How to Configure Anti-Phishing Policies in Harmony Email

Step-by-step guide to configure anti-phishing protection, confidence thresholds, and exception lists in Check Point Harmony Email.

12 min read | Updated January 2025

Check Point Harmony Email & Collaboration provides advanced anti-phishing protection that analyzes multiple components of emails including attachments, links, sender reputation, and content patterns. This guide covers configuring anti-phishing policies to protect your organization from phishing, business email compromise (BEC), and spam attacks.

Prerequisites

Before configuring anti-phishing policies, ensure you have:

  • Harmony Email & Collaboration connected to Microsoft 365 or Google Workspace
  • Administrator access to the Check Point Infinity Portal
  • Protection mode enabled (Detect or Prevent)
  • Learning mode completed (initial calibration period finished)

Understanding Anti-Phishing Detection

The Anti-Phishing engine analyzes multiple email components:

| Component | Analysis Method |
|---|---|
| Sender Reputation | ThreatCloud database lookup, domain age, sending patterns |
| Email Headers | SPF, DKIM, DMARC validation, header anomalies |
| Content Analysis | Natural language processing, urgency indicators |
| URL Analysis | Link reputation, redirect chains, typosquatting |
| Attachment Analysis | QR codes, embedded URLs, suspicious file types |
| OCR Scanning | Text extraction from images for hidden content |

Detection Categories

| Category | Description | Risk Level |
|---|---|---|
| Phishing | High-confidence phishing attempt | Critical |
| Suspected Phishing | Lower-confidence indicators present | Medium |
| Spam | Unsolicited bulk email | Low |
| BEC/Executive Spoofing | Impersonation of executives | Critical |

Step 1: Access Anti-Phishing Configuration

  1. Sign in to https://portal.checkpoint.com
  2. Navigate to Harmony > Email & Collaboration
  3. Go to Security Settings in the left menu
  4. Click Security Engines
  5. Locate Anti-Phishing and click Configure

Step 2: Configure Phishing Confidence Threshold

The confidence threshold determines when emails are classified as Phishing versus Suspected Phishing.

Understanding Confidence Levels

| Threshold Setting | Sensitivity | False Positives | Detection Rate |
|---|---|---|---|
| Lowest | Most sensitive | Higher | Maximum detection |
| Low | High sensitivity | Moderate-high | Very high detection |
| Medium | Balanced | Moderate | High detection |
| High (Default) | Conservative | Low | Good detection |
| Highest | Most conservative | Minimal | Standard detection |

Set the Threshold

  1. In the Anti-Phishing configuration, locate Phishing confidence level
  2. Select your preferred threshold:
    • High (Default): Recommended for most organizations
    • Medium: For organizations receiving many phishing attempts
    • Low: For high-security environments requiring maximum detection
  3. Click Save

Tip: Start with the High (default) threshold, monitor detections for 2-4 weeks, then adjust based on your organization's needs and false positive rate.

Step 3: Configure Detection Actions

Set up actions for different detection categories.

  1. Go to Policy in the left menu
  2. Click the existing threat protection policy rule or create a new one
  3. Select Office 365 Mail or Gmail under Choose SaaS
  4. Select Phishing under Choose Security
  5. Click Next

Configure Phishing Actions

Set actions for high-confidence phishing detections:

| Action | Description | Recommendation |
|---|---|---|
| Quarantine | Remove email, hold for review | Recommended |
| Delete | Permanently remove email | High-security environments |
| Move to Junk | Deliver to spam folder | Not recommended for phishing |
| Alert Only | Deliver with warning banner | Testing only |

  1. Under When Phishing is detected, select Quarantine
  2. Enable Notify administrator if desired
  3. Click Next

Configure Suspected Phishing Actions

Set actions for lower-confidence detections:

  1. Under When Suspected Phishing is detected, choose:

    • Quarantine: Conservative approach
    • Warn with Banner: Deliver with warning message
    • Move to Junk: Let users review in spam folder
  2. Recommended: Select Warn with Banner to alert users while delivering

  3. Click Save

Step 4: Configure Spam Detection

Spam detection works alongside anti-phishing.

Spam Action Settings

  1. In the policy configuration, locate Spam settings
  2. Configure spam actions:
    • Move to Junk: Standard recommendation
    • Quarantine: For strict environments
    • Delete: Not recommended (may lose legitimate bulk mail)
  3. Click Save

Bulk Email Handling

  1. Go to Security Settings > Security Engines > Anti-Phishing
  2. Locate Bulk Email settings
  3. Configure:
    • Treat as Spam: Marketing emails go to junk
    • Allow Delivery: Marketing emails delivered normally
  4. Click Save

Step 5: Configure Executive Spoofing Protection

Protect against Business Email Compromise (BEC) attacks.

Enable Executive Protection

  1. In Anti-Phishing configuration, scroll to Executive Spoofing
  2. Enable Protect executives from spoofing
  3. Configure protection settings:

Add Executive List

  1. Click Manage Executive List

  2. Add executives by:

    • Email address: Specific addresses to protect
    • Title keywords: CEO, CFO, President, Director
    • Import from directory: Sync from Microsoft Entra ID or Google Workspace
  3. Click Save

Configure BEC Actions

  1. Under When executive spoofing is detected:

    • Quarantine: Recommended for external impersonation
    • Block: Prevent delivery entirely
    • Warn with Banner: Alert recipients of potential impersonation
  2. Enable External sender warning for emails claiming to be from executives

  3. Click Save
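
When reviewing delivered mail for impersonation that the executive list should have covered, a display-name check against that list is a quick spot test. The following is an added example, not Harmony Email's detection logic and not code from this guide; the organisation domain, executive name, and sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (constructed, not taken from the guide)
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"Dana Whitfield": "dana.whitfield@example.com"}


def name_tokens(name):
    """Return the lower-case word set of a name, without accents or punctuation."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(
        c if c.isalnum() else " " for c in text if not unicodedata.combining(c)
    )
    return set(text.lower().split())


def classify_from(raw_message):
    """Compare the From display name and address with the executive list."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    for exec_name, exec_addr in EXECUTIVES.items():
        # Match when every word of the executive's name appears in the
        # display name, so an appended title such as "CEO" still matches.
        if name_tokens(exec_name) <= name_tokens(display):
            if addr == exec_addr:
                return "genuine-address"
            if domain not in ORG_DOMAINS:
                return "external-impersonation"
            return "internal-address-mismatch"
    return "no-executive-name"


# Constructed sample messages (headers plus a stub body)
SAMPLES = {
    "genuine": 'From: "Dana Whitfield" <dana.whitfield@example.com>\n'
               "Subject: Q3 plan\n\nbody",
    "spoof": 'From: "DANA Whitfield - CEO" <dana.whitfield@mail.example.net>\n'
             "Subject: Urgent request\n\nbody",
    "other": 'From: "Acme Billing" <billing@acme.com>\n'
             "Subject: Invoice\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_from(raw))
```

Messages that come back as external-impersonation but were delivered without a banner or quarantine are candidates for adding the executive's address or title keywords to the list.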

Step 6: Configure Microsoft/Google Integration

Manage how Harmony Email interacts with native email security.

Handle Conflicting Classifications

Configure behavior when Microsoft/Google and Check Point disagree:

  1. In Anti-Phishing configuration, locate Emails flagged as Spam by Microsoft / Google but Clean by Check Point
  2. Choose handling option:

| Option | Behavior | Use Case |
|---|---|---|
| Treat as Clean | Deliver to inbox | Trust Check Point classification |
| Treat as Spam | Deliver to Junk folder | Honor Microsoft/Google verdict |

  3. Click Save

Allow-List Integration

Configure how allow-lists interact between platforms:

  1. Scroll to Allow-List Settings
  2. Configure options:
    • Apply Microsoft Allow-List to Check Point: Check Point honors Microsoft's allow-list
    • Override Microsoft sending to Junk: Check Point can rescue emails from Microsoft's Junk folder
  3. Click Save

Step 7: Configure Anti-Phishing Exceptions

Create allow-lists and block-lists for specific senders.

Access Exception Settings

  1. Navigate to Security Settings > Exceptions
  2. Click Anti-Phishing
  3. Select exception type from dropdown: Allow-List or Block-List

Create Allow-List Entry

Allow emails from specific senders to bypass phishing checks:

  1. Click Add Exception
  2. Configure the exception:
    • Name: Descriptive name (e.g., "Trusted Partner - Acme Corp")
    • Match Type: Choose criteria

| Match Type | Example | Use Case |
|---|---|---|
| Sender Email | [email protected] | Specific sender |
| Sender Domain | acme.com | All emails from domain |
| Sender IP | 203.0.113.50 | Specific mail server |
| Subject Contains | "Monthly Report" | Specific email patterns |

  3. Click Save

Warning: Allow-list entries bypass security checks entirely. Document all exceptions and review quarterly.
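
One way to run the quarterly review called for above is to keep an exception register alongside the portal and audit it with a script. This is an added example, not part of the original guide or a Check Point tool; the CSV column layout, the public mail domain list, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register. The columns are an assumption for this
# example, not a Harmony Email export format.
REGISTER = """name,match_type,value,justification,last_reviewed
Trusted Partner - Acme Corp,Sender Domain,acme.com,Partner invoices,2025-01-10
Newsletter,Subject Contains,Monthly Report,,2024-03-02
Relay,Sender IP,203.0.113.50,Partner mail relay,2024-06-15
Personal,Sender Domain,gmail.com,Requested by user,2025-01-05
"""

# Assumed short list of public mail providers; extend for your environment.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
REVIEW_DAYS = 92  # one quarter


def audit(register_csv, today):
    """Return (entry name, [issues]) for every allow-list entry needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        issues = []
        if not row["justification"].strip():
            issues.append("no documented justification")
        age = (today - date.fromisoformat(row["last_reviewed"])).days
        if age > REVIEW_DAYS:
            issues.append(f"review overdue ({age} days)")
        match_type = row["match_type"]
        value = row["value"].strip().lower()
        if match_type == "Subject Contains":
            # A subject match is not tied to any sender identity.
            issues.append("subject-only match applies to every sender")
        elif match_type == "Sender Domain" and value in PUBLIC_MAIL_DOMAINS:
            issues.append("public mail domain covers unrelated senders")
        if issues:
            findings.append((row["name"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit(REGISTER, date(2025, 1, 31)):
        print(f"{name}: " + "; ".join(issues))
```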

Create Block-List Entry

Permanently block emails from specific senders:

  1. Click Add Exception with type set to Block-List

  2. Configure blocking criteria:

    • Sender Email: Block specific addresses
    • Sender Domain: Block entire domain
    • Subject Pattern: Block emails matching subject line
  3. Select Block Action:

    • Phishing: Treat as confirmed phishing
    • Suspected Phishing: Treat as suspected phishing
    • Spam: Treat as spam
  4. Click Save

Step 8: Configure User Warning Banners

Smart Banners alert users about potentially suspicious emails.

Enable Warning Banners

  1. Go to Security Settings > User Interaction
  2. Click Smart Banners
  3. Enable banner types:

| Banner Type | Trigger | Recommended |
|---|---|---|
| External Sender | Email from outside organization | Yes |
| First-time Sender | Sender never emailed this user | Yes |
| Suspected Phishing | Low-confidence phishing detection | Yes |
| Spoofing Attempt | Sender name doesn't match domain | Yes |

Customize Banner Appearance

  1. Scroll to Banner Customization
  2. Configure:
    • Banner color: Default yellow for warnings
    • Banner text: Custom warning message
    • Report button: Enable "Report as Phishing" link
  3. Click Save

Step 9: Configure Phishing Reports from Users

Allow users to report suspected phishing emails.

Enable User Reporting

  1. Go to Security Settings > User Interaction
  2. Click Phishing Reports
  3. Enable Allow users to report phishing
  4. Configure report options:
    • Report button in banner: Add report link to warning banners
    • Outlook add-in: Install Check Point reporting add-in
    • Gmail add-on: Install Google Workspace add-on

Handle Reported Emails

  1. Configure what happens when users report emails:
    • Auto-quarantine: Move reported email to quarantine
    • Notify admin: Send alert to administrators
    • User feedback: Send confirmation to reporter
  2. Click Save

Phishing Simulation Integration

If using phishing awareness training:

  1. In Phishing Reports settings, locate Phishing simulation emails
  2. Enable Notify user checkbox
  3. Users who report simulation emails receive feedback
  4. Click Save

Step 10: Configure Administrator Alerts

Set up notifications for phishing detections.

Enable Phishing Alerts

  1. Go to Security Settings > Alerts
  2. Configure notification triggers:
    • Phishing detected: Alert for confirmed phishing
    • BEC attempt: Alert for executive spoofing
    • High-volume attack: Alert for phishing campaigns
  3. Enter administrator email addresses
  4. Select alert frequency:
    • Immediate: Critical events
    • Hourly digest: Regular summary
    • Daily digest: Once-daily overview
  5. Click Save

Troubleshooting Common Issues

Too Many False Positives

Symptoms: Legitimate emails flagged as phishing.

Solutions:

  1. Increase the phishing confidence threshold to High or Highest
  2. Add legitimate senders to the Allow-List
  3. Review flagged emails to understand detection patterns
  4. Contact Check Point support for pattern tuning

Missing Phishing Detections

Symptoms: Phishing emails reaching users' inboxes.

Solutions:

  1. Lower the phishing confidence threshold to Medium or Low
  2. Verify protection mode is set to Prevent (not Monitor)
  3. Check that the user is in a protected group
  4. Review sender information to add to Block-List

Smart Banners Not Displaying

Symptoms: Warning banners don't appear in emails.

Solutions:

  1. Verify Smart Banners are enabled in User Interaction settings
  2. Check that the email client supports HTML banners
  3. Confirm the email type triggers the configured banner
  4. Test with a first-time external sender

Executive Spoofing Not Detecting Attacks

Symptoms: BEC attempts not being caught.

Solutions:

  1. Verify executives are added to the protection list
  2. Check that executive spoofing protection is enabled
  3. Add executive title keywords (CEO, CFO, etc.)
  4. Review detection logs for missed attempts

Best Practices

  1. Start conservative: Begin with High threshold, adjust based on results
  2. Enable Smart Banners: Visual warnings help users identify risks
  3. Protect executives: Always enable BEC/spoofing protection
  4. Document exceptions: Track all allow-list entries with justification
  5. Review weekly: Check detection events and false positive reports
  6. Train users: Use detection data to identify training needs
  7. Test changes: Verify policy changes in Monitor mode before Prevent

Next Steps

After configuring anti-phishing policies:

  1. Configure URL protection: Enable click-time protection for malicious links
  2. Set up threat emulation: Configure attachment sandboxing
  3. Enable DLP: Protect sensitive data in outbound emails
  4. Review security reports: Monitor phishing trends and targeted users


Need help configuring anti-phishing protection? Inventive HQ specializes in email security solutions for businesses of all sizes. Contact us for expert guidance.

Frequently Asked Questions

Find answers to common questions

Emails classified as Phishing have a confidence score at or above your configured threshold (default: High), indicating strong evidence of a phishing attempt. Suspected Phishing emails score below the threshold but still show phishing indicators. You can configure different actions for each classification, such as quarantine for Phishing and warn for Suspected Phishing.
