Email came in with subject starting with ***UNCHECKED***

Created by Yves Lacombe, Modified on Tue, 12 Jan, 2021 at 3:54 PM by Yves Lacombe


SYMPTOM


Email comes in with subject line ***UNCHECKED*** -- it looks like a spam and it contains a zipped attachment.


Example:





ISSUE


Proofpoint didn't tag it as a spam via conventional means (for instance, the IP reputation of the sender is neutral or good) and the zip file is encrypted with a password.  So proofpoint is warning you "hey, this email came in but we weren't able to look at the attachment because it's passworded/encrypted".



FIX


You can create a rule to block passworded zip files. 





If attachment is (click on the type) ... do quarantine.  This is what you get when you use the attachment type selector.  You need to pick "undecipherable".