Typically, a Secure Mailbox (SM) or Secure Email Gateway (SEG) that receives emails for an organization scans emails and performs threat detection/handling for the emails (e.g., allowing or dropping emails) based on various handling policies configured for the organization. Currently, an SM/SEG completely scans all email each time an email traverses the SM/SEG (e.g., for an initial email and any subsequent replies/responses for a conversation/email thread), which can result in high usage of compute resources for an organization, potentially increasing the cost of email services, as well as increasing the latency of email delivery. In order to address such issues, techniques presented herein provide for the ability to prevent repeat scanning of email content that has already been scanned for a given conversation thread, which can be identified using a message identifier (M-ID), and to correlate results of previous scans of the conversation thread with a current scan of the thread (having a same message ID) in order to perform threat detection for emails.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.