
Cloud Email and Collaboration Protection

Cloud Email and Collaboration Protection includes the following modules which, when enabled, will cause the corresponding data to be transmitted to Trend Micro. Each of these modules can be disabled as shown below.

Exchange Online Protection Enhancement with Microsoft 365 Activity Data

 

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Internet message ID
  • Record type
  • Operation
  • Workload
  • Threats and detection technology
  • Verdict
  • Original delivery location
  • Latest delivery location
  • Policy
  • Policy action
  • Phishing confidence level
  • Detection method
  • Direction
  • Connector
  • Subject
  • Sender IP
  • Attachment data
  • Delivery action
  • Recipients
  • Creation time
  • Message time
  • Message date
  • P1 sender
  • P2 sender
  • Extended properties
  • Submission type
  • Submission state
  • Submission channel
  • Submission content type
  • Rescan result
Console Settings

Enable:

  • Dashboard banner > Grant permission


Disable:

  • Administration > Service Account > Remove Microsoft 365 related accounts


Correlated Intelligence

Cloud Email and Collaboration Protection collects suspicious emails for backend services, which will gather the emails' metadata (with Personally Identifiable Information removed) for further analysis.

 
The suspicious emails stored in Cloud Email and Collaboration Protection will be automatically deleted after one hour.
 
Data collected
  • Suspicious emails
Console Settings

Enable:

  • Advanced Threat Protection > Exchange Online policies > Enable Correlated Intelligence

Disable:

  • Advanced Threat Protection > Exchange Online policies > Disable Correlated Intelligence


Gmail (Inline Mode) - Service Account Provisioning

Cloud Email and Collaboration Protection provisions a service account to obtain an access token to get user/group/domain information and add/update a group used for holding the Cloud Email and Collaboration Protection policy targets.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.

Data collected
  • Domain, user and group information in Google Workspace
  • Gmail mailbox information
  • Root Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Gmail (Inline Mode)


De-provision:

  • Administration > Service Account > Remove


Gmail (Inline Mode) - Quarantine

Cloud Email and Collaboration Protection will quarantine email messages in its storage after inbound/outbound messages trigger quarantine actions.

 

These quarantined items will be kept for 30 days in Cloud Email and Collaboration Protection before they get automatically deleted.

After data is deleted, the administrator cannot restore or download the messages through Cloud Email and Collaboration Protection.

Data collected
  • Quarantined email messages
  • Email senders
  • Email recipients
  • Email subjects
  • Email sent time
  • Internet Message IDs
  • Attachment names
  • User principal names
  • Suspicious URLs
Console Settings

Enable:

  • Advanced Threat Protection/Data Loss Prevention > Gmail (Inline Mode) policies > For each filter, select action "Quarantine"

De-provision:

  • Advanced Threat Protection/Data Loss Prevention > Gmail (Inline Mode) policies > For each filter, deselect action "Quarantine"


Reports

 

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Company Name
  • Company logo
  • Notification recipient's email address
Console Settings

Reports:

  • Report Format
  • Notification


Quarantined email preview

Cloud Email and Collaboration Protection will store the previewed part of the quarantined email message body in its storage after the messages trigger quarantine actions.

The previewed part will be kept for 90 days in Cloud Email and Collaboration Protection before it is automatically deleted.

After data is deleted, the administrator cannot preview the quarantined messages through Cloud Email and Collaboration Protection.

Data collected
  • Previewed part of quarantined email body
Console settings
  • Enable:

    Quarantine > Enable Email Preview > select “Enable Email Preview”

  • Disable:

    Quarantine > Enable Email Preview > deselect “Enable Email Preview”


Cloud Email and Collaboration Protection Add-in - Manage Quarantine

Cloud Email and Collaboration Protection collects the listed information to enable end users to manage quarantined emails and add trusted senders.

