After an account is detected as compromised, emails previously sent from this account are scanned and, if needed, removed from users’ mailboxes.
Compromised accounts can cause a lot of damage, and fast. In addition to automatically blocking the account, SOC teams also need to investigate the activity of the account after it was compromised.
To ensure the damage from the compromised account is thoroughly investigated, SOC teams need to consider that the account was compromised some time before the actual detection. Therefore, they need to go back a number of hours and carefully look into the account’s emails.
Avanan now automates this process. Immediately after an account is detected as compromised, emails sent from this account up to 3 hours before the detection are re-scanned with higher sensitivity parameters, and any emails found to be malicious are also automatically quarantined.
This reduces both the load on the SOC team and the urgency of handling compromised-account incidents.