Copyright 2018 Trend Micro Incorporated. All rights reserved.

Size: px

Start display at page:

Poppy Green
5 years ago
Views:

2 Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. Copyright 2018 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Author: Marc Liu Released: November 9, 2018

4 Trend Micro s Writing Style DNS technology is integrated into Trend Micro ScanMail for Microsoft Exchange (ScanMail) since version12.5 Service Pack 1. This Best Practice Guide provides in-depth information about ScanMail Writing Style design, configuration as well as troubleshooting. This also serves as a guideline to help customers develop a set of best practices when using ScanMail Writing Style feature against Business Compromise (BEC) threats. This Best Practice Guide should be read in conjunction with the Trend Micro ScanMail for Microsoft Exchange 12.5 Service Pack 1 Administrator Guide and Installation and Upgrade Guide. This Best Practice Guide was written by Marc Liu. Additional information was provided by the members of the Trend Micro ScanMail for Microsoft Exchange engineering group. The following conventions are used in this manual: UPPER CASE

5 This document does not cover the basic administration procedures for Trend Micro ScanMail for Microsoft Exchange or common industry technologies in great detail. Readers must have the following knowledge base to fully understand the content: Good knowledge of the Trend Micro ScanMail for Microsoft Exchange functions and administration. The Administrator s Guide and the Administration Courseware can be used as an information source. Good knowledge of Microsoft Exchange system administration Basic knowledge of Microsoft SQL administration Basic knowledge of Microsoft Active Directory (or any other supported LDAP server) administration Good knowledge of the SMTP protocol

6 This contains an overview of Writing Style technology that was introduced in ScanMail 12.5 Service Pack 1. Topics here are expanded and discussed in detail in the succeeding chapters. Using Business Compromise (BEC) scams, an attacker uses the same or similar account name to spoof the identity of a High Profile User (HPU), to initiate fraudulent wire transfers. The attacker typically uses the identity of a top-level executive to trick the target or targets into sending money into the attacker's account. Also known as Man-in-the- scams, BEC scams often target businesses that regularly send wire transfers to international clients and may involve the use of malware, social engineering, or both. For more information, see FBI Public Service Announcement. With the integrated Antispam Engine, ScanMail performs the following to effectively protect organizations against BEC scams: Scan incoming messages from external networks with specified High Profile Users' account names, to block social engineering attacks The Writing Style Verification adds an additional layer of security to corporate messages. Trend Micro considers the writing style of a person as their Biological-ID (Bio-ID). The writing style Bio-ID is generated based on the historical data of user messages. Trend Micro scans old messages of desired users to learn their particular writing style, and creates a model for each user. The subsequent incoming messages are then compared with the existing models of each user to determine the authenticity of these messages. Trend Micro Writing Style DNA is the 3 rd -layer solution provided by Trend Micro Anti-Spam Engine (TMASE) to against BEC threats. Layer 1: Behavior Layer 2: Intention Layer 3: Writing Style DNA

Typically, to generate a writing style model for 1 single HPU, TMASE needs to extract metadata from 300 to 500 email messages sent by that HPU.

7 Typically, to generate a writing style model for 1 single HPU, TMASE needs to extract metadata from 300 to 500 messages sent by that HPU. Trend Micro considers the writing style of a person as their Biological-ID (Bio-ID). By leveraging writing style analysis that comes with Writing Style DNA, ScanMail scans the written messages of a desired individual to learn their particular writing style, and then generates a writing style model on the system for authorship identification. This writing style model is a set of properties or features explored with automated methods that uniquely identify the way an individual composes messages. ScanMail then uses the model to compare with the incoming messages claimed to be sent from the individual in protected mailboxes to identify the authorship.

This chapter describes the recommended configuration for Writing

ScanMail utilizes Trend Micro Writing Style Cloud service to

So ScanMail must have Internet connection to the Trend Micro

The BEC feature in ScanMail detects a probable scam or attack

such as a corporate user from the executive team.

Training, and enable Writing Style Verification: 1.

8 This chapter describes the recommended configuration for Writing Style feature. ScanMail utilizes Trend Micro Writing Style Cloud service to generate writing style module for each HPU. So ScanMail must have Internet connection to the Trend Micro Writing Style Cloud service. The BEC feature in ScanMail detects a probable scam or attack using messages that appear to be from a high-profile user, such as a corporate user from the executive team. Trend Micro recommends protecting those users by adding their account to the high-profile users list. Follow these steps to enable BEC check, complete Writing Style Training, and enable Writing Style Verification: 1. Click Advanced Spam Prevention > Advanced Spam Prevention Settings from the main menu. The Advanced Spam Prevention Settings screen appears. 2. Select Enable Advanced Spam Prevention and Business Compromise check from the Advanced Spam Prevention screen.