 
Data will be automatically deleted one month after the grace period of your license expires.
Data collected
  • Email address
  • User OID
  • Email sender
Console settings
  • Enable:

    Administration > Add-in for Outlook > Quarantine Management Permissions > Status (ON)

    Administration > Add-in for Outlook > Quarantine Management Permissions > Select “Trust Sender”

  • Disable:

    Administration > Add-in for Outlook > Quarantine Management Permissions > Status (OFF)

    Administration > Add-in for Outlook > Quarantine Management Permissions > Deselect “Trust Sender”


Cloud Email and Collaboration Protection Add-in - Report Email

Cloud Email and Collaboration Protection collects the listed information to enable end users to report emails.

 
Data will be automatically deleted one month after the grace period of your license expires.
Collected emails will be automatically deleted after 180 days.
Data collected
  • Email address
  • User OID
  • Email
Console settings
  • Enable:

    Administration > Add-in for Outlook > Email Reporting > Status (ON)

  • Disable:

    Administration > Add-in for Outlook > Email Reporting > Status (OFF)


Virtual Analyzer for files

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

 
Disabling Virtual Analyzer prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email and Collaboration Protection to detect advanced malware in files.
Data collected
  • Suspicious executable files
  • Suspicious scripts
  • Suspicious documents with macros
  • Other suspicious files from Trend Micro virus scan engine
Console location: ATP policy > Virtual Analyzer
Console settings
  • Enable Virtual Analyzer
  • Files

Exchange Online (Inline Mode) Service Account Provisioning

Cloud Email and Collaboration Protection provisions a service account to obtain an access token to get inbound/outbound email messages through Exchange Online connectors and transport rules, and scan the messages before they arrive at the inboxes of protected users or are sent out by protected users.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.

Data collected
  • Domain, user and group information in Microsoft Azure Active Directory
  • Exchange Online mailbox information
  • MX records
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Exchange Online (Inline Mode)


De-provision:

  • Administration > Service Account > Remove


Exchange Online (Inline Mode) Quarantine

Cloud Email and Collaboration Protection will quarantine email messages in its storage after inbound/outbound messages trigger quarantine actions.

 

These quarantined items will be kept for 30 days in Cloud Email and Collaboration Protection before they get automatically deleted.

After data is deleted, the administrator cannot restore or download the messages through Cloud Email and Collaboration Protection.

Data collected
  • Quarantined inbound/outbound email messages
  • Email senders
  • Email recipients
  • Email subjects
  • Email sent time
  • Internet Message IDs
  • Attachment names
  • User principal names
  • Suspicious URLs
Console Settings

Enable:

  • Advanced Threat Protection/Data Loss Prevention > Exchange Online (Inline Mode) Policies > For each filter, select action "Quarantine"

Disable:

  • Advanced Threat Protection/Data Loss Prevention > Exchange Online (Inline Mode) Policies > For each filter, deselect action "Quarantine"


Teams Chat Service Account Provisioning

Cloud Email and Collaboration Protection provisions a service account to integrate with the Microsoft Teams Chat service and obtains an access token to scan contents and files sent in private chats with other users.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.

Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Global Administrator email address used to do the provisioning
  • Customer registered app ID
  • Customer registered app secret
Console Settings
  • Provision:

    Administration > Service Account > Add > Teams Chat


  • De-provision:

    Administration > Service Account > Remove


Internal User Risk Analytics

Cloud Email and Collaboration Protection provisions a service account to obtain an access token to get risk detection data from Microsoft Identity Protection. The data is aggregated by Cloud Email and Collaboration Protection to show in the Internal User Risk Analytics widgets.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud Email and Collaboration Protection doesn’t collect risk detections.

All collected risk detections will be deleted after 60 days.

Data collected
  • Risk detection data: user’s display name, user’s principal name, risk event type, risk level, risk category, risk detected date and time
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Information Protection


De-provision:

  • Administration > Service Account > Remove


Retro Scan & Auto Remediate in Web Reputation

Time-of-Click Protection in Web Reputation

Retro Scan & Auto Remediate in Advanced Spam Protection

Threat Investigation API

Cloud Email and Collaboration Protection collects metadata of email messages for the Threat Investigation API to sweep for required email information, for Retro Scan & Auto Remediate to detect unidentified risks or restore false positive emails, and for Time-of-Click Protection to obtain information about emails containing the clicked URLs.

