Email Analysis Reasons

This article explains the reasons found in the analysis section of the Live Email Tracker.

URL & Attachment Detections

| Reason | Explanation |
| --- | --- |
| AV Engine Detection | Mesh antivirus / anti-malware engines matched with a known/similar signature/threat. |
| Sandbox Detection | Mesh Dynamic Sandbox engines returned a malicious verdict after the detonation of email and/or its attachments. |
| URL - Malware | URL found in email was detected as Malware. |
| URL - Phishing | URL found in email was detected as Phishing. |
| RBL - URL | URL found in email was listed on a Real-time Block List (RBL). |
| RBL - Other | IP address or other component of email was listed on an RBL. |

Authentication Reasons - SPF/DKIM/DMARC

| Reason | Explanation |
| --- | --- |
| SPF-Fail | Inbound email’s sending IP has failed Sender Policy Framework (SPF) checks. |
| SPF-SoftFail | Inbound email’s sending IP has produced a fail but is treated as a “soft fail” due to sender’s record. |
| SPF-PermError | SPF record for sending domain is misconfigured or could not be parsed, producing a “PermError”. |
| SPF-Neutral | Sender’s SPF record is in “neutral” mode. |
| SPF-Pass | Sender’s envelope-from domain has passed SPF checks. |
| SPF-None | Sender has no SPF record or the domain could not be resolved. |
| DKIM-Fail | Inbound email has failed DomainKeys Identified Mail (DKIM) integrity checks. |
| DKIM-TempFail | Inbound email DKIM record could not be retrieved or verified. |
| DKIM-Neutral | Inbound email has returned a DKIM=neutral verdict within the email headers. This can be due to a misconfiguration or fail. |
| DKIM-Pass | Inbound email has passed DKIM integrity checks. |
| DKIM-None | Sender does not have DKIM configured. |
| DMARC-Fail | Inbound email has failed Domain-based Message Authentication, Reporting and Conformance (DMARC) checks. |
| DMARC-SoftFail | Inbound email has failed DMARC checks but sending domain has action set to “none”. |
| DMARC-PermError | DMARC for sending domain is misconfigured or could not be parsed, producing a “PermError”. |
| DMARC-TempError | Inbound email DMARC record could not be retrieved or verified. |
| DMARC-Pass | Inbound email has passed DMARC checks. |
| DMARC-None | Sender does not have DMARC configured. |

Content Detections

| Reason | Explanation |
| --- | --- |
| Content - 419 | Email contains financial-related fraud / large sums of money / inheritance scam. |
| Content - BEC | BEC (Business Email Compromise) threats are emails that appear to come from a known or trusted source making a legitimate request. Typically this indicates an impersonation attempt. |
| Content - Brand IMP | Email contains content that impersonates the recipient company’s brand. |
| Content - Crypto | Email contains mentions of cryptocurrency, commonly associated with ransom / sextortion scams. |
| Content - Evasive | Email content is obfuscated/obscured. |
| Content - Explicit | Email contains explicit content not appropriate for work. |
| Content - Financial | Email contains financial-related material. |
| Content - Homoglyph | Email contains a homoglyph attack or is using characters from multiple alphabets. |
| Content - Infomail | Email contains “infomail” content such as newsletters or automated emails. Emails containing “Unsubscribe” links or certain email headers will trigger this filter. |
| Content - Marketing | Email contains marketing content. |
| Content - Medical | Email contains content associated with medication or drugs. |
| Content - NDR | Email is a Non Delivery Receipt (NDR). |
| Content - SEO | Email contains Search Engine Optimization (SEO) content. |
| Content - Supply Chain | Email contains content that impersonates well-known supply chain brands. For example, Microsoft or Google. |
| Content - Structural | Structure of email is poor or contains suspicious characteristics commonly associated with spam. |

Other Characteristics

| Reason | Explanation |
| --- | --- |
| Domain - Freemail | Sender or reply-to is a freemail domain such as Gmail, Hotmail, or Yahoo. |
| Header/Envelope Mismatch | The header-from sending address, reply-to, and/or envelope-from address do not match. |
| Display Name Match | Display name of email matches or is similar to an existing user within the recipient's organization. |
| User Name Match | Username portion of sender's email address matches or is similar to an existing user within the recipient's organization. |
| Domain - Recently Reg | Sending domain has recently been registered, modified, or purchased. |
