Updates and improvements to the Tessian Cloud Email Security platform.
Defend
Protect
Respond
Coach
Defend
Protect
Respond
Coach
To defend against malicious URLs in phishing emails, a beta release of Dynamic URL Analysis is now available to customers of Email Threat Defense. The capability is available on an opt-in basis, and will:
Tessian Email Threat Defense customers now have access to a beta release of new capabilities to identify compromised employee email accounts, with:
A new ‘outbound only’ mode for the COM add-in is now available for customers who exclusively use Tessian’s Email Exfiltration Protection and/or Email Misdelivery Protection solutions. The update removes inbound Email Threat Defense capabilities like email synchronization, scribe calls, and Phishing banners to accelerate response times and increase reliability. Admins can now also choose whether or not to include the user’s original email on compliance alerts, which historically were included by default.
With the release of version 2.6, support will be provided for versions 2.4 and 2.6, with support deprecated for version 2.2. View the release notes here.
The interface for Security Events has been updated to make it easier to investigate data loss incidents within Tessian’s Protect modules. All incident details can now be viewed with:
These user experience changes are automatically applied within the Tessian portal, so no action is required.
Leveraging the latest in LLMs within Tessian’s AI ensemble, customers will now see more granular classifications of an attacker’s intent within phishing emails to speed up email investigations. Phishing emails are now automatically classified with content tags including:
By combining these topics with other signals, Email Threat Defense can now classify a wide range of common phishing attacks more reliably and more accurately. No action is required to benefit from these updates.
Tessian customers can now leverage the latest in Microsoft’s user experience improvements. Adaptive Cards provide a faster, more intuitive experience for quarantined emails. Interactive buttons and refreshable content mean that users will receive a single email with the alert, and the ability to release or delete within that email.
Register interest in the beta here, and we’ll reach out to set up and test Adaptive Cards for users in your organization ahead of general availability.
Customers can now automatically retrieve audit logs via API to programmatically update alerting and dashboards within SIEM and SOAR platforms. The new endpoint provides the same information available through the existing Audit Trail page, now available for consumption via API.
Tessian and Palo Alto Cortex XSOAR customers can now improve detection and speed up email investigations by leveraging the solutions together. From the XSOAR Marketplace customers can install Tessian, enabling:
Tessian and Palo Alto Networks customers can access the integration from the XSOAR Marketplace.
Threat actors are increasingly using images to bypass text focused email security defenses. This release builds on existing capabilities to detect malicious images within emails, to automatically detect the use of malicious images in PDF attachments. Future releases will include detection of malicious images in DOCX attachments, as well as other file types.
We’re excited to announce the inclusion of large language models (LLM) in Tessian, to:
LLMs are exclusively used within our own environment, and no data is shared with third parties. For information about how Tessian secures your data, review the Data Security Overview in the Tessian HelpCenter.
We’ve introduced a new feature that enables configuration for attaching flagged emails, or not, to compliance alerts sent from Tessian. To enable this feature, Tessian Defend and Respond Customers should reach out to Tessian’s customer support team.
Organizations can now perform email threat management tasks from within their SOAR, XDR and ticketing platforms using the Tessian Remediation API. New endpoints added in this release include:
This release adds to a robust set of API endpoints for accessing security events and monitoring users, groups and risk within the organization’s platform of choice.
This Investigation and Response (I&R) capability makes email investigations simple, with an intuitive search experience for security analysts no matter their level of expertise. Using advanced query search requires zero previous knowledge of query languages, like KQL, to complete investigations – and can reduces email investigation times by up to 90%,
Within I&R, analysts can combine keywords and phrases used in email bodies, with search operators like AND, OR, NOT to find unknown threats. For example, security analysts may search for keywords and phrases like “QR” or “Password Reset”, while including other characteristics like the number of email attachments and their extension types, sender domains or even IP address ranges.
For customers who’ve consented to storing full body emails with Tessian, searching for keywords in the full body of emails is now enabled by default. Analysts can search for keywords like “Sign In”, “Dropbox”, or “QR” to narrow search results and discover related attack campaigns.
Without the need to toggle between tools like e-Discovery within Microsoft, or compliance solutions like Global Relay to search at the keyword level, security teams can free up capacity by completing email investigations in a fraction of the time.
Incidents happen. When security analysts investigate an incident, and have to wait for search results, time is wasted, money is lost and risk is added. Waiting for email search results to return is painful. Through dozens of searches a day and potentially hundreds per month, the seconds – and in some cases – minutes really add up – resulting in time spent waiting instead of actively threat hunting in email.