 

Email metadata will not be collected if the authentication token is deleted from the Cloud Email and Collaboration Protection management console and Retro Scan and Time-of-Click Protection are disabled in the enabled policies.

All collected metadata will be deleted after 90 days.

Data collected
  • Email senders
  • Email recipients
  • Email subjects
  • Email headers: In-Reply-To, Return Path, Authentication-Results
  • Unique email IDs
  • Email received time
  • URLs in emails
  • Mailboxes
  • Attachment names
  • IP addresses of upstream MTAs
Console Settings

Enable:

  • ATP policy > Web Reputation > Rules > Retro Scan & Auto Remediate > Select “Rescan historical URLs when patterns update and take remedial actions”, or;
  • ATP policy > Web Reputation > Time-of-Click Protection > Select “Enable Time-of-Click Protection”, or;
  • ATP policy > Advanced Spam Protection > Rules > Retro Scan & Auto Remediate > Select “Rescan historical email messages and take remediation actions”, or;
  • Administration > Automation and Integration APIs > Add > For External Application or For Trend Micro Service / Product > Select Email message for the API type Threat Investigation


Disable:

  • ATP policy > Web Reputation > Rules > Retro Scan & Auto Remediate > Deselect “Rescan historical URLs when patterns update and take remedial actions”, and;
  • ATP policy > Web Reputation > Time-of-Click Protection > Deselect “Enable Time-of-Click Protection”, and;
  • ATP policy > Advanced Spam Protection > Rules > Retro Scan & Auto Remediate > Deselect “Rescan historical email messages and take remediation actions”, and;
  • Administration > Automation and Integration APIs > Select tokens whose API type is “Threat Investigation” > Delete


Microsoft Information Protection Service Account Provisioning

Cloud App Security provisions a service account to integrate with the Microsoft Information Protection service and obtains an access token to support the “add sensitivity label” and “remove sensitivity label” actions for detected documents in SharePoint/OneDrive/Teams.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, Cloud App Security does not support the sensitivity label related actions.

Data collected
  • SharePoint admin site URL
  • Sensitivity labels
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Information Protection


De-provision:

  • Administration > Service Account > Remove


Email and Collaboration Sensor App in Trend Vision One

Cloud Email and Collaboration Protection collects metadata of email messages, user profiles, mailboxes, and account activities for Trend Vision One to discover anomalies for Email and Collaboration Sensor customers.

 
All collected metadata will be deleted after 180 days.
Data collected
  • Email received timestamps
  • Email attachment file names
  • Email attachment hash values
  • URLs in email messages
  • Mailbox accounts
  • Email stored folder names
  • Microsoft 365 mail internal IDs
  • Message UIDs
  • Email attachment true file types
  • Email HTML body tags
  • Email headers
  • Group mail info

If the admin grants permissions to collect user profiles, mailboxes, and account activities, the following data will also be collected:

  • User profiles which include:

    display name, given name, surname, employee ID, company name, department name, job title, email address, business phone number, mobile phone number, fax number, office location, on-premises information, usage location, user principal name, Microsoft 365 service property, mailbox rule, last password change, user ID, IM address, Shared Object, manager account, other mail addresses, account enabled, nickname, high privileged account, calendar

  • User devices which include:

    on-premises sync enablement, OS information, OS version, device physical ID, device profile type, approximate last sign-in date and time, compliance expiration date and time, deletion date and time, device ID, device metadata, device version, device name, on-premises last sync date and time

  • User roles which include:

    administrator role ID, administrator role description, administrator role display name

  • Sign-in activities which include:

    client IP, directory audits, country, app name, longitude, latitude, User Agent, sign in IP address

Console Settings
  • Enable:

    In Trend Vision One console, set email sensor targets for Exchange Online or Gmail in the Email and Collaboration Security app.

