Frequently Asked Questions
International Standard
An All-In-One Inbound/Outbound Email Security is an email security solution that can be integrated with a company’s mail server to enhance security. SECUMAIL is an email security service for enterprises that provides tailored security features for comprehensive inbound and outbound email protection within an optimized environment.
The All-In-One Inbound/Outbound Email Security is an integrated email security solution that can effectively address all email-related issues from reception to transmission in one go. It combines SpamGUARD to block spam and ReceiveGUARD, an intelligent solution for blocking phishing emails, ensuring that only safe emails are received. SendGUARD protects the outbound email segment.
What security data needs to be synchronized between the inbound and outbound email security systems?
These include fraudulent or similar email addresses. Since these are email addresses created by attackers that may appear legitimate, it is crucial to synchronize them between the inbound and outbound email security systems to prevent related threats. Additionally, synchronizing data related to emerging malware, suspicious account compromises, and other similar information is recommended. This enhances the accuracy and efficiency of security inspections, effectively strengthening an organization’s email security.
Targeted email attacks are sophisticated forms of attacks that focus on specific individuals. These attacks not only target the individuals directly but also exploit vulnerabilities in email servers and security solutions. Therefore, to effectively block attacks against specific targets, it is necessary to address not only direct attacks on the target but also circumvention attacks. This is why common security requirements are essential.
First, safety checks for email addresses registered in the whitelist. If an email address or domain is registered in the whitelist, emails from that address are generally considered trustworthy. However, with the increasing threat of targeted email attacks, it is necessary to inspect emails from whitelisted addresses for the potential of targeted email attacks. This measure aims to exclude the possibility of emails from whitelisted addresses being propagated through compromised accounts or containing malware.
Second, the capability to change the folder structure of the email security solution. To prevent hackers from analyzing the folder structure of the email security solution to bypass the detection of malware or malicious activities, it is essential to periodically change the folder structure.
Third, compatibility of security data for incoming and outgoing emails. Security data compatibility assists in preventing user errors or hacking attacks. Even if a user account is compromised or an attack occurs through a malicious email address, compatible data allows for the swift detection and response to such incidents. Moreover, it enhances the speed and detection rate of inspecting malware and phishing emails, improving the overall performance of the email security solution with faster inspection and response times.
The key consideration of international standards is to address targeted email attacks by not relying on specific technologies and considering all possibilities associated with such attacks. As a result, common security requirements are designed to account for various attack types, and non-compliance may leave vulnerabilities to certain targeted email attacks.
ReceiveGUARD incorporates a Virtual Area (VA) in which it can analyze emails and stores it after encrypting the data. Through this VA, the device can automatically generate filtering criteria for the next-received emails based on the analysis of previous data. This function is what distinguishes it as an intelligent-learning mail firewall device.
We provide reports through the admin account of ReceiveGUARD. These reports include statistics on why emails were blocked, the frequency of such blocks, and other relevant information to assist you in more effective email management.
The Virtual Area (VA) within ReceiveGUARD directly examines malicious code files, and its configuration environment is entirely distinct from that of a regular PC. Consequently, opening malicious code files within the VA poses no risk of infecting the device with a virus whatsoever.
ReceiveGUARD conducts direct inspections of executable files and attachments in emails through the Virtual Area (VA) to assess their safety. This approach ensures a high level of accuracy when inspecting attached files in emails. Furthermore, it can detect viruses such as ransomware by utilizing regularly updated antivirus engines.
ReceiveGUARD employs a fundamentally distinct analysis approach in contrast to other APT devices. Instead of relying on pre-existing filtering data, it analyzes emails in real time, based on accumulated data within the device. This approach enables various unique analyses that other devices cannot perform, such as URL endpoint tracking, attachment forgery analysis, and the reliability level testing.
Both SpamGUARD and ReceiveGUARD serve as inbound email security devices. SpamGUARD is designed to block promotional emails, while ReceiveGUARD is specifically employed to block fraudulent and hacking emails. While many email systems typically rely solely on SpamGUARD, incorporating ReceiveGUARD introduces a two-step filtering process. This involves first blocking promotional emails and then blocking fraudulent and hacking emails, ultimately ensuring that you only receive safe emails.
Most malware is discovered and registered on sites like VirusTotal a few days after its detection. Known malware is accompanied by detailed information, but newly emerging malware patterns are not yet registered, making detection challenging using conventional methods. Such cases are classified as novel or new malware.
The ultimate goal of malware is to control or disrupt the operation of a user’s computer. Zero-day malware is characterized by engaging in malicious activities such as unauthorized access to memory, deletion and creation of files, and data manipulation, all without the user’s permission, in order to achieve these objectives.
Our ReceiveGUARD solution detects malware through the utilization of virtual machine technology for file execution and behavioral analysis. This technology addresses delay issues when dealing with a large volume of inbound emails and enhances efficiency by appropriately allocating resources based on the type of file inspection.
The ITU-T X.1236 standard emphasizes a multi-layered inspection approach rather than relying on specific technologies. Initially, the first-stage antivirus inspection detects malicious files, ransomware, and other attachments in emails. As undetected attachments may potentially contain novel malicious files, the second-stage behavioral analysis inspection analyzes the behavior of attachments in a Windows environment, identifying any attempts to forcibly install within specific folders or alter system settings. This multi-step inspection approach evaluates malware from multiple perspectives, enhancing detection rates and effectively utilizing the resources of virtual machine technology.
The ‘URL Endpoint Tracking’ feature examines all links within received emails to detect malicious code. With an increase in attacks hiding malware not only in the email body but also within attachments or large compressed files, it has become crucial to open and inspect all inactive links within emails to identify any suspicious behavior. This is the core functionality of the URL endpoint tracking feature.
