Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Frequently Asked Questions (FAQs) about Cloud App Security

    • Updated:
    • 25 Jun 2021
    • Product/Version:
    • Cloud App Security
    • Platform:

This article answers the most common inquiries on Cloud App Security that is not listed in FAQ on the Online Help Center .

  1. Deprovision the original Office365 tenant on CAS admin UI. Refer to Deprovisioning Office 365 Services from the Online Help.
  2. Provision the new Office365 tenant on CAS admin UI. Refer to Provisioning Office 365 Services from the Online Help.

In case any error occurs, please contact Trend Micro Technical Support.

After the new license is added on the CLP portal, CAS gets an update notification and then automatically synchronize the new seats/expiration information. The result can be confirmed by logging in to the CAS Admin Console, then go to Administration > License.
Yes, the policy configuration data and log data will be kept 30 days after the grace period (60 days after the license expired). During this period, once the license is renewed and services are re-provisioned, configurations and logs will be automatically restored.
10 days after grace period expiration, CAS will deprovision all service accounts, but data will be kept.

When provisioning Authorized Account, the global admin is just used during token provision and the user name/password is used within Microsoft page for permission grant.

Global Admin role is no longer necessary after completing provisioning. CAS will just use the token to connect with M365 rather than the global admin credential. The token will be refreshed automatically and periodically before it is expired. The account shown in Service Account page is purely to keep a record on the account used for the token provision.

For more information about Microsoft token-based provisioning, refer to:

CAS starts scanning when an email message arrives at a protected mailbox, a file is uploaded or updated to a cloud storage application, or a Salesforce object is updated.

However, because CAS adopts an API-based architecture rather than a proxy-based architecture to provide advanced protection. Scanning delay could happen if Office365 somehow can not notify CAS immediately on the upload/update events, or if there is a temporary network problem between Office365 and CAS.

The reasons under Top Affected Users:
  • Most at risk for Emergent threats (threats emerging recently)
  • Most at risk for Advanced Spam threats (threats detected by Trend Micro TMASE engine)
  • Most at risk for Phishing threats (Phishing URL detected by Trend Micro WRS and URL dynamic scanning)
No. Currently CAS does not forward SMEX detection logs to Vision One.

Enable Email Account Inventory. Once the Email Account Inventory is enabled, the policy "Default Exchange Online Policy ATP (For Trend Micro XDR Only)" will also be enabled.

The policy can't be changed from CAS WebUI.

For Apex Central on-premise, refer to Trend Micro Apex Central Integration.

For Apex Central as a Service, CAS can integrate it only for EDR feature, so CAS doesn't transmit log to it.

Provision a Service Account for Gmail from CAS portal. Refer to Provisioning a Service Account for Gmail. Connect CAS to Trend Micro Vision One. Follow the procedure in this article: Connecting Trend Micro Products.
Country of PuchaseData Center Location
USACAS: West US, California
XDR Platform/Activity Data: East US, N. Virginia
Europe (EU)CAS: West Europe, Netherlands
XDR Platform/Activity Data: West Europe, Netherlands
JapanCAS: Japan East, Tokyo
XDR Platform/Activity Data: Japan East, Tokyo
SingaporeCAS: Southeast Asia, Singapore
XDR Platform/Activity Data: Southeast Asia, Singapore
Australia & New Zealand (ANZ)CAS: Australia Central, Canberra
XDR Platform/Activity Data: East US, N. Virginia (*Australia Central - future site)
Europe-United Kingdom (EU-UK)CAS: UK South, London
XDR Platform/Activity Data: West Europe, Netherlands
CanadaCAS: Canada Central, Toronto
XDR Platform/Activity Data: East US, N. Virginia
IndiaCAS: Central India, Pune XDR Platform/Activity Data: Asia Pacific, Mumbai

Get the latest information from this article: Cloud App Security Data Collection Notice.

For Sandboxing location, refer to Data Center Geography.

Yes. CAS downloads emails and files to memory to scan, but will NOT store them.

For more information, check the Cloud App Security Data Collection Notice.

You can visit the Cloud App Security Data Collection Notice.

This article outlines the Cloud App Security features that collect data, the data transmitted, and their location on the product console where you can disable the feature.

Yes. CAS supports multiple email addresses under the notification setting. Please separate the email addresses using semi-colon ";".

Yes. CAS DLP can protect Microsoft Teams.

To protect Microsoft Teams:

  1. Log in to CAS admin console.
  2. Go to Data Loss Prevention, and click the drop-drop button beside Add.

    MS Teams

    Click the image to enlarge.


CAS performs IP reputation on the IPs recorded in the mail headers. CAS will analyze IP reputation for advanced spam detection if advanced spam detection is enabled.

Unlike email gateway solution like Trend Micro Email Security, CAS can't block SMTP connection because it is not working in transport layer. For the same reason, CAS doesn't perform DNS Authentication (SPF/DKIM/DMARC). But customers can enable these features in Office365 Exchange Online Protection (EOP). When they are enabled, CAS can analyze related authentication result headers to trap Spam and other unsolicited emails.

