F I R E E Y E T E C H N I C A L D O C U M E N T A T I O N

EMAIL SECURITY - CLOUD EDITION

USER GUIDE
RELEASE 2022.1

EMAIL SECURITY - CLOUD EDITION / 2022

FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United
States and other countries. All other trademarks are the property of their respective
owners.
FireEye assumes no responsibility for any inaccuracies in this document. FireEye
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice.
Please pardon our appearance as we transition from FireEye to Trellix.

Copyright © 2022 FireEye Security Holdings US. LLC. All rights reserved.
Email Security - Cloud Edition User Guide
Cloud Release 2022.1
Revision 1

FireEye Contact Information:

Website: www.fireeye.com
Technical Support: https://csportal.fireeye.com
Phone (US):
1.408.321.6300
1.877.FIREEYE
Contents

Contents

PART I: Overview 4
Introduction 5
Accessing the End User Interface 7

PART II: Features 8

Email Quarantine 9
Quarantine Filtering and Searching 9
Filtering 10
Searching 10
Releasing or Deleting Quarantined Email 10
Quarantine Message Details 11
Selecting Your Display Language 12
Quarantine Notifications 12
The Allowed and Blocked Senders List 15
Configuring Your Allowed and Blocked Senders List 16

Technical Support 17
Documentation 17

© 2022 FireEye 3
 Contents

PART I: Overview
l Introduction on page 5
l Accessing the End User Interface on page 7

4 © 2022 FireEye
 Introduction

Introduction
The Email Security - Cloud Edition User Guide describes how to access the end user Web
interface and configure your Safe and Blocked Senders list through an On-Demand
Quarantine access key. The presumed user of this document is an end user without
administrative permissions in an Email Security - Cloud Edition organization. Information
for Email Security administrators, or individuals with Cloud IAM administrator roles for
Email Security - Cloud Edition, can be found in the Email Security - Cloud Edition
Administration Guide.

© 2022 FireEye 5
Email Security – Cloud Edition User Guide

6 © 2022 FireEye
 Accessing the End User Interface

Accessing the End User Interface

The end user Web interface includes two tabs:

l Email Quarantine on page 9

l The Allowed and Blocked Senders List on page 15

Administrators manage how much data you can access in your On-Demand Quarantine
report and whether you have the Allowed and Blocked Senders feature enabled. You are
sent an access link to the Web UI when an administrator adds you as a user in an Email
Security organization.
To access the end user Web UI:
Click on the link in the On-Demand Quarantine Access email sent to you from your Email
Security - Cloud Edition organization.

If you do not have your On-Demand Quarantine Access email, contact your Email Security
- Cloud Edition administrator. An admin can resend your access link or generate a new
access link for you.

© 2022 FireEye 7
Email Security – Cloud Edition User Guide PART II: Features

PART II: Features

l Email Quarantine on page 9
l The Allowed and Blocked Senders List on page 15

8 © 2022 FireEye
 Email Quarantine

Email Quarantine
The quarantine contains all inbound and outbound email that is classified as either spam
or malware by the system. You can search for quarantined emails based on various filters.
Messages are automatically deleted after the 14 days in quarantine.

NOTE: See Accessing the End User Interface on page 7 for information on how to
access the Quarantine page.

The Quarantine page displays information about each quarantined email:

l Date and Time the email was received

l From
l Recipients
l Subject
l Email server (originating)
l Reason it was flagged as malicious (Policy Action - PA, Spam - S, Virus - V, and
Advanced Threats - AT)
A green icon in a category indicates that the email was not considered malicious for
that specific category. A red icon indicates that it was malicious. A gray icon
indicates that the email analysis was not performed.
l Age (the amount of time the email has been in the quarantine)

Quarantine Filtering and Searching

You can search for quarantined messages based on their sender, status, or last update. You
can also filter email messages based on when and why they were quarantined.

© 2022 FireEye 9
Email Security – Cloud Edition User Guide

Filtering
The quarantine page can be filtered to display emails that were quarantined during a
specific period or for a specific reason.
To filter for emails quarantined during a specific period:

l Select a period from the Date menu. You can display quarantined emails from the
last day, week, or from a custom range.

To filter for emails quarantined for a specific reason:

l Click Reason and select a reason (Policy Action, Spam, Virus, Advanced Threat)
from the drop-down menu.

The view automatically updates based on your selection. To reset the filters, click clear.

Searching
You can search for quarantined messages based on their sender, quarantine status, or the
date they were last updated.
To search for quarantined emails:

1. Enter your query in the search bar.

2. After you enter at least three characters, select From (SMTP), From (Header),
Subject, Email Server or Recipients (outbound only) from the drop-down menu.

The view automatically updates based on your selection.

Releasing or Deleting Quarantined Email

The quarantine can be used to either release or delete emails. You can release or delete
multiple emails by selecting the boxes next to each specific email. To select all emails on
the page, select the box to the left of the Date & Time column. Only emails received within
the last 14 days can be released or deleted.

NOTE: This option is only available to domains configured in Cloud AV/AS

mode and inline mode.

To release multiple emails from the quarantine:

1. Select the boxes next to the emails you want to release.

2. Click the release email icon.

10 © 2022 FireEye
 Email Quarantine

3. (Optional) Select Report as not Spam.

a. Select Headers only.
b. Select Add From header address to Allowed Sender Address list.
Headers only reports the message as not spam, but will only send the
headers of the message to third parties. Adding the from header address to
the allowed sender address will bypass spam check for the address in the
future. If nothing is checked, the email is released with no other action taken.
4. Click Yes, release email.

