Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

Copyright © 2018 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations. Author: Marc Liu Released: November 9, 2018

Trend Micro’s Writing Style DNS technology is integrated into Trend Micro™ ScanMail™ for Microsoft™ Exchange (ScanMail) since version12.5 Service Pack 1. This Best Practice Guide provides in-depth information about ScanMail Writing Style design, configuration as well as troubleshooting. This also serves as a guideline to help customers develop a set of best practices when using ScanMail Writing Style feature against Business Email Compromise (BEC) threats.

This Best Practice Guide should be read in conjunction with the Trend Micro™ ScanMail™ for Microsoft™ Exchange 12.5 Service Pack 1 Administrator Guide and Installation and Upgrade Guide.

This Best Practice Guide was written by Marc Liu. Additional information was provided by the members of the Trend Micro ScanMail for Microsoft Exchange engineering group.

The following conventions are used in this manual:

UPPER CASE

This document does not cover the basic administration procedures for Trend Micro™ ScanMail™ for Microsoft™ Exchange or common industry technologies in great detail. Readers must have the following knowledge base to fully understand the content:

● Good knowledge of the Trend Micro™ ScanMail™ for Microsoft™ Exchange functions and administration. The Administrator’s Guide and the Administration Courseware can be used as an information source.

● Good knowledge of Microsoft™ Exchange system administration

● Basic knowledge of Microsoft™ SQL administration

● Basic knowledge of Microsoft™ Active Directory (or any other supported LDAP server) administration

● Good knowledge of the SMTP protocol

This contains an overview of Writing Style technology that was introduced in ScanMail 12.5 Service Pack 1. Topics here are expanded and discussed in detail in the succeeding chapters.

Using Business Email Compromise (BEC) scams, an attacker uses the same or similar account name to spoof the identity of a High Profile User (HPU), to initiate fraudulent wire transfers. The attacker typically uses the identity of a top-level executive to trick the target or targets into sending money into the attacker's account. Also known as Man-in-the-Email scams, BEC scams often target businesses that regularly send wire transfers to international clients and may involve the use of malware, social engineering, or both. For more information, see FBI Public Service Announcement.

With the integrated Antispam Engine, ScanMail performs the following to effectively protect organizations against BEC scams:

Scan incoming email messages from external networks with specified High Profile Users' account names, to block social engineering attacks

The Writing Style Verification adds an additional layer of security to corporate email messages. Trend Micro considers the writing style of a person as their “Biological-ID” (Bio-ID). The writing style Bio-ID is generated based on the historical data of user email messages. Trend Micro scans old email messages of desired users to learn their particular writing style, and creates a model for each user. The subsequent incoming email messages are then compared with the existing models of each user to determine the authenticity of these email messages.

Trend Micro Writing Style DNA is the 3rd-layer solution provided by Trend Micro Anti-Spam Engine (TMASE) to against BEC threats.

Layer 1: Behavior

Layer 2: Intention

Layer 3: Writing Style DNA

Typically, to generate a writing style model for 1 single HPU, TMASE needs to extract metadata from 500 to 800 email messages sent by that HPU.

Trend Micro considers the writing style of a person as their “Biological-ID” (Bio-ID). By leveraging writing style analysis that comes with Writing Style DNA, ScanMail scans the written email messages of a desired individual to learn their particular writing style, and then generates a writing style model on the email system for authorship identification. This writing style model is a set of properties or features explored with automated methods that uniquely identify the way an individual composes email messages. ScanMail then uses the model to compare with the incoming email messages claimed to be sent from the individual in protected mailboxes to identify the authorship.

This chapter describes the recommended configuration for Writing Style feature.

ScanMail utilizes Trend Micro Writing Style Cloud service to generate writing style module for each HPU. So ScanMail must have Internet connection to the Trend Micro Writing Style Cloud service.

The BEC feature in ScanMail detects a probable scam or attack using email messages that appear to be from a high-profile user, such as a corporate user from the executive team. Trend Micro recommends protecting those users by adding their account to the high-profile users list.

