Configuring Risk Levels

Description

Risk Levels give you some control over the action Shield takes on a message that matches a specific risk. Risk Levels can be applied to an Organization, an individual user, or a specific sender for a user within Shield Control.

Risk levels for Shared mailboxes are treated differently. See Shared Mailboxes in Shield for more information.

Risk Levels

  • High - A high risk level places the email in Jail regardless of whether the sender is a trusted contact.
  • Moderate - A moderate risk level places the email in the Junk Email folder even if the sender is a trusted contact. An email in the Junk Email folder will retain its original contents but will be subject to its native protections.
  • Low - A low-risk email will only include insights in X-ray and go to the Review folder if the sender is an unknown contact.

Risk Categories


Choose the appropriate risk level for the category to alter Shield's default behavior.

  • Unauthorized: SPF failure of the envelope sender address or a DMARC quarantine or reject policy.
  • Forged: DKIM signature failure.
  • Bulk: The email's source and/or contents are from a mass mailing.
  • Possible dangerous file: The email may contain a macro, encrypted file, or potentially unwanted application (PUA). 
  • Possible dangerous extension: File extensions that typically indicate a virus payload is included.
  • Bad reputation: The sender or sending IP may be on one or more bad reputation databases.
  • Obvious spam: Messages with many obvious signs that they are spam.
  • Spam: The email contains content that is consistent with unwanted email behaviors.
  • Possible spam: Messages that look like they could possibly be spam but might not be. 
  • Possible impersonation: The email appears to be coming from someone you know but not from a source consistent with their known identity.
  • Unwanted: Shield has learned that messages like these are unwanted by users.
  • Possible unwanted: Shield believes messages like these are unwanted but might be wanted.
  • Untrusted region: Any region not yet trusted in Manage Trusted Regions will show a risk level. This is only customizable at the Organization level by Shield Admins.

Organizations onboarded to Shield on or before April 15, 2025, will have different default values to preserve Shield’s current behavior. Untrusted regions will be set to no risk, so the new feature will not impact mail flow decisions. The US and Canada will be added as trusted regions, but no dangerous regions will be pre-populated.

 

Dangerous Results


  • Virus: Emails that contain signs attributed to confirmed viruses.
  • Impersonation: Messages with signs that they come from a sender other than the sender visible to the recipient.
  • Dangerous extension: The email may contain a macro, encrypted file, or potentially unwanted application (PUA). 

    NOTE: Virus or malware detection is always considered a high risk.

  • Dangerous file: The email contains a macro, encrypted file, or potentially unwanted application (PUA).
  • Phishing: Messages that have signs that they are fraudulent attempts to gain sensitive information from the recipient.
  • Possible phishing: Messages that look like they could possibly be phishing but might not be.

Dangerous Results risk levels are only changeable at the user level by Administrators and Superusers, not by end users of any level.

 
