Problem:
There was a false negative. A spam, phishing, or malicious email wasn't blocked by proofpoint. Why?
Explanation:
Unfortunately it can happen from time to time that Proofpoint fails to catch something. Either it's a new threat in the wild or simply a new spam wave that nobody has seen before and it hasn't hit any of the Proofpoint honeypots/spam traps. Since there isn't really any way to have a "perfect" catch rate, it would be a good idea to make sure you follow best practices when it comes to general security:
1. Have proofpoint in front of your domain(s)
2. Make sure you have a solid anti-virus solution running on people's workstations
3. Ideally, users should not be admins on their workstations, they should not be able to install or execute new applications without IT authorization.
4. Backups Backups Backups. Have proper backup policies for daily, weekly and monthly backups + offsite backups.
5. Test your backups. Make sure you can restore properly.
So what can I do?
1) REPORT THEM
When you see them in the message log, Report them as False Negatives. This goes directly to the cloudmark security team (a major component of Proofpoint's security solution). Usually they take action within the hour. What it does is it alters the spam/malware scoring of the email more towards the "bad mail" side and the more reports we get, the better the solution will work.
To report messages, you can do so from the message log, select the email that was delivered and from the action pull down, "report as false negative".
You can also block them by just using the block action in the message details by sender address. Note that this can have only limited effectiveness since attackers will often use changing "From" addresses. This is mostly good if it's a recurring semi-legit newsletter that doesn't change/rotate the FROM field.
2) IF RECURRING and not blocked after reporting, contact vircom support
If after doing (1) it's still happening, similar type of attack that isn't getting blocked, contact us. Open a ticket with vircom ([email protected]) - make sure you provide the permalink of the message in question.
3) IMPLEMENT Mitigation measures
What we mean by that is there are something you can do to reduce your security foot print.
GEO-IP Fencing
For instance, the vast majority of our client are north-america based, and only deal with north-american clients. So why not just use geo-ip blocking to block anything NOT from north america? You can always add exceptions to the rule (if sender is not from somethingsomething.uk for instance)...
HTML blocking
Another case we're seeing recently is the use of HTML attachments cross-linking to bad websites. So just block all .htm documents. You can always create exceptions for the occasional legit sender that might need to send html attachments
Make sure you use the antispoofing feature
Block emails that fail SPF/DKIM and DMARC.
Increase the spam aggressivity
If you go to EMAIL -> Spam settings, you can change the aggressivity slider.
The smaller the number, the more aggressive
The bigger the number, the less aggressive
Consider upgrading to the "plus" packages if you're not on them.
Proofpoint is rolling out new technology including the supernova engine that is doing very well with certain types of zero day and phishing attacks. You could consider trying it out. The "PLUS" packages include:
- SuperNova based engine, brand new engine that is designed to catch some of the harder to catch phishing attempts and BEC (Business Email Compromise)
- Email Warning Tags (you can tag messages if say, the sender's domain is less than a week old for instance which is highly suspicious). Currently 4 tags are supported: External Sender, New Domain registered recently, Unauthenticated Email and At risk GEO-IP zones. More tags are coming.
- Retraction of messages (you can pull/retract bad emails delivered to users from their inbox (office365 only)).
Display Name Spoofing
Often, C-Levels (managers, people with a public presence) get impersonated meaning, emails are sent with their Firstname/Lastname in the "friendly part" of the EMail address (ex: From: "Jim Smith" <[email protected]>) to fool your users. We can make impersonation rules preventing that. We just need the list of people (email addresses) of those you want us to create them for. Once you have your list, contact support and we'll generate the rules for you.
Lockdown Office365
If you're on office365 and you weren't originally setup by Vircom, it's possible your tenant wasn't locked down, you can easily do it yourself via the Vircom Portal or follow these instructions:
Make sure no secondary MX points directly to your MTA/O365
Your MX records should ONLY be proofpoint.
US: mx1-us1.ppe-hosted.com and mx2-us1.ppe-hosted.com
EU: mx1-eu1.ppe-hosted.com and mx2-eu1.ppe-hosted.com
Get a security checkup from Vircom.
This is a free service, we go through all your settings, your SPF/DKIM/DMARC stance and make recommentations. Just ask for one if this is a recurring problem.
Finally
This is a living document, we'll be adding other steps to help mitigate issues. So check it out once in a while.