CAUTION: The released email may contain LIVE malware. Proceed with
caution.

To delete emails from the quarantine:

1. Select the boxes next to the emails you want to delete.

2. Click the delete email icon then confirm that you want to delete the emails.

Quarantine Message Details

To view the details of a malicious email, click on a quarantined email in the Quarantine
page.

The drop-down section displays header information such as the date and time the email
was received, as well as the email To and CC fields. It also specifies the attachment file
names or URLs. If your administrator has enabled the preview feature, you can preview
the HTML, text, attachments, and headers of the email.

NOTE: You can also preview quarantined emails through the link in quarantine
notification emails, if your administrator has enabled the feature.

© 2022 FireEye 11
Email Security – Cloud Edition User Guide

Selecting Your Display Language

You can choose your Email Security - Cloud Edition display language from the Email
Quarantine page.
To select your display language:

1. Click the language selector at the top right corner of the Email Quarantine page.
2. Select English or Japanese from the drop-down menu. The page will reload.

Quarantine Notifications
Quarantine notification emails alert you when a message has been quarantined, if your
administrator has enabled the feature. The content displayed in the notification is
configured by your administrator. Dependent on what your administrator has enabled, you
can release messages from the quarantine, preview quarantined messages, and access your
complete message quarantine and the allowed and blocked senders list through the
provided links.

12 © 2022 FireEye
 Email Quarantine

When you release a message, you can select Report as not spam. If your administrator has
enabled the feature, you then have two more options:

l To send only the headers of the message with the report, select Headers only.
l To add the sender to a safe list and bypass spam checks, select Add From header
address to Allowed Sender Address list.

To release a message from quarantine:

1. Open the quarantine notification email.

2. In the action column, click Release.

NOTE: If your administrator has enabled the feature, you can select
Release and Allow Sender for inbound emails. "Add from header address
to Allowed Sender Address list" will be checked on the next screen.

3. (Optional) On the Email Digest page, select Report as not spam.

a. Select Headers only.
b. Select Add from header address to Allowed Sender Address list.
If nothing is checked, the email is released with no other action taken.
4. Click Confirm Release.

© 2022 FireEye 13
Email Security – Cloud Edition User Guide

14 © 2022 FireEye
 The Allowed and Blocked Senders List

The Allowed and Blocked Senders List

The Allowed and Blocked Senders list lets you create lists of allowed and blocked email
addresses and domains. The Allowed and Blocked Senders feature is only applicable to
domains with anti-spam and anti-virus scanning enabled. Incoming messages are
evaluated against user allowlists and denylists after AS/AV scans are completed. If the
Header from field of that message matches against a domain in your blocked senders list,
the message is blocked and quarantined. Blocked messages are quarantined with the Policy
Action - Fail verdict. If the Header from field of a message matches a domain in your
allowed senders list, the message is delivered. MTAs ignore the antispam verdict of
allowed messages, but antivirus and advanced threat scan verdicts still apply to the
message.
If a custom or connect rule created by an administrator matches the same email as your
allowed senders list, the admin-defined rules supersede your allowed senders list.
If one or more email recipients have listed the sender domain on the allowed list or
blocked list, message splitting occurs. For example, if User 1 lists a domain on their
allowed senders list and User 2 lists the same domain on their blocked senders list, the
message is split into different messages with unique message IDs. Each message is
scanned differently based on each recipient's allowed and blocked senders lists. The
original message appears in Email Trace with the status "Split", followed by the split
versions of the original message with their respective message IDs and verdicts. Email
Trace is only visible to Email Security - Cloud Edition administrators.

NOTE: See Accessing the End User Interface on page 7 for information on how to
access the Allowed and Blocked Senders page.

© 2022 FireEye 15
Email Security – Cloud Edition User Guide

Senders you allow and block appear in the same list in the Allowed and Blocked Senders
page. You can search for an email address or filter for it based on whether it is a blocked or
allowed address.
To search for a sender:

1. In the search bar, enter at least the first three characters in a sender address or
domain. Special characters are not allowed.
2. Press Enter.

To filter for a list of allowed or blocked senders only:

1. Click Show All next to the search bar.

2. Select Allowed or Blocked from the drop-down menu. The list updates itself.

Configuring Your Allowed and Blocked Senders List

To create your own allowed and blocked senders lists, an Email Security - Cloud Edition
administrator must enable the feature.
To add an email address or domain to your allowed senders list:

1. In the end user Web interface, click Allowed and Blocked Senders from the top
navigation.
2. Click Add Entries.
3. In the Add Entries pop-up window, enter valid sender domains or email addresses
one line at a time.
4. Click Allow.
The Allowed and Blocked Senders page updates to include the domains or
addresses you added to your allowed senders list.

To add an email address or domain to your blocked senders list:

1. In the end user Web interface, click Allowed and Blocked Senders from the top
navigation.
2. Click Add Entries.
3. In the Add Entries pop-up window, enter valid sender domains or email addresses
one line at a time.
4. Click Block.
The Allowed and Blocked Senders page updates to include the domains or
addresses you added to your blocked senders list.

16 © 2022 FireEye
Technical Support
For technical support, contact FireEye through the Support portal:
https://csportal.fireeye.com

Documentation
Documentation for all FireEye products is available on the FireEye Documentation Portal
(login required):
https://docs.fireeye.com/

© 2022 FireEye 17
 FireEye, Inc. | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.FIREEYE | www.fireeye.com

© 2022 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands,
products, or service names are or may be trademarks or service marks of their respective owners.