This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nishanthan
Participant
‎2025-09-23 04:04 AM
Jump to solution

A phishing email bypassed the Check Point security controls

We are experiencing an issue with Harmony Email security and would like your assistance.

  • On 8th September, a phishing email was successfully blocked by Harmony Email.

  • On 19th September, a similar phishing email from a different sender was delivered to the customer’s mailbox.

  • The phishing email on 19th September was not blocked by Harmony Email and we were unable to find any related logs for this event.

  • Email tracing shows that the message hit the Microsoft external email header policy, but it did not trigger any Check Point policy enforcement.

  • Despite this, the email still reached the customer mailbox.

Concerns / Questions:

  1. Why did Harmony Email fail to block the phishing email on 19th September?

  2. Why are there no Harmony Email logs for this email?

  3. Why was the message processed only under Microsoft’s external header policy and not evaluated by Check Point’s security controls?

3 Solutions

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-09-23 04:35 AM
Jump to solution

Do you have a SR# wuth CP TAC open already to get these questions answered?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

the_rock
MVP Platinum
MVP Platinum
‎2025-09-23 05:46 AM
Jump to solution

For something like this, I would definitely open TAC case. In the meantime, are there any relevant logs you can send us?

Andy

Best,
Andy

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-23 07:07 AM
Jump to solution

Specific instances of false positives/false negatives should be addressed via TAC.

View solution in original post

0 Kudos
6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-09-23 04:35 AM
Jump to solution

Do you have a SR# wuth CP TAC open already to get these questions answered?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Nishanthan
Participant
‎2025-09-30 09:42 PM
In response to G_W_Albrecht
Jump to solution

We raised a service request, and their response was that “this user is not a protected user.” That part is correct, since the object in question is not an individual user but a Microsoft group. However, inside this group there are multiple protected users. The concern is why the email was still delivered to those protected users and not blocked. Additionally, we need to understand why the message was not automatically deleted from the inboxes of those protected users.

the_rock
MVP Platinum
MVP Platinum
‎2025-09-30 10:04 PM
In response to Nishanthan
Jump to solution

Definitely should have been deleted, agree.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-02 07:06 PM
In response to Nishanthan
Jump to solution

Hey mate,

Any news about this? What did TAC say?

Best,

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-23 05:46 AM
Jump to solution

For something like this, I would definitely open TAC case. In the meantime, are there any relevant logs you can send us?

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-23 07:07 AM
Jump to solution

Specific instances of false positives/false negatives should be addressed via TAC.

0 Kudos
Upcoming Events

    CheckMates Events