Typically, endpoint tracking functionality is considered implemented when links up to the 30th iteration are examined. While the technology for inspecting malicious behavior in virtual environments has rapidly advanced, there are still limitations. The number of links to be inspected can exponentially increase as multiple redirections may be concealed within a single link. Therefore, checking up to the 30th link is generally deemed to provide a sufficient level of security in most situations.
A representative secondary security measure involves converting links within the email body into images.
Recently, there has been an increase in time-gap attacks where hackers initially send benign emails and later link them to malicious code before users open the emails. The post-URL inspection feature is designed to prevent such time-gap attacks. This ensures that even if an email is received safely initially, connecting malicious code when the user opens it can be prevented.
First, an initial URL endpoint tracking inspection is conducted on the received email, and legitimate emails are delivered to the mailbox. Subsequently, every time a user opens the email and clicks on a link, post-URL inspection is performed on that specific link. If any suspicious behavior or malicious activity is detected, it plays a role in blocking the email or link, or notifying the user of potential issues.
‘URL Endpoint Tracking’ inspects the links in the email body for malicious behavior when the email first arrives. In contrast, ‘Post-URL Inspection’ continuously verifies the safety of specific links each time a user clicks on them, even after the email has entered the mailbox. It examines all links, not just when receiving the email but also after it has entered the mailbox, aiming to prevent users from being exposed to malicious code.
A ‘Look-alike Domain’ refers to a domain that has been crafted to closely resemble a legitimate one. Hackers modify the domain slightly to create an address that appears trustworthy, aiming to confuse and deceive users. In this manner, hackers send emails containing realistic content, such as requests to verify quotes, in an attempt to trick users into clicking on links or opening attachments within the email. Consequently, users may become vulnerable to attacks by malicious links or attachments embedded in the email.
The criteria for determining look-alike domains are subjective, and using a single criterion can lead to a high false positive rate or, conversely, a low detection rate. Therefore, when assessing look-alike domains, employing various criteria to differentiate the level of risk can reduce false positives and enhance the ability to detect actual threats. This multilayered approach enables more accurate detection of look-alike domains, ultimately strengthening the security of both users and organizations more effectively.
Within the company, each user utilizes a unique email address, and the email addresses used for communication are also distinct for each user. Look-alike domain attacks occur when users are deceived by addresses that resemble their familiar email addresses, leading them to open malicious emails or click on links. Therefore, it is essential to categorize the risk level for each user to implement customized security measures, constituting a crucial factor in providing more effective protection against security threats. A user-centric approach considers and offers effective methods to address the risks faced by each user for prevention.
Forged Header’ is a hacking technique where the attacker forges the sender’s email address to deceive the recipient. In this type of attack, the hacker typically manipulates either the username or domain part of the original email address when sending emails. Through this, the hacker disguises themselves as someone else or as a reputable entity, aiming to trick the recipient into trusting the email. Forged header is a form of social engineering attack commonly used to impersonate businesses, financial institutions, government agencies, or other trusted organizations. In more sophisticated forms, recent variations include intelligent techniques where the attacker’s address changes when the recipient clicks the reply button.
The primary method for checking forged header involves verifying compliance with email communication regulations during email transmission. To achieve this, sender authentication methods such as DMARK (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) are used. However, relying solely on checking regulatory compliance may still leave room for some types of attacks to bypass detection. Therefore, in ITU-T X.1236 standard, efforts are made to differentiate various types of sender attacks, enabling the utilization of specialized email security features tailored to each type.
‘Look-alike Domain’ and ‘Account Take-over (ATO)’ attacks share the similarity of forged header, but there is a difference in the displayed sender’s email address visible to the recipient. In ‘Look-alike Domain’ attacks, the attacker creates a similar email address using a legitimate domain to deceive the recipient. On the other hand, ‘ATO’ attacks involve the attacker gaining access to the actual sender’s email account and using it to send emails. In other words, both attacks often lack malicious elements in the email, making them challenging to detect, unlike header spoofing attacks.
Generally, a ‘Sender Location Change’ implies the registration of the IP address on a blacklist. In targeted email attacks, email addresses or senders deviating from the usual pattern of exchanging emails can be considered as potential risks for users. For instance, if a user regularly exchanges emails with business partners in Country A and suddenly receives an email from the same address but originating from Country B, the email sender’s IP address from Country B may be perceived as a deviation from the usual pattern, raising concerns as a potential risk for that specific user.
The sender’s IP address, email server, and email transmission route are crucial pieces of security information that can be utilized to detect attacks such as user account hacking or email server tampering. Importantly, these criteria can categorize a sender as a potentially risky source for specific users while being considered normal for others. Therefore, to defend against targeted email attacks, personalized email security technologies should be applied, taking into account individual user characteristics and patterns.
First, a basic inspection is conducted to verify the user registration status and blacklist registration of the email sender. This helps identify malicious or untrusted sources. Subsequently, a comparison between the current email sender information and previous sender information is made, and if a pattern difference is detected, measures such as blocking the email or issuing a warning are implemented. This helps prevent email fraud attacks and safeguards against potential risks such as the unauthorized disclosure of important information or incorrect fund transfers. Additionally, features are provided to facilitate effective management of risky senders by users or security administrators, considering factors like overseas business trips or global network issues.
ReceiveGUARD operates before reaching the mail server. As a result, it does not impact any of the emails that are currently in use, ensuring uninterrupted email communication.
ReceiveGUARD detects look-alike domains that are difficult to distinguish with the human-eye, and it provides warnings to both administrators and users. When replying to received emails, it can detect forged headers and issue warnings to the administrators and users. Moreover, it maintains records of the recipients when receiving mail from the same account, and if there’s a change in the sender, it alerts both administrators and users.
