Anti-Phishing settings
Expand all | Collapse all
With the help of the Anti-Phishing protection module, you can protect your company mailboxes against phishing, spoofing, conversation hijacking, BEC attacks and malicious links that can be sent in email messages.
Phishing links lead to fraudulent websites designed to steal the personal data of users, such as bank account details. A phishing attack can be disguised, for example, as a message from your bank with a link to its official website. If you click the link, you are redirected to an exact copy of the bank's website, and the browser might even display the bank website's address. However, you are actually on a spoofed (fake) website. All of your actions on the website are tracked and can be used to steal your personal data.
In spoofing and conversation hijacking attacks, malicious senders forge email addresses and content of the messages to be considered trustworthy by the recipients.
By means of email address spoofing or conversation hijacking, BEC attackers hold themselves out as persons the email recipients should trust to gain illegal advantages.
Malicious links lead to web resources designed to spread malware.
The application detects phishing, spoofing and malicious links according to the detection rules developed by the Kaspersky experts. Kaspersky regularly updates rules and methods of detecting phishing and malicious links.
While scanning messages for phishing, spoofing, BEC attacks and malicious links, the application analyzes not only links, but also the message subject, contents, design features, and other message attributes. The scan makes use of Kaspersky Security Network (KSN) cloud services. With the help of KSN, the application receives the latest information about phishing links and malicious links before they appear in the Kaspersky databases.
When creating a security policy, you can specify the Anti-Phishing settings.
Anti-Phishing mode
You can enable one of the following operation modes:
Actions to be taken by the application
In the Action area, specify what the application must do with messages in which it detects phishing and malicious links along with unclear content similar to phishing:
- Delete and quarantine message
The whole message is deleted from the user mailbox and moved to Quarantine.
- Move to Junk Email folder
The message is moved from its original folder to the Junk Email folder.
- Allow through
The message remains unchanged in the user mailbox.
- Tag the subject
You can add a custom tag to the subjects of affected messages. If necessary, change the tag in the entry field under the Tag the subject check box.
This option is available for the Allow through and Move to Junk Email folder actions.
- Delete permanently: deleted messages cannot be recovered
To view this option, you must open the Other options drop-down list. The whole message is deleted from the user mailbox beyond recovery.
Note that if you select Enforced mode: supplementary detection of unclear content similar to phishing, messages containing only unclear content similar to phishing will not be deleted permanently, but moved to Quarantine.
Notifications
In the Notifications area, configure notifications that will be sent automatically:
Allowlist
In the Allowlist area, configure allowed senders:
- Allow messages from the following senders
This option allows you to configure allowed senders. These senders are considered trusted and messages from them are skipped from processing.
To configure allowed senders:
- Select the Allow messages from the following senders check box.
- Click the Select button.
The Sender allowlist window opens.
- Click the Add sender button.
The Add a sender to the allowlist window opens.
- In the Specify a complete email address or a mask entry field, provide an email address or several email addresses that should be added to the allowlist separated by semicolons or line breaks.
If you want to allow several senders at once, you can use masks. For instance, if you specify the *@example.com mask, the allowlist contains all email addresses from the @example.com domain. You can also copy and paste a list of email addresses / masks separated by semicolons or line breaks in the entry field.
- Click Validate.
The provided email addresses / masks are displayed in the list.
If the email addresses / masks are entered incorrectly, they are displayed in the list in a red font, and you must introduce changes to save them.
- Click Save to save the list of provided addresses / masks.
- If you want to delete an email address / mask from the list:
- Click the Delete () button next to the email address / mask.
- Click Save.
- Do not check allowed senders' SPF
This option allows you not to consider results of Sender Policy Framework (SPF) check for allowed senders.
New messages with the Phishing status from an allowed sender remain in the original folder, but only if the SPF check verifies the sender's authenticity.
An SPF check is a verification that an email message received from a domain comes from a host authorized by that domain's administrators. During an SPF check, the IP address of the message sender is compared with the list of host names and IP addresses of possible message sources for the domain.
If the result of the SPF check is "pass" and the message sender is in the allowlist, this message remains unchanged in the user mailbox.
Otherwise, it is considered that the SPF check has revealed violations of the message sender's authenticity. Therefore, this message is processed according to the policy settings for phishing.
To disable checking of allowed senders' SPF:
- Select the Do not check allowed senders' SPF check box.
- Click Save.
Page top