  • Disable:

    In Trend Vision One console, click the “Clear Inventory” button in the Email and Collaboration Security app.


SharePoint Online / OneDrive for Business Service Account Provisioning with Access Token

Cloud Email and Collaboration Protection provisions a service account to integrate with the Microsoft SharePoint Online and OneDrive for Business services respectively, and obtains an access token to access and protect users’ files stored in SharePoint Online/OneDrive for Business from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • SharePoint Online site collection information
  • OneDrive for Business user and user site information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > SharePoint Online or OneDrive for Business


De-provision:

  • Administration > Service Account > Remove


Microsoft Teams Service Account Provisioning

Cloud Email and Collaboration Protection provisions a service account to integrate with the Microsoft Teams service and obtains an access token to protect users’ files stored in teams from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • SharePoint Teams information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Microsoft Teams


De-provision:

  • Administration > Service Account > Remove


Exchange Online Service Account Provisioning with Access Token

Cloud Email and Collaboration Protection provisions a service account to integrate with the Exchange Online service and obtains an access token to protect users’ email messages from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Exchange Online mailbox information
  • Global Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Exchange Online


De-provision:

  • Administration > Service Account > Remove


Gmail Service Account Provisioning

Cloud Email and Collaboration Protection provisions a service account to integrate with the Gmail service and obtains an access token to protect users’ email messages from threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • Domain information
  • Mailbox information
  • Group information
  • Administrator email address used to do the provisioning
Console Settings

Provision:

  • Administration > Service Account > Add > Gmail


De-provision:

  • Administration > Service Account > Remove


Writing style analysis for BEC

Cloud Email and Collaboration Protection collects email messages sent by high profile users to train their writing style models if writing style analysis is enabled. All email content is irreversibly hashed.

 

Email messages will not be collected for continuous model training if writing style analysis is disabled.

Data will be automatically deleted one month after the grace period of your license expires.

Data collected
  • Email senders
  • Email subjects
  • Email content
Console Settings
  • ATP Policy > Advanced Spam Protection > Writing Style Analysis for BEC

  • Administration > Global Settings > High Profile Users

O365 (Exchange Online, SharePoint Online, OneDrive for Business) Service Account Provisioning

Cloud Email and Collaboration Protection provisions service accounts to integrate with Microsoft Office 365 services, and accesses Office 365 data with the service accounts to protect users’ email messages and files from network threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • Domain, user, and group information in Windows Azure Active Directory
  • Exchange Online mailbox information
  • SharePoint Online site collection information
  • OneDrive for Business user and user site information
Console Settings

Provision:

  • Administration > Service Account > Add > Office 365


De-provision:

  • Administration > Service Account > Remove


Cloud storage service (Box, Dropbox, Google Drive) Service Account Provisioning

Cloud Email and Collaboration Protection provisions service accounts to integrate with cloud storage services and obtains access tokens to protect users’ files from network threats.

 
Data will be automatically deleted one month after the grace period of your license expires. After data is deleted, Cloud Email and Collaboration Protection does not protect your service any more.
Data collected
  • Box user and group information
  • Dropbox user and group information
  • Google Drive user and organization unit information
  • Administrator email address used to do the provisioning
Console settings

Provision:

  • Administration > Service Account > Add > Box/Dropbox/Google Drive


De-provision:

  • Administration > Service Account > Remove


Logs

 

Logs cannot be disabled unless you choose to NOT use Cloud Email and Collaboration Protection.

After data is deleted, administrators cannot retrieve history data of user events and policy violations from Cloud Email and Collaboration Protection.

Data collected
  • Email senders
  • Email recipients
  • Email locations
  • Email subjects
  • Attachment names
  • Email sent time
  • Internet Message IDs
  • File modifiers
  • File locations
  • File names
  • Chat locations
Console settings

Cloud App Security automatically deletes logs older than 180 days.