ReceiveGUARD stands out from other APT devices in several ways. While other APT devices primarily focus on detecting network APT and are limited to inspection in attachment files within emails, ReceiveGUARD is specifically designed for email security. It does not only inspects attachments, but also examines emails that do not contain malicious files. It adopts a machine learning approach to understand emails from organizations or enterprises that lack standardized filtering, allowing it to develop a customized filtering system for them. In addition, the file inspection method of other APT devices may often bypasses inspection if a queue is generated due to frequent undelivered emails. In contrast, ReceiveGUARD efficiently performs inspections to facilitate flexible data sharing.
The Cube engine operates using AI learning. It acts as an ‘attachment and URL inspection device’ and performs initial virus detection (vaccine check) on files. If no issues are found during the vaccine check, the files then undergo behavioral analysis inspections. These inspection areas cover attachment files, URLs in the email body (download inspection), and URLs within attached documents. It directly accesses the maliciousness of URLs to up to their endpoints. Moreover, it executes files downloaded from URLs to verify their maliciousness.
The email block could occur due to various filtering rules such as different IP addresses, sending routes, look-alike domains, or look-alike email addresses that led to the blocking. In other words, there may be a possibility of forgery or modification. To address this, you have the option to use the “Send and Allow” buttons at the top of the blocked email report. This allows you to re-learn and deliver the email to the intended recipient. However, if a malicious URL attachment is detected, it will be blocked once more and noted in the Undelivered Report.
Pressing the “Allow” button triggers the email-learning process, but does not automatically deliver the email to the recipient. If you wish to both receive the email and have it recognized as ‘legitimate’, you should use the “Send and Allow” button. Subsequently, if emails with the same information are received afterwards, they will not be blocked as they are then considered as legitimate emails.
The Email Security Reporting System provides users with a report that verifies the safety of received emails. In this process, the report is generated based on collected data regarding the email security status of the domain or server. Additionally, the system evaluates the risk level of all emails, regularly offering blocked email information to security administrators and users. If an email with suspected security issues is delivered, a warning message, along with the email subject, prompts the user to exercise caution.
Email security involves not only the system itself but also considerations for the roles of users and administrators. Due to instances where users lack an understanding of email security or fail to recognize security measures, vulnerabilities can arise. Therefore, email security reporting systems play a crucial role in enhancing security awareness and response for both users and administrators. Implementing detailed reports, summary reports, and similar features enables effective awareness and response to security threats.
In one case, a cybersecurity consulting firm effectively utilized email security reporting from a consulting perspective. The firm’s client was targeted in an attempted account takeover attack, but the email security reporting system detected this, allowing for preemptive action to prevent information leakage. Therefore, such cases serve as excellent examples highlighting the importance of email security reporting systems. Effectively leveraging email security reporting systems enables businesses and clients to address a variety of potential threats.
It can be divided into three categories as follows:
Firstly, when the sender intentionally or unintentionally leaks important files and information.
Secondly, when the sender’s account is compromised by hackers, leading to the spread of malicious viruses to third parties.
Thirdly, when users send emails to fraudulent or suspicious addresses.
First, the outbound email is checked to ensure it complies with conditions set by the administrator, such as the subject, body, and attached files. Subsequently, it is sequentially examined for the presence of malicious code and whether the email address is associated with malicious activities. If everything appears to be in order, it undergoes approval from the administrator before being sent. In addition to these basic checks, auxiliary features like queue management and prevention of bulk email sending may be employed.
Email encryption technology is designed not only to ensure the confidentiality of emails during transmission but also to enhance the management of emails that have already been sent. This includes features such as email encryption settings, tracking the number and location of email views, and control over who can access and view the emails.
To prevent email information leaks, a recall feature is essential, allowing the sender to set limits on the number of views and the time duration for email access. This feature helps prevent email leakage from compromised recipient accounts by enabling senders to retract or limit access to the email.
The ‘Attachment Transmission Management’ function refers to a feature associated with sending email that allows effective management and tracking of files attached during transmission. This functionality is designed to efficiently monitor attached files, detecting any attempts at leakage, for instance. The implementation method often involves enhancing security by changing the download links of files stored in the cloud to links provided by a security solution, thereby separating them from the cloud storage.
The typical process involves three main steps. First, when sending an email with a file download link from the cloud in the email body, the outgoing email security solution downloads the file. Subsequently, the outgoing email security solution or a separate storage space saves the file and generates a secure link for downloading. Finally, the download link from the cloud storage is replaced with the secure link, and the cloud storage link is deleted. This way, the outgoing email security solution separates the cloud storage and file downloads, effectively preventing information leakage by detecting any attempted breaches.
To effectively block targeted email attacks, managing the leakage of attachments from sent emails is crucial. For instance, when uploading attachments to cloud storage and sharing links, indiscriminate access permissions can pose a risk of leaking emails, documents, user information, and more. Recognizing and managing such situations is now incorporated as a feature in the ITU-T X.1236 standard.
In a corporate environment where the internal network is separate from the external network, when a sender attaches a link for a large file download, it is stored in the internal network. This makes it difficult for recipients who do not have access to the internal network to download the file. Considering this scenario, security features have been included in the requirements to store large files in the external network rather than the internal network, enabling recipients to easily download them.
All-In-One Security
An All-In-One Inbound/Outbound Email Security is an email security solution that can be integrated with a company’s mail server to enhance security. SECUMAIL is an email security service for enterprises that provides tailored security features for comprehensive inbound and outbound email protection within an optimized environment.
The All-In-One Inbound/Outbound Email Security is an integrated email security solution that can effectively address all email-related issues from reception to transmission in one go. It combines SpamGUARD to block spam and ReceiveGUARD, an intelligent solution for blocking phishing emails, ensuring that only safe emails are received. SendGUARD protects the outbound email segment.
