The TPIR Mail Analysis feature allows users to examine specific emails and take necessary actions based on the findings. It provides comprehensive information about each email, including AI-assisted analysis and various parameters. Users can access the TPIR Mail Analysis section by selecting any email listed in the Reported, Trashed, Recovered, or Deleted sections.
At the top of the page, the sender, the reporter, the date and time of the report, and the subject are displayed. On the right side, up to three circular action buttons are shown, depending on the email's current state: Recover (move the email to the Recovered section and release it back to users), Trash (remove it for everyone in the organization), and Delete (send it to the Deleted mails section for permanent deletion when that is warranted).
Below this section, there's a row of tabs labeled Body, Analytics, Header, Link, Attachment, Who Else, and DNSBL. These tabs allow for a deeper dive into the email analysis, assisting the TPIR Dashboard administrator in determining the email's safety. Each tab is explained in detail below.
Body: The Body tab shows the content of the reported email as the recipient saw it, including any links it contains. This lets SOC members make an informed judgement from visual cues such as spelling errors, grammatical mistakes, or logos, colours and layout that do not match the impersonated brand; comparing the reported email with a genuine message from the same sender is often enough to spot a lookalike. Because links are rendered live here, inspect them in the Link tab rather than clicking them from the analyst's workstation.
Analytics: The Analytics tab gathers the signals an administrator needs to decide whether an incoming email is spam, malicious, or legitimate. The fields shown are Domain Authentication Risk, IP Reputation, Spam Score, Sender Domain Deceptive Risk, To Email, and CC Email.
- Domain Authentication Risk reports the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) results for the sending domain. Note that these checks authenticate domains, not individual addresses: a passing SPF result for the envelope sender says nothing about the From address unless DMARC alignment also passes.
- IP Reputation evaluates the reputation of the sending IP address by querying reputation databases across the internet (e.g. DNSBL lookups).
- Spam Score gives the spam rating computed for the message from its sending domain and Sender ID (e.g. with SpamAssassin).
- Sender Domain Deceptive Risk rates how likely the sending domain is to be deceptive, such as a lookalike of a known brand (e.g. via a Google API).
- To Email lists the addresses in the email's To field, showing who else was addressed directly.
- CC Email lists any additional recipients in the email's carbon copy (CC) field.
Header: The Header tab provides a full breakdown of the email's header. This is where the analyst verifies the path the message actually took (the Received chain, of which only the hop added by the organization's own mail server is trustworthy), the envelope sender in Return-Path, and the SPF, DKIM and DMARC outcomes recorded in Authentication-Results, all of which are essential for judging the email's authenticity.
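The following is an added example, not TPIR's own code, of the checks the Domain Authentication Risk field and the Header tab let an analyst perform by hand: it parses a constructed raw message, extracts the SPF/DKIM/DMARC results from the Authentication-Results header, walks the Received chain, and compares the envelope sender (Return-Path) with the From domain. The sample message, the risk levels and the function names are all assumptions made for the example.

```python
"""Header triage for a reported email: SPF/DKIM/DMARC results, Received chain,
and From vs Return-Path alignment. Added example, not TPIR code."""
import re
from email import message_from_string

# Constructed sample: a bank impersonation relayed through a third-party host.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
        by inbound.corp.example with ESMTPS id abc123;
        Mon, 4 Mar 2024 09:12:33 +0000
Received: from relay7.example.net (relay7.example.net [198.51.100.7])
        by mx.corp.example with ESMTP id xyz789;
        Mon, 4 Mar 2024 09:12:30 +0000
Authentication-Results: mx.corp.example;
        spf=fail smtp.mailfrom=mail-relay.example.net;
        dkim=none;
        dmarc=fail (p=reject) header.from=bank.example
From: "Account Security" <alerts@bank.example>
To: victim@corp.example
Subject: Your account has been limited

Please verify your account.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def parse_authentication_results(header):
    """Map method -> result from an RFC 8601 Authentication-Results header.
    A method that is absent is reported as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, result in AUTH_RE.findall(header or ""):
        results[method] = result
    return results


def parse_received_chain(msg):
    """Return (host, ip) for each Received hop, newest first. Only the hop
    written by our own MX is trustworthy; earlier hops can be forged."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)\s+\(([^\[]*)\[([\d.]+)\]", hdr)
        if m:
            hops.append((m.group(1), m.group(3)))
    return hops


def extract_domain(address_field):
    """Domain part of a header such as '"Name" <user@dom>' or '<user@dom>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address_field or "")
    return m.group(1).lower() if m else None


def domain_authentication_risk(msg):
    """Assumed scoring: any failing/missing method is a finding, a DMARC fail
    or three or more findings is 'high', any finding is 'medium', else 'low'."""
    auth = parse_authentication_results(msg.get("Authentication-Results"))
    from_dom = extract_domain(msg.get("From"))
    envelope_dom = extract_domain(msg.get("Return-Path"))
    findings = [f"{m}={r}" for m, r in auth.items() if r != "pass"]
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"envelope {envelope_dom} != From {from_dom}")
    if auth["dmarc"] == "fail" or len(findings) >= 3:
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "findings": findings, "auth": auth}


def analyze(raw):
    msg = message_from_string(raw)
    return {"risk": domain_authentication_risk(msg),
            "hops": parse_received_chain(msg)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

The regexes are deliberately tolerant of folded headers (continuation lines), which is how these fields arrive in practice; a production tool should use the `email.policy.default` header parser and treat `dmarc=fail` under a `p=reject` policy as a strong signal on its own.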
Link: The Link tab identifies every link in the email body, both those presented as visible anchor text and those hidden in the markup, and runs them through the available scans. Results are shown in a table listing each link together with its deceptive classification (for example, anchor text that displays one address while the href points somewhere else). If the VirusTotal API integration is enabled, users can additionally submit the links to VirusTotal and see the returned verdicts in the same table.
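As an added example of the kind of deceptive-link classification the Link tab describes (not TPIR's own code, and not how TPIR implements it), the following extracts every anchor from a constructed HTML body and flags the common tricks: anchor text that looks like one URL while the href points at a different host, links hidden with CSS, hrefs that carry a fake domain in the userinfo part before `@`, and raw-IP destinations. The category names and the sample body are assumptions.

```python
"""Extract and classify links from an HTML email body. Added example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body with one benign link and three deceptive ones.
SAMPLE_BODY = """<html><body>
<p>Dear customer, please <a href="http://secure-login.example.net/bank">https://www.bank.example/login</a> now.</p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example/help</a></p>
<a href="http://198.51.100.23/track?id=42" style="display:none">tracking</a>
<a href="https://bank.example@evil.example/">Contact support</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text, hidden?) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            href = attrs.get("href")
            if href:
                style = (attrs.get("style") or "").replace(" ", "").lower()
                hidden = "display:none" in style or "visibility:hidden" in style
                self._current = {"href": href, "text": "", "hidden": hidden}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


# Anchor text that itself looks like a URL; group 1 is the domain it shows.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$", re.I)


def classify(link):
    """Return an assumed category: hidden, userinfo-spoof, raw-ip,
    text-href-mismatch, or ok."""
    parsed = urlparse(link["href"])
    host = (parsed.hostname or "").lower()  # hostname ignores any user@ prefix
    if link["hidden"]:
        return "hidden"
    if parsed.username is not None:
        return "userinfo-spoof"  # https://bank.example@evil.example/ goes to evil.example
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "raw-ip"
    m = URL_LIKE.match(link["text"])
    if m:
        shown = m.group(1).lower()
        if shown != host and not host.endswith("." + shown):
            return "text-href-mismatch"
    return "ok"


def scan_links(html):
    """Return [(href, text, category), ...] in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(l["href"], l["text"], classify(l)) for l in parser.links]


if __name__ == "__main__":
    for row in scan_links(SAMPLE_BODY):
        print(row)
```

The host comparison uses `urlparse(...).hostname`, which correctly returns the part after `@`; naive string matching on the href would be fooled by the userinfo trick. Images, buttons and tracking pixels that link out are not covered here and would need the same treatment for `<img>` and `<area>` elements.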
Attachment: The Attachment tab lists every file attached to the email. The table shows the attachment name, file type, and scan status (pending, queued, or completed); check that the declared type matches the file's actual content, since attackers routinely disguise executables and macro documents behind innocuous names.
Who Else: The Who Else tab identifies all users who received the reported email, whether or not they appear in the To or CC fields, so the analyst can see the full scope of a campaign before deciding to trash or recover it.
DNSBL: A Domain Name System blocklist (DNSBL), also called a DNS-based blackhole list or real-time blackhole list (RBL), is a service mail servers use to check whether a sending IP address is listed for sending spam. The check is a plain DNS query: the IP's octets are reversed and prepended to the list's zone, and an answer in the 127.0.0.0/8 range means the address is listed (no answer means it is not). This tab gives a concise overview of the lookups performed against multiple lists for the sender's IP and shows the count of lists on which it is listed. Note that lists differ in what they track (open relays, compromised hosts, spam sources, policy blocks), so the meaning of a hit depends on the list.
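The following added example (not TPIR's own code) performs the DNSBL lookup described above: it builds the reversed-octet query name, resolves it, and counts the lists on which the IP appears, treating any answer in 127.0.0.0/8 as a hit (the convention from RFC 5782). The resolver is injectable, so the block runs offline against a constructed answer table; the zone names are well-known public lists used only for illustration, and the fake answers are assumptions.

```python
"""DNSBL lookup: reversed IPv4 octets under the list zone, answer in 127/8
means listed. Added example, not TPIR code."""
import ipaddress
import socket

# Illustrative public zones; check each list's usage terms before querying it.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]


def dnsbl_query_name(ip, zone):
    """'192.0.2.10' + 'zen.spamhaus.org' -> '10.2.0.192.zen.spamhaus.org'."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage and IPv6 early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed_answer(answer):
    """A DNSBL signals a hit with an A record inside 127.0.0.0/8; the last
    octet is a list-specific reason code."""
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ipaddress.AddressValueError:
        return False


def check_ip(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Query every zone; NXDOMAIN (or an unreachable list) counts as not listed.
    Returns the per-zone answers and the number of lists reporting a hit."""
    listed = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:  # socket.gaierror is an OSError: NXDOMAIN / timeout
            continue
        if is_listed_answer(answer):
            listed[zone] = answer
    return {"ip": ip, "listed_in": listed, "count": len(listed)}


# Constructed offline answer table standing in for real DNS responses.
FAKE_DNS = {
    "23.100.51.198.zen.spamhaus.org": "127.0.0.4",  # listed, list-specific code
    "23.100.51.198.bl.spamcop.net": "127.0.0.2",    # listed
    # no barracuda entry: that lookup returns NXDOMAIN
}


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname."""
    if name not in FAKE_DNS:
        raise socket.gaierror(f"NXDOMAIN {name}")
    return FAKE_DNS[name]


def demo():
    return check_ip("198.51.100.23", resolve=fake_resolve)


if __name__ == "__main__":
    print(demo())
```

Before trusting a live integration, query the test address 127.0.0.2 against each zone: RFC 5782 says a working list must report it as listed, so a "not listed" answer there means the lookup itself is broken, not that the sender is clean.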