Description of the ATP Engines

ATP uses a number of engines to detect and fend off attacks.

Table 1. ATP engines

ATP Engines

Operating principle and advantages

Sandbox Engine

Attachments are executed in a variety of system environments and their behavior is analyzed. If they turn out to be malware, you are notified. It protects against ransomware and blended attacks.

URL Rewriting

URL Rewriting replaces all links in an email with our own links. As soon as the user clicks on one of those links, he is rerouted to the target website through the Web Filter (see Workspace).

URL Scanning

Documents (such as PDF, Microsoft) attached to an email may contain links. However, the links cannot be replaced as this would damage the integrity of the document. The Hornetsecurity URL Scanning engine leaves the document in its original form and only checks the target of such links.


Emails which cannot be immediately and conclusively assigned to a category but look suspicious are retained for a short period by Freezing. An additional scan with updated signatures is performed later. It protects against ransomware, blended attacks, and phishing attacks.

Targeted Fraud Forensics Filter

The Targeted Fraud Forensics Filter detects targeted personalized attacks carried out without malware or links. It uses the following detection mechanisms:

  • Intention Recognition System: It alerts on content patterns that might hint at malicious intent.
  • Fraud Attempt Analysis: It checks the authenticity and integrity of metadata and email contents.
  • Identity Spoofing Recognition: Detection and blocking of forged sender identities.
  • Spy-Out Detection: Protects against attacks trying to obtain sensitive information.
  • Feign Facts Identification: Content analysis of messages based on provision of feigned facts.
  • Targeted Attack Detection: Detection of targeted attacks on individuals.