What security data needs to be synchronized between the inbound and outbound email security systems?
These include fraudulent or similar email addresses. Since these are email addresses created by attackers that may appear legitimate, it is crucial to synchronize them between the inbound and outbound email security systems to prevent related threats. Additionally, synchronizing data related to emerging malware, suspicious account compromises, and other similar information is recommended. This enhances the accuracy and efficiency of security inspections, effectively strengthening an organization’s email security.
Targeted email attacks are sophisticated forms of attacks that focus on specific individuals. These attacks not only target the individuals directly but also exploit vulnerabilities in email servers and security solutions. Therefore, to effectively block attacks against specific targets, it is necessary to address not only direct attacks on the target but also circumvention attacks. This is why common security requirements are essential.
First, safety checks for email addresses registered in the whitelist. If an email address or domain is registered in the whitelist, emails from that address are generally considered trustworthy. However, with the increasing threat of targeted email attacks, it is necessary to inspect emails from whitelisted addresses for the potential of targeted email attacks. This measure aims to exclude the possibility of emails from whitelisted addresses being propagated through compromised accounts or containing malware.
Second, the capability to change the folder structure of the email security solution. To prevent hackers from analyzing the folder structure of the email security solution to bypass the detection of malware or malicious activities, it is essential to periodically change the folder structure.
Third, compatibility of security data for incoming and outgoing emails. Security data compatibility assists in preventing user errors or hacking attacks. Even if a user account is compromised or an attack occurs through a malicious email address, compatible data allows for the swift detection and response to such incidents. Moreover, it enhances the speed and detection rate of inspecting malware and phishing emails, improving the overall performance of the email security solution with faster inspection and response times.
The key consideration of international standards is to address targeted email attacks by not relying on specific technologies and considering all possibilities associated with such attacks. As a result, common security requirements are designed to account for various attack types, and non-compliance may leave vulnerabilities to certain targeted email attacks.
Inbound Security
ReceiveGUARD is an intelligent mail firewall device that can preemptively respond to Advanced Persistent Threat (APT) attacks efficiently. Once the device is installed in the server room, you can immediately begin utilizing the ReceiveGUARD services it offers.
ReceiveGUARD is an appliance device, which means it may have a finite operational lifespan. While there isn’t a predefined duration for the device’s lifespan, you can replace the storage space (HDD) inside the device as necessary, ensuring its continued functionality.
ReceiveGUARD is an appliance device, and installation is straightforward. Once the device is installed in the server room and connected via a LAN line, the installation process is complete. Basic configuration typically takes around 30 minutes, after which you can commence using ReceiveGUARD’s services. The learning period for ReceiveGUARD to properly filter emails spans about two weeks, and once completed, you will only receive safe emails.
The SCM 117 model of ReceiveGUARD is capable of managing daily email volumes spanning from 800,000 to 1 million emails. Even when faced with a substantial influx of emails, it can process them in real-time without any issues. In fact, many large enterprises, such as H Corporation and L Corporation, are currently using ReceiveGUARD for real-time email delivery.
ReceiveGUARD incorporates a Virtual Area (VA) in which it can analyze emails and stores it after encrypting the data. Through this VA, the device can automatically generate filtering criteria for the next-received emails based on the analysis of previous data. This function is what distinguishes it as an intelligent-learning mail firewall device.
We provide reports through the admin account of ReceiveGUARD. These reports include statistics on why emails were blocked, the frequency of such blocks, and other relevant information to assist you in more effective email management.
The Virtual Area (VA) within ReceiveGUARD directly examines malicious code files, and its configuration environment is entirely distinct from that of a regular PC. Consequently, opening malicious code files within the VA poses no risk of infecting the device with a virus whatsoever.
ReceiveGUARD conducts direct inspections of executable files and attachments in emails through the Virtual Area (VA) to assess their safety. This approach ensures a high level of accuracy when inspecting attached files in emails. Furthermore, it can detect viruses such as ransomware by utilizing regularly updated antivirus engines.
While ReceiveGUARD is an appliance-based solution, we offer a rental service called R-Cloud for customers who may find purchasing the appliance financially challenging. With this service, you can enjoy ReceiveGUARD’s robust security features at a more affordable price.
ReceiveGUARD employs a fundamentally distinct analysis approach in contrast to other APT devices. Instead of relying on pre-existing filtering data, it analyzes emails in real time, based on accumulated data within the device. This approach enables various unique analyses that other devices cannot perform, such as URL endpoint tracking, attachment forgery analysis, and the reliability level testing.
Do I need to enter the ID and password for automatic access when checking the ‘Undelivered Reports’?
The initial settings require you to enter the IP address and password for security reasons, but you have the option to switch to the automatic authentication method. When your company administrator changes the login authentication method to automatic authentication in [Settings > System Settings > Undelivered Reports], all subsequent Undelivered Reports will be automatically connected without the need for manual entry.
This setting can only be set by your company’s administrator. If you wish to make changes, please request your company’s administrator to do so in [Settings > System Settings > Undelivered Reports > Undelivered Reports Sending Time].
For security reasons, you can establish a connection to ReceiveGUARD through the most recently received Undelivered Report. By clicking “Check Blocked Mail” in the most recent Undelivered Report, it will synchronize with ReceiveGUARD, and the entire email will be displayed.
This issue could arise if Undelivered Reports are disabled in your settings. If you wish to receive Undelivered Reports, you should contact your company’s administrator and request them to enable Undelivered Reports in the settings under [Settings > System Settings > Undelivered Reports].
This occurs because there are no blocked emails in your settings. Undelivered Reports are sent when there are blocked emails to report.
ReceiveGUARD employs a fundamentally distinct analysis approach in contrast to other APT devices. Instead of relying on pre-existing filtering data, it analyzes emails in real time, based on accumulated data within the device. This approach enables various unique analyses that other devices cannot perform, such as URL endpoint tracking, attachment forgery analysis, and the reliability level testing.
