Corporate Encryption User Guide

The ExchangeDefender Encryption security portal is a secure, encrypted interface that allows users from multiple organizations to exchange email securely.

Summary


ExchangeDefender Encryption is an email, web, and SMS messaging platform designed to make sending secure messages easy and accountable. ExchangeDefender Encryption is a secure, encrypted, web-driven interface that allows users from different organizations to exchange messages securely with various degrees of privacy and security. With various industries establishing regulatory compliance requirements on how secure and personally identifiable information should be stored and transferred, ExchangeDefender offers an all-in-one encryption solution that is capable of scaling and fitting business security requirements without inconveniencing the user.

ExchangeDefender Encryption is very easy to use and requires no software installation or complicated / antiquated technology – “sending an encrypted email is as simple as putting [ENCRYPT] in the subject” and our system makes sure that nobody can intercept and read your message except the intended recipient. Corporate encryption policies automate the process of email encryption based on message contents (via pattern recognition and encryption lexicons) and sender/recipient rules, and can be customized to include Compliance Officer escalation for approval and rejection.

The ExchangeDefender Encryption Portal gives users central access to all encryption messages, contacts, groups, as well as a full audit log. From this secure site, available via desktop and mobile, you can manage your entire email encryption experience and get even more powerful control over how your encrypted messages are secured. The login credentials or password reset link will be sent to you by your IT department and you can access all services here:


ExchangeDefender Encryption Portal

https://encryption.exchangedefender.com


If you are not an ExchangeDefender Encryption subscriber, your IT department needs to obtain a license for you to send encrypted messages. There is no cost or licensing required for your recipients, and there is no software to download or install to access messages. Everything simply works through any modern web browser, on any device.

ExchangeDefender Encryption - Dashboard



Navigation through the ExchangeDefender User Interface (UI) features a toolbar across the top for quick access to frequently used features, and management sections on the left. The rest of the UI contains the main area where you manage your Inbox, send messages, set up groups and contacts, audit activity, and manage your settings. Almost all pages will also have a tabbed interface for additional settings, the ability to export the current view into a csv/pdf/Excel, and search/paging functions where available.

The ExchangeDefender Encryption Dashboard features navigation, recent messages you have worked on, and recent activity in your account. Message Stats Graphs are featured prominently, showcasing what encryption users are most concerned about: whether the encrypted messages you sent are being read, whether you are taking care of security and using adequate encryption levels, and quick access to items that need your immediate attention, such as messages that are set to expire soon.

The purpose of the dashboard design is to get you back to your work right away, and to highlight recent activity to help you identify anything suspicious and how your encrypted messages have been received.

The toolbar across the top, which is featured in every section of the Encryption Portal, gives users quick access to frequently used actions. From left to right you will see the logo, << autohide button, Quick Actions button, Settings button, and your Profile tab.

  • Autohide - Autohide feature is designed for power users that are familiar with the portal and want to automatically hide navigation clutter (useful when composing messages or reviewing Compliance Officer messages).
  • Quick Actions - Quick actions feature quick access to the features of the portal you use the most, such as one-click access to send a new encrypted message.
  • Settings - Account, Security, and Preferences can be accessed from every screen and help customize your experience and overall service behavior (such as date and time formatting preferences).
  • Profile - Quick access to your other ExchangeDefender services, and a friendly reminder to stay secure by always logging out.

How to send an encrypted email


ExchangeDefender Encryption - Inbox



ExchangeDefender Encryption Inbox gives you an overview of all your encryption messages, their status, and gives you the ability to send new messages. Click on + Compose to start writing a new encrypted message.

The search bar across the top of the UI allows you to quickly locate messages by subject, encryption level, or date range. Keep in mind that encryption messages expire after 30 days by default for your security, but can be kept longer using our Corporate Archiving service.

Inbox also shows you how the message sender categorized the message when they sent it, as either [Secure Encryption] or [Basic Encryption]. The difference between the two is the level of security and authentication you require for your message to be accessed by your recipients (for more details see the “Should I use Basic or High Security to send encrypted messages?” section).

New and unread messages are highlighted with a blue background, while read messages have a white background. To read the message, simply click on the subject.