Follow these steps to enable BEC check, complete Writing Style Training, and enable Writing Style Verification:

1. Click Advanced Spam Prevention > Advanced Spam Prevention Settings from the main menu.

The Advanced Spam Prevention Settings screen appears.

2. Select Enable Advanced Spam Prevention and Business Email Compromise check from the Advanced Spam Prevention screen.

3. Add High Profile Users

a. Search the High Profile Users from the active directory under User Account in Active Directory field.

b. Click Add to add user to the High Profile Users list on the right side.

Pay attention on the following points:

ScanMail loads the display name of HPU from AD automatically, and you have to ensure the name is correct.

If the HPU has a middle name, you have to input it manually.

Once the HPU is added, you cannot modify the HPU’s first/middle/last name. You have to delete the HPU and add it again with the correct first/middle/last name.

4. Click Save.

After adding HPU, configure Writing Style Training Settings. The writing style verification for high-profile users requires ScanMail to analyze and learn the specific pattern for each user. You must train ScanMail before using the writing style verification feature.

1. Click Advanced Spam Prevention > Writing Style Training Settings from the main menu.

2. The Writing Style Training Settings screen appears.

3. Under Manual Training section, click Start Training.

4. ScanMail starts analyzing email messages of the configured users for their writing style, and displays the progress on the screen.

To configure target users, refer to the topic Configuring Advanced Spam Prevention Scan Targets.

If you want to stop the process before it completes, click Stop Training.

5. Click Training Report to view the training result.

The writing style of users may change over time. It is important to update the user writing style model on a regular basis.

1. Click Advanced Spam Prevention > Writing Style Training Settings from the main menu.

2. The Writing Style Training Settings screen appears.

3. Under Regular Training section, select Enable Regular Training on this server, and then select the schedule as desired.

ScanMail will analyze the writing style of the configured users according to the configured schedule.

To configure target users, refer to the topic on Configuring Advanced Spam Prevention Scan Targets.

4. Click Save.

5. Click Training Report to track the latest regular training result.

Once the writing style training is completed, enable Writing Style Verification.

1. Click Advanced Spam Prevention > Writing Style Verification Settings from the main menu.

2. The Writing Style Verification Settings screen appears.

3. Select Enable Writing Style Verification Settings from the Writing Style Verification Settings screen.

4. The Notification Settings are enabled by default. To know the details about the notifications, refer to the topic on Writing Style Post-verification.

Notify supposed sender: Click Show details, and configure the settings for the account to use to send notification message to the expected sender.

Add disclaimer for email message recipients: Click Show details, and configure the disclaimer message to display at the top of every BEC suspicious email message body. Note that the disclaimer contents are customizable.

Notify security/IT group: Click Show details, and configure the email addresses of security/IT group members that ScanMail will notify if it detects a suspicious email message.

5. Add necessary Approved Senders.

This exception list specifies the email addresses to skip from Writing Style Verification. Some examples are personal email addresses of HPU, or system email addresses to send system-generated notifications. A maximum of 500 email addresses is supported.

6. Click Save.

The ScanMail Server Management console allows you to view all of the ScanMail servers on a network. You will only see servers with the same type of Activation Code. View all ScanMail servers in a forest when you install ScanMail with Exchange 2016, 2013 or 2010.

You can utilize the Server Management function to replicate Advanced Spam Prevent settings form a central ScanMail server to other ScanMail servers to ensure that all the ScanMail servers keep the same configuration.

1. Click Server management to open the Server Management screen.

2. Select target servers.

3. Click Replicate.

The Replication Settings screen appears.

4. Select the settings that you want to replicate:

Click All settings if you want to replicate all the configurations to the target server(s).

Click Specified settings and set Advanced Spam Prevention to replicate this setting to the target server(s).

5. Click Deploy.

6. A screen appears showing a progress bar and the ongoing status of the replication.

Writing Style training reports are generated out after ScanMail completes a manual training or regular training. This chapter discusses the Writing Style Training results.