Both SpamGUARD and ReceiveGUARD serve as inbound email security devices. SpamGUARD is designed to block promotional emails, while ReceiveGUARD is specifically employed to block fraudulent and hacking emails. While many email systems typically rely solely on SpamGUARD, incorporating ReceiveGUARD introduces a two-step filtering process. This involves first blocking promotional emails and then blocking fraudulent and hacking emails, ultimately ensuring that you only receive safe emails.
Most malware is discovered and registered on sites like VirusTotal a few days after its detection. Known malware is accompanied by detailed information, but newly emerging malware patterns are not yet registered, making detection challenging using conventional methods. Such cases are classified as novel or new malware.
The ultimate goal of malware is to control or disrupt the operation of a user’s computer. Zero-day malware is characterized by engaging in malicious activities such as unauthorized access to memory, deletion and creation of files, and data manipulation, all without the user’s permission, in order to achieve these objectives.
Our ReceiveGUARD solution detects malware through the utilization of virtual machine technology for file execution and behavioral analysis. This technology addresses delay issues when dealing with a large volume of inbound emails and enhances efficiency by appropriately allocating resources based on the type of file inspection.
The ITU-T X.1236 standard emphasizes a multi-layered inspection approach rather than relying on specific technologies. Initially, the first-stage antivirus inspection detects malicious files, ransomware, and other attachments in emails. As undetected attachments may potentially contain novel malicious files, the second-stage behavioral analysis inspection analyzes the behavior of attachments in a Windows environment, identifying any attempts to forcibly install within specific folders or alter system settings. This multi-step inspection approach evaluates malware from multiple perspectives, enhancing detection rates and effectively utilizing the resources of virtual machine technology.
The ‘URL Endpoint Tracking’ feature examines all links within received emails to detect malicious code. With an increase in attacks hiding malware not only in the email body but also within attachments or large compressed files, it has become crucial to open and inspect all inactive links within emails to identify any suspicious behavior. This is the core functionality of the URL endpoint tracking feature.
Typically, endpoint tracking functionality is considered implemented when links up to the 30th iteration are examined. While the technology for inspecting malicious behavior in virtual environments has rapidly advanced, there are still limitations. The number of links to be inspected can exponentially increase as multiple redirections may be concealed within a single link. Therefore, checking up to the 30th link is generally deemed to provide a sufficient level of security in most situations.
A representative secondary security measure involves converting links within the email body into images.
Recently, there has been an increase in time-gap attacks where hackers initially send benign emails and later link them to malicious code before users open the emails. The post-URL inspection feature is designed to prevent such time-gap attacks. This ensures that even if an email is received safely initially, connecting malicious code when the user opens it can be prevented.
First, an initial URL endpoint tracking inspection is conducted on the received email, and legitimate emails are delivered to the mailbox. Subsequently, every time a user opens the email and clicks on a link, post-URL inspection is performed on that specific link. If any suspicious behavior or malicious activity is detected, it plays a role in blocking the email or link, or notifying the user of potential issues.
‘URL Endpoint Tracking’ inspects the links in the email body for malicious behavior when the email first arrives. In contrast, ‘Post-URL Inspection’ continuously verifies the safety of specific links each time a user clicks on them, even after the email has entered the mailbox. It examines all links, not just when receiving the email but also after it has entered the mailbox, aiming to prevent users from being exposed to malicious code.
A ‘Look-alike Domain’ refers to a domain that has been crafted to closely resemble a legitimate one. Hackers modify the domain slightly to create an address that appears trustworthy, aiming to confuse and deceive users. In this manner, hackers send emails containing realistic content, such as requests to verify quotes, in an attempt to trick users into clicking on links or opening attachments within the email. Consequently, users may become vulnerable to attacks by malicious links or attachments embedded in the email.
The criteria for determining look-alike domains are subjective, and using a single criterion can lead to a high false positive rate or, conversely, a low detection rate. Therefore, when assessing look-alike domains, employing various criteria to differentiate the level of risk can reduce false positives and enhance the ability to detect actual threats. This multilayered approach enables more accurate detection of look-alike domains, ultimately strengthening the security of both users and organizations more effectively.
Within the company, each user utilizes a unique email address, and the email addresses used for communication are also distinct for each user. Look-alike domain attacks occur when users are deceived by addresses that resemble their familiar email addresses, leading them to open malicious emails or click on links. Therefore, it is essential to categorize the risk level for each user to implement customized security measures, constituting a crucial factor in providing more effective protection against security threats. A user-centric approach considers and offers effective methods to address the risks faced by each user for prevention.
Forged Header’ is a hacking technique where the attacker forges the sender’s email address to deceive the recipient. In this type of attack, the hacker typically manipulates either the username or domain part of the original email address when sending emails. Through this, the hacker disguises themselves as someone else or as a reputable entity, aiming to trick the recipient into trusting the email. Forged header is a form of social engineering attack commonly used to impersonate businesses, financial institutions, government agencies, or other trusted organizations. In more sophisticated forms, recent variations include intelligent techniques where the attacker’s address changes when the recipient clicks the reply button.
The primary method for checking forged header involves verifying compliance with email communication regulations during email transmission. To achieve this, sender authentication methods such as DMARK (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) are used. However, relying solely on checking regulatory compliance may still leave room for some types of attacks to bypass detection. Therefore, in ITU-T X.1236 standard, efforts are made to differentiate various types of sender attacks, enabling the utilization of specialized email security features tailored to each type.