Lightning Search, currently in beta within our Investigation and Response product, takes waiting out of the equation. We’re already seeing sub 1 second response times when searching across millions of emails.
We’re allowing more customers to test this functionality, so if you’re tired of waiting, reach out to your customer success representative for early access.
Building on image based attack detection using perceptual hashing released in August – Tessian now analyzes image content, exposing hidden malicious intent beyond text-based scans. Our updated heuristics effectively identify common fraudulent tactics used in image-based phishing attacks, providing comprehensive protection. Users will receive defanged emails with warnings or administrators will be alerted based on tailored tenant settings, enhancing security effortlessly.
Within the Tessian portal, security admins can now see exactly what the end user sees alongside threats flagged on the email. This helps admins complete investigations faster without having to switch between portals to view images included within the email.
No more waiting ~30 seconds for the SEG to return results. Tessian searches millions of emails and returns results in less than 1 second. Security teams are now empowered with the fastest email Incident Response capabilities on the market, to reduce their organization’s risk and we make their teams more efficient
With our latest API enhancements, you can now effortlessly pull critical information, including quarantine status, admin label and deletion counts for inbound emails, and the outcomes of investigations for outbound email events. This means real-time access to email security event data within SIEM and SOAR platforms.
The inclusion of email event quarantine status precedes an upcoming enhancement to delete emails from inboxes directly from SIEM and SOAR platforms via the API. Soon, you’ll be able to release emails from quarantine, add emails to a denylist, and categorize them as safe, spam, or malicious through the APl. Full lifecycle email threat remediation via API will save your security admins time, and keep them within their platform of choice.
See our API Documentation for more information, and reach out to your customer success representative for early access to Remediation API features.
We’re excited to unveil our updated platform navigation at Tessian. This enhancement is designed to provide you with a more intuitive and efficient user experience and aligns seamlessly with our core product pillars: Defend, Protect, Respond, and Coach. It also coincides with our product names changing to be easier to understand:
This upgrade is designed to elevate your security posture by providing more accurate risk scores for users and departments. Scores are made more accurate through higher emphasis on when Custom Protection policies are triggered on inbound emails. Through improved accuracy, the updated Risk Hub equips your organization with better knowledge to make informed security decisions.
Incidents happen. When security analysts investigate an incident, and have to wait for search results, time is wasted, money is lost and risk is added. Waiting for email search results to return is painful. Through dozens of searches a day and potentially hundreds per month, the seconds – and in some cases – minutes really add up – resulting in time spent waiting instead of actively threat hunting in email.
Lightning Search, currently in beta within our Investigation and Response product, takes waiting out of the equation. We’re already seeing sub 1 second response times when searching across millions of emails.
We’re allowing more customers to test this functionality, so if you’re tired of waiting, reach out to your customer success representative for early access.
In response to an increase in image based phishing attacks, we’ve introduced detection algorithms to stop them before they reach end user inboxes. As you can see in the example below, attackers are placing text content and malicious payloads within an inline image file to avoid detection by email security tools.
Although the email appears to be text based, all content is actually contained within the attached jpg file, evading detection by our text focused features. We’ve implemented an image similarity denylist to store fingerprints for images that we’ve seen used in phishing attacks. For new inbound emails to our customers that contain a large inline image, Defender will compare the image to our denylist, and flag the email if a high degree of similarity is found.
The volume of spam received by organizations is perpetually on the rise, an increasing distraction for security teams. Identifying malicious emails among spam can be difficult, but we’re making it easier.
When Defender customers mark an email as spam, Tessian will now automatically categorize similar emails in the future as spam and filter them out of the default security events view. This update will serve to reduce false positives, and make it easier for admins to focus on the threats that matter.
The new overview page communicates the value of Tessian across both the Threat Prevention and Data Loss Prevention modules. Admins can quickly understand their security position, before diving into the events or insights pages to see additional data. The page now can also be filtered by time ranges, so admins can quickly get the data they need.
The new Data Loss Prevention insights page consolidates the previous 3 insights pages (data loss prevention, data exfiltration, custom policies) into one, easy to understand page. It also features our new design system, so our dashboards now have one consistent design language that works in dark mode.
To reduce end user friction when enabling quarantining for malicious emails, admins can now configure Tessian to enable Quarantine logic, with other Defender flagged emails to be silently tracked. This enables more configurability for admins to tailor Defender to their users without disrupting workflows with user warnings.