Pay attention on the following points: ScanMail loads the display name of HPU from AD automatically, and you have to ensure the name is correct.

9 3. Add High Profile Users a. Search the High Profile Users from the active directory under User Account in Active Directory field. b. Click Add to add user to the High Profile Users list on the right side. Pay attention on the following points: ScanMail loads the display name of HPU from AD automatically, and you have to ensure the name is correct. If the HPU has a middle name, you have to input it manually. Once the HPU is added, you cannot modify the HPU s first/middle/last name. You have to delete the HPU and add it again with the correct first/middle/last name. 4. Click Save. After adding HPU, configure Writing Style Training Settings. The writing style verification for high-profile users requires ScanMail to analyze and learn the specific pattern for each user. You must train ScanMail before using the writing style verification feature. 1. Click Advanced Spam Prevention > Writing Style Training Settings from the main menu. 2. The Writing Style Training Settings screen appears.

10 3. Under Manual Training section, click Start Training. 4. ScanMail starts analyzing messages of the configured users for their writing style, and displays the progress on the screen. To configure target users, refer to the topic Configuring Advanced Spam Prevention Scan Targets. If you want to stop the process before it completes, click Stop Training. 5. Click Training Report to view the training result.

Under Regular Training section, select Enable Regular Training on this server, and then select the schedule as desired.

11 The writing style of users may change over time. It is important to update the user writing style model on a regular basis. 1. Click Advanced Spam Prevention > Writing Style Training Settings from the main menu. 2. The Writing Style Training Settings screen appears. 3. Under Regular Training section, select Enable Regular Training on this server, and then select the schedule as desired. ScanMail will analyze the writing style of the configured users according to the configured schedule. To configure target users, refer to the topic on Configuring Advanced Spam Prevention Scan Targets. 4. Click Save. 5. Click Training Report to track the latest regular training result.

Once the writing style training is completed, enable Writing Style Verification. 1. Click Advanced Spam Prevention > Writing Style Verification Settings from the main menu. 2.

12 Once the writing style training is completed, enable Writing Style Verification. 1. Click Advanced Spam Prevention > Writing Style Verification Settings from the main menu. 2. The Writing Style Verification Settings screen appears. 3. Select Enable Writing Style Verification Settings from the Writing Style Verification Settings screen. 4. The Notification Settings are enabled by default. To know the details about the notifications, refer to the topic on Writing Style Post-verification. Notify supposed sender: Click Show details, and configure the settings for the account to use to send notification message to the expected sender.

Add disclaimer for email message recipients: Click Show details, and configure the disclaimer message to display at the top of every BEC suspicious email message body.

13 Add disclaimer for message recipients: Click Show details, and configure the disclaimer message to display at the top of every BEC suspicious message body. Note that the disclaimer contents are customizable. Notify security/it group: Click Show details, and configure the addresses of security/it group members that ScanMail will notify if it detects a suspicious message. 5. Add necessary Approved Senders. This exception list specifies the addresses to skip from Writing Style Verification. Some examples are personal addresses of HPU, or system addresses to send system-generated notifications. A maximum of 500 addresses is supported. 6. Click Save.

The ScanMail Server Management console allows you to view all of the ScanMail servers on a network. You will only see servers with the same type of Activation Code.

14 The ScanMail Server Management console allows you to view all of the ScanMail servers on a network. You will only see servers with the same type of Activation Code. View all ScanMail servers in a forest when you install ScanMail with Exchange 2016, 2013 or You can utilize the Server Management function to replicate Advanced Spam Prevent settings form a central ScanMail server to other ScanMail servers to ensure that all the ScanMail servers keep the same configuration. 1. Click Server management to open the Server Management screen. 2. Select target servers. 3. Click Replicate. The Replication Settings screen appears. 4. Select the settings that you want to replicate: Click All settings if you want to replicate all the configurations to the target server(s). Click Specified settings and set Advanced Spam Prevention to replicate this setting to the target server(s). 5. Click Deploy. 6. A screen appears showing a progress bar and the ongoing status of the replication.

Writing Style training reports are generated out after ScanMail completes a manual training or regular training. This chapter discusses the Writing Style Training results.