‘Look-alike Domain’ and ‘Account Take-over (ATO)’ attacks share the similarity of forged header, but there is a difference in the displayed sender’s email address visible to the recipient. In ‘Look-alike Domain’ attacks, the attacker creates a similar email address using a legitimate domain to deceive the recipient. On the other hand, ‘ATO’ attacks involve the attacker gaining access to the actual sender’s email account and using it to send emails. In other words, both attacks often lack malicious elements in the email, making them challenging to detect, unlike header spoofing attacks.
Generally, a ‘Sender Location Change’ implies the registration of the IP address on a blacklist. In targeted email attacks, email addresses or senders deviating from the usual pattern of exchanging emails can be considered as potential risks for users. For instance, if a user regularly exchanges emails with business partners in Country A and suddenly receives an email from the same address but originating from Country B, the email sender’s IP address from Country B may be perceived as a deviation from the usual pattern, raising concerns as a potential risk for that specific user.
The sender’s IP address, email server, and email transmission route are crucial pieces of security information that can be utilized to detect attacks such as user account hacking or email server tampering. Importantly, these criteria can categorize a sender as a potentially risky source for specific users while being considered normal for others. Therefore, to defend against targeted email attacks, personalized email security technologies should be applied, taking into account individual user characteristics and patterns.
First, a basic inspection is conducted to verify the user registration status and blacklist registration of the email sender. This helps identify malicious or untrusted sources. Subsequently, a comparison between the current email sender information and previous sender information is made, and if a pattern difference is detected, measures such as blocking the email or issuing a warning are implemented. This helps prevent email fraud attacks and safeguards against potential risks such as the unauthorized disclosure of important information or incorrect fund transfers. Additionally, features are provided to facilitate effective management of risky senders by users or security administrators, considering factors like overseas business trips or global network issues.
No, there are no complex requirements. You can receive the service by simply modifying the DNS information of your existing mail server. If you are planning to set up a new email infrastructure, implementing ReceiveGUARD alongside with SECUMAIL can significantly enhance your email security.
Spam-prevention appliance is widely used, and ReceiveGUARD is designed with the assumption that organizations (enterprises) already have such appliances in place. Hence, we strongly recommend the adoption of ReceiveGUARD for its services. Additionally, other APT appliances may operate on distinct security principles compared to ReceiveGUARD, so while using ReceiveGUARD alongside them can enhance security, ReceiveGUARD on its own offers comprehensive email security with its full range of features.
ReceiveGUARD operates before reaching the mail server. As a result, it does not impact any of the emails that are currently in use, ensuring uninterrupted email communication.
ReceiveGUARD detects look-alike domains that are difficult to distinguish with the human-eye, and it provides warnings to both administrators and users. When replying to received emails, it can detect forged headers and issue warnings to the administrators and users. Moreover, it maintains records of the recipients when receiving mail from the same account, and if there’s a change in the sender, it alerts both administrators and users.
ReceiveGUARD stands out from other APT devices in several ways. While other APT devices primarily focus on detecting network APT and are limited to inspection in attachment files within emails, ReceiveGUARD is specifically designed for email security. It does not only inspects attachments, but also examines emails that do not contain malicious files. It adopts a machine learning approach to understand emails from organizations or enterprises that lack standardized filtering, allowing it to develop a customized filtering system for them. In addition, the file inspection method of other APT devices may often bypasses inspection if a queue is generated due to frequent undelivered emails. In contrast, ReceiveGUARD efficiently performs inspections to facilitate flexible data sharing.
The Cube engine operates using AI learning. It acts as an ‘attachment and URL inspection device’ and performs initial virus detection (vaccine check) on files. If no issues are found during the vaccine check, the files then undergo behavioral analysis inspections. These inspection areas cover attachment files, URLs in the email body (download inspection), and URLs within attached documents. It directly accesses the maliciousness of URLs to up to their endpoints. Moreover, it executes files downloaded from URLs to verify their maliciousness.
The email block could occur due to various filtering rules such as different IP addresses, sending routes, look-alike domains, or look-alike email addresses that led to the blocking. In other words, there may be a possibility of forgery or modification. To address this, you have the option to use the “Send and Allow” buttons at the top of the blocked email report. This allows you to re-learn and deliver the email to the intended recipient. However, if a malicious URL attachment is detected, it will be blocked once more and noted in the Undelivered Report.
Pressing the “Allow” button triggers the email-learning process, but does not automatically deliver the email to the recipient. If you wish to both receive the email and have it recognized as ‘legitimate’, you should use the “Send and Allow” button. Subsequently, if emails with the same information are received afterwards, they will not be blocked as they are then considered as legitimate emails.
This issue is likely due to an incorrect encoding method used by the sender. You should notify the sender and provide them with the EML file for their review and correction.
This issue could be due to incorrect encoding settings in Outlook. Please review the encoding settings and select ‘Unicode’ in the encoding menu for receiving emails in Outlook.
This issue may be caused by errors in the sender’s email configuration, such as an incorrect IP or ID. We suggest contacting the sender to verify if the email has been returned to them, and to request that they resend it with the accurate information.
If an email is not appearing in ReceiveGUARD’s Undelivered Report, it might be due to threat detection and blocking based on filtering rules. You should verify whether the email was categorized as spam by ReceiveGUARD. If necessary emails have been mistakenly blocked, you can contact the administrator to review the spam-blocking settings and request the recovery of these emails. If you continue to encounter problems with receiving emails, you can also request the sender to resend them using the “Send and Allow” button to help train the system and prevent further blocking.
If you’ve received an Undelivered Report, it indicates that a threat was detected in the received email, and ReceiveGUARD blocked it based on filtering rules. To address this, the recipient should review the blocked content from the Undelivered Report received at the set time and, if it’s confirmed that there are no issues, click the “Send” button in the block report to deliver the email. If you wish to continue receiving the same type of email in the future, you can use the “Send and Allow” button to train the system. However, it’s important to note that if subsequent emails contain malicious files, come from different sending IP addresses, or include malicious URL in attachments, they will be blocked again and will be listed in the Undelivered Reports.