Refer to this Online Help page to understand how CAS works.

Yes, CAS DLP scans the file properties and attributes. It will help prevent leaking data, especially the PII from the file sharing. If customers don't want such data to be scanned by CAS, they may either exclude such files from DLP scanning or adjust DLP scanning templates to disable triggering such confidential data.

Yes. You can find it by querying log with Type set to Virtual Analyzer. The trigger is when there is a risk in sandbox detected and not via engine/pattern/Machine Learning.

Virtual Analyzer

Click the image to enlarge.

Below is an example of how the report would look like:

VA Reports

Click the image to enlarge.

Please enable Retro Scan & Auto Remediate option in Web Reputation, as shown below:

Enable Retro Scan

Click the image to enlarge.

The feature collects email metadata through the Threat Investigation API, and retroactively scans the past 3 day's URLs using newer web reputation patterns every 2 hours. Based on the latest scan result, CAS automatically takes remedial action on the affected email messages. Please refer to Web Reputation Services for more information.

For safe sites, the cache TTL is 24 hours.

For malicious sites, the cache TTL is 35 minutes.

The results of re-written URLs and shorten URLs are not cached.

CAS implements this features NOT just based on display name consistency, but goes through the following process:

  • First, CAS checks if a mail has an external sender address but has a display name the same as a name in the company. For example: "CEO display name"<attacker@attackers.domain>.
  • If the above rule is matched, CAS sends the mail to TMASE engine to check other mail attributes like headers and bodies for other suspicious indicators.
  • CAS then takes action based on the final result.
Yes. Writing Style Analysis is also supported for Gmail.
Yes. Office365 dynamic groups also have Object ID which can be fetched via Graph API request, therefore CAS can support Office 365 dynamic groups. Dynamic groups can be seen in Azure AD, O365 Admin Center and Exchange Admin Center, CAS can synchronize them properly.

No. CAS utilizes Microsoft API to retrieve email from users' mailbox, so it works not in transport level but in mailbox level.

For more information, refer to Understanding how Cloud App Security works.

No. The limit on the number is the result of a balance choice between scan performance & scan capability.

On the other hand, the Display Name Spoofing Detection applies to all users.

CAS doesn't have “in the cloud” quarantine. For spam mails, CAS by default moves them to Outlook spam folder. So end users can review and handle all spam mails by accessing Outlook spam folder. On the other hand, for malicious mails, CAS implement quarantine action by moving them to a hidden folder in Exchange online. The quarantined malicious mails must be controlled by the CAS admins to prevent malware leak.
No. The limit is put to protect CAS system from being overloaded. But you can select different 31 days’ time range for manual scan, not necessarily the latest 31 days

Security Filter

Click the image to enlarge.

The Blocked Lists for Exchange Online specify the blocked senders, URLs, and SHA-1 hash values for your organization through the Threat Remediation API. Email messages that match any item in the lists will be automatically quarantined by Cloud App Security.

For more information, refer to Viewing Blocked Lists for Exchange Online.

Writing Style

Click the image to enlarge.

Writing Style is a subset of the overall BEC detection. An incoming email message that hits the writing style analysis criteria is subject to Action setting under Writing Style, regardless of the setting for BEC in Action. For more details, refer to Advanced Spam Protection.

CAS Computer Vision supports Amazon, Apple, Box, Dropbox, Facebook, Google, HSBC, Linkedin, Microsoft, OneDrive, Paypal, and Rakuten.

With token provision, the required account for provision needs to be a global admin. But once provisioned, CAS will use token to communicate with M365, so CAS capability will not be impacted even if the global admin account used for provisioning were deleted or its password were changed.

The required permission for CAS are listed as below:

During provisioning, Microsoft authentication page will list the required permissions for you to review. After provision, you can also find the granted permission list from Azure Active Directory admin center > Enterprise applications > Trend Micro Cloud App Security > Permissions.
Office365 ProvisionsRequired Permissions
  • Sign in and read user profile
  • Read directory data
  • Read all groups
  • Read and write mail in all mailboxes
  • Read all hidden memberships
  • Use Exchange Web Services with full access to all mailboxes
  • Have full control of all site collections
  • Read user profiles
  • Sign in and read user profile
  • Read directory data
  • Read all groups
  • Read items in all site collections (preview)
  • Have full control of all site collections
  • Sign in and read user profile
  • Read directory data
  • Read items in all site collections (preview)
  • Sign in and read user profile
  • Create, edit, and delete items and lists in all site collections
  • Read directory data
  • Read all groups
  • Read items in all site collections (preview)
  • Have full control of all site collections
When multiple ATP policies apply to the same user, the policy on the top will take effect. But please also pay attention to the mail direction defined in "Apply to" of the policies. For example, an outgoing mail will not trigger the policies applied to "Incoming Messages", so these policies will be skipped and the lower policy applied to "All Messages" will take effect.