ExchangeDefender Encryption - New Message



Composing a new Encrypted Message with ExchangeDefender can be as simple or as flexible as you wish to make it. Your selection will vary depending on the content of the message, recipient, your security policies, as well as personal preferences.

Simple way: Type in the email address of your recipient, type the subject and the message (along with any attachments) and click on Send. This will assign your organization's default security policy that has been configured by your Compliance Officer or IT. That’s it, you’re done!

Customized way: ExchangeDefender Encryption provides the most powerful customization policies for message encryption, and we’re the only omnichannel solution for message encryption allowing you to send messages securely to web services as well as mobile devices via SMS. Because your content never leaves your Encrypted Inbox, you do not have to worry about sensitive information being stored in mailboxes and devices you have no control or security assessment of – which is why default policies are created to be secure first, and secure by default. Let’s take a look at how encrypted message security policies can be customized to meet your security requirements.


ExchangeDefender Encryption enables you to send encrypted messages to individual email addresses, to predefined groups of contacts, to a web service or site (such as Slack, Teams, Facebook, forums, or your corporate web site), and even to mobile phones using SMS/text messages.

ExchangeDefender Encryption - New Contact or Group Message


Sending encrypted messages to Contacts or Groups is as simple as typing in the email address. ExchangeDefender enables you to save contacts and groups of contacts (scroll down) that you send messages to frequently.

Provide the subject, message, and attach any file you may need or want to.

ExchangeDefender Encryption - New URL Message


ExchangeDefender Encryption enables you to send encrypted messages to web sites and services while maintaining the security and custody of the message contents. The system generates a short URL that can be copied and pasted into Slack, Teams, Facebook, social media, or any other web site or service. URL Encrypted Messages are among the most popular features of ExchangeDefender Encryption because they provide a secure authentication layer, automatically delete the content, and provide advanced tracking.

The process is exactly the same as sending a message to an email address, group, or mobile device: just type your subject, message, attach anything you wish to and click Send.

After you click Send, a dialog box will pop up with the link to the message. You can copy and paste this link and everyone with the access to it

ExchangeDefender Encryption - New SMS Message


ExchangeDefender Encryption enables you to send encrypted messages to mobile devices via SMS / text messages. This feature is highly sought after by doctors, attorneys, insurance, and real estate personnel who frequently interact with clients who are not in front of their PC or do not have full access to email at all times. “We’ll just text it to you” is an easy way to deliver a secure message while still keeping the contents in your custody in your secure Inbox.

Sending a secure message to a mobile device is the same as sending any other encrypted message through ExchangeDefender Encryption, with one important difference: you only need to know the recipient's mobile phone number.

The recipient will receive an SMS message with the link to the secure encrypted message.

When they click on it, the default web browser on the phone will go to the secure SSL-encrypted web site and show them the message and contents.

ExchangeDefender Encryption Options


ExchangeDefender Encryption features a very powerful and flexible set of policy engines that help automate the security and privacy of your content. Some encryption options are established by the Compliance Officer or IT department using the Encryption control panel at https://admin.exchangedefender.com – these are the default settings for the organization.

Each user has the ability to customize the encryption policy for each message on-demand. Because each message contains different content, we enable the sender to pick the most appropriate encryption policy that can get the message to the recipient safely. Every account is assigned two default policies: Basic Security and High Security. They can be further customized with Advanced Options and users have the ability to save policy changes as brand new personal Encryption policies.

Basic Security or High Security, which one should I use?


Both Basic and High Security encryption levels will get your message to the recipient in a safe, secure, and encrypted fashion with a full audit trail. The primary difference between the two is that High Security requires the recipient to create a profile so that the message cannot be compromised by a third party. ExchangeDefender strongly encourages the use of High Security.


The Basic Security encryption level sends a link to the recipient. When they click on the link, their web browser will open a secure SSL-encrypted connection to our encryption portal and will immediately display the message (assuming that the message is not password protected). Anyone that might get the message accidentally (due to a typo), or that has access to the recipient's Inbox (IT department, manager, hackers, etc.) will be able to see the encrypted message just by clicking on the link. If your PC or network or attached devices are compromised, hackers can steal this information.