This month, we’re releasing Abuse Mailbox Response to automate end user reported email workflows. With this release, you can significantly reduce time spent with automated classification, triage and remediation. Among thousands of end-user reported emails, Abuse Mailbox Response uses machine learning to identify the 90% of emails that aren’t malicious, so admins can focus on the ones that matter.
To further protect customers from data exfiltration events over email, Tessian now supports detection of MIP Labels in multiple deployment methods. Customers can use the Outlook COM Add-In as well as the gateway to detect when sensitive data tagged with an MIP label is included in an email.
Tessian’s relentless commitment to innovation empowers us to outpace evolving threats. Elevate your security posture with our refined algorithms, designed to outsmart the most sophisticated phishing attempts – in this release we’re adding protection for:
Introducing the new Threat Prevention Insights Page, a powerhouse of valuable information about the email threats which includes:
A clear and concise Phishing Breakdown. Dive into various threat types identified, including Account Take Over and Brand Impersonation attacks. This insight offers a comprehensive understanding of the threats that Tessian is combatting on your behalf.
Get an estimate of the time your team has saved thanks to Tessian’s intervention. Soon, customization options will allow you to fine-tune this calculation, making the statistics even more pertinent to your business.
Uncover what managed to bypass your security stack. Traditional email providers relegate spam and malicious emails to Junk and spam folders once they’re detected. Our filter excludes such threats, revealing the number of threats Tessian discovered in users’ inboxes.
Delve into an array of new insights. Identify top targets of phishing attacks within your organization, recognize domains frequently impersonated in attacks, and pinpoint malicious domains sending threats to your employees.
We’re excited to announce a significant leap in our threat detection capabilities – a heuristics engine that leverages the full body of an email for threat detection. The initial heuristics in use are logic-based combinations of email metadata, content, and attachments that uncover malicious intent. An example of a new rule that leverages the engine is one that detects obfuscation techniques within HTML attachments. This capability targets attackers attempting to conceal malicious content by encoding it into an unreadable format.
Search results now show whether Defender originally flagged the email as potentially malicious via a new ‘Tessian Classification’ column. As a result, it’s far quicker for analysts to assess which events may require their attention.
Analysts can now see which file hashes and URLs (both within the body and attachments) were contained for all emails searchable within I&R and Email Search. Whenever an admin deletes an email via Email search or I&R, we now show the email deletion status within the table and event viewer. Customers now have assurance that a threat has been fully remediated. Not every email is deleted successfully and customers can understand more about why that might be the case in the Email Search and Investigate & Respond articles.
By ingesting Tessian data, Sumo Logic customers will be able to monitor and mitigate email based security threats as well as the people behind them. They can now swiftly analyze incidents in real time, ensuring rapid prioritization and resolution of threats arising from employee behaviors.
Introducing the Tessian Splunk app—a seamless solution to effortlessly integrate Tessian API data into your Splunk workflows. With simple setup and no complex scripting required, you can easily access valuable insights. Our default dashboard showcases intuitive ways to visualize Tessian data, enhancing your analysis. Currently, the app fetches data from key endpoints: Events, Groups, User Monitoring, and Risk. Tailor your dashboards by combining Tessian insights with data from other security tools. Locate the app on the Splunkbase marketplace by searching “Tessian,” or find it through the provided direct link. Elevate your integration experience with the included Splunk tile on your integration pages. Simplify data utilization with Tessian and Splunk synergy.
We’re excited to share a meaningful enhancement in Threat Prevention > Security Events filtering. Previously, a minor yet impactful issue persisted: even when an email was marked as spam, it cluttered the list of events for admins using default filters. We understand the importance of focusing on relevant events.
We’ve addressed this concern by updating the “Considered as spam” filter. Now, it encompasses events labeled as spam by both the system and admins. This refinement ensures that your view remains streamlined, eliminating unnecessary noise and enabling swift identification of pertinent events.
Our configuration settings have evolved to provide the utmost flexibility, catering to diverse customer preferences regarding quarantine and warnings. Our latest enhancement empowers customers by allowing a default Admin Quarantine (block) when a certain threat confidence level is exceeded.
Introducing a game-changing enhancement to our platform: Investigation and Response. Streamline your email threat management with powerful search capabilities, drastically reducing response times and enhancing risk reduction.
I&R revolutionizes how you locate emails swiftly. Quick identification and resolution of threats significantly mitigate risks. Our array of new search fields empowers you to execute highly specific searches across sender, recipient, and email attributes. For instance, you can identify emails with more than 2 attachments and “Pay” in the subject line.