Quarantine

Quarantine logs cannot be disabled unless you do not set Action to Quarantine in any Advanced Threat Protection or Data Loss Prevention policy or you do not enable Virtual Analyzer in any Advanced Threat Protection policy.

 

Data will be automatically deleted one month after the grace period of your license expires.

After data is deleted, administrators cannot retrieve history data of user events and policy violations from Cloud Email and Collaboration Protection.

Data collected
  • Email senders
  • Email recipients
  • Email locations
  • Email subjects
  • Attachment names
  • File modifiers
  • File locations
  • File names
Console settings

For Quarantine logs, Cloud App Security provides an option for administrators to automatically delete logs older than 30, 60, or 90 days.


Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features.

 
Disabling Predictive Machine Learning prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email and Collaboration Protection to detect new, previously unidentified, or unknown threats.
Data collected
  • Metadata of suspicious executable files and scripts in cloud storage services
  • Metadata of suspicious executable files and scripts in email attachments
Console location: ATP policy > Malware Scanning > Rules
Console settings
  • Enable Predictive Machine Learning

Malware Scanning Feedback

Malware Scanning Feedback enables you to participate, share and leverage Trend Micro’s global database of threat related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Disabling malware scanning feedback prevents the mentioned data from being sent to Trend Micro, but affects the enhancement of Cloud Email and Collaboration Protection to rapidly identify and address new threats.
Data collected
  • Suspicious executable files and scripts in cloud storage services
  • Suspicious executable files and scripts in email attachments
Console location: ATP policy > Malware Scanning > Rules > Predictive Machine Learning
Console settings
  • Allow Trend Micro to collect suspicious files to improve its detection capabilities

Advanced Spam Protection

Cloud Email and Collaboration Protection uses Trend Micro Antispam Engine to provide advanced spam protection, as a complement to the email protection service on your email gateway side, to further protect Exchange Online users from BEC, ransomware, advanced phishing, and other high-profile attacks.

 
Disabling Advanced Spam Protection prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email and Collaboration Protection to detect BEC, phishing, ransomware, and other spam.
Data collected
  • IP addresses of upstream MTAs
Console location: ATP policy > Advanced Spam Protection
Console settings
  • Enable Advanced Spam Protection

Advanced Spam Protection Feedback

Advanced Spam Protection feedback enables you to participate, share and leverage Trend Micro’s global database of threat related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Disabling Advanced Spam Protection feedback prevents the mentioned data from being sent to Trend Micro, but affects the enhancement of Cloud Email and Collaboration Protection to rapidly identify and address new spam.
Data collected
  • Email addresses
  • Email subjects
  • URLs in email body
Console location: ATP policy > Advanced Spam Protection
Console settings
  • Allow Trend Micro to collect suspicious email information to improve its detection capabilities

Web Reputation

Cloud Email and Collaboration Protection leverages Trend Micro Web Reputation Services to scan URLs contained in files, email bodies and attachments to detect malicious URLs based on their reputation scores.

 
Disabling Web Reputation prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email and Collaboration Protection to detect malicious URLs.
Data collected
  • URLs in email body
  • URLs in email attachments
  • URLs in files
Console location: ATP policy > Web Reputation
Console settings
  • Enable Web Reputation

Data center location for CAS & XDR Data Lake

Country of Purchase          Data Center Location
USA                          West US, California
EU (Europe)                  West Europe, Netherlands
Japan                        Japan East, Tokyo
Singapore                    Southeast Asia, Singapore
Australia and New Zealand    Australia Central, Canberra
UK (United Kingdom)          UK South, London
Canada                       Canada Central, Toronto
India                        Central India, Pune
Middle East (UAE)            Dubai / UAE North


 

 

Cloud Email Gateway Protection

Cloud Email Gateway Protection includes the following modules which may cause the corresponding personal data to be transmitted to Trend Micro. Detailed information and instructions for opting out of the personal data collection by disabling specific modules are provided below. Modules that cannot be disabled are indicated below.