It also shows the count of processed email message of each HPU s mailboxes, as well as the reason of an unsuccessful training.

Insufficient number of email message: The HPU s mailbox Send Items folder has less than 300 email message or writing style training.

15 Writing Style training reports are generated out after ScanMail completes a manual training or regular training. This chapter discusses the Writing Style Training results. The training report shows each HPU s mailbox training status to help you identify which mailboxes completed the training and which did not. It also shows the count of processed message of each HPU s mailboxes, as well as the reason of an unsuccessful training. If the Writing Style Training does not encounter any error, it will show that the training completed successfully. A successful training may contain the following training results. Insufficient number of message: The HPU s mailbox Send Items folder has less than 300 message or writing style training. None: The HPU s mailbox Send Items folder has no message for writing style training. The HPU s mailbox Send Items folder has enough message for writing style training, and all the messages are processed. If the Writing Style Training encounters an error when processing just one particular HPU s messages, it will show that the training did not complete successfully. An unsuccessful training may contain both successful and unsuccessful training results. None:

The HPU s mailbox Send Items folder has no email message for writing style training.

Error: A large number of email messages (more than 40%) were not processed.

and identify whose training model is available for Writing Style Verification. 1.

16 The HPU s mailbox Send Items folder has no message for writing style training. The HPU s mailbox Send Items folder has enough message for writing style training, and all the messages are processed. Error: A large number of messages (more than 40%) were not processed. If the training is stopped the following error will appear: Once ScanMail completes a manual or regular training, you can view all the HPUs training models and identify whose training model is available for Writing Style Verification. 1. Under Training Model section, click on Click here to view all user training models. The Training Model screen appears. 2. Under Ready for Writing Style Verification? column, it tells whether each HPUs mailbox has the training model or not. If the result is Yes, the incoming messages with the same display name of the mailbox related HPU will trigger Writing Style Verification when it is enabled on the ScanMail server.

This chapter describes the following topics of Writing Style Verification:

Confirmation Links Writing Style Verification Logs and Reports Under

message sender Include feedback links in the confirmation message Enabling

message and send feedback to Writing Style backend server to improve the

17 This chapter describes the following topics of Writing Style Verification: Writing Style Verification Notifications Writing Style Verification Confirmation Links Writing Style Verification Logs and Reports Under Writing Style Verification Settings page, Notify supposed sender is enabled by default. The following 2 options are not enabled by default: Attach original message sender Include feedback links in the confirmation message Enabling these 2 options will let the supposed sender view the original message and send feedback to Writing Style backend server to improve the detection. Once a suspicious BEC message is detected by Writing Style Verification, the supposed sender will receive a confirmation similar to the following:

Add disclaimer for email message recipients is enabled by default.

18 Add disclaimer for message recipients is enabled by default. A warning message is added to the top of the suspicious BEC message body which alerts the recipients.

19 Notify security/it group is enabled by default. The security/it group will receive the [Writing Style Notification]. The original is also attached to the notification for security/it group to review.

When Include feedback links in the confirmation message is enabled, the supposed sender will see the feedback buttons at the bottom of the email body.

20 When Include feedback links in the confirmation message is enabled, the supposed sender will see the feedback buttons at the bottom of the body. Click Yes or No to confirm whether the message is indeed sent by you. By doing this, it will open a web browser and provide feedback to Trend Micro. And you will see the message Thank you for your confirmation when your confirmation is received.

View from Real-time Monitor Click Real-time monitor in the banner.

21 The Writing Style Verification log is a type of Advanced Spam Prevent log. Administrators can monitor or review the Writing Style Verification log via the following methods: View from Real-time Monitor Click Real-time monitor in the banner. The Real-time Monitor screen will display information about the server. The detection of Writing Style Verification is listed under Advanced spam incidents.

Query from Logs 1. Click Logs > Query. The Log Query screen displays. 2. Select the date range. 3. Select the type: Advanced Spam Prevention > Business Email Compromise. 4.

22 Query from Logs 1. Click Logs > Query. The Log Query screen displays. 2. Select the date range. 3. Select the type: Advanced Spam Prevention > Business Compromise. 4. Specify the number of items to display per page. 5. Select the Query targets for the query. Local server Remote server(s) a. Select the Server group from the drop-down. b. Click the server name in the Available Server(s) list, and click Add >> to include the server(s) to the Selected Server(s) list. 6. Click Display Logs. messages detected by Writing Style verification are categorized as Writing Style.