Stay ahead of emerging threats with proactive hunting. Combat evolving or zero-day threats by swiftly searching across your email archives and remediating in just two clicks. I&R supports broad and intricate searches, offering comprehensive flexibility.
Bid farewell to juggling multiple tools. I&R consolidates email investigations, saving you time and eliminating analyst frustration. What’s more, remediation is seamless within the platform—no need to switch to your email compliance tool.
I&R isn’t confined to external threats. Gain visibility into internal email traffic, empowering you to address internal incidents promptly. Prevent unauthorized exposure of sensitive data to internal recipients. Elevate your threat management with I&R—where search, investigation, and remediation unite for enhanced efficiency and security.
Our latest release brings a 40% reduction in false positives for lookalike attacks, ensuring you receive only the most relevant alerts. Our improved Behavioural Intelligence Model now captures 5% more threats, bolstering your defense against the latest risks. Plus, our refined executive impersonation identification means 35% more of these attacks are caught.
Notably, our priority model for Defender now detects 300% more ‘very high’ confidence events with exceptional precision, empowering you to confidently utilize email quarantine. Stay secure and save time with our upgraded email security software.
Tessian now generates a file hash for every attachment received and the platform checks this against Tessian’s unified threat intelligence database. The database is populated with updates from our in-house threat intel team alongside external threat intelligence sources. This feature provides an additional layer of protection for your users by preventing known malware threats from making it past the inbox.
Admins can now report and take action on spam emails: Whenever you mark an email as spam through the new “Mark as spam” button, this enables you to filter events marked as spam from the Defender events table. The Tessian research team will use your spam assessment to build detection algorithms able to distinguish between spam and malicious emails. This is now available in the Defender event viewer via the “Mark as spam” admin action.
Public Tessian API Documentation is now available. You can access the Public Tessian API Docs here. It is no longer a requirement to have an active Tessian Portal User to see Tessian’s API Documentation, so admins can share the documentation with colleagues and technical partners as needed.
We’ve redesigned the Defender Events Table to enhance your experience in identifying and addressing crucial events effortlessly. Here’s what you can expect:
The first notable change is the merging of the sender column into “Sender and Recipient(s)”. By simplifying the layout, we aim to ensure that you swiftly extract vital information without feeling overwhelmed.
Our use of labels enhances clarity regarding email status. Whether it’s in quarantine or the user has flagged it as malicious, these labels offer instant insights into the email’s disposition.
Delve deeper into event details effortlessly. Additional event information is now readily accessible by hovering over the “+” buttons. This convenient feature allows you to explore insights without leaving the main view. To further aid your journey, we’ve provided links to Help Centre articles for both label meanings and more information on accessing additional event details.
Customers can now search across all email threats whether they were detected by Tessian or not. You can now search across all emails from within the Tessian portal using our new Investigate and Respond capability and take the following actions:
You can search for an email using its message id (found within the email headers) or upload it as an .eml file in the portal, our help center article has more information.
Tessian Defender now offers protection against malicious URLs hidden in attachments. Customers can extract and inspect the URLs from the attachments, including: csv, doc,docx, htm, html,ppt, pptx,rtf, txt, xls, xlsx.
To further enhance our threat prevention capabilities, Tessian will now analyze and store the full body of emails of all emails for those who opt-in. By extending our behavioral intelligence models to analyze and store the body of emails we can apply more precise, sophisticated and adaptable threat prevention techniques. In this release, we’ve also improved our lookalike impersonation detection, which will result in a reduction in false positives.
The Tessian API is now available to all customers, letting you consume Tessian email data in your downstream systems. Do you want to triage your events in Splunk, Sentinel or another SIEM? Pair your Tessian data with data from other applications used in your daily workflows, such as user device usage, SAML etc. to understand their activity at a glance. The API offers customers the ability to discover endpoints for Security Events, User Monitoring, Groups, Risk Scores and more.
Admins can now mark emails as safe or malicious from directly within the portal to improve the algorithm’s performance within their environment. This will help reduce future false positives and reinforce the efficacy of malicious email detection.
A part of this release includes the ability to take action on user quarantined emails within the portal. If an email is user quarantined, admins can now release the emails to a user’s inbox, or delete the emails from user quarantine just as they currently do for admin quarantined emails. This provides significant time saving with bulk release and delete features as well as added security to quickly remove malicious emails.
The left hand-side navigation bar has been re-structured into the parent categories of Threat Prevention and Data Loss Prevention to reflect how our customers use the product. There is also a new top navigation bar, allowing quick navigation between insights and events pages for different modules.
