Our ATP Service, powered by Hornet Security, consists of 3 different mechanisms complementing each other:

  1. ATP-Filter (Sandbox engine, Freezing, URL scanning)
  2. ATP URL Rewriting
  3. Targeted Fraud Forensic Filter

Further details on the functions of each module is available at http://support.everycloudtech.com/solution/articles/4000112555-advanced-threat-protection-features

Important: The ATP Service offers a 30 days trial period. This time frame should also be used for possible adjustments. Please contact our sales department for additional information regarding the trial period.

The services will be enabled in the following order:

  • ATP-Filter (Sandbox engine, Freezing, URL scanning)
  • ATP URL Re-writer
  • Targeted Fraud Forensic Filter

We recommend 7-days between enabling each mechanism, as each mechanism needs to be assessed for any possible increase in False Positives. After enabling the ATP-Filter you will find additional filter reasons from within the Workspace.

Setup ATP-Filter

You can enable the ATP-Filter at any time through the Control Panel. To do so, you will only have to enable the service under “Management > E-Mail > ATP” and add one or multiple email address(es) that are supposed to receive the Real Time Alerts, which the service sends out in case of an identified attack. Please be aware that enabling the service from the Control Panel will only enable the ATP-Filter and not the complete service. The additional mechanisms need to be enabled through the customer support.

Setup ATP Targeted Fraud Forensic Filter

The service is responsible for identifying and preventing spear phishing attacks that target mainly departments or single persons in the company having the authority to release any possible bank transfers. 

The Target Fraud Forensic Filter as well as the URL Rewriting will need to be enabled through our customer support. Enabling the ATP filter through the Control Panel will not be sufficient.

The mechanism is only intended to cover a few decision-makers within the company. There will be no global check on the domain. Customer support will need a list of email addresses to be checked in to enable the service for you.

  • Basic SPF Checking is a prerequisite for the Targeted Fraud Forensic Filter.  Please see our article on SPF Checking for instructions on how to create an SPF record and how to enable SPF Checking Type 1 (basic) or Type 2 (advanced).


The filter will use a multitude of different heuristics and mechanism to identify such emails:

  • Intention Recognition System: Checks the email for any content patterns (e.g. requests for bank transferral, requesting sensitive information, etc.)
  • Fraud Attempt Analysis: Checks the integrity and authenticity of meta data and mail content
  • Identity Spoofing Recognition: Identifies and blocks faked senders
  • Spy-Out Detection: Checks if any sensitive information is requested (e.g. passwords)
  • Feign Facts Identification: Checks the email for any attempts to gain information by feign facts
  • Targeted Attack Detection: Detects aimed attacks towards a specific person

ATP URL Rewriting
The URL Rewriting is responsible for testing URL's in incoming emails for any harmful content. To do so, the mechanism will rewrite any identifiable URLs in incoming emails in such a manner, that any URL opened from the email will be rerouted through our ATP filter, which acts as a web proxy and scans the content of the website before forwarding the user to the webpage.

Due to rewriting the URL, the recipient will notice some different behaviour:

  • The URL from within the email will change

The mechanism will rewrite the URL in such a manner that the ATP filter will act as a web proxy. The structure of the URL will be:

atpscan.global.hornetsecurity.com + a generic ending

  • When opening the website through the URL in the email, the recipient will see the Hornetsecurity ATP banner.

If you want to convert the cryptic URL back to its original state, you can use the URL Decoder.

In the following circumstances, the URL Rewriting won’t be able to work as expected:

  • Signed/encrypted emails: Rewriting the URL would harm the email integrity
  • Using the URL Decoder: If the URL is not opened using the generic ATP URL, the ATP service will not be able to act as a web proxy

Setup ATP URL Rewriting

To setup URL rewriting, EveryCloud Support will require a list of Internal URL's from the customer that are to be added to the allow list, e.g. Intranet server URL. The URL Rewriting Filter will need to be enabled through customer support . Enabling the ATP filter through the Control Panel will not be sufficient.