Partner Risk Assessment (Compromised Partners)

Organizations take measures to secure their users, collaboration applications, and emails. However, partners are one of the greatest threats to an organization. These are other companies that the organization maintains a business relationship with.

If one of the partners gets compromised, it is difficult for the email security solutions and the end users to detect these malicious and impersonated emails.

With Partner Risk Assessment in Avanan, you can proactively detect compromised partners.

Using the Partner Risk Assessment dashboard, you can view these:

  • All your organization's business partners
  • Risk indicators of partners that are possibly compromised.

To view the Partner Risk Assessment, go to Analytics > Partner Risk.

Identifying a Partner

Avanan automatically identifies partners while inspecting the incoming and outgoing emails for threats and DLP.

To identify an organization as a partner, Avanan uses multiple methods like these:

  • External domain sending invoices to your organization's domain.
  • External domain with a significant volume of emails exchanged with your organization's domain.

Reviewing the Partners

Avanan shows the identified partners (compromised and uncompromised) in a table under the Partner Risk Assessment dashboard.

The Partners table has these columns:

Column Name Description
Risk Score

The severity of the detected Risk Indicator.

  • Critical
  • High
  • Medium
  • Low
  • Lowest
  • None
Partner Domain The partner's domain and its name.
Note - Avanan sometimes does not show the partner name.
Communication Volume

An indicator of how many emails were exchanged with the partner in the last
two weeks.

  • High
  • Medium
  • Low
Internal Contacts

The internal contacts that corresponded with the partner domain.

Note - If there are many contacts, it shows five contacts with the highest communication volume with the partner domain.

Partner Contacts

The contacts from the partner domain that corresponded with your domain.
Note - If there are many contacts, it shows five contacts with the highest communication volume with your domain.

Risk Indicators

A list of reasons a partner is considered potentially compromised.
If Avanan detects a partner as uncompromised, it shows no indicators.
For more information, see Risk Indicators.

Last Risk Date

Last time when a risk indicator was detected.

 

Risk Indicators

Avanan detects different risk indicators and assigns them to partners. Each risk indicator has a risk score attached to it.

The risk indicators have these values:

Severity Risk Indicator Description
Highest Phishing emails sent to your organization Avanan detected high-confidence phishing emails sent to your organization from this domain, and the sender was authenticated (SPF pass).
High Phishing emails sent to other organizations Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, and the sender was authenticated (SPF pass).
High Partner impersonation emails sent to your organization Avanan detected high-confidence phishing emails sent to your organization from this domain, but the sender was not authenticated (SPF fail).
High Service being used to send phishing emails to your organization Avanan detected high-confidence phishing emails sent to your organization from this domain. This domain is a publicly available service that allows sending emails from it.
Medium Partner impersonation emails sent to other organizations

Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, but the sender was not authenticated (SPF fail).

Medium Service being used to send phishing emails to other organizations Avanan detected high-confidence phishing emails sent to other Check Point customers from this domain, and this domain is a publicly available service that allows sending emails from it.

 

Stop Considering a Partner as Compromised

When Avanan detects a partner as compromised, it adds the relevant risk indicator to the partner. This risk indicator remains valid only for the next 72 hours.

For example, Avanan detected a partner as compromised and added Phishing emails sent to your organization risk indicator. If no phishing emails from its domain are detected in the next 72 hours, Avanan removes the risk indicator.

When no risk indicators are available, the partner is considered uncompromised.

Removing a Partner from the List

Administrators can override the automatic identification of a partner and remove a partner from the list.

To do that, click the vertical ellipses icon for the partner from the last column of the table and select Not a partner.

Note - If you remove a partner, you cannot add again. To add a removed partner, contact Avanan Support.

Acting on Compromised Partners

Anti-Phishing Higher Sensitivity

By default, when Avanan detects a partner as suspicious, it inspects the emails from their domain with high sensitivity. This way, they are more likely to be found as phishing.

Investigating Emails from Compromised Partners

To view and investigate the emails from the partner domain, click the vertical ellipses icon for the partner from the last column of the table and select Emails from partner.

Mail Explorer opens and, by default, shows the emails from the partner domain in the last seven days.

Impersonation of Partners

By default, the Anti-Phishing security engine treats emails from domains that resemble one of your partner's
domains with more suspicion.

Administrators can select to trigger a specific workflow in these cases. For more information, see Impersonation of your Partners.