Configuring Users and Actions
The Configuration page in the Account Takeover Protection section contains a list of incidents that Trustifi can monitor in real time to detect suspicious activity in your users’ accounts that may indicate account takeover.
Each incident type has 2 configurable sections:
Which users should be monitored for this incident type
Which actions should be taken if this type of suspicious activity is detected
Configure Users
To configure which users the incident type should be monitored for, simply click on the menu next to the “Apply for” text.
In the pop-up window, you may choose between 2 general options:
“All users”: The incident type will be monitored for all users in your Trustifi plan, including any new users who join in the future.
“Specific users”: The incident type will be monitored only for the specific users you have selected. You can use the select all/deselect all options as well as the search field in the top right.
Configure Actions
The actions menu allows you to configure which actions Trustifi should automatically take whenever this type of incident is discovered. The actions include:
“Notify Reviewer”: An automated notification will be sent to the reviewers who are listed in the Account Takeover Protection Reviewers page.
“Notify User”: The user for whom the incident was detected will receive an automated notification.
“Block User”: The user’s Trustifi account will be blocked. They will not be able to send emails via Trustifi or access the Trustifi web portal until they are unblocked.
“Block for 24 Hours”: The user’s Trustifi account will temporarily be blocked for 24 hours, after which they will automatically be unblocked.
“Risky for 24 Hours”: The user’s Trustifi account will temporarily be marked as “Risky” for 24 hours. While a user is marked as “Risky”, their sent emails will be subject to more thorough scanning to make sure they are not sending any spam or phishing content.
Incident Types
Suspicious Device Change: A user was found to be sending or opening their Trustifi emails from a previously unrecognized device/browser.
Suspicious Location Change: A user was found to be sending or opening their Trustifi emails from an unfamiliar or previously unknown geographical location (country).
Sensitive Data Sent to New Domain: A highly sensitive email (sensitivity score of 5) has been sent by a user to a domain with which there has been no previously known communication.
Sensitive Data Sent to Free Email Domain: A highly sensitive email (sensitivity score of 5) has been sent by a user to a free email domain (e.g. gmail.com, yahoo.com).
Unusual Amount of Emails Sent: A user was found to have sent an unusually high number of emails for the time period.
Suspicious Mailbox Rules: Trustifi has detected a new and suspicious mailbox rule in a user’s account. Rules are considered suspicious if they forward or redirect traffic to external free email domains.
Mailbox Email Breach: A user’s email account password has been detected in a data breach via the darknet.
Increased Recipient Complaint Rate: Detects when a user's emails are frequently reported as spam or phishing by recipients. If a user has 5 incidents in 5 days, they will be automatically blocked.
Note: This configuration is automatically enabled for all users.
Increased Recipient Hard Bounce Rate: Detects when a user's emails repeatedly fail due to hard bounces. If a user has 5 incidents in 5 days, they will be automatically blocked.
Note: This configuration is automatically enabled for all users.
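The “Suspicious Mailbox Rules” criterion above (a rule that forwards or redirects to an external free email domain) can be checked against an exported rule list as follows. This is an added example, not Trustifi's code: the rule field names follow Exchange inbox-rule properties, and the free-domain list, the internal domain and the sample rules are constructed assumptions.

```python
# Added example (not Trustifi code). Field names follow Exchange inbox-rule
# properties; the domain list and sample rules below are constructed.
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
FORWARDING_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def recipient_domain(address):
    """Return the lower-cased domain of a recipient string, or None."""
    # Handles 'user@x', 'Name <user@x>' and '"Name" [SMTP:user@x]'.
    addr = address.strip().rstrip(">]")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def suspicious_rules(rules, internal_domains):
    """Return (rule name, field, address) for every forwarding or redirect
    target that is outside the organisation and on a free email domain."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        for field in FORWARDING_FIELDS:
            for address in rule.get(field) or []:  # a field may be absent or None
                domain = recipient_domain(address)
                if domain and domain not in internal and domain in FREE_EMAIL_DOMAINS:
                    findings.append((rule["Name"], field, address))
    return findings


SAMPLE_RULES = [  # constructed sample data
    {"Name": "Archive invoices", "ForwardTo": ["finance@example.com"]},
    {"Name": "rss", "RedirectTo": ["Backup <j.doe.backup@GMAIL.com>"]},
    {"Name": "Partner copy", "ForwardAsAttachmentTo": ["ops@partner.example"]},
    {"Name": "..", "ForwardTo": ['"x" [SMTP:inbox77@yahoo.com]'], "RedirectTo": None},
]

if __name__ == "__main__":
    for name, field, address in suspicious_rules(SAMPLE_RULES, {"example.com"}):
        print(f"suspicious rule {name!r}: {field} -> {address}")
```

Rules that forward to an internal address or to an external business domain are not flagged; only the free-mail targets are reported for review.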