Post on 19-Oct-2019


Writing Style Best Practice Guide | August 2018

Page 2 of 15 | Trend Micro Writing Style Best Practice Guide

Contents

About This Book ........ 3
    Preface ........ 3
    Authors ........ 3
TMCAS Writing Style Introduction ........ 4
How TMCAS Trains the Writing Style Model ........ 6
    The Training Logic in TMCAS ........ 6
How to Configure TMCAS Writing Style Prevention Feature ........ 7
    Configure High Profile User Exception List ........ 11
    Configure Advanced Spam Prevention Approved/Blocked Sender List ........ 11
    Enable Smart Protection Network Feedback ........ 12
How to View Writing Style Detection Result on CAS Admin Console ........ 13
How to Troubleshoot Writing Style Issues ........ 14
    False Negative Issue ........ 14
    False Positive Issue ........ 14
FAQ ........ 15


About This Book

Preface

Welcome to the Trend Micro Cloud App Security Writing Style Best Practice Guide. This document serves as a guideline to help customers develop a set of best practices when using TMCAS Writing Style as an additional layer of prevention against BEC attacks.

This document provides in-depth information about the CAS Writing Style architecture, configuration and troubleshooting.

Authors

This Best Practice Guide is written by Nickel Xu. Additional information was provided by members of the TMCAS Engineering groups, including Iceking Chen, Jing Liu and Zhi Zhang, as well as the TMASE team.


TMCAS Writing Style Introduction

Cloud App Security integrates with Trend Micro's Writing Style DNA technology to scan the English email messages of a chosen individual, learn that person's particular writing style and generate a Writing Style model. It then compares the model against incoming English email messages that claim to be sent from that individual to your organization's protected mailboxes, in order to detect probable BEC attacks.

TMCAS integrates TMASE (Trend Micro AntiSpam Engine) to provide the Writing Style analysis feature. It collects the mails from the "Sent Items" folder of the specified High Profile User (HPU) to build the Writing Style model.

For example:

The admin adds the CEO to the CAS high profile users list and enables Writing Style prevention.

First, CAS gets the mail metadata from the CEO's Sent Items folder and sends it to the Writing Style backend to build the Writing Style model.

After CAS finishes building the training model, Writing Style detection for the CEO is ready.

When a hacker uses the CEO's name as the display name of an external mailbox to attack internal users, the attack can be detected by CAS Writing Style.


Additionally, each Writing Style training model is unique and associated with the customer's license and the mailbox.


How TMCAS Trains the Writing Style Model

The Training logic in TMCAS

TMCAS gets mails from the High Profile User's "Sent Items" folder to build the Writing Style model.

If it is the first time CAS trains on a specific user, CAS gets at most around 800 mails from "Sent Items" for training.

If it is not the first time and the Writing Style model is not completed, CAS gets the latest mails for training about every 2 hours.

If it is not the first time and the Writing Style model is completed, CAS gets the latest mails for training about every 24 hours.


How to Configure TMCAS Writing Style Prevention Feature

1. Add the High Profile User (HPU).

Add the HPU one by one:

CAS Admin Console > Administration > High Profile Users > Add User

Add the HPU from a group:

CAS Admin Console > Administration > Global Settings > High Profile Users > Add From Group


2. Enable Writing Style.

CAS Admin Console > Exchange Online > Policies > Select the policy > Advanced Spam Protection > Writing Style Analysis for BEC

Then check "Enable Writing Style analysis" to enable Writing Style scanning.

3. Configure the Scan Action.

The action can be configured as "Tag Subject", "Add disclaimer" or "Pass".


Tag Subject

Add Disclaimer

4. Notify supposed sender (Optional)

CAS supports two ways to notify the supposed sender:

- Attach the original email message


- Allow the supposed sender to provide feedback

5. Notify administrator (Optional).

6. Save the settings to finish the TMCAS Writing Style configuration.


Configure High Profile User Exception List

To reduce noise from the Writing Style function, CAS lets the administrator maintain an HPU exception list. Add the HPU's personal email addresses, and any system email addresses that generate notifications to the HPU, to this list to reduce false positive detections.

CAS Admin Console > Administration > Global Settings > High Profile User Exception List

Configure Advanced Spam Prevention Approved/Blocked Sender List

In addition to the HPU exception list, the general approved sender list, which also works well with personal email addresses and system-generated email addresses, can help reduce false positive incidents. Note that this setting applies to the whole CAS Advanced Spam Prevention feature.

CAS Admin Console > ATP | Exchange Online > Policy > Advanced Spam Protection > Approved/Blocked Sender List


Enable Smart Protection Network Feedback

It is recommended to encourage the customer to enable this function, which allows Trend Micro to collect suspicious email information to improve its detection capabilities.

CAS Admin Console > ATP | Exchange Online > Policy > Advanced Spam Protection


How to View Writing Style Detection Result on CAS Admin Console

From the Security Logs

CAS Admin Console > Logs > Security Risk Scan

From the Dashboard

Top 5 Writing Style Analysis Violations by Recipient

Top 5 Targeted High Profile Users


How to Troubleshoot With Writing Style Issue

False Negative Issue

If a mail with a Writing Style violation is not detected, check the following items:

1. Whether the training model of the HPU is completed.

2. The configured HPU's mail address should have the same or a similar display name to the display name of the sender.

3. Advanced Spam Prevention and Writing Style must both be enabled. In addition, the policy must be applied to the target recipient.

4. The sender address of the mail should not be in the HPU exception list.

5. The sender address should not be in the Advanced Spam Prevention approved sender list.

6. The mail sender should not be in the internal domain.

7. If all of the above are OK, collect the mail sample and contact Trend Micro Technical Support for further help.
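As an added triage helper (example code, not Trend Micro's), the function below walks one message through items 1 to 6 of this checklist and reports which conditions rule out a Writing Style scan. The HPU list, policy settings and sample messages are constructed, and the rule for a "similar" display name (case-insensitive token-set comparison) is an assumption, since the guide does not define it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def normalize_name(name):
    # Case does not matter (FAQ). Comparing punctuation-stripped tokens as a set also
    # treats "Doe, Jane" and "jane doe" as similar; that similarity rule is an assumption.
    return frozenset(re.findall(r"[a-z0-9]+", name.lower()))

def writing_style_scan_blockers(raw_message, config):
    """Return the checklist items (1-6) that rule out a scan; [] means the scan applies."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    blockers = []
    # Items 1 and 2: an HPU must match the display name and its model must be complete.
    hpu = next((h for h in config["hpus"]
                if normalize_name(h["display_name"]) == normalize_name(display_name)), None)
    if hpu is None:
        blockers.append("2: no HPU with the same/similar display name")
    elif not hpu["model_completed"]:
        blockers.append("1: HPU training model not completed")
    # Item 3: both features enabled, and the policy must cover this recipient.
    if not (config["advanced_spam_prevention"] and config["writing_style"]):
        blockers.append("3: Advanced Spam Prevention or Writing Style not enabled")
    if recipient not in config["policy_recipients"]:
        blockers.append("3: policy not applied to this recipient")
    # Items 4 and 5: sender lists that exclude the mail from Writing Style scanning.
    if address in config["hpu_exception_list"]:
        blockers.append("4: sender in HPU exception list")
    if address in config["approved_senders"]:
        blockers.append("5: sender in approved sender list")
    # Item 6: only senders outside the internal domain are checked.
    if domain in config["internal_domains"]:
        blockers.append("6: sender in internal domain")
    return blockers

# Constructed sample configuration and messages; none of these are real addresses.
CONFIG = {
    "hpus": [{"display_name": "Jane Doe", "model_completed": True}],
    "advanced_spam_prevention": True, "writing_style": True,
    "policy_recipients": {"cfo@corp.example"},
    "hpu_exception_list": {"jane.doe@personal.example"}, "approved_senders": set(),
    "internal_domains": {"corp.example"},
}
SPOOFED = 'From: "jane DOE" <ceo-office@mail.example>\nTo: cfo@corp.example\nSubject: Urgent\n\nPay today.\n'
PERSONAL = 'From: "Jane Doe" <jane.doe@personal.example>\nTo: cfo@corp.example\nSubject: Hi\n\nFrom home.\n'
INTERNAL = 'From: "Jane Doe" <jane.doe@corp.example>\nTo: cfo@corp.example\nSubject: Hi\n\nReal mail.\n'
```

Calling `writing_style_scan_blockers(SPOOFED, CONFIG)` returns an empty list (the display-name spoof from an external domain is eligible for scanning), while the personal-address and internal-domain samples each return the single checklist item that excludes them.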

False Positive Issue

If a mail is detected by CAS Writing Style as a false positive, check the items below:

1. If the sender is the HPU's personal email address, a trusted system-generated notification mail, or a trusted external mail sender with the same display name as the HPU, add the mail sender address to the HPU Exception List.

2. If there are further concerns about the samples, collect them and contact Trend Micro Technical Support for further help.


FAQ

Is Writing Style only available in the CAS and SMEX products?

Yes. Currently it is only available in CAS and SMEX.

What will happen if the user moves all sent items to a .pst file?

Currently CAS only reads mail from Sent Items.

If the Writing Style model is not completed, CAS reads the latest mails in Sent Items about every 2 hours.

If the Writing Style model is completed, CAS reads the latest mails in Sent Items about every 24 hours.

Are the first name and last name case sensitive?

No, they are not case sensitive.

Do we have a list of the metadata that is shared with the backend?

The following is shared with the backend:

(1) From address (Train & Scan)
(2) Subject (Train & Scan)
(3) Features of the mail body: TMASE extracts the features of the mail body. (Train & Scan)
(4) Mail message ID (currently CAS only uploads this metadata during scan)

How does Writing Style (WS) meet the GDPR policy?

CAS has reviewed the Writing Style feature with the legal team, and the legal team confirmed that it is compliant.

To which email address will the feedback button be sent? Reply-To? Or the display email?

The feedback button is just a URL. After clicking it, the feedback is submitted to the TMASE backend. The URL contains the information needed to identify the scanned mail in the Writing Style backend.

How many high profile users are supported?

A maximum of 500 high profile users is supported.