Search help content

ESET Cloud Office Security – Table of Contents

Email rules

Breadcrumbs

ESET Online Help > ESET Cloud Office Security > Navigate the ESET Cloud Office Security > Policies > Email rules

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

This feature enables you to specify conditions and assign filtered email actions. You can define your custom sender verification and anti-spoofing rules with conditions that include authentication methods such as SPF, DKIM, DMARC, and ARC. While making a policy > Rules > click Edit next to Email rules to create a new rule or modify an existing one.

1.To create a new rule, click Create to open a wizard.

2.Choose pre-defined Template or click Skip and create New rule.

3.Type a Name for the rule (something you will recognize), and the name will be shown on the list of rules. If you want to prepare the rule and plan to use them later, you can click the toggle next to Active to inactive the rule.

4.Follow the wizard to specify Conditions and Actions. Click Add new condition, select the condition Source from the drop-down menu and configure appropriate values.

5.Define your conditions first and then specify the corresponding actions. You can add multiple conditions and actions to a single rule. If you do so, all conditions must be met to apply the rule. All conditions are connected using the logical operator AND. Even if most conditions are met and one is not, the condition evaluation result is not met, and the rule's action cannot be taken.

Template

Select the pre-defined Template from the drop-down menu.

Template	Description
Add external sender banner	Adds a banner to emails originating outside your organization so users can quickly identify external messages.
Add internal sender banner	Marks emails from internal senders with a banner confirming the message is from within your organization to reduce confusion and build trust. Misconfigured SPF or relay issues may prevent the banner from appearing or cause incorrect flagging.
Display "From" and "Sender" values in the banner	Shows both "From" and "Sender" headers in the banner for transparency, helping users detect spoofing attempts where attackers hide the real sender. Some legitimate mailing systems (for example, newsletters) use different "Sender" values, which could cause confusion.
Alert on common homoglyph character in the "From" header.	Alerts users when the "From" address contains Cyrillic or Greek characters that mimic Latin letters, which is a common impersonation tactic. This helps prevent homoglyph attacks. Legitimate international emails may also trigger this warning.
Alert on common homoglyph character in the "Sender" header.	Alerts users when the "Sender" address contains Cyrillic or Greek characters that mimic Latin letters, which is a common impersonation tactic. This helps prevent homoglyph attacks. Legitimate international emails may also trigger this warning.
Suspicious keyword filter	Flags emails containing common phishing or scam phrases such as "Verify your identity immediately" or "You have won", which are strongly associated with fraud attempts. Marketing emails or legitimate alerts may occasionally use similar language, so caution is advised. It is recommended to create a list of suspicious keywords tailored to your organization's needs.
Promotional emails filter	Identifies promotional emails by detecting unsubscribe links and non-business domains, helping users prioritize important messages. Some transactional emails (e.g., invoices) include unsubscribe links and may be flagged incorrectly.
Flag high-risk TLD domains	Warns users about emails from domains with high abuse rates (for example, .tk, .ml, .xyz). These TLDs are frequently used for spam and phishing. Some legitimate services use these domains, so verification is important.
Reply-To header mismatch	Alerts users when the Reply-To address differs from the sender, a common phishing tactic to redirect responses. Some mailing systems use different Reply-To addresses for support or ticketing, which may cause false positives.
Move unauthenticated emails to Junk (SPF fail)	Flags emails that fail or partially fail SPF checks, indicating possible spoofing. SPF validates sender authenticity. Misconfigured SPF records or forwarding services may cause false positives.
Move unauthenticated emails to Junk (SPF soft fail)	Flags emails that fail or partially fail SPF checks, indicating possible spoofing. SPF validates sender authenticity. Misconfigured SPF records or forwarding services may cause false positives.
Alert on urgent emails without SPF	Warns users when a high-priority email lacks SPF validation. Attackers often mark phishing emails as urgent to pressure recipients. Some legitimate systems may not set SPF correctly, so verification is recommended before proceeding.
Alert on failed ARC and DMARC checks	Flags emails failing DMARC and ARC checks, which validate sender identity and message integrity. This prevents spoofing and tampering. Forwarded emails or mailing lists may fail these checks, causing false positives.
Flag PHP mailer emails	Warns users about emails sent via PHP mailer, which is often exploited by spammers in low-security setups. While PHP mailer is commonly used in legitimate web applications, recipients should verify authenticity.
ARC fail banner	Alerts users when ARC authentication fails, indicating possible tampering in message forwarding. ARC helps preserve authentication through forwarding chains. Some email forwarding services may cause ARC failures.
Quarantine emails with macro-enabled attachments	Alerts users when an email contains macro-enabled Office files, which can execute malicious code. This is a common malware delivery method. Some legitimate workflows may use macro-enabled files, so administrators should verify before blocking.
Quarantine emails with executable attachments	Blocks emails containing executable files to prevent malware infections. Executables are a high-risk file type. Rare legitimate use cases (e.g., software distribution) may be impacted.
Quarantine emails with password-protected attachments	Blocks emails containing password-protected files that could hide malicious content. Attackers often use encryption to bypass scanning. Legitimate secure file transfers may also be blocked.
Quarantine emails with double-extension attachments	Blocks emails containing attachments with double extensions (for example, invoice.pdf.exe), which is a common malware tactic used to disguise executables. Rare legitimate naming conventions may also trigger this rule.
Prevent internal domain spoofing (SPF fail) Prevent internal domain spoofing (DKIM fail) Prevent internal domain spoofing (DMARC fail) Prevent internal domain spoofing (Sender header)	Quarantines emails that appear to come from your domain but fail authentication checks, helping prevent internal spoofing attacks. Misconfigured DNS records or relay systems may cause false positives.
Block urgent emails with DKIM fail	Blocks emails marked as "urgent" that fail DKIM authentication, as attackers often use urgency to pressure recipients and bypass security checks. This rule helps prevent social engineering attempts. However, some legitimate urgent emails may fail DKIM due to forwarding or misconfigured mail servers.

