Understanding Post-Delivery Email Recheck

Post-Delivery Security extends the security to email messages already in the inbox. Email Recheck expands post-delivery protection, providing another layer of protection in addition to Click-Time Protection.

Post-Delivery Email Recheck is a multi-phase process:

1. The Email Recheck process can be triggered by several sources, including end-users and administrators. For example: emails that were reported by the end-users as suspected phishing, clicks on malicious URLs in emails protected by Click-Time Protection, and email reclassification by the administrators.
2. The email messages are examined by Cloud App Security.
3. A global block action is issued, across all mailboxes protected by Cloud App Security. The block action includes all emails that match the relevant match criteria.
4. All marked emails are processed by the relevant customer policy workflows. The emails are removed from the inbox and placed in quarantine, while security events are generated, and notifications sent to the users and administrators.

The security event appears as Post-delivery recheck as a detection reason in the detailed information for the email message.