Domains

Upon registration of a domain in Cloud Email Gateway Protection for protection, the administrator must specify the domain name and the incoming mail server IP address or FQDN responsible for the domain.

 
If a domain is deleted or the licensed account is deprovisioned, Cloud Email Gateway Protection purges its information and does not provide protection for the domain any more.
Data collected
  • Domain names
  • IP addresses and/or FQDNs of incoming mail servers
  • IP addresses and/or FQDNs of outgoing mail servers
Console location: Domains

Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital fingerprinting, API mapping, and other file features.

 
Disabling Predictive Machine Learning prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect new, previously unidentified, or unknown threats.
Data collected
  • Metadata of suspicious executable files and scripts in email attachments
Console location: Inbound Protection > Virus Scan > Virus Policy > Policy Name > Scanning Criteria
  • Enable Predictive Machine Learning

Predictive Machine Learning Feedback

Predictive Machine Learning feedback enables you to participate, share and leverage Trend Micro’s global database of threat related intelligence to rapidly identify and defend against potential threats within your unique network environment.

 
Disabling Predictive Machine Learning feedback prevents the mentioned data from being sent to Trend Micro, but affects the enhancement of Cloud Email Gateway Protection to rapidly identify and address new threats.
Data collected
  • Suspicious executable files and scripts in email attachments
Console location: Inbound Protection > Virus Scan > Virus Policy > Policy Name > Scanning Criteria
  • Allow Trend Micro to collect suspicious files to improve its detection capabilities

Virtual Analyzer

Virtual Analyzer is a cloud sandbox designed for analyzing suspicious applications, files, URLs and scripts. Sandbox images allow observation of applications, files, URLs and scripts in an environment that simulates endpoints on your network without any risk of compromising the network.

 
Disabling Virtual Analyzer prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect advanced malware in files and URLs.
Data collected
  • Suspicious applications and executable files
  • Suspicious scripts
  • Suspicious documents with macros
  • Other suspicious files from Trend Micro virus scan engine
  • Suspicious URLs in the email body, subject or attachment
Console location: Inbound Protection > Virus Scan > Virus Policy > Policy Name > Scanning Criteria
  • Submit suspicious files to Virtual Analyzer

Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Submit URLs to Virtual Analyzer

Spam Filtering

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to provide advanced spam protection and protect users from spam.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect spam.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Spam


Business Email Compromise (BEC)

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to protect users from BEC attacks.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect BEC attacks.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Business Email Compromise (BEC)


Phishing

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to protect users from advanced phishing.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect phishing and other suspicious content.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Phishing and other suspicious content


Graymail

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to protect users from graymail.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect graymail.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Graymail


Social engineering attack

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to protect users from social engineering attacks.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect social engineering attacks.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Social engineering attack


Unusual signal

Cloud Email Gateway Protection uses Trend Micro Antispam Engine to protect users from mails with unusual signals.

 
Disabling the criteria prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect unusual signals.
Data collected
  • Mail header From/To
  • Mail header Message-ID
  • Mail header Subject
  • Mail header Reply-To
  • Mail header Return-Path
  • Mail SHA-1 hashes
  • URL and its properties
  • Envelope From/RCPT/HELO
  • Attachment SHA-1 hashes
  • Date in the header
  • Routing information in mail header Received
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Unusual signal


High Profile Users

Cloud Email Gateway Protection allows administrators to add high profile users that may be frequently forged or spoofed, either by manually adding single users or by synchronizing groups from directories.

 
If a high profile user is deleted, Cloud Email Gateway Protection no longer checks incoming email messages from this user for BEC attacks.
Data collected
  • First names
  • Middle names
  • Last names
  • Group names
  • Email addresses
Console location Inbound Protection > Spam Filtering > Business Email Compromise (BEC)
  • Source: Custom


  • Source: Synchronize users from directory server


Web Reputation

Cloud Email Gateway Protection leverages Trend Micro Web Reputation Services to scan URLs contained in email subject, body and attachments to detect malicious URLs based on their reputation scores.