Conditions

Select the condition Source from the drop-down menu. Parameter fields will change depending on selected source. Alternatively, you can specify Regular expression by selecting Match type: RegEx match.

Condition Source

Description

Sender

Applies to messages sent by a specific sender.

Sender's IP address

Applies to messages sent from a specific IP address. When adding a new address as a condition, both IPv4 and IPv6 are accepted.

Sender domain

Applies to messages from a sender with a specific domain in their email addresses.

From / From Name

"From:" value contained in message headers. This display name is visible to the recipient, but no checks are done to ensure that the sending system is authorized to send on behalf of that address. It is commonly used by attackers when spoofing the sender. This condition is used to compare the domain(s) contained in the "From:" email header field and Envelope sender against the domain lists.

Subject

Applies to messages that contain or do not contain a specific string (or a regular expression) in the subject.

Body

Message body is searched for a specified phrase. You can use the Strip HTML tags feature to remove HTML tags, attributes and values, and preserve text only. The body text will then be searched.

Attachment name

Applies to messages containing attachments with a specific name. This includes files contained within an archive.

Evaluate for top-level attachment only—When enabled, files inside an archive will not be evaluated.

Use full path for objects inside attachment—When enabled, the object's full path will be evaluated, not just the filename.

Attachment extension

Applies to messages with an attachment that does not meet a specified size, is within a specified size range, or exceeds a specified size.

Attachment type

Applies to messages with a specific file type attached. File types are categorized into groups for easy selection. You can select multiple file types or whole categories. ESET Cloud Office Security detects the actual file type regardless of the file extension. The same applies to an archive's content.

Evaluate for top-level attachment only—When enabled, files inside an archive will not be evaluated.

The Attachment type rule condition has a known limitation where ESET Cloud Office Security detection engine cannot detect extra small text files under 10 bytes in length in ASCII/ANSI encoding.

Received time

Applies to messages received before or after a specific date or during a specific date range.

SPF result
SPF result - From header
SPF result HELO

Applies to messages with the SPF (Sender Policy Framework) evaluation result:

Passed—the IP address is authorized to send from the domain (SPF qualifier "+").

Failed—SPF record does not contain the sending server or IP address (SPF qualifier "-").

Soft fail—the IP address may or may not be authorized to send from the domain (SPF qualifier "~").

Neutral—means the domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain (SPF qualifier "?").

Unknown—SPF result of None means that the domain published no records or that no checkable sender domain could be determined from the given identity.

You can read RFC 4408 for more details about SPF.

DMARC result

Applies to messages that Passed or Failed verification by SPF, DKIM or both, alternatively if Unknown.

DKIM

Applies to messages that Passed or Failed DKIM verification, alternatively if Unknown.

ARC

Applies to messages that Passed or Failed verification by ARC, alternatively if Unknown.

Headers

Email message header field names and values are used as condition. Comparison type:

Header names—matching header names, the condition is met when the specified header name exists.

Header values—matching header names and header values, the match type is used only for the header values according to the selected Match type. To meet the condition, specified header names must be an exact match (the Match type does not affect header name values).

Malware scan result

Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Infected, Disabled.

Phishing scan result

Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Phishing, Disabled.

Spam scan result

Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Spam, Disabled.

Scan result

Choose from the drop-down menu what messages the rule will apply to. Option: Disabled, Malware, Phishing, Spam, Analyzing, Error, Clean, Not scanned.

Actions

You can add actions for messages and/or attachments that match rule conditions.

Action name	Description
Quarantine message	The message will not be delivered to the recipient and will be moved to the mail quarantine.
Delete message	Deletes an infected message.
Delete attachments	Deletes a message attachment. The message will be delivered to the recipient without the attachment.
Skip scan	Message will not be scanned by the Malware, Phishing and Spam protection.
Notify owner	Define Subject and Message text that will be sent to the email recipient/owner to get them notified. All parameters for message text must be enclosed in curly braces, for example {ParameterName}.
Notify admins	Type Admin emails, define Subject and Message text that will be sent to administrators as a notification. All parameters for message text must be enclosed in curly braces, for example {ParameterName}.
Add subject prefix	Adds a prefix to a subject.
Evaluate next rules	Allows the evaluation of next rules, enabling the user to define multiple sets of conditions and multiple actions to take given the conditions.
Move to Junk	Message will be put into the Junk/Spam folder of the user's mailbox.
Add body banner	A banner will be added to an email message and displayed to the recipient. You can customize the appearance of the banner when it is included in the message.

˄˅