The training report shows each HPU’s mailbox training status to help you identify which mailboxes completed the training and which did not. It also shows the count of processed email message of each HPU’s mailboxes, as well as the reason of an unsuccessful training.

If the Writing Style Training does not encounter any error, it will show that the training completed successfully.

A successful training may contain the following training results.

Insufficient number of email message:

The HPU’s mailbox Send Items folder has less than 300 email message or writing style training.

None:

The HPU’s mailbox Send Items folder has no email message for writing style training.

The HPU’s mailbox Send Items folder has enough email message for writing style training, and all the messages are processed.

If the Writing Style Training encounters an error when processing just one particular HPU’s email messages, it will show that the training did not complete successfully.

An unsuccessful training may contain both successful and unsuccessful training results.

None:

The HPU’s mailbox Send Items folder has no email message for writing style training.

The HPU’s mailbox Send Items folder has enough email message for writing style training, and all the messages are processed.

Error:

A large number of email messages (more than 40%) were not processed.

If the training is stopped the following error will appear:

Once ScanMail completes a manual or regular training, you can view all the HPUs’ training models and identify whose training model is available for Writing Style Verification.

1. Under Training Model section, click on Click here to view all user training models.

The Training Model screen appears.

2. Under Ready for Writing Style Verification? column, it tells whether each HPUs’ mailbox has the training model or not.

If the result is Yes, the incoming email messages with the same display name of the mailbox related HPU will trigger Writing Style Verification when it is enabled on the ScanMail server.

This chapter describes the following topics of Writing Style Verification:

Writing Style Verification Notifications

Writing Style Verification Confirmation Links

Writing Style Verification Logs and Reports

Under Writing Style Verification Settings page, Notify supposed sender is enabled by default.

The following 2 options are not enabled by default:

Attach original email message sender

Include feedback links in the confirmation message

Enabling these 2 options will let the supposed sender view the original email message and send feedback to Writing Style backend server to improve the detection.

Once a suspicious BEC message is detected by Writing Style Verification, the supposed sender will receive a confirmation email similar to the following:

Add disclaimer for email message recipients is enabled by default.

A warning message is added to the top of the suspicious BEC email message body which alerts the email recipients.

Notify security/IT group is enabled by default.

The security/IT group will receive the [Writing Style Notification]. The original email is

also attached to the notification for security/IT group to review.

When Include feedback links in the confirmation message is enabled, the supposed sender will see the feedback buttons at the bottom of the email body.

Click Yes or No to confirm whether the email message is indeed sent by you. By doing this, it will open a web browser and provide feedback to Trend Micro. And you will see the message “Thank you for your confirmation” when your confirmation is received.

The Writing Style Verification log is a type of Advanced Spam Prevent log. Administrators can monitor or review the Writing Style Verification log via the following methods:

View from Real-time Monitor

Click Real-time monitor in the banner. The Real-time Monitor screen will display information about the server.

The detection of Writing Style Verification is listed under Advanced spam incidents.

Query from Logs

1. Click Logs > Query. The Log Query screen displays.

2. Select the date range.

3. Select the type: Advanced Spam Prevention > Business Email Compromise.

4. Specify the number of items to display per page.

5. Select the Query targets for the query.

Local server

Remote server(s)

a. Select the Server group from the drop-down.

b. Click the server name in the Available Server(s) list, and click Add >> to include the server(s) to the Selected Server(s) list.

6. Click Display Logs.

Email messages detected by Writing Style verification are categorized as Writing Style.

Generate Report

Administrators can generate Advanced Spam Prevention report under One-time Reports or Scheduled Reports to view these 2 items:

Top Recipients of Messages with Suspicious Writing Style

Top Display Names of Messages with Suspicious Writing Style

1. When generating a report, select all items under Advanced Spam Prevention report under the Content section.

2. View the report.

Top Recipients of Messages with Suspicious Writing Style

This shows the recipients that frequently receive probable BEC attacks through email detected by writing style analysis during the selected time period.