The High Security encryption level provides the same level of baseline security as the Basic Security level, but it prompts the recipient to set up a password and a PIN to protect their account. This free and safe process takes less than 1 minute to complete the first time the recipient gets an encrypted message. The addition of a password and a PIN to the recipient's profile eliminates the possibility that the message or its contents can be intercepted by a hacker, by a compromised firewall or PC or mobile device.


So which one should I use? When in doubt, use the safest, most secure settings possible. The best practice is to discuss the email or message with the recipient and advise them that you’ll be sending them an encrypted message. If you are sending sensitive information to a public freemail system or to someone you suspect may not have the best security standards, we recommend using a password to protect the message. Some Fortune 500 companies have a policy that prohibits employees from providing personally identifiable information over the web or signing up for services, so if they cannot enroll in ExchangeDefender Encryption you’ll fall back on Basic Security level (just set a password and inform them ahead of time).

Advanced Options


ExchangeDefender Encryption enables you to customize the level of security in realtime as you’re composing your message. Advanced Options, to the right of the New Message section, allow you to specify advanced message handling parameters and to save the encryption policy so you can reuse it later.

By default, the security options are established by your IT department or Compliance Officer at https://admin.exchangedefender.com and are published as the Default encryption policy. Here is how you can customize and create your own.

Automatically destroy this message after # days: ExchangeDefender Encryption can automatically destroy messages between 1 and 30 days after the message has been sent. The less trustworthy the recipient is, the shorter your automatic destruction period should be.

Notify this user when the recipient reads this message: ExchangeDefender Encryption can automatically send an email notification when the recipient accesses/reads the message. This policy is helpful if you need to notify a coworker, distribution group, or any 3rd party.

Password protect this message: ExchangeDefender Encryption can provide an additional layer of password security for both encryption levels. Once the recipient logs in (High Security) or clicks on the link (Basic Security) clicking on the message will display a password prompt. Without it, the message will not be displayed.

Notify me when the recipient reads this message: ExchangeDefender Encryption will send you an email notification when your recipient has accessed/read the message. This is convenient when you don’t send a large volume of encrypted messages and want to have a near realtime alert that your secure message has been accessed (so you can revoke it and limit exposure).

Actions allowed for recipients: Allow Reply: Checking this box will enable the recipient to Reply to your message using the encryption portal, and you will receive a notification of the response in a safe and encrypted email.

Actions allowed for recipients: Allow Forward: Checking this box will enable the recipient to Forward the message to a third party. If this box is not checked and they click on the Forward button, you and your Compliance Officer will be alerted to the possible violation (they will not be allowed to forward the message).

Actions allowed for recipients: Allow Print: Checking this box will enable the recipient to print the message. If this box is not checked and they click on the Print button, you and your Compliance Officer will be alerted to the possible violation (they will not be allowed to print the message).

Save these options to a new Policy – Pick a name for your new policy and click Save. You will be able to select the policy from the Encryption Policy: dropdown, which will then populate the saved settings (so you can further customize it on demand).

ExchangeDefender Encryption - Contacts


ExchangeDefender Encryption makes it easy to be more productive by saving contacts you often send messages to. If you would like to import or create your contacts ahead of time so you don’t have to copy and paste or remember their email address, click on the contacts tab.

Click on +Create New Contact and just provide the name and email address. It’s that simple.

ExchangeDefender Encryption - Groups


ExchangeDefender Encryption also supports groups so you don't have to sit and type in email addresses of your recipients every time you send an encrypted message to multiple users.

You can add contacts to a group by clicking on +Create New Group and providing information about your contacts.

At any time, you can also click on the + icon next to the group name to +Add more members or click on the red X button next to the contacts you wish to remove from the group.

ExchangeDefender Encryption - Activity Audit Log


ExchangeDefender cares about your privacy and security. Every single action related to encryption is listed here and it can give you an idea of what was done even after the messages are gone.

This screen is important for compliance and auditing purposes, and can be provided to your Compliance Officer (CO) if there is ever a question about who sent the message, when it was received, by whom, and which IP address they were using.

ExchangeDefender recommends reviewing the activity log periodically for security purposes.

ExchangeDefender Encryption - Recipient Experience


When you send an encrypted message to the recipient, your message is automatically encrypted and kept on ExchangeDefender's secure platform. The message is never sent in plain text, nor are message contents transferred to the recipient's mailbox in any way. They simply get a notification telling them that an encrypted message is waiting for them.