Generate Report Administrators can generate Advanced Spam Prevention report under One-time Reports or Scheduled Reports to view these 2 items: Top Recipients of Messages with Suspicious Writing Style

23 Generate Report Administrators can generate Advanced Spam Prevention report under One-time Reports or Scheduled Reports to view these 2 items: Top Recipients of Messages with Suspicious Writing Style Top Display Names of Messages with Suspicious Writing Style 1. When generating a report, select all items under Advanced Spam Prevention report under the Content section. 2. View the report. Top Recipients of Messages with Suspicious Writing Style This shows the recipients that frequently receive probable BEC attacks through detected by writing style analysis during the selected time period. Top Display Names of Messages with Suspicious Writing Style This shows the High Profile User that were frequently targeted by BEC attacks through and detected by writing style analysis during selected time period.

24 This chapter describes the common troubleshooting skillset related to Writing Style feature. If a true BEC message is not detected by Writing Style Verification, it is recommended to check the following: 1. Both Advanced Spam Prevention and Writing Style Verification must be enabled. 2. Check whether the High Profile User s training mode is ready for Writing Style Verification. 3. Confirm that the High Profile User s address has the same/similar display name with the display name of the sender. 4. Check the address of the sender s misdetected which should not be in the exception list. 5. Check the sender which should not be an internal address. If the all items are checked, collect sample and contact Trend Micro Technical Support for further help. If a normal message is detected by Writing Style Verification, it is recommended to check the following: 1. If the message is sent from a High Profile User s personal account, or a trusted notification generation system, or a trusted external sender with the same display name of the High Profile User, then you can add the mail sender s address to the Approved senders list under the Writing Style Verification Settings page. 2. For concerns about the samples, please collect them and contact Trend Micro Technical Support for further help.

25 This chapter includes commonly asked questions regarding the configuration of ScanMail and the steps involved in addressing the situations. An Administrator needs to make sure the High Profile User mailbox(es) have at least 300 mails in the Sent Items folder of the mailbox. For writing style training, Trend Micro recommends to perform training on just one Exchange server. ScanMail can locate where the mailbox is and get sent items ( s) to do training under the same forest. Persons with very important positions like CxO, or a corporate user from the executive team should be added to the High Profile User list of writing style feature. Once fake s with same display name as these users have been received, the company is very likely to suffer losses. A notification of writing style feature can be sent to the supposed sender (that is, a High Profile User who has the same display name to the sender), recipients, and security/it group. You can access the ScanMail console, and navigate to Advanced Spam Prevention/Writing Style Verification Settings page to configure notification for Writing Style. By default, all of the three types of notifications are enabled: For supposed sender, there is a notification . You can enable "Attach original message from sender" if the High Profile Users want to read the suspected fake s, and enable "Include feedback links in the confirmation message" to add a feedback link to the end of the notification . You can also replace the default display name and address of notification sender by search user from Active Direction, or modify them on this page directly. For recipients, the notification is a disclaimer on the top of the suspected fake . You can modify the Disclaimer content on this page as preferred. For security/it group, there is a notification . You need to configure the security/it group address(es) to the Notify security/it group list by adding the address(es) directly or import from a txt page. You also can enable "Attach original message from sender" if the security/it group wants to read the suspected fake s. This setting is enabled by default.

26 ScanMail offers the following options to bypass writing style verification for a particular High Profile User. Option 1: Uncheck Enable Writing Style Verification under Writing Style Verification Settings section via ScanMail web console. Using this option will disable writing style verification for all High Profile User accounts. Option 2: Under Advanced Spam Prevention Settings, remove the High Profile User account from the list. Removing this High Profile User account from the list will also let this account bypass Business Compromise check. E.g. The CEO William uses these 2 names William and Bill in . Since 12.5 SP1, ScanMail supports the feature that a single High Profile User uses different names. Administrators can add the existing High Profile User with a different name to the High Profile User list in the configuration page. A maximum of 500 High Profile Users are supported. If the ScanMail server accesses the Internet through a firewall or proxy server, the following URL must be added to the firewall or proxy server to all the connection: Currently, Writing Style DAN supports messages written in English. More languages will be supported soon. Writing Style Verification scans Internet messages only. It bypasses internal s sent from HPU(s).

FAQ. Usually appear to be sent from official address

FAQ. Usually appear to be sent from official address FAQ 1. What is Phishing Email? A form of fraud by which an attacker masquerades as a reputable entity in order to obtain your personal information. Usually appear to be sent from official email address