Top Display Names of Messages with Suspicious Writing Style

This shows the High Profile User that were frequently targeted by BEC attacks through email and detected by writing style analysis during selected time period.

This chapter describes the common troubleshooting skillset related to Writing Style feature.

If a true BEC email message is not detected by Writing Style Verification, it is recommended to check the following:

1. Both Advanced Spam Prevention and Writing Style Verification must be enabled.

2. Check whether the High Profile User’s training mode is ready for Writing Style Verification.

3. Confirm that the High Profile User’s email address has the same/similar display name with the display name of the email sender.

4. Check the address of the sender’s misdetected email which should not be in the exception list.

5. Check the email sender which should not be an internal email address.

If the all items are checked, collect email sample and contact Trend Micro Technical Support for further help.

If a normal email message is detected by Writing Style Verification, it is recommended to check the following:

1. If the email message is sent from a High Profile User’s personal email account, or a trusted notification generation system, or a trusted external email sender with the same display name of the High Profile User, then you can add the mail sender’s email address to the Approved senders list under the Writing Style Verification Settings page.

2. For concerns about the samples, please collect them and contact Trend Micro Technical Support for further help.

This chapter includes commonly asked questions regarding the configuration of ScanMail and the steps involved in addressing the situations.

An Administrator needs to take note of the following:

The High Profile User mailbox(es) have 500 to 800 mails in the Sent Items folder of the mailbox.

The ScanMail server must be able to communicate with Writing Style Cloud service.

The Writing Style Verification will work after the particular writing style module is generated at the Writing Style Cloud service.

For writing style training, Trend Micro recommends to perform training on just one Exchange server. ScanMail can locate where the mailbox is and get sent items (emails) to do training under the same forest.

Persons with very important positions like CxO, or a corporate user from the executive team should be added to the High Profile User list of writing style feature. Once fake emails with same display name as these users have been received, the company is very likely to suffer losses.

A notification of writing style feature can be sent to the supposed sender (that is, a High Profile User who has the same display name to the email sender), recipients, and security/IT group. You can access the ScanMail console, and navigate to Advanced Spam Prevention/Writing Style Verification Settings page to configure notification for Writing Style.

By default, all of the three types of notifications are enabled:

For supposed sender, there is a notification email. You can enable "Attach original email message from sender" if the High Profile Users want to read the suspected fake emails, and enable "Include feedback links in the confirmation message" to add a feedback link to the end of the notification email. You can also replace the default display name and email address of notification sender by search user from Active Direction, or modify them on this page directly.

For recipients, the notification is a disclaimer on the top of the suspected fake email. You can modify the Disclaimer content on this page as preferred.

For security/IT group, there is a notification email. You need to configure the security/IT group email address(es) to the Notify security/IT group list by adding the address(es) directly or import from a txt page. You also can enable "Attach original email message from sender" if the security/IT group wants to read the suspected fake emails. This setting is enabled by default.

ScanMail offers the following options to bypass writing style verification for a particular High Profile User.

Option 1:

Uncheck Enable Writing Style Verification under Writing Style Verification Settings section via ScanMail web console.

Using this option will disable writing style verification for all High Profile User accounts.

Option 2:

Under Advanced Spam Prevention Settings, remove the High Profile User account from the list.

Removing this High Profile User account from the list will also let this account bypass Business Email Compromise check.

E.g. The CEO William uses these 2 names William and Bill in email.

Since 12.5 SP1, ScanMail supports the feature that a single High Profile User uses different names.

Administrators can add the existing High Profile User with a different name to the High Profile User list in the configuration page.

A maximum of 500 High Profile Users are supported.

If the ScanMail server accesses the Internet through a firewall or proxy server, the following URL must be added to the firewall or proxy server to all the connection:

https://*.ers.trendmicro.com

Currently, Writing Style DAN supports email messages written in English. More languages will be supported soon.

Writing Style Verification scans Internet email messages only. It bypasses internal emails sent from HPU(s).