If the policy was copied from an existing Monitor Only policy, e.g. "Default Exchange Online Policy ATP (Monitor Only)", it will also be Monitor Only, so the actions are also not changeable.

To verify it, please try to create a new one by copying Default Exchange Policy ATP policy.

It is a limitation of Microsoft API. Office365 will not send a notification for an outgoing mail to CAS until the mail was sent and put into Sent folder. Therefore, when CAS retrieve the mail for scan, it has been already sent out and there is no chance for CAS to intercept it.

Refer to the following links for more information regarding the Microsoft Notification Subscription feature:

Adding disclaimer to all mails would consume too many API calls and trigger the API usage limit very quickly. So even we add the feature to CAS, it won't work properly due to the API usage limit.

In addition, for outgoing mails, the mails are delivered before CAS can scan them, so there is no way for CAS to add disclaimer to outgoing mails.

Scan Source

Click the image to enlarge.

The items shown under Scan Source are dynamic and comes from the existing detection logs. If there is no detection on certain application, say SharePoint, it will not show under Scan Source. This is the same on other sections like Security Filter. It will show up once CAS get detections on the application.

The one-time click URLs in the Mimecast notification mails were accessed/"clicked" by CAS WRS T0 or Computer Vision feature.

To resolve the issue, please find the pattern of the URL and then add the URL with wildcard to approved URL list.

Add to Approved List

Click the image to enlarge.

When "Apply to" option is set to "Incoming messages" in Malware Scanning rules, the "Apply to" option in Virtual Analyzer rules will be greyed out.

Virtual Analyzer analysis is dependent on Malware scanning results, so the Virtual Analyzer policy is also dependent on Malware Scanning policy.

When running a manual scan, CAS hooks every email from the target mailboxes via API then scans it. The large volume of scanning will result in massive API calls so it could easily trigger throttling at Microsoft side. Another reason is to balance the resource & cost in the cloud. The huge volume of full scanning, obviously, could eat up the reserved resources of CPU, Memory as well as network bandwidth.

Read more about Microsoft Graph throttling guidance.

On the other hand, the 31-day limit doesn't mean you can only scan the past 31 days mails, but you scan specify any 31 days period. So you may scan more than 31 days mails by doing manual scan multiple times.

Confirm if you have granted Cloud App Security permissions to receive notifications from Microsoft, upon any change to the files on your SharePoint online, OneDrive and Microsoft Teams.

Refer to page 17-18 of the Best Practice Guide.

The reason why Spam Detection by Category does not show the ransomware detection could be that the email (the ransomware) was detected by Malware Scanning instead of Advanced Spam Protection. And if you would like to verify if Advanced Spam Protection can detect the ransomware, you may need to disable Malware Scanning while enabling Advanced Spam Protection. If the email gets detected by Malware Scanning, it won’t be scanned by Advanced Spam Protection.

Here is the scan flow in CAS for reference: File Blocking -> Malware Scanning -> Web Reputation -> Anti-Spam -> BEC/Writing Style DNA -> DLP -> Sandbox.

No. CAS just uses Microsoft Graph API to do actions for detected mails, such as “move mail from inbox to quarantine folder”, but will NOT remove any Microsoft365 or Office365 log.
Yes. CAS is an auto-scalable SaaS solution. CAS is protecting some customers with 1 million+ users today. So 300,000 size would still be supported.
Yes, all mails under the same user will be scanned by CAS because CAS retrieves user information under a tenant, rather than domains.

The action will be taken based on the following priority:
Delete > Quarantine > Move to Junk Email folder > Replace > Tag subject > Pass

For example, when a mail is detected as both Phishing and Other spam (Phishing-Other spam), the final action will be Quarantine. This follows the priority shown above, because the default action for Phishing is quarantine, while the default action for Other spam is Move to Junk Email folder.

After a policy is created or modified, policy match needs to be re-calculated. The time of the re-calculation depends on the policy target setting. For example, if the policy target contains many groups, the re-calculation time could take several minutes.

Usually the time should be within minutes. Therefore, we suggest to do the test and verification 10 minutes after the policy is created or modified.

For the same service (e.g. Exchange), when a user matches multiple policies, only the policy with highest priority will be applied.
For additional FAQs on Cloud App Security features, refer to this KB Article: Frequently Asked Questions (FAQs) and How-Tos about the Features of Cloud App Security (CAS)
On the top-right corner of the CAS portal, in front of the alert icon, there is service health status icon. Hover your mouse on it, the service health status information will show up.

Mail flow will NOT be impacted even when CAS is under maintenance.

When CAS is under maintenance, some internal requests may encounter errors, but they will be reprocessed when maintenance is done.

Configure; Troubleshoot; Deploy; Install; Register
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.