
Technical Overview of:

IRONSCALES Solution
Executive Summary

Table of Contents

Executive Summary
  Understanding your needs
  Business Objectives
Workflow / Data Flow overview
Mail Flow
Data Flow
Communication Table
APPENDIX A
  Components
Understanding your needs
Due to the large volume of phishing attacks organizations are currently experiencing, you are
seeking to take advantage of an enterprise-class solution to help you deliver IT and time back
to the business, protecting the information that spans your entire organization.
Your current solution may not be giving you the support you need, nor achieving the business
objectives you seek.

Business Objectives
• Reduce time spent manually addressing email phishing attacks
• Protect the enterprise from current and future attacks
• Find a solution that works and a company that you can trust
Workflow / Data Flow overview
IRONSCALES offers a sophisticated SaaS-based anti-phishing solution that is tightly integrated
with Microsoft Office 365, G Suite and Microsoft Exchange. At a high level, the solution
comprises:
• Mailbox-level anomaly detection, which scans incoming emails and displays alerts
via an in-mail banner if determined to be suspicious (Spoofing & Impersonation,
Domain look-alikes)
• Automated and AI-powered incident response, which scans for known threats via
a database of known malicious content and Multi-AV/sandbox integrations, and
automatically removes any known malicious emails, or emails that are verified as
phishing attacks by the organization’s security team
• IRONSCALES also provides a button for users to report suspicious emails to the
organization’s security team. This button is an OWA-compliant add-in that is
installed in the O365 Admin Portal and is automatically distributed out by O365 to
all OWA-compliant email clients, such as Outlook, web browsers and mobile
clients. There is no need to manually install any software on any end-station.
• Our decentralized, real-time threat detection community, which scans for - and
flags to users - known threats via a crowd-sourced global repository
• Our AI-powered Virtual Security Analyst Themis, that continually learns from tens
of millions of emails that run through our platform daily to give your security teams
advice about where and how to address different threats and attacks. Many
customers rely on Themis for the majority of their incident response decisions and
allow her to make autonomous decisions. This automatic remediation of
malicious emails is what we call zero-click incident response
Upon emails arriving in an Office 365 (O365) mailbox, a notification is sent via an SSL-
encrypted Microsoft API connection from O365 to the IRONSCALES API server which is in
Amazon Web Services (AWS) US West (Oregon) Region.
The IRONSCALES server then scans and inspects the following data, which is transferred from
O365: the email body and headers, and any embedded URLs (the attachments themselves
are not sent).
The email headers are stored and indexed in the IRONSCALES AWS datastore; however, the email
body is NOT saved or stored. It is inspected and discarded (unless it is flagged as suspicious
by an end user).
Where a user reports an email (because they suspect it to be a phishing email) it is stored,
complete with any links and attachments, for review by your security team and sandbox
analysis.
Mail Flow
Data Flow
a. Upon any incoming email
i. API application server located in AWS US West Region (Oregon) performs
inspection of emails
ii. Email body and headers (and embedded URLs) are transferred to AWS via
SSL encrypted API and are inspected in Ironscales’ application server
iii. Email headers are stored and indexed in AWS in Ironscales datastore
iv. Email body is not saved

b. Upon reporting of Email


i. OWA plugin (installed in Office 365 Exchange Admin Panel and pushed by
Office 365 to OWA compliant email clients) sends reported mail via SSL
encrypted session to API application server located in AWS US West Region
(Oregon)
ii. Email body and headers are inspected in AWS in IRONSCALES application
server
iii. Email attachments are fetched from Office 365 and are transferred by SSL
encrypted API connection to IRONSCALES application server located in
AWS US West Region (Oregon) (if they exist)
iv. Attachments and links are sent to external scanners (CheckPoint SandBlast,
VirusTotal API, Google SafeBrowsing, Google WebRisk, and BitDefender).
This can be optionally disabled via configuration
Communication Table

IRONSCALES OWA Addin (Uploaded to and distributed from Office 365 Admin Portal)
• What port(s) does the component use to communicate? TCP/443
• What data is collected? On report by user: Email Body, Email Headers, Links, Actual Attachments, Mitigation and IronSights banner added
• Where does it send the data? https://api.ironscales.com located in AWS US West Region (Oregon)

API Application Server (located in AWS US West Region (Oregon))
• What port(s) does the component use to communicate? TCP/443
• What data is collected? On inspection: Email Body (not saved), Email Headers, Links, MD5 hash of attachments, Mitigation and BEC banners added. When flagged as suspicious: Actual Attachments
• Where does it send the data? https://api.ironscales.com located in AWS US West Region (Oregon)

Third Party Attachment and URL Scanning
• What port(s) does the component use to communicate? TCP/443
• What data is collected? MD5 hash of attachment and/or URL (taken from inspection)
• Where does it send the data? Virus Total API, Check Point SandBlast, BitDefender, Google SafeBrowsing, Google WebRisk

Decentralized, real-time threat detection
• What port(s) does the component use to communicate? N/A
• What data is collected? N/A
• Where does it send the data? This is a Database located in AWS US West Region (Oregon). No outside communication.

How is the data protected both in transit and at rest?
Database is encrypted at rest. All data protected by SSL protocol during transit.
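For anyone reviewing this data flow, the added example below (not IRONSCALES code and not part of the original document) splits one message into the inspection-time data classes the table lists: headers that are stored, links and attachment MD5 hashes that can go to third-party scanners, and a body that is read but not kept. The sample message, the URL pattern and all function and field names are assumptions made for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample message (not real traffic): a text body and one attachment.
SAMPLE = (
    b"From: Billing <billing@example.test>\r\n"
    b"To: user@example.test\r\n"
    b"Subject: Invoice overdue\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please pay at https://pay.example.test/invoice?id=42 today.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8=\r\n"
    b"--b1--\r\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")  # assumed, deliberately simple

def inspection_record(raw: bytes) -> dict:
    """Hypothetical helper: classify one message's data as the table describes."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, hashes = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # At inspection only the MD5 of the decoded bytes is derived.
            data = part.get_payload(decode=True)
            hashes.append(hashlib.md5(data, usedforsecurity=False).hexdigest())
        elif part.get_content_maintype() == "text":
            # The body is scanned for links and then dropped, never returned.
            urls += URL_RE.findall(part.get_content())
    return {
        "stored_headers": {k: str(v) for k, v in msg.items()},
        "links": urls,
        "attachment_md5": hashes,
        "third_party_scan_input": sorted(set(urls + hashes)),
        "body_retained": False,
    }

if __name__ == "__main__":
    print(inspection_record(SAMPLE))
```

Comparing the returned record with the raw message shows which fields leave the mailbox at inspection and which only leave when a user reports the email.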
Why IRONSCALES?

The world’s first and only anti-phishing technology to combine human intelligence with
machine learning and Artificial Intelligence to prevent, detect and respond automatically to
today’s sophisticated email phishing attacks. Using a multi-layered and automated approach,
we expedite the time from phishing attack to remediation from weeks to seconds, with
minimal security team involvement.

IRONSCALES is the only email phishing solution seamless enough to reduce the workload
burden on SOC teams by automatically analysing and remediating incoming threats and
quarantining or deleting suspected phishing emails in real-time.

In addition, IRONSCALES understands your users’ awareness of phishing threats and provides
adaptive on-going awareness training to increase their knowledge and understanding to help
them better protect the organisation.
APPENDIX A
Components

Advanced Malware/URL Protection:


IRONSCALES Advanced Malware/URL Protection is a cloud-based email protection module
that helps protect your organization against zero-day malware and phishing websites by
providing real time protection against all inbound emails, using various multi AV and Sandbox
engines, including the IRONSCALES Visual Scanner which, using computer vision, is designed
to detect phishing, or spoofed websites. These sites are designed to obtain a person’s login
credentials to a legitimate website.

Mailbox-level Anomaly Detection:


IRONSCALES Mailbox-level anomaly detection prevents email spoofing and impersonation
attacks in real-time, by combining the power of smart fingerprinting with trusted
relationships in the context of normal user behavior and communication habits.
Using machine learning algorithms, IronSights continuously studies every employee's inbox
to detect anomalies based on a first of its kind sender fingerprint technology, which can
identify the authenticity of a sender based on both email data and metadata extracted from
previously trusted communications.

AI-powered Incident Response:

IRONSCALES provides the first and only fully automated email phishing incident detection and
response solution.

Our platform streamlines phishing incident handling by conducting email phishing incident analysis,
threat intelligence gathering/forensics and orchestration, and responds automatically (zero-click
response) or at the click of a button (one-click response).
This process eliminates the need for an army of highly trained SOC or security analysts to
manually deal with the continuous growth of daily reported email threat incidents, reducing
the time from detection to remediation from days or weeks to just seconds.
Decentralized Real-Time Threat Detection:
This component offers real-time human verified actionable collaboration, integrated with
automated incident response, as a means to better prepare and respond to new attacks
before they target other employees’ or other companies’ inboxes.
By decentralizing and distributing threat intelligence automatically in a peer-to-peer manner,
companies around the world can implement proactive phishing protection to defend against
unknown threats that have already been verified by other security professionals within the
IRONSCALES community.

Themis:
Themis is an AI-driven virtual security analyst that helps security teams determine a verdict
on suspicious email incidents in real-time, and also automate the appropriate response. Built
on top of our decentralized threat intelligence engine and security community, Themis
continually learns from tens of millions of emails that run through our platform daily to give
your security teams advice about where and how to address different threats and attacks.
Themis examines any incident’s threat level and potential impact and provides her confidence
level for her recommendations. Many customers rely on Themis for the majority of their
incident response decisions and even allow her to make autonomous decisions. This
automatic remediation of malicious emails is what we call zero-click incident
response. Themis never sleeps, never gets sick, and never takes time off. She’s also
constantly learning in order to continually improve.

Gamified, Personalized Simulation and Training:

A customised micro-learning method helps employees to think and act as a virtual SOC
response team member, becoming proactive against malware attacks. Our gamified,
interactive micro-learning method is customised to each employee based on an initial
assessment of users' phishing recognition and classification skills.
