- Deprovision the original Office365 tenant on CAS admin UI. Refer to Deprovisioning Office 365 Services from the Online Help.
- Provision the new Office365 tenant on CAS admin UI. Refer to Provisioning Office 365 Services from the Online Help.
In case any error occurs, please contact Trend Micro Technical Support.
When provisioning the Authorized Account, the global admin account is used only during token provisioning: its user name and password are entered on the Microsoft consent page to grant the required permissions.
The Global Admin role is no longer needed once provisioning is complete. CAS uses the resulting token to connect to M365 rather than the global admin credentials, and the token is refreshed automatically and periodically before it expires. The account shown on the Service Account page is only a record of the account that was used for token provisioning.
For more information about Microsoft token-based provisioning, refer to:
CAS starts scanning when an email message arrives at a protected mailbox, a file is uploaded or updated to a cloud storage application, or a Salesforce object is updated.
However, because CAS uses an API-based architecture rather than a proxy-based one to provide advanced protection, a scanning delay can occur if Office 365 does not notify CAS immediately about upload/update events, or if there is a temporary network problem between Office 365 and CAS.
- Most at risk for Emergent threats (threats emerging recently)
- Most at risk for Advanced Spam threats (threats detected by Trend Micro TMASE engine)
- Most at risk for Phishing threats (Phishing URL detected by Trend Micro WRS and URL dynamic scanning)
Enable Email Account Inventory. Once the Email Account Inventory is enabled, the policy "Default Exchange Online Policy ATP (For Trend Micro XDR Only)" will also be enabled.
The policy can't be changed from CAS WebUI.
For on-premises Apex Central, refer to Trend Micro Apex Central Integration.
For Apex Central as a Service, CAS integrates only for the EDR feature, so CAS does not transmit logs to it.
Country of Purchase | CAS | XDR Platform/Activity Data |
---|---|---|
USA | West US, California | East US, N. Virginia |
Europe (EU) | West Europe, Netherlands | West Europe, Netherlands |
Japan | Japan East, Tokyo | Japan East, Tokyo |
Singapore | Southeast Asia, Singapore | Southeast Asia, Singapore |
Australia & New Zealand (ANZ) | Australia Central, Canberra | East US, N. Virginia (Australia Central planned as a future site) |
Europe-United Kingdom (EU-UK) | UK South, London | West Europe, Netherlands |
Canada | Canada Central, Toronto | East US, N. Virginia |
India | Central India, Pune | Asia Pacific, Mumbai |
Get the latest information from this article: Cloud App Security Data Collection Notice.
For Sandboxing location, refer to Data Center Geography.
Yes. CAS downloads emails and files into memory for scanning but does NOT store them.
For more information, check the Cloud App Security Data Collection Notice.
Refer to the Cloud App Security Data Collection Notice. It outlines the Cloud App Security features that collect data, the data transmitted, and where on the product console you can disable each feature.
CAS performs IP reputation checks on the IPs recorded in the mail headers. This analysis is used for advanced spam detection when Advanced Spam Protection is enabled.
Unlike an email gateway solution such as Trend Micro Email Security, CAS cannot block SMTP connections because it does not operate at the transport layer. For the same reason, CAS does not perform DNS authentication (SPF/DKIM/DMARC) itself. Customers can enable these checks in Office 365 Exchange Online Protection (EOP); when they are enabled, CAS analyzes the resulting authentication result headers to trap spam and other unsolicited email.
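The following is an added example, not code from Trend Micro or from the CAS product, showing how a mailbox-level scanner can consume the SPF/DKIM/DMARC verdicts that EOP writes into the Authentication-Results header instead of running those checks itself. The sample message is constructed for the example; the header follows the RFC 8601 `spf=`/`dkim=`/`dmarc=` vocabulary, and the exact layout EOP produces is an assumption.

```python
import email
import re

# Constructed sample message (not captured from any real tenant). The
# Authentication-Results header uses the RFC 8601 vocabulary that Exchange
# Online Protection records; the exact EOP layout is an assumption here.
SAMPLE_EML = """Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=attackers.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=company.example;
Received: from mx.attackers.example (203.0.113.10) by mx.company.example
From: "CEO Name" <ceo@company.example>
To: staff@company.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
DMARC_ACTION_RE = re.compile(r"\bdmarc=[a-z]+\s+action=([a-z]+)")


def parse_auth_results(raw_message: str) -> dict:
    """Return the SPF/DKIM/DMARC verdicts from the topmost Authentication-Results header.

    Only the first header is read: a sender can forge Authentication-Results
    lines further down in the message, but the topmost one is written by the
    last hop, which for an Exchange Online mailbox is EOP.
    """
    msg = email.message_from_string(raw_message)
    header = msg.get("Authentication-Results")
    if header is None:
        return {}
    flat = " ".join(header.split())  # unfold continuation lines
    verdicts = dict(VERDICT_RE.findall(flat))
    action = DMARC_ACTION_RE.search(flat)
    if action:
        verdicts["dmarc_action"] = action.group(1)
    return verdicts


def failed_checks(raw_message: str) -> list:
    """Mechanisms whose verdict is anything other than 'pass' (a missing verdict counts as failed)."""
    verdicts = parse_auth_results(raw_message)
    return sorted(m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass")


if __name__ == "__main__":
    print(parse_auth_results(SAMPLE_EML))
    print("failed:", failed_checks(SAMPLE_EML))
```

Because the scanner sits behind EOP, a `dmarc=fail` with `action=none` means EOP let the message through; that combination is exactly the signal a mailbox-level filter has to act on, since no SMTP rejection is possible at this point.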
Refer to this Online Help page to understand how CAS works.
Enable the Retro Scan & Auto Remediate option under Web Reputation.
The feature collects email metadata through the Threat Investigation API and, every 2 hours, retroactively re-scans the URLs from the past 3 days' messages using the newer web reputation patterns. Based on the latest scan result, CAS automatically takes remedial action on the affected email messages. Refer to Web Reputation Services for more information.
For safe sites, the cache TTL is 24 hours.
For malicious sites, the cache TTL is 35 minutes.
The results for rewritten URLs and shortened URLs are not cached.
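To make the interaction between the verdict cache and the retro scan concrete, here is an added example (not CAS code) that implements the three caching rules above and a 3-day retro scan over stored email metadata. The `lookup` callable stands in for a web reputation query, the rewriter and shortener host lists are assumed, and the choice to have the retro scan bypass the cache is an assumption made so that a newly listed site is not hidden by a 24-hour safe entry.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_TTL = 24 * 3600          # page: safe verdicts cached 24 hours
MALICIOUS_TTL = 35 * 60       # page: malicious verdicts cached 35 minutes
RETRO_WINDOW = 3 * 24 * 3600  # page: retro scan covers the past 3 days

# Hosts treated as rewritten or shortened URLs (assumed list for the example).
REWRITER_HOSTS = {"safelinks.protection.outlook.com"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}


@dataclass
class CachedVerdict:
    rating: str       # "safe" or "malicious"
    cached_at: float


@dataclass
class EmailMeta:
    message_id: str
    received_at: float
    urls: list


def is_rewritten_or_shortened(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host in REWRITER_HOSTS or host in SHORTENER_HOSTS


class ReputationCache:
    """Verdict cache with the asymmetric TTLs described on the page."""

    def __init__(self, lookup, now=time.time):
        self._lookup = lookup   # url -> "safe"/"malicious"; stand-in for a WRS query
        self._now = now
        self._entries = {}

    def rate(self, url: str) -> str:
        if is_rewritten_or_shortened(url):
            return self._lookup(url)   # final target can change; never cache
        entry = self._entries.get(url)
        if entry is not None:
            ttl = SAFE_TTL if entry.rating == "safe" else MALICIOUS_TTL
            if self._now() - entry.cached_at < ttl:
                return entry.rating
        rating = self._lookup(url)
        self._entries[url] = CachedVerdict(rating, self._now())
        return rating


def retro_scan(metadata, lookup, now) -> list:
    """Re-rate URLs from messages received in the last 3 days with the current
    pattern, bypassing the cache (assumption: the retro scan must see the
    newest verdict, otherwise a 24-hour safe entry would hide a newly listed site).
    Returns the message IDs that now need remediation."""
    cutoff = now - RETRO_WINDOW
    return [m.message_id for m in metadata
            if m.received_at >= cutoff
            and any(lookup(u) == "malicious" for u in m.urls)]
```

The short TTL on malicious verdicts limits the damage of a false positive, while the long TTL on safe verdicts is acceptable only because the retro scan re-checks recent URLs independently of the cache.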
CAS implements this feature NOT just on display name consistency; it goes through the following process:
- First, CAS checks whether a mail has an external sender address but a display name identical to a name in the company. For example: "CEO display name"<attacker@attackers.domain>.
- If that rule matches, CAS sends the mail to the TMASE engine to check other mail attributes, such as headers and body, for further suspicious indicators.
- CAS then takes action based on the final result.
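As an added example (not CAS code), the two-stage logic above in Python: stage 1 flags an external address carrying an internal display name, and only then does stage 2 look at other attributes before an action is chosen. The internal domain list and directory are constructed for the example, and the two stage-2 indicators (Reply-To mismatch and urgency wording) are assumptions standing in for the TMASE engine, which the page does not describe.

```python
from email.utils import parseaddr
import re
import unicodedata

# Constructed directory and domain list; a real deployment would take these
# from the tenant's user list (assumption).
INTERNAL_DOMAINS = {"company.example"}
INTERNAL_DISPLAY_NAMES = {"Jane Doe", "CEO Name"}

# Stand-in for the second-stage engine: the page only says the mail goes to
# TMASE for further attribute checks, so these indicators are assumptions.
URGENCY_RE = re.compile(r"\b(urgent|immediately|wire transfer|gift card)\b", re.I)


def normalize_name(name: str) -> str:
    """NFKC folds look-alike forms (full-width letters, ligatures); casefold and
    whitespace collapse stop trivial variants such as 'jane  DOE'."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def display_name_spoof_candidate(from_header: str, directory=INTERNAL_DISPLAY_NAMES) -> bool:
    """Stage 1: external sender address whose display name matches an internal user."""
    name, addr = parseaddr(from_header)
    if not name or not addr or not is_external(addr):
        return False
    known = {normalize_name(n) for n in directory}
    return normalize_name(name) in known


def classify(headers: dict, body: str) -> str:
    """Stage 1 gates stage 2; a display-name match alone never triggers an action."""
    if not display_name_spoof_candidate(headers.get("From", "")):
        return "pass"
    indicators = 0
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != parseaddr(headers["From"])[1].lower():
        indicators += 1   # replies would go somewhere other than the visible sender
    if URGENCY_RE.search(headers.get("Subject", "") + " " + body):
        indicators += 1   # pressure language typical of BEC lures
    return "quarantine" if indicators else "pass"
```

Running only stage 1 would quarantine every external contractor or partner who happens to share a name with an employee, which is why the page stresses that the display name match is only the entry condition.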
No. CAS uses the Microsoft API to retrieve email from users' mailboxes, so it works at the mailbox level, not the transport level.
For more information, refer to Understanding how Cloud App Security works.
No. The limit on the number is a deliberate balance between scan performance and scan capability.
On the other hand, Display Name Spoofing Detection applies to all users.
The Blocked Lists for Exchange Online specify the blocked senders, URLs, and SHA-1 hash values for your organization, configured through the Threat Remediation API. Email messages that match any item in the lists are automatically quarantined by Cloud App Security.
For more information, refer to Viewing Blocked Lists for Exchange Online.
Writing Style is a subset of the overall BEC detection. An incoming email message that matches the writing style analysis criteria is subject to the Action setting under Writing Style, regardless of the Action setting for BEC. For more details, refer to Advanced Spam Protection.
With token provisioning, the account used for provisioning must be a global admin. Once provisioned, CAS uses the token to communicate with M365, so CAS functionality is not affected even if the global admin account used for provisioning is deleted or its password is changed.
The required permissions for CAS are listed below:
Office365 Provisions | Required Permissions |
---|---|
Exchange | |
OneDrive | |
SharePoint | |
Teams | |
If the policy was copied from an existing Monitor Only policy, e.g. "Default Exchange Online Policy ATP (Monitor Only)", it is also Monitor Only, so its actions cannot be changed.
To verify this, create a new policy by copying the Default Exchange Policy ATP policy instead.
This is a limitation of the Microsoft API. Office 365 does not send CAS a notification for an outgoing mail until the mail has been sent and placed in the Sent folder. Therefore, by the time CAS retrieves the mail for scanning, it has already been sent and CAS has no chance to intercept it.
Refer to the following links for more information regarding the Microsoft Notification Subscription feature:
Adding a disclaimer to all mails would consume too many API calls and quickly trigger the API usage limit. So even if the feature were added to CAS, it would not work properly because of that limit.
In addition, outgoing mails are delivered before CAS can scan them, so there is no way for CAS to add a disclaimer to outgoing mail.
The items shown under Scan Source are dynamic and come from the existing detection logs. If there are no detections for a certain application, say SharePoint, it is not shown under Scan Source. The same applies to other sections such as Security Filter: an application appears once CAS has detections for it.
When the "Apply to" option is set to "Incoming messages" in the Malware Scanning rules, the "Apply to" option in the Virtual Analyzer rules is greyed out.
Virtual Analyzer analysis depends on the Malware Scanning results, so the Virtual Analyzer policy also depends on the Malware Scanning policy.
When running a manual scan, CAS retrieves every email from the target mailboxes via the API and then scans it. This large volume of scanning results in a massive number of API calls, which could easily trigger throttling on the Microsoft side. Another reason is to balance resources and cost in the cloud: a huge full scan could consume the reserved CPU, memory and network bandwidth.
Read more about Microsoft Graph throttling guidance.
On the other hand, the 31-day limit does not mean you can only scan the past 31 days of mail; you can specify any 31-day period, so you can cover more than 31 days by running the manual scan multiple times.
Confirm that you have granted Cloud App Security permission to receive notifications from Microsoft on any change to files in your SharePoint Online, OneDrive and Microsoft Teams.
Refer to pages 17-18 of the Best Practice Guide.
The reason Spam Detection by Category does not show the ransomware detection could be that the email (the ransomware) was detected by Malware Scanning rather than Advanced Spam Protection. To verify whether Advanced Spam Protection can detect the ransomware, you may need to disable Malware Scanning while keeping Advanced Spam Protection enabled. If the email is detected by Malware Scanning, it is not scanned by Advanced Spam Protection.
Here is the scan flow in CAS for reference: File Blocking -> Malware Scanning -> Web Reputation -> Anti-Spam -> BEC/Writing Style DNA -> DLP -> Sandbox.
The action is taken based on the following priority:
Delete > Quarantine > Move to Junk Email folder > Replace > Tag subject > Pass
For example, when a mail is detected as both Phishing and Other spam (Phishing-Other spam), the final action is Quarantine. This follows the priority shown above: the default action for Phishing is Quarantine, while the default action for Other spam is Move to Junk Email folder.
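The following added example (not CAS code) models the scan flow and action precedence above as a small pipeline, including the rule that a Malware Scanning hit prevents Advanced Spam Protection from running. The toy detectors, the default actions other than the two quoted for Phishing and Other spam, and the treatment of the BEC/Writing Style filter as part of Advanced Spam Protection are assumptions for the example.

```python
# Scan flow and action precedence as stated on the page.
SCAN_ORDER = ["File Blocking", "Malware Scanning", "Web Reputation", "Anti-Spam",
              "BEC/Writing Style DNA", "DLP", "Sandbox"]
ACTION_PRIORITY = ["Delete", "Quarantine", "Move to Junk Email folder",
                   "Replace", "Tag subject", "Pass"]

# Default actions quoted on the page for Phishing and Other spam; the others
# are assumptions for the example.
DEFAULT_ACTIONS = {
    "Phishing": "Quarantine",
    "Other spam": "Move to Junk Email folder",
    "Malware": "Quarantine",
    "Blocked file type": "Delete",
}

# Filters skipped once Malware Scanning has a hit. The page states this for
# Advanced Spam Protection; counting the BEC/Writing Style filter as part of
# it is an assumption.
SKIPPED_AFTER_MALWARE = {"Anti-Spam", "BEC/Writing Style DNA"}


def final_action(actions) -> str:
    """Highest-precedence action wins; no action at all means Pass."""
    return min(actions, key=ACTION_PRIORITY.index, default="Pass")


def run_scan(message: dict, detectors: dict) -> tuple:
    """Run detectors in SCAN_ORDER. Each detector maps message -> list of
    category names. Returns (final action, categories, filters actually run)."""
    categories, ran = [], []
    malware_hit = False
    for name in SCAN_ORDER:
        if malware_hit and name in SKIPPED_AFTER_MALWARE:
            continue
        detector = detectors.get(name)
        if detector is None:
            continue
        ran.append(name)
        hits = detector(message)
        categories.extend(hits)
        if name == "Malware Scanning" and hits:
            malware_hit = True
    actions = [DEFAULT_ACTIONS.get(c, "Pass") for c in categories]
    return final_action(actions), categories, ran


# Constructed toy detectors; the real filters are the engines named on the page.
def malware_detector(m):
    return ["Malware"] if m.get("attachment_is_malware") else []


def phishing_detector(m):   # phishing URLs come from web reputation on the page
    return ["Phishing"] if "phish" in m.get("urls", "") else []


def spam_detector(m):
    return ["Other spam"] if "lottery" in m.get("subject", "").lower() else []


DETECTORS = {
    "Malware Scanning": malware_detector,
    "Web Reputation": phishing_detector,
    "Anti-Spam": spam_detector,
}

if __name__ == "__main__":
    print(run_scan({"subject": "You won the lottery", "urls": "https://phish.example"}, DETECTORS))
    print(run_scan({"subject": "You won the lottery", "attachment_is_malware": True}, DETECTORS))
```

The second call in the usage block is the situation described for the ransomware question: the Anti-Spam filter never runs, so the detection is logged under Malware Scanning rather than a spam category, even though the subject line alone would have hit Advanced Spam Protection.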
After a policy is created or modified, policy matching must be recalculated. The recalculation time depends on the policy target setting; for example, if the target contains many groups, it could take several minutes.
Usually it completes within minutes, so we suggest testing and verifying about 10 minutes after the policy is created or modified.
Mail flow is NOT impacted while CAS is under maintenance.
During maintenance, some internal requests may encounter errors, but they are reprocessed once maintenance is done.