PRE-Crime™ targeted attack defense preemptively detects the most sophisticated in-progress Business Email Compromise (BEC) attacks targeting you, your suppliers and your clients, preventing the cybercrime.
RMail's Active Tracker™ technology actively monitors outbound email activity by IP, providing valuable information on who is reading emails, where they are being read from, on what devices, and more. If hazardous activity is detected, RMail instantly delivers an Email Eavesdropping™ alert to admins and/or senders, depending on your specific configuration.
As an admin, you can determine what constitutes "hazardous" activity by managing granular configurations in the RPortal admin interface. BEC attacks often involve a cybercriminal hacking and spoofing emails to impersonate a legitimate sender, with the goal of accessing sensitive information or financial gain (such as wire fraud). Email Eavesdropping™ alerts can accurately detect BEC attacks in progress and alert victims in time to prevent theft.
This article covers the following topics:
- Active Tracker™ Report
- Email Eavesdropping™ Report
- Aggregate Admin Report
- Admin Configurations in RPortal
Active Tracker™ Report
The report indicates the security level (for example, green) of the email open zone that triggered the notification, the number of opens, the number of locations where your company's email was viewed, and a world map highlighting the geographic location where the open took place.
The report then lists all activity on your email, with details and timestamps per geolocation and IP address, plus the risk level of that geolocation.
The details may include:
(M) The email was opened on a mobile device
(N) A content delivery network delivered the email data to the viewer via a webmail client
(V) The email was opened from a VPN anonymizer
(S) Activity determined to be caused by a server
(E) Activity determined to be from an expert user
(R) Activity determined to be related to a Russian-centric device
(K) Activity determined to be related to the nefarious behavior of masking data
(B) Activity determined to be related to automation scripts or bots
Lastly, the email provides the original message details, such as the original recipient, the original sender (in the admin report), the sent time and the transaction ID, and includes a deep forensic metadata record in case IT security needs to investigate a particular message further.
Email Eavesdropping™ Report
If the Active Tracker™ technology identifies unusual activity patterns, RMail generates an Email Eavesdropping™ instant alert and notifies IT admins (and optionally senders) in real time.
The Email Eavesdropping™ alerts include all the email forensics so that IT security specialists can validate the alert and take immediate action once the attacker has engaged, before the cyberattack is completed. An example of a cyberattack that this can help prevent is wire fraud.
Aggregate Admin Report
Admins can receive an Aggregate Report, where they can analyze the metrics of all emails sent in their company over a given period (daily, weekly, monthly, quarterly) and compare them against the previous period.
Admin Configurations in RPortal
The Email Active Tracker solution is configured in RPortal. If you are a Customer Administrator and do not have access to RPortal, contact your Sales or Customer Success representative. Note that the settings described below may not be available to all RPortal users. If you cannot follow the steps described below, contact your Sales or Customer Success representative.
To configure the Active Tracking solution, follow these steps:
1. Start by accessing RPortal.
2. Access the Company Accounts module.
3. Click the Settings tab.
4. Select the Pre-Crime option from the left menu. When the Eavesdropping Alert option is enabled, a series of settings becomes visible.
5. Configure the Sender Notification Sensitivity by selecting:
- Notification option: Notify on first activity, Notify of unique activity by IP, or Notify on every activity
- Alerts to include: Green, Yellow and/or Red
- Security Throttle:
  - Low: Single-factor activity tracking. It only tracks opening.
  - Medium: Multi-factor activity tracking. It tracks opening and international delivery status.
  - High: Multi-factor activity tracking plus VPN detection and analysis. It tracks opening and international delivery status, and it analyzes whether a VPN was used to open the email in question.
6. Configure the Admin Notification Sensitivity by clicking the Edit button. Select the Notification Options for each Alert Type and add the email addresses that you want to notify for each Alert Type.
7. Configure the Alert Email Exclusion Rules by clicking the Edit button. There are two available tabs: "Domain" and "Email Address". Enter a domain name or an email address and choose which alerts to exclude for it: Green, Yellow, Green & Yellow, or Red.
8. Configure the Base Risk Zones: Admins or MSPs can configure what constitutes a Green, Yellow and Red alert for their organization.
9. In the Countries tab, Admins can set which countries are green, yellow and red zones by clicking the Add/Edit button. Set the Risk Zones depending on where it would be expected or unexpected for the company's business emails to be opened. By default, any country that is not manually set to green or red is yellow. Use the arrows to move countries to the right or left as applicable.
For convenience, RPost offers three standard presets: Hot Zone Policy, US & Vacation Spot Policy, and US & European Vacation Spot Policy.
10. Admins can whitelist IPs by manually entering CIDR lists. This allows, for example, exempting specific networks in Red Zones from triggering red alerts.
11. Admins may also choose to whitelist specific networks, specific cities, or specific states.
12. Configure the Custom Risk Zones: a custom risk zone allows you to receive a specific type of alert based on the criteria you set up. You may add one or more combinations of the available criteria for a specific alert.
Note: Base Risk Zones are overridden by Custom Risk Zones configuration.
13. Configure the Anomalous Activities. This setting allows you to override the Base Risk Zones and Custom Risk Zones. The list of anomalous activities corresponds to the codes shown at the bottom of the Active Tracker and Eavesdropping reports.
Note: If the risk level assigned to an Anomalous Activity rule exceeds that of both the matching Base Risk Zone rule and the matching Custom Risk Zone rule, the risk level of the Anomalous Activity rule takes precedence, except:
- If a Base Risk Zone rule triggers a risk level higher than that of the Anomalous Activity rule, the higher Base Risk Zone level takes precedence, OR
- If a Custom Risk Zone rule overrides the Base Risk Zone rule, and the Anomalous Activity rule is not configured to override the Custom Risk Zone rule, the Custom Risk Zone rule takes precedence.
14. Go to the Aggregate Reports settings to choose which users the report is sent to and with what periodicity.
15. Go to Settings > Others to configure the Email Footer Message. This custom text may, for example, explain what the Eavesdropping alert is and what the recipient should do upon receiving a red alert.
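The precedence between Base Risk Zones, Custom Risk Zones, Anomalous Activities and the IP whitelist (steps 8 through 13) is easier to reason about as code. The following Python model is an added illustration, not RMail's implementation; the criteria used by the custom rules (country and report flags), the per-rule override switch on Anomalous Activities, and treating a whitelisted network as suppressing the red alert are assumptions.

```python
import ipaddress
from dataclasses import dataclass

LEVELS = {"green": 0, "yellow": 1, "red": 2}  # alert colours in increasing risk order

@dataclass
class CustomRule:
    countries: set            # assumed criterion: countries the rule applies to
    flags: set                # assumed criterion: report flags that must all be present
    level: str

@dataclass
class AnomalousRule:
    flag: str                 # report flag, e.g. "V" (VPN anonymizer) or "B" (bot)
    level: str
    overrides_custom: bool    # assumed per-rule switch behind "configured to override"

@dataclass
class PreCrimeConfig:
    base_zones: dict          # country -> colour; unset countries default to yellow
    custom_rules: list
    anomalous_rules: list
    whitelist: list           # CIDR strings exempted from red alerts

def resolve_level(cfg, country, ip, flags):
    """Alert colour for one open event; None when a whitelisted network suppresses a red alert."""
    level = cfg.base_zones.get(country, "yellow")              # Base Risk Zone, default yellow
    custom_hit = False
    for rule in cfg.custom_rules:
        if country in rule.countries and rule.flags <= flags:  # all criteria of the rule match
            level, custom_hit = rule.level, True               # Custom overrides Base
            break
    for rule in cfg.anomalous_rules:
        if rule.flag not in flags or (custom_hit and not rule.overrides_custom):
            continue                                           # not triggered, or Custom keeps precedence
        if LEVELS[rule.level] > LEVELS[level]:                  # only a higher Anomalous level wins;
            level = rule.level                                 # a higher Base/Custom level is kept
    if level == "red" and any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in cfg.whitelist):
        return None                                            # whitelisted network: no red alert
    return level

# Constructed example configuration (not real customer settings).
EXAMPLE_CFG = PreCrimeConfig(
    base_zones={"US": "green", "RU": "red"},
    custom_rules=[CustomRule(countries={"DE"}, flags={"V"}, level="green")],
    anomalous_rules=[AnomalousRule("V", "yellow", False), AnomalousRule("B", "red", True)],
    whitelist=["203.0.113.0/24"],
)
```

With this configuration a VPN open from Germany stays green because the Custom rule wins over the non-overriding "V" rule, while a bot open from the same country goes red because the "B" rule is configured to override Custom.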