 
Disabling Web Reputation prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect malicious URLs.
Data collected
  • URLs in email body
  • URLs in email subjects
  • URLs in attachments
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria
  • Web Reputation


Time-of-Click Protection

Cloud Email Gateway Protection uses Trend Micro’s Time-of-Click Protection service to rewrite URLs in the email message body during scanning and to analyze those URLs when the message recipient clicks them.

 
Disabling Time-of-Click Protection prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect malicious URLs.
Data collected
  • URLs in the email body
Console location Inbound Protection > Spam Filtering > Spam Policy > Policy Name > Scanning Criteria > Web Reputation
  • Enable Time-of-Click Protection


Correlated Intelligence Policy

Cloud Email Gateway Protection detects security risks and identifies anomalies by correlating signals across different sources. Designed to empower you with enhanced detection capabilities against sophisticated attacks, Correlated Intelligence correlates suspicious signals from various sources to detect phishing security risks and anomalies.

Cloud Email Gateway Protection collects suspicious emails for backend services, which will gather the emails' metadata (with Personally Identifiable Information removed) for further analysis.

 
The suspicious emails stored in Cloud Email Gateway Protection will be automatically deleted after one hour.
 
 
Disabling Correlated Intelligence Policy prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect phishing, security risks and anomalies.
Data collected
  • Email headers
  • Attachment SHA-1 hashes
  • Attachment SHA-256 hashes
  • Attachment size
  • Attachment MIME types
  • URLs in email body
  • URLs in email subjects
  • URLs in attachments
  • Suspicious emails
Console location Inbound Protection > Correlated Intelligence > Correlated Intelligence Policy > Policy Name > Scanning Criteria
  • Specify security risk settings
  • Specify anomaly settings


IP Reputation

Cloud Email Gateway Protection leverages Trend Micro Email Reputation Services to verify IP addresses of incoming email messages using one of the world's largest, most trusted reputation databases, along with a dynamic reputation database to identify new spam and phishing sources, stopping even zombies and botnets as they first emerge.

 
Disabling IP Reputation prevents the mentioned data from being sent to Trend Micro, but severely affects the ability of Cloud Email Gateway Protection to detect and block spam from known and emerging spam sources.
Data collected
  • Source IP addresses of incoming email messages
Console location Inbound Protection > Connection Filtering > IP Reputation > Settings


Directory Synchronization

Cloud Email Gateway Protection provides a synchronization tool that enables you to synchronize email aliases, groups and email accounts from Open LDAP, Microsoft Active Directory, Microsoft AD Global Catalog, Microsoft Office 365/Azure Active Directory and IBM Domino servers to the Cloud Email Gateway Protection server.

The mentioned data will be purged after the administrator account is deprovisioned.

Data collected
  • Display names
  • Email addresses
  • Group email addresses
  • Group and member relationships
  • Email aliases
  • LDAP information (host name, port, base DN/tenant domain, Use SSL)
Console location Administration > Directory Management > Directory Synchronize


Directory Import

Directory Import allows administrators to import a list of valid recipients’ email addresses and display names from a CSV file.

The mentioned data will be purged after the administrator account is deprovisioned.

Data collected
  • Display names
  • Email addresses
Console location Administration > Directory Management > Directory Import


Logs

 
Cloud Email Gateway Protection stores logs of all processed email messages for the administrator to use and query. URL click tracking logs are kept for 30 days; policy event logs and mail tracking logs are kept for 90 days.
Audit logs are kept for 12 months, but the administrator can query audit logs of up to 30 days. The number of days kept is not configurable.
After scheduled log deletion, all log data will be purged and cannot be retrieved.
Data collected
  • Sender email addresses
  • Recipient email addresses
  • Email subjects
  • Sender IP addresses
  • Recipient IP addresses
  • Attachment names and hashes
  • Message IDs
Console location Logs


Syslog

Cloud Email Gateway Protection allows you to forward syslog messages to an external syslog server in a structured format, which allows third-party application integration.

