
Monitor email and collaboration threats and investigate suspicious emails detected by Cloud Email and Collaboration Protection and Cloud Email Gateway Protection from a single screen.

Email and Collaboration Security Configuration and Operations provides a centralized view of email and collaboration threat detection and user risk data from both Cloud Email and Collaboration Protection and Cloud Email Gateway Protection.
Note
Email Security leverages generative AI to summarize threats and highlight suspicious indicators based on detection data. All AI-generated analyses should be reviewed by a security analyst to ensure accuracy.

Overview

The Overview page displays aggregated threat data across your email and collaboration environment. Use it to quickly identify attack patterns, high-risk users, and threat trends. Data on this page reflects the last 7 days.
Overall attack analysis
TrendAI Companion analyzes email threat data and surfaces the most significant attack patterns detected in your environment. Each entry includes an Explain Insights button that provides an AI-generated summary of the attack, including threat overviews, key concerns, and recommended actions.
Note
The Overall attack analysis widget is in an early stage and available to selected customers only; it may not be visible in all environments.
Top users with account takeover risks
Displays the users with the most account takeover risks detected by Cloud Email and Collaboration Protection. The table shows each user's name, total email count, threat type breakdown, and the date the threat was last detected.
Top users with targeted attack risks
Displays the users most frequently targeted by directed attacks detected by Cloud Email and Collaboration Protection. The table shows each user's name, total email count, threat type breakdown, and the date the most recent threat was received.
  • Scanning breakdown: Shows a visual breakdown of email scanning results separately for each protection solution.
    • Cloud Email Gateway Protection: Displays the total number of emails scanned, with a breakdown into Blocked, Delivered, Deleted, Quarantined, and Other categories.
    • Cloud Email and Collaboration Protection: Displays the total number of emails and files scanned across inbound, outbound, and internal email, with a breakdown into Delivered, Quarantined, and Deleted categories.
  • Overall threat detection: Summarizes the total number of emails scanned, quarantined emails, and the total count of each threat type detected over the selected time period, displayed separately for each protection solution. Click View quarantined issues to go to the Email Security Operations screen filtered to show quarantined items for that solution. The following threat types are tracked: BEC, Phishing, Ransomware, Malicious files, Malicious URLs, Spam, and Anomalies.
  • Threats detection count: A bar chart showing the combined daily count of threats detected by Cloud Email and Collaboration Protection and Cloud Email Gateway Protection over the selected time period. Hover over a bar to see a breakdown by threat type for that day.

Email security operations

The Email Security Operations page provides a consolidated list of quarantined emails and files detected across both Cloud Email and Collaboration Protection and Cloud Email Gateway Protection. Use the Email and Collaboration tabs to switch between email and collaboration content. Use the filter controls at the top of the screen to narrow results by threat type, status, source, and detection date. You can also use the search field to run custom queries.
Each row in the list displays the following information.
| Column | Description |
| --- | --- |
| Status | The current status of the email, such as Quarantined. |
| Threat type | The type of threat detected, such as BEC, Phishing, Malicious File, or Malicious URL. |
| Subject | The email subject line. Click to open the email detail page. |
| Header From | The sender address shown in the email header. |
| Last detected | The date and time the email was last detected. |
| Affected mailbox | The email address of the recipient whose mailbox received the email. |
| Sender | The sender's envelope From address. |
| Source | The protection solution that detected the email: Cloud Email and Collaboration Protection or Cloud Email Gateway Protection. |
| Message ID | A globally unique identifier assigned to the email message. |

Email detail

Click an email subject to open the email detail page. The page shows the email subject, status tags, and an Action menu for remediation. The Summary and analysis section shows the number of affected Cloud Email and Collaboration Protection users and an AI-generated analysis of the threat.
The detail page includes two tabs.
  • Email Content: Provides the following information about the email.
    • Email profile: Shows the following email metadata.
      | Field | Description |
      | --- | --- |
      | Date | The date and time the email was sent. |
      | Subject | The email subject line. |
      | Sender | The sender's email address. |
      | Header From | The sender address as shown in the email header. |
      | Recipient(s) | The email address(es) of the recipient(s). Click the action icon on a recipient row to copy the address, view the user's detailed profile, or add the sender to the blocked or approved list. |
      | Sender IP | The IP address of the sending mail server. |
      | Message ID | The unique identifier assigned to the email message. |
      | Message size | The total size of the email message. |
      Click View Original Header to see the full raw email header.
      Click the action icon on a Sender row to access the following options, which are available for Cloud Email Gateway Protection and Cloud Email and Collaboration Protection (inline mode).
      | Option | Description |
      | --- | --- |
      | Copy to clipboard | Copies the sender's email address to the clipboard. |
      | Add to Suspicious Object list | Adds the sender's address to the Suspicious Object list. |
      | Add to approved list | Adds the sender's address to the approved list. |
    • Email body: Renders the email content. Toggle between HTML and Plain text views. Use the Load external resources within this message toggle to control whether external images and resources are loaded.
    • Email analysis: Available for Agentic AI detections only. Displays a radar chart and a table showing the confidence score for each social engineering indicator identified in the email: Impersonation, Urgency, Deceptive Action, Credential, Financial Lure, Solicitation, and Social Engineering.
    • Files: Lists any attachments detected in the email, with the file name, analysis result, SHA-1, SHA-256, file type, and a link to the sandbox analysis report. Click the action icon on a file row to view the detailed profile or add the file to the Suspicious Object list.
    • URLs: Lists any URLs detected in the email, with the URL, analysis result, and a link to the sandbox analysis report. Click the action icon on a URL row to view the detailed profile, add the URL to the Suspicious Object list, or add it to the approved list.
  • Impact: Shows all quarantined emails that share the same message ID, along with details about each affected user. Click a user's name to open their detailed profile page.
    The following columns are available for both Cloud Email and Collaboration Protection and Cloud Email Gateway Protection.
    | Column | Description |
    | --- | --- |
    | Affected mailbox | The email address of the affected user. |
    | Header From | The sender address shown in the email header. |
    | Message ID | The unique identifier assigned to the email message. |
    The following additional columns are available for Cloud Email and Collaboration Protection only.
    | Column | Description |
    | --- | --- |
    | User name | The user's display name. |
    | Asset risk | A risk score reflecting the user's overall security posture. |
    | High profile user | Indicates whether the user has been designated as high profile. |
    | User type | The user's role, such as Member. |
    | Department | The user's department. |
    | Work location | The user's work location. |
    | Job level | The user's seniority level, such as Staff or Manager. |

Scanning history

A panel on the right side of the email detail page shows a chronological timeline of scanning events for the email, including when the email was received and processed by each protection solution and when it was quarantined.

Actions

Click Action on the email detail page to perform the following operations on quarantined emails.
| Action | Description |
| --- | --- |
| Download the original email | Downloads the email in its original format. |
| Download password-protected email | Downloads the email in a password-protected archive. |
| Release the email | Releases the email from quarantine and delivers it to the affected user's mailbox. |
| Release all emails | Releases all emails in the same quarantine batch from quarantine. |
| Delete the email | Permanently deletes the email for the affected user. |
| Delete all emails | Permanently deletes all emails in the same quarantine batch for all affected users. |
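
An analyst who uses Download the original email can recompute the Email profile and Files values offline and compare them with what the console shows before deciding to release or delete. The following is an added example, not product code: it assumes the download is an RFC 5322 message whose envelope From survives as a Return-Path header, and the sample message and the names addr_of and email_profile are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message, not real traffic; example.* domains are placeholders.
SAMPLE_EML = b"\r\n".join([
    b"Return-Path: <bounce@mailer.example.net>",
    b'From: "Accounts Payable" <ap@example.com>',
    b"To: user@example.org",
    b"Subject: Invoice overdue",
    b"Message-ID: <constructed-0001@mailer.example.net>",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"Please see attached.",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="invoice.bin"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"aGVsbG8=",
    b"--b1--",
    b"",
])

def addr_of(value):
    """Lower-cased bare address from a header value such as 'Name <a@b>'."""
    return parseaddr(str(value or ""))[1].lower()

def email_profile(raw):
    """Recompute the Email profile and Files values from raw message bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    header_from = addr_of(msg["From"])
    # Assumption: the envelope From survives as Return-Path in the download.
    envelope = addr_of(msg["Return-Path"])
    files = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        files.append({"name": part.get_filename(),
                      "sha1": hashlib.sha1(data).hexdigest(),
                      "sha256": hashlib.sha256(data).hexdigest()})
    # A domain mismatch is a prompt for review, not a verdict: bulk mailers cause it too.
    mismatch = header_from.rpartition("@")[2] != envelope.rpartition("@")[2]
    return {"header_from": header_from, "envelope_sender": envelope,
            "from_mismatch": mismatch, "message_id": str(msg["Message-ID"] or "").strip(),
            "size": len(raw), "files": files}
```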

User detailed profile

Click a user's name in the Impact tab, or click View detailed profile in the recipient action menu, to open the user's detailed profile. The profile displays basic information (asset risk, high profile status, user type, work location, department, and job level) on the left, and communication history with the affected user for the last 7 days on the right.