum). You can extend retention beyond 30 days by placing a legal or litigation hold on the item or mailbox.

How items become Hard-Deleted


There are two ways content becomes hard-deleted.
  1. By policy, soft-deleted email is moved to the hard-deleted stage when the retention period expires.
  2. Users can hard-delete mail manually by selecting the Purge option in the Recover Deleted Items window shown above. (Again, choosing to ‘permanently delete’ mail with Shift + Del results in a soft delete, not a hard delete.)
 

Recovering Hard-Deleted Mail


Once email enters the hard-delete stage, users can no longer recover the content. Only service administrators with the proper privileges can initiate recovery, and no administrators have those privileges by default, not even the global admin. The global admin does have the right to assign privileges so that they can give themselves (or others) the necessary rights. Privacy is a concern here since administrators with these privileges can search and export a user’s email. Microsoft’s online documentation Recover deleted items in a user’s mailbox details the step-by-step instructions for recovering hard-deleted content. The process is a bit messy compared to other administrative tasks. As an overview, the administrator will:
  1. Assign the required permissions
  2. Search the Inbox for the missing email
  3. Copy the results to a Discovery mailbox where you can view mail in the Purged folder (optional).
  4. Export the results to a PST file.
  5. Import the PST to Outlook on the user’s system and locate the missing email in the Purged folder.
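Steps 1 through 4 of that procedure, scripted with Security & Compliance PowerShell. This is an added example and not Microsoft’s documented script or code from the original article. It assumes the ExchangeOnlineManagement module, a global admin who can assign roles, and that the tenant uses the eDiscovery Manager role group for content search; the account names, search name and query are placeholders. The export action only queues the export; downloading the PST still goes through the eDiscovery Export tool, and step 5 (importing the PST into Outlook) is a manual Outlook step.

```powershell
# Added example: admin-side search and export of hard-deleted mail via content search.
# Placeholders: admin@contoso.com, alice@contoso.com, the subject and the date range.

# Step 1: permissions. Nobody, not even the global admin, can search another user's
# mailbox until they are placed in the eDiscovery Manager role group.
Connect-IPPSSession -UserPrincipalName admin@contoso.com
Add-RoleGroupMember -Identity 'eDiscoveryManager' -Member 'admin@contoso.com'

# Role changes only apply to new sessions, so reconnect before searching.
Disconnect-ExchangeOnline -Confirm:$false
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Step 2: search the user's mailbox. Content search indexes the Recoverable Items
# sub-folders, so mail that is already in Purges can still be matched by a KQL query.
$searchName = "Recover-alice-$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation 'alice@contoso.com' `
    -ContentMatchQuery 'subject:"Q3 forecast" AND received>=2024-01-01 AND received<=2024-01-31'
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then show how many items it matched.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
$search | Select-Object Name, Status, Items, Size

# Steps 3-4: queue the export only when the search actually found something. The export
# action is named "<search name>_Export" and is downloaded with the eDiscovery Export tool.
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Export
    Get-ComplianceSearchAction -Identity "${searchName}_Export" | Select-Object Name, Status
}
else {
    Write-Warning "No items matched; the message may already be past the recovery window."
}
```

Because the search hits are exported rather than restored in place, this path leaves the user’s mailbox untouched and gives the administrator a copy to hand back, which is also why the privacy concern mentioned above applies: whoever holds this role can read what they export.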
 

Last Chance Recovery


Once hard-deleted items are purged, they are no longer discoverable by any method by users or administrators. You should consider the recovery of such content as unlikely. That said, if the email you are looking for is not recoverable by any of the above methods, you can open a ticket with Microsoft 365 Support. In some circumstances, they may be able to find the email that has been purged but not yet overwritten. They may or may not be willing to look for the email, but it can’t hurt to ask, and it has happened.

What about using Outlook to backup email?


Outlook does allow a user to export email to a PST file. To do this, click “File” in the Outlook main menu, then “Import & Export” as shown below.

[Screenshot: Outlook File menu, Import & Export]

You can specify what you want to export and even protect the file with a password. While useful from time to time, a backup plan that depends on users manually exporting content to a local file doesn’t scale and isn’t reliable. Consequently, don’t rely on this as a backup and recovery solution.

Alternative Strategies


After reading this, you may be thinking, “Isn’t there an easier way?” A service like Office 365 Backup allows you to recover from point-in-time snapshots of an inbox or other Microsoft 365 content. Having a service like this when you get that urgent call to recover mail from a month ago can be a lifesaver.

Before We Go


By now it should be clear that a robust recovery strategy is not just an option but a necessity. Below are the reasons a well-structured recovery strategy matters for email management in Microsoft 365:
  • Unexpected Deletions are Inevitable: Accidental deletions are more common than one might think. Whether it’s the CEO or a new intern, anyone can mistakenly delete crucial emails. A recovery strategy ensures these accidents don’t turn into crises.
  • Compliance with Legal and Regulatory Requirements: Many industries are governed by stringent laws and regulations that mandate the retention of electronic communications, including emails, for specific periods. Having a recovery strategy in place ensures compliance with these legal obligations, thus avoiding potential legal ramifications and hefty fines.
  • Protecting Against Malicious Activities: Cyber threats are increasingly sophisticated, with emails often being the main target of malicious actors. An effective recovery strategy can be the difference between quickly restoring lost data and suffering prolonged downtime or permanent data loss.
  • Mitigating the Impact of Technical Failures: Technical glitches, system crashes, or server issues can lead to loss of email data. A recovery strategy ensures that you have backups and processes in place to restore lost emails, thereby minimizing operational disruptions.
  • Maintaining Business Continuity: Emails are often the lifeline of business communications. Loss of access to important emails can halt decision-making processes and project workflows. A sound recovery strategy maintains business continuity, ensuring that email data is always accessible, even in the event of accidental or malicious deletions.
  • Safeguarding Intellectual Property and Sensitive Information: Emails often contain proprietary information, trade secrets, and sensitive data. Loss of such emails not only affects business operations but can also lead to competitive disadvantages and breaches of confidentiality. A robust recovery strategy protects this vital information.
  • Ease of Administration and Time Efficiency: Time is of the essence in business. A recovery strategy streamlines retrieving deleted emails, saving valuable administrative time and effort that might otherwise be spent navigating complex recovery processes.
  • Cost-Effectiveness in the Long Run: While setting up a recovery strategy might seem like an upfront investment, it is cost-effective in the long run. It mitigates the risks of losing crucial business information, spending on legal battles due to non-compliance, or losing business due to operational delays.
  • Reinforcing User Confidence: Knowing there is a safety net for email recovery enhances user confidence in using the email system. Users are more likely to utilize the system effectively and without fear of irreversible mistakes.
  • Adaptability to Organizational Changes: As your organization evolves, so do your communication needs and practices. A flexible recovery strategy can adapt to these changes, ensuring that email recovery processes remain efficient and relevant.
The importance of a well-considered recovery strategy for Microsoft 365 cannot be overstated. It’s a critical component of modern business practices, ensuring your organization’s email communications remain resilient, compliant, and efficient. Remember, it’s not just about recovering a lost email; it’s about preserving the integrity and continuity of your entire business operation.

Summary


Users can recover most deleted emails without administrator intervention. Often, deleted emails simply sit in the Deleted Items folder until manually cleared. When that occurs, email enters the ‘soft-deleted’ stage and is easily restored by a user within 14 days. After this period, the item enters the ‘hard-deleted’ state. A service administrator can recover hard-deleted items within the recovery window. After the hard-deleted state, the email should be considered unrecoverable. Policies can be applied to extend the retention times of deleted mail in any state. While administrators can go far with web-based administration tools, the entire recovery process can be scripted with PowerShell to customize and scale larger projects or provide granular discovery. Using a backup solution designed for Microsoft 365, such as Altaro Office 365 Backup, is always a great idea.
What Are Email Data Leaks and How to Prevent Them

According to our research published in the Cyber Security Report, email continues to be the primary communication channel for many organizations, with over 333 billion emails sent and received daily. Based on projections, that figure will increase to almost 400 billion daily by 2026.

This means that more cyber-attacks are being spread via email. While it may seem like a simple thing, we need to make sure we know how to use email properly, what we’re sharing and who we’re sharing it with.

This article is about email leaks and how to prevent them.

What Is Data Leak? Why Do Data Leaks Happen?

A data leak is when sensitive data is exposed to someone not authorized to see it. Data leaks can occur for two reasons: cybersecurity attacks and inadequate security measures.

Sensitive data includes Personally Identifiable Information (PII) and business data such as project plans, financial details, software code, and other similar types of data.

Personally Identifiable Information (PII) is any data that can be used to identify someone, such as their first and last name, email address, phone number, passport number, driver’s license, social security number, and other personal information.

Malicious Methods That Cause a Data Leak

Attackers use various malicious methods that cause data leaks. Individuals or groups employ a range of techniques to trick end users into handing over access to their data. Three common methods are phishing attacks, malware attacks, and brute-force attacks.

Phishing email attacks are one of the most common malicious methods we see nowadays. According to our Cyber Security Report, almost 40% of attacks are delivered via phishing emails. We often see viruses or other types of malware embedded in different file types, including Word, Excel, PDF, and archives.

Hackers develop sophisticated emails that look like the real thing and trick you into opening malicious links or attachments to gain access to your network. Phishing attacks are used in combination with social engineering to trick people into revealing their sensitive data by impersonating people.

Phishing attacks are carried out via email, SMS, voice and QR code scams.

Malware is a second method attackers use to try to penetrate your network. It is a broader term that covers various malicious software. This includes viruses, trojans, worms, ransomware, spyware, adware, keyloggers and more. According to our Ransomware attacks survey, 1 in 4 (23.9%) IT professionals say their organization has been the victim of a ransomware attack.

The best protection is Endpoint Detection and Response (EDR) on end user devices, strict firewall rules and security solutions that block internal and external malicious activities. You can read more about malware attacks here Malware vs. Viruses: Understanding the Threat Landscape.

In third place is a brute force attack. In such an attack, your username (email address) is loaded into brute force software, which then attempts to guess a password based on various password combinations stored in dictionaries. Dictionaries can be found for free on the Internet. The best practice here is to have a strong password and use multi-factor authentication.

Poor Security Practices That Cause Data Leaks

There are various reasons for data leaks.

First and foremost is a poor security culture. Your credentials are the first thing an attacker goes after. Never use weak passwords to protect your online accounts. If you are an IT administrator, you should enforce a password policy that prevents the use of weak passwords. You can read more in the next section.

When you log in with your account on a shared computer in your company or in public, always make sure that you have logged out. If you don’t and someone else, hypothetically a malicious person, gains access to your email, it could lead to a data leak.

If you are staying in a hotel or your favorite cafe, you should be very careful about which Wi-Fi network you use. There are many scenarios where a malicious person will try to eavesdrop on traffic on an open network.

The best thing to do is to set up a mobile hotspot and use the internet via your cell phone. You can also train your users to use a VPN for every connection, although this does carry the risk that a user might forget to use it on an untrusted network.

An inadequate security measure may also be that someone has unintentionally sent an email to the wrong external email address (misdelivery). A single careless moment can lead to significant problems.

This happens when a user accidentally sends sensitive information to the wrong email address. According to Verizon Data Breach Report 2022, there were 715 incidents, 708 with confirmed data disclosure, that compromised personal, medical, financial, and other data. 

Double-check to whom you are sending your email.

If you are using a bad password or a single password for more than one account, please change it immediately. Each account should have a different strong password. You are probably wondering how to remember them all. You don’t need to; see the section on password managers below.

Other bad practices usually relate to infrastructure and inadequate policies. You can find out more about this in the section “How to prevent data leaks”.

The Dangers of Bad Password Hygiene

Despite cybersecurity experts and companies advocating for a strong password culture, passwords in many organizations continue to be the weakest link. According to the Specops Breached Password Protection list, there are 2 billion breached passwords, and that number is increasing daily.

It is the responsibility of IT teams to enforce password policies in companies. This primarily includes the use of complex passwords with lower and upper-case letters, numbers and special characters.

Different security solution providers give different recommendations on the number of characters a password should have. The general rule of thumb is that more characters are better. Do not use less than 12 characters.

In the past we often enforced frequent password changes (every 30 days was popular). This has proven to be counterproductive, and both NIST in the US and GCHQ’s National Cyber Security Centre (NCSC) in the UK now recommend not enforcing frequent changes.

This just leads to people picking easier passwords and attaching the number or the name of the month to the end of their passwords for example.

You should also introduce a password history policy to prevent the reuse of old passwords. According to an Online Security Survey conducted by Google, 65% of people reuse their passwords. This is a major security issue.

In addition, you can introduce other password policies such as lockout policies, disabling accounts that are not being used, introducing multi-factor authentication (MFA), assessing password strength, monitoring account access, introducing SSO and others.

The bottom line is that today, just using a username and password to identify a user isn’t adequate. Wherever possible you must use strong authentication such as MFA, including phishing-resistant MFA such as FIDO2 hardware keys or biometrics such as Windows Hello.

These measures stop 98%+ of all identity-based attacks.
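The policy points above (minimum length, no forced rotation, password history, lockout) applied to an on-premises Active Directory domain. This is an added example, not code from the original article. It assumes the ActiveDirectory PowerShell module from RSAT, Domain Admin rights, and a placeholder domain name; an Entra ID-only tenant sets the equivalent controls in the Entra admin center and Conditional Access instead. MFA is not a password-policy setting and is not covered here.

```powershell
# Added example: the weak default domain password policy next to the hardened one,
# plus an audit helper that reports which settings still fall short.
# Placeholder domain: contoso.local

Import-Module ActiveDirectory

# Before: a typical legacy default domain policy looks like this
#   MinPasswordLength 7, MaxPasswordAge 42 days, LockoutThreshold 0 (never locks out)
Get-ADDefaultDomainPasswordPolicy -Identity 'contoso.local' |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, ComplexityEnabled

# After: the recommendations above. A zero MaxPasswordAge means passwords never expire;
# they are changed when a leak or compromise demands it, not on a calendar.
# Verify the resulting value with Get-ADDefaultDomainPasswordPolicy afterwards.
Set-ADDefaultDomainPasswordPolicy -Identity 'contoso.local' `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -MaxPasswordAge ([TimeSpan]::Zero) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow ([TimeSpan]::FromMinutes(15)) `
    -LockoutDuration ([TimeSpan]::FromMinutes(15))

# Audit helper: returns the findings for one domain so the check can be run across the forest.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()
    # AD reports "never expires" either as 00:00:00 or as the maximum TimeSpan,
    # depending on how the value was written, so accept both.
    $neverExpires = ($p.MaxPasswordAge -eq [TimeSpan]::Zero) -or ($p.MaxPasswordAge -eq [TimeSpan]::MaxValue)
    if ($p.MinPasswordLength -lt 12)    { $findings += "MinPasswordLength is $($p.MinPasswordLength), want at least 12" }
    if (-not $neverExpires)             { $findings += "MaxPasswordAge forces rotation every $($p.MaxPasswordAge.Days) days" }
    if ($p.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), want 24" }
    if ($p.LockoutThreshold -eq 0)      { $findings += 'LockoutThreshold is 0: brute force never locks the account' }
    if (-not $p.ComplexityEnabled)      { $findings += 'Complexity requirements are disabled' }
    $findings
}

(Get-ADForest).Domains | ForEach-Object {
    [pscustomobject]@{ Domain = $_; Findings = (Test-DomainPasswordPolicy -Domain $_) -join '; ' }
}
```

The lockout values are deliberately moderate: a threshold of 10 with a 15-minute window stops online guessing without letting an attacker lock out the whole company by spraying one wrong password at every account.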

One of the most common mistakes of poor password hygiene is sharing login credentials via email. Imagine if someone were to gain access to your email and find your password? This would mean that a malicious person would be able to compromise your integrity and your data.

Implement Password Managers

Don’t write down your password on sticky notes, notes or anywhere else. It’s best to use a password manager and store your passwords in secure and encrypted password vaults. Whenever you need your password for a service or device, log in to your password manager, copy it and then enter it.

Password managers also provide extensions for your favorite browsers that fill in your password when you need to log into your account.

This practice benefits users at all levels, from end users to IT administrators who manage many different systems.

What Should I Do if I Find My Address in an Email Leak?

If you find your address in an email leak, you should immediately change your password. A new password should follow the policy introduced in the previous section.

Use Password Managers to store your password, don’t store it written or printed on paper, stored in .txt or any other files on your machine, or shared via email. Password Managers are designed to do it most securely.

In case of email leaks that happen in organizations, you should inform relevant stakeholders and check if there were any suspicious activities done on affected services.

Note: Do not ignore security breach notifications, ignoring would put your account and data at risk.

How can I know if my account was leaked?

According to haveibeenpwned, as of November 2023, there are over 12 billion accounts leaked. If you want to check if your email or account was leaked, navigate to https://haveibeenpwned.com, enter your email address, and click Pwned?

You can also subscribe (for free) to get notified when future pwnage occurs and your account is compromised. There are also options for organizations to monitor their entire email domain instead of just individual accounts.
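A companion to checking your email address on the site: Have I Been Pwned also publishes the Pwned Passwords list, and its range API lets you test a password without sending it anywhere. This is an added example, not code from the original article or from Have I Been Pwned. It shows the k-anonymity query (only the first five hex characters of the SHA-1 hash leave the machine, the remaining 35 are compared locally) together with the length and rotation-pattern rules from the password hygiene section above. The range response used for the offline run is constructed; the live function fetches the real one. Checking whether an email address or a whole domain appears in a breach is a different HIBP endpoint that requires an API key and is not shown.

```powershell
# Added example: k-anonymity check of a password against Pwned Passwords, plus local policy checks.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToUpperInvariant()
}

# Parse a range response ("SUFFIX:COUNT" per line) and return how often the full hash was seen.
function Get-PwnedCount {
    param(
        [Parameter(Mandatory)][string]$Sha1Hex,
        [Parameter(Mandatory)][string]$RangeResponse
    )
    $suffix = $Sha1Hex.Substring(5)
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) { return [int]$parts[1] }
    }
    return 0
}

# Live lookup: send only the 5-character prefix. The Add-Padding header asks the service to pad
# the response so its size does not hint at which suffixes are in the bucket.
function Get-PwnedCountOnline {
    param([Parameter(Mandatory)][string]$Sha1Hex)
    $prefix = $Sha1Hex.Substring(0, 5)
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }
    Get-PwnedCount -Sha1Hex $Sha1Hex -RangeResponse $body
}

# Local rules from the article: at least 12 characters, and no "word + month/number" ending
# of the kind people reach for when forced to rotate.
function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)
    $findings = @()
    if ($Password.Length -lt 12) { $findings += 'shorter than 12 characters' }
    $months = 'jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec'
    if ($Password -match "(?i)($months)[a-z]*\d{0,4}[!?.]*$") { $findings += 'ends in a month name' }
    if ($Password -match '\d{1,4}[!?.]*$') { $findings += 'ends in a number (rotation pattern)' }
    $findings
}

# Offline demonstration. "password" hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8;
# the range response below is constructed, including the counts.
$hash   = Get-Sha1Hex 'password'
$sample = @"
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4031
1E2AE5B5B2D6B43B9B8B3C9F5B0E3B0F0D5:1
"@
Get-PwnedCount -Sha1Hex $hash -RangeResponse $sample   # 4031 in the constructed sample
Test-PasswordPolicy -Password 'Summer2024!'             # shorter than 12 characters; ends in a number
```

A count above zero is reason enough to reject the password outright; the suffix comparison happens in memory, and nothing but the prefix appears in the request log on the other end.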

How To Prevent Data Leakage

From an IT management point of view, you should introduce access control and define who is allowed to do what. One of the most important measures is least-privilege access control: each account gets only the permissions it needs.

Your data should be encrypted wherever it is stored, both at rest and in transit. Then, even if a malicious person gains access to the data, they cannot read it.

Security is a shared responsibility. Make sure that you implement strong security protection on your network and endpoints and that your employees are trained in handling the data.

In addition, you should ensure continuous monitoring and logging of all activities that take place internally or externally on your services.

Please note that data leaks are not a one-off event, but an ongoing process that requires strong technology and employee awareness.

Many websites or client–server communications do not use TLS (SSL) certificates. This means that the communication between you and your server is in plain text and can be intercepted and read by a criminal.

Make sure that your website uses certificates, that communication is encrypted and that you renew them on time. Better yet, automate the process with a service like Let’s Encrypt, which not only issues free certificates but, through its ACME clients, renews them automatically before they expire.
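The renewal check a practitioner would actually schedule, as an added example that is not code from the original article. It opens a TLS connection to each host, accepts whatever certificate the server presents so the details can be read, then validates the chain separately and reports the days until expiry. The host names are placeholders, and the 30-day warning threshold is an assumption (Let’s Encrypt certificates are valid for 90 days and are usually renewed with 30 remaining).

```powershell
# Added example: report TLS certificate expiry and chain validity for a list of hosts.

function Get-TlsCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any server certificate during the handshake; validity is checked explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk    = $chain.Build($cert)
        $chainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $daysLeft   = [int](($cert.NotAfter - (Get-Date)).TotalDays)

        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Protocol    = $ssl.SslProtocol
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            ChainValid  = $chainOk
            ChainErrors = $chainError
            Status      = $(if (-not $chainOk)            { 'INVALID' }
                            elseif ($daysLeft -le 0)        { 'EXPIRED' }
                            elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                            else                             { 'OK' })
        }
    }
    finally {
        $client.Dispose()
    }
}

# Placeholder host names; surface anything that is not OK.
$hosts = 'www.example.com', 'mail.example.com'
$hosts |
    ForEach-Object { Get-TlsCertificateStatus -HostName $_ } |
    Where-Object Status -ne 'OK' |
    Format-Table Host, Status, DaysLeft, ChainErrors -AutoSize
```

Passing the host name to AuthenticateAsClient matters: it is what the server uses (via SNI) to pick the certificate, so a check against an IP address or the wrong name will report a certificate the browser never sees.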

Make sure your infrastructure is always up to date at the physical and application level and patched with the latest updates. Systems that are not patched with the latest security updates pose a major risk that attackers can exploit to gain access to your network.

To maintain security measures, you should apply compliance regulations and industry standards to prevent data breaches. Some of the factors that can lead to a data leak are shadow IT, poor data processing practices, lack of encryption, poor BYOD (Bring Your Own Device) practices, inadequate employee training and others.

How Hornetsecurity Can Help You Stay Protected Against Data Leaks

According to the World Economic Forum – The Global Risks Report 2022, 95% of all cyber security breaches are caused by human error. Malicious people (read hackers) try to exploit human psychology using phishing and social engineering.

To prevent it, organizations need to provide continuous training to employees on how to use technology and prevent data leaks.

That is where the Hornetsecurity Security Awareness Service comes into play. Security Awareness Services provides fully automated awareness benchmarking, spear-phishing simulation, and E-Training to sensitize and protect employees against cyber threats. Practically speaking, you can train and then challenge your employees by simulating sophisticated email attacks.

Security Awareness Service provides the ESI (Employee Security Index), which continuously measures and compares employee security behavior across the organization and identifies individual training needs.

[Screenshot: Awareness dashboard in the control panel]

Security Awareness Service also provides an e-learning hub for employees where they learn security content on how to handle phishing attacks in multiple languages.

That is not all.

Hornetsecurity provides several solutions that help you strengthen your security and prevent data leakage including fully automated, secure, and effective email encryption, the cloud-based corporate email platform with integrated spam and malware protection, email archiving service to ensure email data integrity & compliance for M365 and other email servers, powerful spam filtering and malware protection to stay ahead of cybercriminals and more.

You can read full insights into different Hornetsecurity solutions that help you stay safe. You can read more here Email Cloud Security Services from Hornetsecurity.

Remember, the best way to protect against malicious methods is to have a proper understanding and implementation of IT security.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam and malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

Data leaks are a constant challenge that occurs in many organizations. There are two reasons for this. The first is when users accidentally share data by sending sensitive emails to the wrong email address or forgetting the USB stick with the data in a public café. The second is when malicious people attack our infrastructure with malware.

There is a solution for both cases. IT teams should implement strict security mechanisms from the physical to the application level, strict access control and good password policies, and enforce MFA for all user accounts.

Security is a shared responsibility. Employees should be trained in the proper handling of emails, passwords and anything that could put data at risk.

Hornetsecurity offers an e-training and security awareness service platform that allows you to educate and challenge your employees by exposing them to fake phishing attacks that look like real attacks.

In this article you learned all about data leaks and how to prevent them.

FAQ

What happens if data is leaked?

When sensitive data is leaked, it can have various consequences, such as privacy issues, financial losses, reduced customer satisfaction and business disruption. If our data is exposed, especially if we are vendors, it has a negative impact on our reputation. Any data leak should be taken seriously, and we must take all preventive measures to stop it.

Is it bad to leak your email?

It is considered bad and risky to expose your email address. Malicious people can use it to target you with phishing and social engineering attacks. To protect your email account, you should use or enforce a strong password and enable multi-factor authentication.

What does it mean when your password has been in a data leak?

If your password has been leaked, it means you are in trouble. A malicious person could access all of your online services that use this password and thus obtain and expose your data. If you use the same password for multiple services, a malicious person could try to access all services and compromise your reputation and the integrity of your data.

What do email hackers look for?

Hackers or hacker groups are looking for data with which they can blackmail you, demand money or pass on your data to third parties who could be of use to them.

Email Threats in 2024 Are Evolving – How Advanced Threat Protection Keeps Your Business One Step Ahead of Attacks

The most common way that criminals gain access to your business is through malicious emails. This is often a phishing email, asking the recipient to change their corporate password with a link to a site, or to approve a parcel delivery, or in what’s becoming more common, scan a QR code on your phone to access a business application.

These risks are all real, and they are used to compromise businesses every day.

To make sure your business isn’t the next one in the headlines for all the wrong reasons, you need a strong and layered defense, that adapts and evolves with the ever-changing threat landscape.

In this article we’ll explore how Hornetsecurity’s email security services integrate with your Microsoft 365 email services, protect you from simple, volume-based threats with smart tech, keep you safe from advanced attacks such as spear phishing with Advanced Threat Protection (ATP), safeguard your users from malicious QR codes out of the box and, if all of those layers fail, train your users to spot and report malicious content.

We’ll go deep on ATP, without revealing details criminals can use to bypass your defenses.

Two Ways to Integrate With Exchange Online

There are two technical approaches to layer email security on top of Exchange Online in Microsoft 365:

  1. The first involves changing the Mail eXchanger (MX) records for your email domain (“company.com”) in the internet’s Domain Name System (DNS) to point to our service. All incoming mail will pass through our services, providing a clean feed to your users’ inboxes.
  2. The second method is creating an application in Entra ID (formerly Azure Active Directory, AAD), the identity platform underlying Microsoft 365, and giving it specific permissions to the Graph Application Programming Interface (API) that exposes user mailboxes. This second approach allows additional flexibility, such as the ability to reach into users’ mailboxes after an email has already been delivered and delete it, if the system has determined that something was missed in the original delivery scan and the email is now identified as malicious.

Hornetsecurity applies both methods, combining the best of both worlds for unsurpassed protection.
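A check for the first integration method, as an added example that is not code from the original article or from Hornetsecurity. It resolves a domain’s MX records with the Windows Resolve-DnsName cmdlet and reports whether every one of them points at the filtering service. The domain and the expected host suffix are placeholders for whatever the provider hands you at onboarding.

```powershell
# Added example: verify that all MX records for a domain route through the filtering service.
# Placeholders: company.com and the '.filter.example.net' suffix.

function Test-MxRouting {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedSuffix   # e.g. '.filter.example.net'
    )
    # Resolve-DnsName may return additional A records alongside the MX answers; keep only MX.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference

    foreach ($record in $mx) {
        $mxHost = $record.NameExchange.TrimEnd('.')
        [pscustomobject]@{
            Domain     = $Domain
            Preference = $record.Preference
            Host       = $mxHost
            Routed     = $mxHost.EndsWith($ExpectedSuffix, [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# The MX-based layer only covers mail that arrives through the service. A leftover record
# pointing elsewhere (for example the tenant's own *.mail.protection.outlook.com host)
# gives a sender a delivery path that never touches the filter, because an SMTP client
# may try any listed MX host, not only the lowest-preference one.
$result = Test-MxRouting -Domain 'company.com' -ExpectedSuffix '.filter.example.net'
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Routed }) {
    Write-Warning 'company.com has MX hosts outside the filtering service; direct delivery can bypass it.'
}
```

Run it from outside the corporate network as well, against the public resolvers your customers’ mail servers use, since a split-horizon DNS can make an internal answer look correct while the internet still sees the old records.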

Dealing With Low Hanging Fruit

In our 2024 Cyber Security Report we saw that out of the 45 billion emails we scanned in 12 months, 36.4% were categorized as unwanted. That’s over a third of all emails that you want to keep out of your user’s inboxes. Out of that third, 3.6% were flagged as malicious.

Clearly you need a fast system to deal with the vast amount of junk quickly, which we do at the blocking phase, weeding out connections from known bad email servers, and traffic from known bad senders.

We have a 99.9% guaranteed spam detection and 99.99% virus detection, using 18 independent virus and phishing spam filters, and we scan both incoming and outgoing emails for spam, malicious URLs and viruses.

Sometimes an email bounces, meaning it’s sent back as the address is unknown (or accidentally mistyped) which is useful for the sender to know. However, sometimes you get bounced emails because an attacker used your email as the sending address, we filter out these fake ones to protect against backscatter and bounce attacks.

It’s an Arms Race

The above services deal with most of the incoming undesirable and malicious emails. However, attackers spend a lot of time and effort changing their attack methods to bypass email filters. This is where ATP comes in.

One popular option is attaching an encrypted document to an email. Normally anti-malware engines can’t scan these and so might miss a malicious file, ATP uses Malicious Document Decryption to protect against this.

QR codes in emails are an attack type that has gained momentum in the last few months, partly because QR codes are now such a normal part of life (restaurant menus, paying for car parking etc.), and partly because it moves the attack from the (often) corporate owned and managed PC to a user’s personal phone.

It neatly bypasses all the protections in place on the computer and the URL in the QR code often leads to a familiar looking login page. ATP has had built in QR code scanning for common file types (GIF, JPEG, PNG and BMP) for over a year.

ATP has many layers of protection, such as the Sandbox Engine, which opens every attached file to identify malicious attachments; if one is found, the email is quarantined.

The Sandbox Engine checks whether an attached file tries to detect that it is running in a VM or a sandbox, which is a dead giveaway that it’s malicious. It also uses a file system monitor to see if the attachment writes or alters files, and a process monitor to see if the file starts a child process (popular in malicious Adobe PDF files).

There’s also a registry monitor to spot unusual values being stored in the registry (often used for persistence when the PC is restarted) and network monitoring to see if the document is trying to communicate with an endpoint on the internet, another unusual behavior for a document.

Memory is inspected from a forensic point of view (again, documents accessing memory in unusual ways is a strong indication that it’s malicious). Tying it all together is a Machine Learning engine that looks at the above signals, and over 500 indicators, and separates malicious files from benign ones with very high accuracy.

Freezing is another approach: if an email is suspicious but can't yet be classified as clearly bad, it's held back for a short time. New data arriving during that window may lead to a positive identification, for example of a virus attachment.

All links in emails (URLs) are rewritten with a link to our secure web gateway, and scanned both when the email is received and when the user eventually clicks on it.

To work around this, attackers often put the links inside attached files, which can't be rewritten (doing so would alter the document itself), but our engine still follows those links to verify whether there's a malicious payload at the other end.
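Here is an added Python example of the link-rewriting idea (not Hornetsecurity's code; the gateway address, signing key and domain blocklist are all made up for the example). It rewrites each URL in a message into a signed gateway link, refuses to unwrap forged links so the gateway can't be abused as an open redirector, re-evaluates the target at click time against intelligence that may have changed since delivery, and scans links extracted from attachment text without rewriting them.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote, urlparse

# Assumed gateway endpoint and signing key (constructed for this example; in production
# the key lives in a secret store and the hostname is your own gateway).
GATEWAY = "https://gw.example.invalid/click"
SECRET_KEY = b"constructed-demo-key-not-for-production"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so nobody can mint gateway links to arbitrary targets."""
    return hmac.new(SECRET_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Replace every URL in the message body with a signed gateway link."""
    def repl(match: re.Match) -> str:
        original = match.group(0)
        return f"{GATEWAY}?u={quote(original, safe='')}&t={_sign(original)}"
    return URL_RE.sub(repl, body)


def unwrap(gateway_url: str) -> Optional[str]:
    """Recover the original URL from a gateway link; None if the token is missing or forged.
    Without this check the gateway would be an open redirector."""
    parsed = urlparse(gateway_url)
    params = dict(p.split("=", 1) for p in parsed.query.split("&") if "=" in p)
    original = unquote(params.get("u", ""))
    token = params.get("t", "")
    if not original or not hmac.compare_digest(token, _sign(original)):
        return None
    return original


class LinkScanner:
    """Stand-in for the gateway's verdict engine: a domain blocklist that can change
    between the time the mail is received and the time the user clicks."""
    def __init__(self) -> None:
        self.bad_domains = set()

    def mark_malicious(self, domain: str) -> None:
        self.bad_domains.add(domain.lower())

    def verdict(self, url: str) -> str:
        host = (urlparse(url).hostname or "").lower()
        return "block" if host in self.bad_domains else "allow"


def handle_click(scanner: LinkScanner, gateway_url: str) -> Tuple[str, Optional[str]]:
    """Click-time check: verify the token, then re-evaluate the target with current intel."""
    original = unwrap(gateway_url)
    if original is None:
        return "reject", None
    return scanner.verdict(original), original


def scan_attachment_text(scanner: LinkScanner, text: str) -> List[Tuple[str, str]]:
    """Links inside attachments are not rewritten (that would alter the file), so they are
    extracted and checked at scan time instead."""
    return [(url, scanner.verdict(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    body = "Please review https://login-example.invalid/reset before Friday"
    rewritten = rewrite_links(body)
    gateway_link = rewritten.split()[2]
    scanner = LinkScanner()
    print(handle_click(scanner, gateway_link))       # allowed at receive time
    scanner.mark_malicious("login-example.invalid")  # intel arrives after delivery
    print(handle_click(scanner, gateway_link))       # blocked at click time
```

The point of the two `handle_click` calls is the one the text makes: the same link is clean when the mail arrives and blocked when the user finally clicks, because the verdict is computed at click time rather than frozen at delivery.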

One very important job of any security tool is to let you know when bad things are afoot, and ATP provides real-time alerts when your organization is under a targeted email attack.

A related feature is Ex-Post alerts: if emails that have already been delivered are subsequently identified as malicious your IT team is notified.

As mentioned, these emails can be automatically deleted, but a user may already have clicked a link or opened an attachment, so your response team will want to investigate those user accounts and devices further.
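To show what that follow-up looks like in practice, here is an added Python example (not Hornetsecurity's code; the log formats and the log lines are constructed for the example). Given the IDs of messages retracted after an ex-post alert, it joins the delivery log with the click/open log to tell the response team who merely received the mail and who actually interacted with it, and on which device.

```python
import re
from typing import Dict, Iterable, List

# Constructed log formats (assumptions, not a real product's schema).
DELIVERY_RE = re.compile(
    r"^(?P<ts>\S+) delivered msgid=(?P<msgid>\S+) to=(?P<user>\S+)$"
)
ACTION_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>clicked|opened) user=(?P<user>\S+) "
    r"device=(?P<device>\S+) msgid=(?P<msgid>\S+)(?: target=(?P<target>\S+))?$"
)


def expost_triage(retracted: Iterable[str], delivery_log: str, action_log: str) -> List[Dict]:
    """Return one record per (user, retracted message), investigation candidates first."""
    retracted = set(retracted)
    exposure: Dict[tuple, Dict] = {}

    # Everyone who received a retracted message is exposed.
    for line in delivery_log.splitlines():
        m = DELIVERY_RE.match(line.strip())
        if m and m["msgid"] in retracted:
            exposure[(m["user"], m["msgid"])] = {
                "user": m["user"], "msgid": m["msgid"],
                "actions": set(), "devices": set(),
            }

    # Clicks and attachment opens on those messages escalate the user/device.
    for line in action_log.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue
        rec = exposure.get((m["user"], m["msgid"]))
        if rec is None:
            continue  # action on a message that was not retracted
        rec["actions"].add(m["action"])
        rec["devices"].add(m["device"])

    out = []
    for rec in exposure.values():
        priority = "investigate" if rec["actions"] else "retract_only"
        out.append({
            "user": rec["user"], "msgid": rec["msgid"], "priority": priority,
            "actions": sorted(rec["actions"]), "devices": sorted(rec["devices"]),
        })
    out.sort(key=lambda r: (r["priority"] != "investigate", r["user"]))
    return out


# Constructed sample logs: m-1001 is the message later found to be malicious.
DELIVERY_LOG = """
2024-05-02T09:14:03Z delivered msgid=m-1001 to=alice@corp.example
2024-05-02T09:14:03Z delivered msgid=m-1001 to=bob@corp.example
2024-05-02T09:14:04Z delivered msgid=m-1001 to=carol@corp.example
2024-05-02T09:30:00Z delivered msgid=m-1002 to=alice@corp.example
"""
ACTION_LOG = """
2024-05-02T09:20:11Z clicked user=alice@corp.example device=LT-0142 msgid=m-1001 target=https://login-example.invalid/reset
2024-05-02T09:22:40Z opened user=bob@corp.example device=LT-0077 msgid=m-1001 target=invoice.pdf
2024-05-02T09:35:02Z clicked user=alice@corp.example device=LT-0142 msgid=m-1002 target=https://ok.invalid/doc
"""

if __name__ == "__main__":
    for rec in expost_triage(["m-1001"], DELIVERY_LOG, ACTION_LOG):
        print(rec)
```

Alice (clicked the link) and Bob (opened the attachment) come out first with their device names, while Carol only had the message retracted from her mailbox; Alice's click on the unrelated m-1002 is ignored.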

Human beings are still the weakest link, and our psychology is used against us when attackers employ social engineering tactics.

Our Targeted Fraud Forensics uses automated fraud attempt analysis and intention spoofing recognition to detect and prevent social engineering attacks.

It analyses the language of the email for patterns that indicate malicious intent or espionage, or text that presents false facts to pressure the recipient into responding, and it spots forged sender identities.

Sending to the Right Recipients?

Another feature that’ll assist your overall email security posture is AI recipient validation, which will warn you if you’re including an unintended recipient, or if you’re missing a recipient that should have been included.

It'll also warn you if the email contains sensitive information, such as Personally Identifiable Information (PII), inappropriate wording, or if you're replying to a large distribution list. This analysis is done locally in the Outlook client; no data is sent to our service.

Of course, there’s a dashboard for administrators to see what warnings the users had, and what their response was, and an admin can also disable particular warning scenarios, exclude users from different warnings, and add external domains to be treated as internal ones.

Improving Your Human Firewalls

No protection system is completely foolproof; there will be times when a malicious email sneaks through your defences, at least temporarily, and this is where training your users is vital.

Many other services for this take a lot of administrator time: planning, scheduling, and following up with the users who fell for the simulated phishing attacks. Hornetsecurity's Security Awareness Service is different, and is mostly set-and-forget.

Each user is tracked with an Employee Security Index (ESI): users who rarely click on simulated malicious links or attachments aren't bothered with simulations, whereas repeat offenders receive more simulated attacks, as well as short, relevant video training content.

It also uses gamification to increase engagement amongst your users.

Stay ahead of the evolution of email threats in 2024 with Advanced Threat Protection from Hornetsecurity. Protect your business and your employees against sophisticated attacks. 

Don’t wait any longer; protect your email with Hornetsecurity and ensure the resilience of your digital assets.

Conclusion

Email is the most prevalent vector for attackers to compromise your users, and the foothold gained is then used to infiltrate your systems further.

A comprehensive email hygiene service must deal with the easy threats, mass mailed spam and phishing, as well as advanced threats such as spear phishing and targeted email lures.

Hornetsecurity's spam and malware filters, combined with Advanced Threat Protection, are the best defence. Add in the additional services such as AI Recipient Validation, along with the Security Awareness Service, and you have a winning combination.

FAQ

How does Hornetsecurity's Advanced Threat Protection (ATP) detect malicious documents?

ATP uses malicious document decryption, a sandbox engine and a machine learning engine to inspect file behavior, registry changes, network communication and memory access, achieving high accuracy in distinguishing malicious files.

What happens if an email is suspicious but not clearly identified as malicious by ATP?

Suspicious emails are temporarily held back using a freezing approach. During this time, new data may lead to positive identification, and all links are scanned through Hornetsecurity’s secure web gateway before being delivered to the user.

How does Hornetsecurity's Security Awareness Service engage users in training without extensive administrator involvement?

The Security Awareness Service employs an Employee Security Index (ESI) to track user behavior. It automatically tailors simulated attacks and video training content based on individual responses, utilizing gamification to enhance user engagement with minimal administrative effort.