The mentioned data will be purged after the syslog server profiles are deleted or the administrator account is deprovisioned.

Data collected
  • Syslog server addresses, ports, protocols
  • Certificates for TLS authentication
Console location Logs > Syslog Settings > Syslog Server Profiles


Quarantine

 
Email messages quarantined for any reason are kept by Cloud Email Gateway Protection for a maximum of 30 days. During this period, the administrator may be able to release them or inspect them if further analysis is required. After that period, the data will be purged permanently.
Data collected
  • Email messages quarantined
Console location Quarantine > Query


Email Continuity

Cloud Email Gateway Protection provides protection against email loss if your email server goes down. If your server becomes unavailable due to a crash or network connectivity problem, Cloud Email Gateway Protection automatically transfers inbound traffic to a backup server until your server is back online.

 
Disabling this feature will prevent end users from using the continuity mailbox provided on the End User Console to manage their email messages when the email server goes down.
The mentioned data will be purged after the administrator account is deprovisioned.
Data collected
  • Email data and metadata (including subjects and sender addresses)
Console location Administration > Email Continuity


Single Sign-On

If SSO is enabled and required settings are completed in End User Management, Cloud Email Gateway Protection allows end users to access the administrator console with their existing identity provider credentials.

Data collected
  • Logon URLs
  • Logoff URLs
  • Claim type
  • Certificate file downloaded from the identity provider
Console location Administration > End User Management > Logon Methods
Single Sign-On:


Address Group

Cloud Email Gateway Protection allows administrators to configure email addresses in an address group.

The groups can be configured in a policy’s Recipients and Senders.

The mentioned data will be purged after the administrator account is deprovisioned.

Data collected
  • Email addresses
Console location Administration > Policy Objects > Address Group


Logon Access Control

Cloud Email Gateway Protection allows administrators to configure the clients that are allowed to access the End User Console and resources within Cloud Email Gateway Protection by specifying a list of approved IP addresses. Administrators can also optionally specify the email addresses to receive alerts on blocked or logged access.

The mentioned data will be purged after the administrator account is deprovisioned.

Data collected
  • IP addresses
  • Email addresses
Console location Administration > Logon Access Control


Email Reporting Add-in for Outlook

The Email Reporting Add-in for Outlook provides an easy way for your users to report false positives and false negatives to Cloud Email Gateway Protection, which uses the reported data to improve threat detection for your Exchange email service.

Reporting an email also sends a copy of the email to Trend Micro. However, this action does not move or delete the email.

Data collected
  • Email messages reported
Console location Administration > Email Reporting Add-in for Outlook


Email Recovery

Cloud Email Gateway Protection provides Email Recovery to retain emails that were deleted due to policy rule matches. This allows for restoration of emails that were mistakenly deleted before they are permanently purged and become unrecoverable.

When enabled, Cloud Email Gateway Protection retains deleted emails for 14 days and manages the recovery process.

Data collected
  • Email messages deleted after enabling email recovery
Console location Administration > Email Recovery


Managed XDR

Cloud Email Gateway Protection collects metadata of emails for the accounts with Email Sensor enabled. This allows the intelligent investigation API to discover security risks for Trend Vision One XDR and Managed XDR customers.

All collected metadata logs will be removed after 180 days.

Data collected
Email metadata collected by Email Sensor, including:
  • SMTP email addresses
  • Email received timestamps
  • Email attachment file names
  • Email attachment hash values
  • True file types of email attachments
  • Email attachment sizes
  • Email headers
  • Email body hash values
  • Sender IP addresses
  • URLs in email messages
Console location Email and Collaboration Sensor > Other Email Services
