
Best Practice Guide list for Exchange Online Service for Trend Micro Cloud App Security (TMCAS)

    • Updated: 28 Sep 2021

This article lists the recommended best-practice configuration for the Exchange Online service in Cloud App Security.


To configure the General Settings:

  1. Select General.
  2. Enable Real-Time Scanning.


Real-Time and On-Demand Scanning

Cloud App Security searches for security risks and undesirable data by scanning messages and their attached files in email services, files stored in other cloud applications, object records such as documents and feed posts in Salesforce, and messages in private Teams chats.

Cloud App Security performs real-time scans and on-demand (manual) scans. When detecting malicious or undesirable content, Cloud App Security automatically takes action against the email message, file, Salesforce object record, or Teams chat message according to scanning rules. Configure policies to scan specific targets and then take certain action or send a notification based on the security risk.

Cloud App Security scans the following in real time:

  • For email services, scanning occurs when an email message arrives at a protected mailbox.
  • For cloud storage applications, scanning occurs when a user uploads, creates, synchronizes, or modifies a file.
  • For Salesforce, scanning occurs when a user updates an object record.
  • For Teams Chat, scanning occurs when a user sends a private chat message.

To configure Spam Protection:

  1. Select Enable Advanced Spam Protection.
  2. Enable Allow Trend Micro to collect suspicious email information to improve its detection capabilities.


  3. Configure the Rules settings, and set the following:
    • Apply To: All Messages
    • Detection Level: Medium


Cloud App Security leverages Content Scanning to provide advanced spam protection as a complement to the email protection service on your email gateway, further protecting your email service users from graymail, scams, BEC, ransomware, advanced phishing, and other high-profile attacks. It uses the following components to apply heuristic policies when detecting unwanted content and when blocking or automatically allowing an email message:

  • Trend Micro Antispam Engine
  • Trend Micro spam pattern files

The Antispam engine uses spam signatures and heuristic rules to filter email messages. It scans email messages and assigns a spam score to each one based on how closely it matches the rules and patterns from the pattern file. It then compares the score to the user-defined spam detection level, and sends the result to Cloud App Security. When the spam score exceeds the detection level, Cloud App Security takes action against the email message based on the category that the message falls into.

To configure Malware Scanning:

  1. Click Malware Scanning.
  2. Configure the Rules settings, and set the following:
    • Apply To: All Messages
    • Malware Scanning: Scan all files
  3. Enable the following options:
    • Predictive Machine Learning
    • Scan message body
    • IntelliTrap


About Predictive Machine Learning

Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.

After detecting an unknown or low-prevalence file, Cloud App Security scans the file using the Advanced Threat Scan Engine to extract file features and sends the report to the Predictive Machine Learning engine. Through use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.

To configure Web Reputation:

  1. Click Web Reputation.
  2. Configure the Rules settings, and set the following:
    • Apply To: All Messages
    • Security Level: Medium
  3. Enable the following options:
    • Message Attachments
    • Dynamic URL Scanning
    • Retro Scan & Auto Remediate


Web Reputation Risk Levels

Trend Micro Web Reputation technology tracks the credibility of web domains by assigning a reputation score based on factors including a website's age, historical location changes, and indications of suspicious activities discovered through malware behavior analysis, such as phishing attacks that are designed to trick users into providing personal information.

The following table explains the Web Reputation risk levels. View the table to understand why a URL is classified as dangerous, highly suspicious, or suspicious.

Risk Level | Description
-----------|------------
Dangerous | The URL is verified to be fraudulent.
Highly Suspicious | The URL is suspected to be fraudulent or a possible source of threats.
Suspicious | The URL is associated with spam or possibly compromised.
Untested | The URL has not been tested by Trend Micro yet. While Trend Micro actively tests web pages for safety, users may encounter untested pages when visiting new or less popular websites. Blocking access to untested pages can improve safety but can also prevent access to safe pages.
Safe | The URL contains no malicious software and shows no signs of phishing.

To configure Virtual Analyzer:

  1. Click Virtual Analyzer.
  2. Configure the Rules settings, and set Apply To: All Messages.


Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files. Sandbox images allow observation of file behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

Cloud App Security sends suspicious files to Virtual Analyzer when a file exhibits suspicious characteristics and signature-based scanning technologies cannot find a known threat. Virtual Analyzer performs static analysis and behavior simulation in various runtime environments to identify potentially malicious characteristics. A suspicious object is a known malicious or potentially malicious IP address, domain, URL, or SHA-1 value found in submitted samples.

To configure Writing Style Analysis:

  1. Under Advanced Spam Protection, configure Writing Style Analysis for BEC.
  2. Tick Enable writing style analysis.


  3. Go to Administration > Global Settings > High Profile Users/High Profile Domains.
  4. Click Add to specify individual users or select users from groups as high profile users (choose either "User Manually" or "User from Organization").


    • Business Email Compromise (BEC) attacks usually target high profile users such as company executives. Cloud App Security allows you to add the high profile users and high profile domains that are likely to be impersonated, so that they can be used for detection and classification.
    • You can add a maximum of 1000 High Profile Users and a maximum of 100 High Profile Domains.

About Writing Style DNA

Cloud App Security integrates with Trend Micro's Writing Style DNA as an additional layer of protection for your organization's users against BEC threats.

By leveraging the Writing Style Analysis that comes with Writing Style DNA, Cloud App Security scans the email messages written by a desired individual to learn their particular writing style, and then trains a writing style model on the email system for authorship identification. This writing style model is a set of properties or features, explored with automated methods, that uniquely identify the way an individual composes email messages. Cloud App Security then compares incoming email messages in protected mailboxes that claim to be sent from the individual against the model to identify the authorship.

This requires Cloud App Security to train and analyze the specific writing style model of each high profile user. As users' writing style models may change over time, it is also necessary to keep updating them to fine-tune email filtering.
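
The train-then-compare idea described above, as a simplified illustration added here. It is not Trend Micro's Writing Style DNA implementation, whose features and model this page does not describe. The marker list, the 0.8 threshold, and the sample messages are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Style markers (assumed for this sketch): function words plus two punctuation marks.
MARKERS = ["hi", "please", "thanks", "the", "me", "when", "i", "you", "it",
           "now", "do", "not", "to", "and", "is", "for"]
PUNCTUATION = ["!", ","]
THRESHOLD = 0.8  # assumed cut-off; a real system would tune this per user

def style_vector(text):
    """Rate of each style marker per word, so message length does not matter."""
    words = re.findall(r"[a-z']+", text.lower())
    total = max(len(words), 1)
    counts = Counter(words)
    vector = [counts[w] / total for w in MARKERS]
    return vector + [text.count(p) / total for p in PUNCTUATION]

def train_profile(messages):
    """Average the style vectors of messages known to be written by the user."""
    vectors = [style_vector(m) for m in messages]
    return [sum(column) / len(vectors) for column in zip(*vectors)]

def similarity(profile, message):
    """Cosine similarity between the trained profile and one incoming message."""
    vector = style_vector(message)
    dot = sum(a * b for a, b in zip(profile, vector))
    norms = math.sqrt(sum(a * a for a in profile)) * math.sqrt(sum(b * b for b in vector))
    return dot / norms if norms else 0.0

def is_style_mismatch(profile, message):
    """True when a message claiming to be from the user does not match the profile."""
    return similarity(profile, message) < THRESHOLD

# Constructed sample mail for a fictional high profile user, "Dana".
KNOWN = [
    "Hi team, please send me the Q3 numbers when you have a moment. Thanks, Dana",
    "Hi Sam, thanks for the update. Please loop me in when the audit is done. Thanks, Dana",
    "Hi all, please review the attached budget and send me your comments. Thanks, Dana",
]
GENUINE = "Hi Lee, thanks for the draft. Please send me the final version when it is ready. Thanks, Dana"
SUSPECT = "I need you to wire the payment now!! It is urgent, do it now and do not tell anyone!!"
PROFILE = train_profile(KNOWN)

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(label, round(similarity(PROFILE, msg), 2), is_style_mismatch(PROFILE, msg))
```

Retraining the profile with newer known-good messages corresponds to the model updates the paragraph above calls for as a user's writing style changes.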
