SMS and Email phishing

IBM® MaaS360® Endpoint Threat Management protects your employees from phishing attacks by identifying and flagging SMS and email messages that contain malicious URLs.

Threat actors send phishing links that appear to come from a trusted source. When targeted recipients click those links, hackers steal sensitive data such as corporate credentials or install malware on devices. MaaS360 uses Threat Intelligence integrations such as IBM X-Force® Exchange to compare these links against an exhaustive list of malicious URLs. SMS and email messages that contain phishing links are flagged when a match is found.

IBM MaaS360 monitors SMS and email messages for malicious URLs. If a malicious URL is detected, MaaS360 notifies users about the potential threat and flags the message to prevent users from accessing suspicious URLs. The user risk is calculated based on the number of malicious URLs that are identified on the device.

Supported devices
  • Android
  • iOS
Supported integrations

Requirements

IBM MaaS360 activates SMS protection and email security on devices to monitor SMS and email messages for phishing URLs.
  • For SMS protection, no additional device configuration is needed.
  • For email security, the scope is limited to the MaaS360 Mail app only. Make sure that MaaS360 Mail is enabled through MaaS360 services and the MaaS360 Mail app is configured through Persona policies.

Deploying endpoint security policies

Policy configuration

Configure and push EPS policies to detect phishing URLs on managed devices.

Follow these steps to configure Phishing settings.
  1. From the IBM MaaS360 Portal home page, go to Security > Policies.
  2. Open an EPS policy and then click Phishing.
  3. Click Edit and then select Enable Phishing Protection.
  4. Configure the following settings.
    Settings
    • Auto forward mails to monitor them: The suspicious emails are forwarded to the administrator with preserved header information. For more information, see https://www.ibm.com/support/pages/report-suspicious-emails-administrators-android.
    • Flag SMS with malicious URLs: If this setting is enabled, MaaS360 flags the malicious SMS and sends an alert to users.
    • Mark emails with malicious URLs: If this setting is enabled, the MaaS360 Mail app flags emails that contain phishing URLs.

Policy assignments

Assign endpoint security policies to a device, user, device group, or user group from the corresponding workflows. For more information about policy assignments, see Configuring endpoint security policies.

Configuring risk rules

When malicious URLs are detected, MaaS360 creates a risk incident and then validates that risk incident against your risk rule to calculate the severity and risk score for devices and users. By default, the risk rules for malicious SMS and malicious email messages are enabled in the MaaS360 Portal. You can use the Risk Rule Configurator to disable the risk rule, modify the threshold, or adjust the severity.
Note: This risk rule applies to iOS and Android devices only.
Follow these steps to configure risk rules.
  1. From the IBM MaaS360 Portal home page, go to Security > Security Management > Risk Rule Configurator.
  2. Configure the following settings.
    Risk rules
    • Malicious email received: This rule checks if emails with malicious URLs are found in the MaaS360 Mail app.
    • Malicious SMS received: This rule checks if messages with malicious URLs are found in the native SMS app.

    Condition: Define the severity of the risk based on the number of security incidents reported to the MaaS360 Portal. For example, if the number of malicious emails received is greater than 5, the severity is High.

    Default conditions (number of malicious emails/SMS and the resulting severity)
    • Less than or equal to 2: Low
    • More than or equal to 3 and less than or equal to 5: Medium
    • More than 5: High
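
How the default conditions grade a device, as an added example that is not MaaS360 code: it flags messages whose links match a blocklist, counts flagged messages per device and rule, and applies the default thresholds. The blocklist hosts, device IDs, sample messages, and function names are constructed for illustration, and the matching logic is an assumption, since this page does not document how MaaS360 compares URLs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a threat-intelligence feed (hypothetical hosts).
BLOCKLIST = {"login-verify.example", "parcel-track.example"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def malicious_urls(text, blocklist=BLOCKLIST):
    """Return URLs whose host, or a parent domain of it, is blocklisted."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")  # drop sentence punctuation after the link
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed authority, e.g. unbalanced "["
            continue
        labels = host.split(".")
        # Match on label boundaries: www.bad.example hits bad.example,
        # but notbad.example does not.
        if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
            hits.append(url)
    return hits

def severity(count):
    """Default conditions listed above; no incidents means no risk."""
    if count <= 0:
        return None
    if count <= 2:
        return "Low"
    return "Medium" if count <= 5 else "High"

def score(messages):
    """Count flagged messages per (device, channel), then grade each count."""
    counts = Counter(
        (dev, chan) for dev, chan, body in messages if malicious_urls(body)
    )
    return {key: (n, severity(n)) for key, n in counts.items()}

# Constructed sample traffic: (device id, channel, message body).
SAMPLE = [
    ("dev-1", "sms", "Your parcel is held: http://parcel-track.example/p?id=1"),
    ("dev-1", "sms", "Reminder http://parcel-track.example/p?id=2."),
    ("dev-1", "sms", "Final notice https://www.parcel-track.example/pay"),
    ("dev-1", "email", "Reset password at https://login-verify.example/reset"),
    ("dev-2", "email", "Minutes attached, see https://intranet.example/wiki"),
]

if __name__ == "__main__":
    for key, result in score(SAMPLE).items():
        print(key, result)
```

The third SMS moves dev-1 from Low to Medium for the SMS rule, while its single flagged email is graded separately as Low.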

Prerequisites and known limitations

Requirements - Android

The MaaS360 app requires permission to read your SMS messages to analyze them and detect potential threats.

Follow these steps to enable SMS Permission for the MaaS360 app.
  1. From the IBM MaaS360 Portal home page, go to Security > Security Status.
  2. A message appears to indicate that additional configuration steps are required to improve your device and data security. Tap Continue to proceed.
  3. Grant SMS Permission: You are prompted to enable SMS permissions again. Tap Allow to activate SMS protection.

Requirements - iOS

Users must enable SMS filtering and allow MaaS360 to read messages received from unknown sources.

Follow these steps to enable SMS filtering on iOS devices.
  1. Go to device Settings > Messages.
  2. Tap Unknown & Spam.
  3. Enable Filter Unknown Senders and then select MaaS360 under SMS Filtering.

Known limitations - iOS

Note:
  • Apple allows third-party apps to read messages from unknown senders only. Due to this limitation, MaaS360 cannot scan messages from known senders for malicious URLs.
  • Apple's iMessage service uses secure end-to-end encryption. As a result, MaaS360 cannot scan iMessages for suspicious URLs.

What happens when malicious URLs are detected on the device?

MaaS360 supports the following detection and response capabilities for phishing.
Note: The behavior is the same across iOS and Android platforms.
  • The SMS and email messages that contain malicious URLs are flagged.
  • A security alert is generated for the device user in real time.
  • A security alert is displayed when users open the suspicious URL.
  • A list of malicious SMS and email messages is displayed in the Security app.
  • Users can view the overall list of risk items in the app, and then delete all malicious SMS and email messages at once.
  • The security incident is reported to the IBM MaaS360 Portal. MaaS360 uses this data to gather intelligence on security incidents and to analyze user risk scores and user risk behavior patterns.

Tracking phishing incidents on the Security Dashboard

Devices report all phishing incidents to the IBM MaaS360 Portal in real time. If those phishing incidents meet the Risk Rule criteria set by the administrators, MaaS360 generates a risk incident in the dashboard.

Follow these steps to track security violations and incidents on the Security Dashboard.
  1. Go to Security > Security Dashboard.
  2. In the Top risk incidents widget, click the Affected devices numbered link.

    The affected devices with details are displayed.

  3. Click the username. The User Summary page displays all risk incidents against the affected device.
  4. Click Malicious email received/Malicious SMS to view more details about that risk incident.

For more information about other common widgets on the Security Dashboard, see Tracking security events on the Security Dashboard.