Registration is necessary for this process. Please contact the administrator for assistance. You can enter the company’s country name and IP range in the [Settings > GDPR Country Management] section.
To add recipients as GDPR subjects, a separate registration process is necessary. You can manually register subjects by selecting the recipients in the [Settings > GDPR Subject Management] section. Alternatively, you have the option to perform batch registration using Excel/CSV files.
In such cases where the situation extends beyond the country or IP information provided by the EU, it is advisable to contact the administrator for further assistance.
This issue typically arises from incorrect settings on the mail server, leading to the distribution of reports to all recipients. If adjusting the mail server settings does not resolve the problem, you can navigate to [Settings > System Settings > Undelivered Report Management > Undelivered Report Recipient]. There, you can select the actual recipient for sending reports, ensuring that reports will only be sent to the selected recipients.
The RCPT Inspection in ReceiveGUARD verifies the actual email accounts used for receiving mail against the mail server. The issue you are encountering may be due to the incorrect settings on the mail server, causing it to mistakenly consider some unused accounts as active. To resolve this, you should contact the mail server administrator, and have them make the necessary adjustments.
For example, if the email account does not exist, you might encounter an error message as below:
<< RCPT TO:
>>550… No such user
This issue occurs because you have disabled the RCPT (mail account check communication) Inspection . To rectify this, you can change the RCPT inspection setting to ‘Enable’ in the system settings under [Settings > System Settings > Operation Management > Default Operation].
To adjust the delivery time settings for Admin Reports, you can navigate to [Settings > System Settings > Admin Report > Delivery Time] and select the time that suits your preference.
You can configure the warning message for each email domain of the companies. To do this, you can add or delete phrases in the [Settings > Email Phrase Settings] section.
You can request the administrator to adjust the number of IDs managed by ReceiveGuard. If the number of IDs exceeds the contracted limit, you can have the contract terms adjusted accordingly. To do this, contact the administrator and ask for the selection of IDs to align with the contracted number of IDs.
You can modify the settings by marking the ‘Delivered’ checkbox for Filtering in [Settings > System settings > Operation Management > Mail Delivery > Delivery of Filtered Mails].
The Email Security Reporting System provides users with a report that verifies the safety of received emails. In this process, the report is generated based on collected data regarding the email security status of the domain or server. Additionally, the system evaluates the risk level of all emails, regularly offering blocked email information to security administrators and users. If an email with suspected security issues is delivered, a warning message, along with the email subject, prompts the user to exercise caution.
Email security involves not only the system itself but also considerations for the roles of users and administrators. Due to instances where users lack an understanding of email security or fail to recognize security measures, vulnerabilities can arise. Therefore, email security reporting systems play a crucial role in enhancing security awareness and response for both users and administrators. Implementing detailed reports, summary reports, and similar features enables effective awareness and response to security threats.
In one case, a cybersecurity consulting firm effectively utilized email security reporting from a consulting perspective. The firm’s client was targeted in an attempted account takeover attack, but the email security reporting system detected this, allowing for preemptive action to prevent information leakage. Therefore, such cases serve as excellent examples highlighting the importance of email security reporting systems. Effectively leveraging email security reporting systems enables businesses and clients to address a variety of potential threats.
Outbound Security
An All-In-One Inbound/Outbound Email Security is an email security solution that can be integrated with a company’s mail server to enhance security. SECUMAIL is an email security service for enterprises that provides tailored security features for comprehensive inbound and outbound email protection within an optimized environment.
The All-In-One Inbound/Outbound Email Security is an integrated email security solution that can effectively address all email-related issues from reception to transmission in one go. It combines SpamGUARD to block spam and ReceiveGUARD, an intelligent solution for blocking phishing emails, ensuring that only safe emails are received. SendGUARD protects the outbound email segment.
What security data needs to be synchronized between the inbound and outbound email security systems?
These include fraudulent or similar email addresses. Since these are email addresses created by attackers that may appear legitimate, it is crucial to synchronize them between the inbound and outbound email security systems to prevent related threats. Additionally, synchronizing data related to emerging malware, suspicious account compromises, and other similar information is recommended. This enhances the accuracy and efficiency of security inspections, effectively strengthening an organization’s email security.
It can be divided into three categories as follows:
Firstly, when the sender intentionally or unintentionally leaks important files and information.
Secondly, when the sender’s account is compromised by hackers, leading to the spread of malicious viruses to third parties.
Thirdly, when users send emails to fraudulent or suspicious addresses.
First, the outbound email is checked to ensure it complies with conditions set by the administrator, such as the subject, body, and attached files. Subsequently, it is sequentially examined for the presence of malicious code and whether the email address is associated with malicious activities. If everything appears to be in order, it undergoes approval from the administrator before being sent. In addition to these basic checks, auxiliary features like queue management and prevention of bulk email sending may be employed.
Email encryption technology is designed not only to ensure the confidentiality of emails during transmission but also to enhance the management of emails that have already been sent. This includes features such as email encryption settings, tracking the number and location of email views, and control over who can access and view the emails.
To prevent email information leaks, a recall feature is essential, allowing the sender to set limits on the number of views and the time duration for email access. This feature helps prevent email leakage from compromised recipient accounts by enabling senders to retract or limit access to the email.
The ‘Attachment Transmission Management’ function refers to a feature associated with sending email that allows effective management and tracking of files attached during transmission. This functionality is designed to efficiently monitor attached files, detecting any attempts at leakage, for instance. The implementation method often involves enhancing security by changing the download links of files stored in the cloud to links provided by a security solution, thereby separating them from the cloud storage.
