Unverified Commit 8398ce77 authored by marciocloudflare, committed by GitHub
[Area 1] Small refinements to text (#5727)

* changed from 3 to three

* removed dot from file type

* removed dot from filetype

* monospaced x-headers

* corrected file types

* changed from M/L to ML
parent 8f717c88
......@@ -10,9 +10,9 @@ As part of your email configuration, your administrators and email recipients ca
## What happens after phish submission
After you or your users submit a phish sample, we add that sample directly into our machine learning (M/L) queue.
After you or your users submit a phish sample, we add that sample directly into our machine learning (ML) queue.
Some samples will be directly converted to `Malicious` upon going through machine learning and the rest will be further processed by our M/L module.
Some samples will be directly converted to `Malicious` upon going through machine learning and the rest will be further processed by our ML module.
## Setup
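Review bot: with M/L now spelled ML, the last sentence of this hunk still uses the same term for two different stages ("upon going through machine learning" and "further processed by our ML module"), so a reader cannot tell what separates a sample that is converted directly to `Malicious` from one that needs further processing. Consider naming what distinguishes the two paths, or merging the two references so the sentence describes one pipeline with one outcome per sample.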
......
......@@ -8,7 +8,7 @@ weight: 2
Area 1 uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict.
Based on these patterns, Area 1 may add X-Headers to each email message that passes through our system.
Based on these patterns, Area 1 may add `X-Headers` to each email message that passes through our system.
## Dispositions
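Review bot: wrapping `X-Headers` in backticks makes it read as a literal header name, but here it is a category of headers rather than one identifier, and the hunk gives no actual header name a reader could search for. Either keep it as plain text (for example "custom X-headers") or turn the sentence into a link to the page that lists the specific headers Area 1 adds, with the real names in code formatting.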
......
......@@ -21,18 +21,18 @@ For example, a particular sender IP in a Comcast range might have a mix of good
| Attack type | Example | Detections applied |
| --- | --- | --- |
| Malicious payload attached to the message | Classic campaign technique, which utilizes a variety of active attachment types (`.EXE`, `.DOC`, `.XLS`, `.PPT`, `.OLE`, `.PDF`, and more) as the malicious payload for ransomware attacks, Trojans, viruses, and malware. | Machine learning (M/L) models on binary bitmaps of the payload as well as higher-level attributes of the payload, with specific focus on signatureless detections for maximum coverage. Additionally, for relevant active payloads, the engine invokes a real-time sandbox to assess behavior and determine maliciousness. |
| Encrypted malicious payload attached to the message, with password in message body as text | Campaigns that induce the user to apply a password within the message body to the attachment. | Real-time lexical parsing of message body for password extraction and M/L models on binary bitmaps of the payload, signatureless detections for maximum coverage. |
| Encrypted malicious payload attached to the message, with password in message body as an image | Campaigns that induce the user to apply a password within the message body to the attachment, with the entire body or part of the body being an image. | Real-time OCR parsing of message body for password extraction and M/L models on binary bitmaps of the payload, signatureless detections for maximum coverage. |
| Malicious payload within an archive attached to the message | Campaigns with payloads within typical archives, such as `.ZIP` files. | ML detection tree on the payload, as well as decomposition of each individual archive into component parts and fragments for compound documents. |
| Malicious payload attached to the message | Classic campaign technique, which utilizes a variety of active attachment types (EXE, DOC, XLS, PPT, OLE, PDF, and more) as the malicious payload for ransomware attacks, Trojans, viruses, and malware. | Machine learning (ML) models on binary bitmaps of the payload as well as higher-level attributes of the payload, with specific focus on signatureless detections for maximum coverage. Additionally, for relevant active payloads, the engine invokes a real-time sandbox to assess behavior and determine maliciousness. |
| Encrypted malicious payload attached to the message, with password in message body as text | Campaigns that induce the user to apply a password within the message body to the attachment. | Real-time lexical parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage. |
| Encrypted malicious payload attached to the message, with password in message body as an image | Campaigns that induce the user to apply a password within the message body to the attachment, with the entire body or part of the body being an image. | Real-time OCR parsing of message body for password extraction and ML models on binary bitmaps of the payload, signatureless detections for maximum coverage. |
| Malicious payload within an archive attached to the message | Campaigns with payloads within typical archives, such as `.zip` files. | ML detection tree on the payload, as well as decomposition of each individual archive into component parts and fragments for compound documents. |
| Malicious URLs within message body | Typical phish campaigns with a socially engineered call to action URL that will implant malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks). | Continuous Web crawling, followed by real-time link crawling for a select group of suspicious urls, followed by machine learning applied to URL patterns in combination with other pattern rules and topic-based machine learning models for exhaustive coverage of link-based attacks. |
| Malicious payload linked through a URL in a message | Campaigns where the URL links through to a remote malicious attachment (for example, in a `.DOC` or `.PDF` file) | Remote document and/or attachment extraction followed by M/L detection tree on the payload, instant crawl of links. |
| Malicious payload linked through a URL in a message | Campaigns where the URL links through to a remote malicious attachment (for example, in a `.doc` or `.pdf` file) | Remote document and/or attachment extraction followed by ML detection tree on the payload, instant crawl of links. |
| Blind URL campaigns | Entirely new domain with intentional obfuscation, seen for the first time in a campaign. | Link structure analysis, link length analysis, domain age analysis, neural net models on entire URL as well as domain and IP reputation of URL host, including autonomous system name reputation and geolocation based reputation. |
| Malicious URLs within a benign attachment in the message | Campaigns obfuscating the payload within attachments. | URL extraction within attachments, followed by above mentioned URL detection mechanisms. |
| Malicious URLs within an archive attached to the message | Campaigns obfuscating the payload within attachments. | Attachments decomposed recursively (both in archive formats and compound document formats) to extract URLs, followed by above mentioned URL detection mechanisms. |
| Malicious URLs behind URL shortening services | Campaigns leveraging Bitly, Owly, and similar services at multiple levels of redirection to hide the target URL. | URL shorteners crawled in real time at the moment of message delivery to get to the eventual target URL, followed by URL detection methods. Real-time shorterners are intentionally not crawled ahead of time due to the dynamic nature of these services and the variation of target URLs based on time and source. |
| Instant crawl of URLs within message body | Typical phish campaigns with a socially engineered call to action URL that will implant a malware (for example, Watering Hole attacks, Malvertizing, or scripting attacks). | Heuristics applied to URLs in message bodies that are not already detected from ahead of time crawling and those deemed suspicious according to strict criteria are crawled in real time. |
| Credential Harvesters | Form-based credential submission attacks, leveraging known brands (Office 365, Paypal, Dropbox, Google, and more). | Continuous Web crawling, computer vision on top brand lures, M/L models, and infrastructure association. |
| Credential Harvesters | Form-based credential submission attacks, leveraging known brands (Office 365, Paypal, Dropbox, Google, and more). | Continuous Web crawling, computer vision on top brand lures, ML models, and infrastructure association. |
| Domain Spoof Attacks | Campaigns spoofing sender domains to refer to the recipient domain or some known partner domain. | Header mismatches, email authentication assessments, sender reputation analysis, homographic analysis, and punycode manipulation assessments. |
| Domain proximity attacks | Campaigns taking advantage of domain similarity to confuse the end user (for example, `sampledoma1n.com` or `sampledomaln.com` compared to `sampledomain.com`). | Header mismatches, email authentication assessments, and sender reputation analysis. |
| Email Auth violations | Campaigns taking advantage of incorrect or invalid sender Auth records (SPF/DKIM/DMARC) and bypassing incoming Auth-based controls. | Assessment of sender authentication records against published SPF/DKIM/DMARC records, which is applied in combination with overall message attributes. |
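Review bot: the file-type convention is now inconsistent within the same table: the first row drops the leading dot and the code formatting (EXE, DOC, XLS, PPT, OLE, PDF), while the archive and linked-payload rows keep the dot and monospace (`.zip`, `.doc`, `.pdf`); pick one style for all rows so the "removed dot from file type" change is applied throughout. While touching this table, the unchanged context lines carry typos worth fixing in the same pass: "Real-time shorterners" (shorteners), "implant a malware" (implant malware), "suspicious urls" (URLs) and "Paypal" (PayPal).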
......
......@@ -50,4 +50,4 @@ billing statement message_id:<Amazon aws Support@email.amazonses.com>
## Additional notes
When searching for phrases, some terms — such as words less than 3 characters and certain escape words like `and`, `the`, `then`, `their` — are not tokenized. Our search will automatically ignore these terms, both in your search query and in the proposed results.
\ No newline at end of file
When searching for phrases, some terms — such as words less than three characters and certain escape words like `and`, `the`, `then`, `their` — are not tokenized. Our search will automatically ignore these terms, both in your search query and in the proposed results.
\ No newline at end of file
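Review bot: the rewritten sentence still reads "words less than three characters", which leaves it unclear whether a three-character word is tokenized; "words shorter than three characters" (or "of fewer than three characters") removes the ambiguity. The phrase "escape words" for `and`, `the`, `then`, `their` also appears to mean stop words, which is the usual term for words a tokenizer drops.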
......@@ -31,6 +31,6 @@ You can pull information for a message in [search detections](/email-security/re
## Data retention
For Area 1 Horizon Enterprise customers, detections search would index for amperiod of 12 months and rotate over to a rolling 12-month period.
For Area 1 Horizon Enterprise customers, detections search would index for a period of 12 months and rotate over to a rolling 12-month period.
For Area 1 Horizon Advantage customers, detections search would index for 3 months and rotate over to a rolling 3-month period.
\ No newline at end of file
For Area 1 Horizon Advantage customers, detections search would index for three months and rotate over to a rolling 3-month period.
\ No newline at end of file
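Review bot: both retention sentences keep "detections search would index for ...", which reads as a hypothetical rather than a statement of current behaviour; "detections search indexes ... for a period of 12 months and then rolls over to a rolling 12-month period" (and the same form for the three-month Advantage sentence) states the retention plainly. Each sentence also names the same period twice ("for a period of 12 months" and "a rolling 12-month period"); one mention of the rolling window is enough.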