The typical process involves three main steps. First, when sending an email with a file download link from the cloud in the email body, the outgoing email security solution downloads the file. Subsequently, the outgoing email security solution or a separate storage space saves the file and generates a secure link for downloading. Finally, the download link from the cloud storage is replaced with the secure link, and the cloud storage link is deleted. This way, the outgoing email security solution separates the cloud storage and file downloads, effectively preventing information leakage by detecting any attempted breaches.
To effectively block targeted email attacks, managing the leakage of attachments from sent emails is crucial. For instance, when uploading attachments to cloud storage and sharing links, indiscriminate access permissions can pose a risk of leaking emails, documents, user information, and more. Recognizing and managing such situations is now incorporated as a feature in the ITU-T X.1236 standard.
In a corporate environment where the internal network is separate from the external network, when a sender attaches a link for a large file download, it is stored in the internal network. This makes it difficult for recipients who do not have access to the internal network to download the file. Considering this scenario, security features have been included in the requirements to store large files in the external network rather than the internal network, enabling recipients to easily download them.
When using portal email services such as Gmail or Outlook for business purposes, it can be challenging to maintain focus on work due to the influx of various promotional and personal emails alongside work-related ones. Additionally, companies are susceptible to financial losses, network disruptions, data leaks, and other security incidents resulting from email-related issues. To efficiently manage emails and mitigate the risks of these problems, a dedicated business-specific email security service is necessary.
‘SECUMAIL’ is a business-specific email security service designed to enhance work efficiency by providing a secure email environment and various necessary features for work. It combines both blocking of phishing-mail and ReceiveGUARD’s proactive APT attack response features to offer a more robust and secure email security service.
The “All-In-One Inbound/Outbound Email Security” is an email security solution that can be integrated with a company’s mail server to enhance security. On the other hand, “SECUMAIL” is a secure email service designed for enterprises, providing an optimized environment with all the security features of the email security solution, which includes SpamGUARD, ReceiveGUARD, and SendGUARD.
SECUMAIL is an email service that includes the security features of the Mail Inspector Platform’s All-in-One email security solution, which consists of ‘SpamGUARD,’ ‘ReceiveGUARD,’ and ‘SendGUARD.’ When it comes to receiving emails, SECUMAIL effectively blocks various types of fraudulent and virus emails, ensuring that only safe emails are delivered to your inbox. On the sending side, it offers mail control features, which may seek approval from administrators before sending emails or retrieve of mistakenly sent emails. To combat various phishing emails, SECUMAIL offers features such as address filtering and secure mail. It is also compatible with Microsoft Outlook for ease of use.
SECUMAIL is an email service, while ReceiveGUARD is a mail firewall product. If your company operates a mail server and aims to enhance the security of your current mail system, it is advisable to implement ReceiveGUARD. On the other hand, if your company does not host a mail server and you seek email security, you can use the SECUMAIL service. You also have the flexibility to combine the robust security of ReceiveGUARD with the convenience of SECUMAIL for an integrated and convenient solution.
If you use SECUMAIL’s hosting service, you can enjoy secure email security without the need to purchase the ReceiveGUARD appliance separately. Secure email security is included as part of the email hosting service.
SECUMAIL uses a self-developed mail engine built upon on the Mail Inspector Platform, enabling us to offer a customizable mail service tailored to your specific requirements. You have the flexibility to choose the necessary functions that best meet your needs and make the most of what SECUMAIL has to offer.
Yes, SECUMAIL, through its included inbound email-filtering device ReceiveGUARD, can detect ransomware emails. ReceiveGUARD directly examines attachments and assesses whether there is any potentially harmful behavior that could affect your computer, allowing for the detection of new ransomware threats.
Emails frequently contain vital information related to individuals, businesses, or organizations. Therefore, control features are essential to prevent and respond to incidents of information leakage, even for emails that have already been sent. Furthermore, with the strengthened Personal Information Protection Act, these features are becoming more crucial and necessary for compliance and data security.
Please fill out the online inquiry form through the ‘Contact Us’ section on the Mail Inspector website’s top menu to submit your query.
Yes, you can synchronize SECUMAIL and Outlook without the need for any program installation. However, please be aware that this function is exclusively available for the ‘SECUMAIL Premium’ service. If you are using Outlook and wish to use SECUMAIL, you should sign up for the ‘SECUMAIL Premium’ service.
SECUMAIL provides reports that allow you to review the filtering outcomes of blocked emails.
No, SECUMAIL enables you to send large attachments without any issues. Moreover, it automatically converts large attachments into links for file downloads when sending, ensuring compatibility with Outlook as well.
SECUMAIL’s email archiving service provides a default storage period of one month. However, you have the flexibility to extend the storage period for a longer duration as required, and this can be configured at any time through the administrator account.
SECUMAIL typically offers a default email storage space of 1GB. If you find that you need more storage space, you can contact our support team to request an increase in storage capacity. Additionally, you can free up space by deleting old emails if necessary.
Yes, SECUMAIL’s secure email service offers multilingual supports and can send SMS notifications internationally, including countries like China and Japan.
If you use SECUMAIL’s “Secu Island” service, we provide a dedicated email server that is exclusively allocated for your company’s use.
When you adopt SECUMAIL’s service, administrator privileges are initially set up for specific accounts. Expanding administrator privileges is possible, and for any issues that cannot be resolved using administrator privileges, you can always contact us for assistance, and we will address these concerns within the Mail Inspector Platform.
All the features of SECUMAIL have been developed in-house. We will consider and develop additional features based on customer requests, especially if there is a demand for these features from multiple customers.
SECUMAIL can seamlessly handle large attachments without any issues. When sending large attachments, they are automatically converted into download links, allowing you to send them without any issues. This approach is also compatible with Outlook, ensuring a smooth email experience.