To access, view, and respond, all the recipient has to do is click on View Message on any device with a modern web browser and they will be taken to the message.

If you used the [ENCRYPT] option to send the message, the recipient will need to enroll in the ExchangeDefender service and provide the following information. This information is required for legal and security purposes. Once the user has identified themselves and set their password and four-digit PIN, the account is officially enrolled and locked down with personally identifiable information no other individual or organization is aware of. These credentials are used to further encrypt and secure the message transfer. They are also used to eliminate the possibility of a man-in-the-middle attack, and to keep out rogue IT department personnel that may be reading emails without authorization, or anyone that has access to the recipient's email.

After they complete the process they will be taken to the message.

The recipient can then respond to the message, configure their own encryption settings, access attachments or otherwise act on the message as they wish.

ExchangeDefender Encryption - Message Receipt


If you chose to receive a notice when the recipient has received your message, ExchangeDefender Encryption will send you an email when the recipient reads the message.

Compliance Officer


ExchangeDefender Corporate Encryption provides a Compliance Officer facility to review messages that triggered a blocking policy, so that messages that may have included something that matched a lexicon entry or other restriction can still be delivered to the intended recipient or returned to the sender.

The Compliance Officer’s role within the company is to review and approve/reject messages that do not meet the corporate security policy established in the admin.exchangedefender.com Corporate Encryption tab. Some organizations tend to be very conservative in terms of content they allow to leave their network and they can set up very restrictive lexicons (words or sentences that, when detected in the message, will automatically make it subject to review). ExchangeDefender enables these managed organizations to be cautious and block messages from going out while still providing the failsafe of a compliance officer review screen so that messages can be reviewed.

The ExchangeDefender Compliance Officer screen is available to everyone designated as a Compliance Officer at https://encryption.exchangedefender.com in the tab labeled “CSO”. If you need to add more users as Compliance Officers, please go to admin.exchangedefender.com, log in as the Domain Administrator, and click on Corporate Encryption > Compliance Officers. (Note: if you do not see this tab, you do not have a license for corporate encryption; please contact us.)

CSO Dashboard


ExchangeDefender Corporate Encryption relies on auto-detection (AI) to determine if the message contains personally identifiable information (PII), or matches a blocking policy defined by the Compliance Officer at admin.exchangedefender.com. Organizations can define as many patterns, words, sentences, and policies as they need to automatically detect sensitive content; one of the available actions is to Alert Compliance Officer.

In that scenario, messages that trigger such rules are presented to the Compliance Officer under the CSO tab at https://encryption.exchangedefender.com:

ExchangeDefender’s friendly interface is nearly identical to the Inbox experience, and messages can be accessed in the same way: by clicking on the subject:

Compliance Officers can review all messages, all attachments that trigger the alerting policy, and have the ability to either Approve the message or Reject it.

In the event that the message is not reviewed and either Approved or Rejected, it will be automatically deleted.

Dashboard also features multi-select, with the ability to mass-approve or mass-reject multiple messages at the same time.

Encryption Approve vs. Reject


ExchangeDefender Corporate Encryption offers two actions that a compliance officer can take when the message is auto-detected as violating the corporate policy: Approve or Reject.

Approval


ExchangeDefender Corporate Encryption gives Compliance Officers three different actions to approve the message delivery:

  • Send Now - ExchangeDefender will send the message to the recipient as it was originally sent with no modifications.
  • Force Basic Security - ExchangeDefender will send the message to the recipient but it will encrypt it. The recipient will receive a notice that the encrypted message is waiting and they’ll be able to click on the link and read/respond to the message.
  • Force High Security - ExchangeDefender will send the message to the recipient but it will encrypt it as highly secure. The recipient will receive a notice that the encrypted message is waiting and they’ll be able to click on the link and authenticate to read/respond to the message.

Rejection


ExchangeDefender Corporate Encryption enables Compliance Officers two options for handling a message that triggered auto-detection and in their opinion, needs to be blocked:

  • Reject Now - ExchangeDefender will reject the message and immediately remove it from the system. Neither the sender nor the recipient will be notified.
  • Reject and Notify Sender - ExchangeDefender will reject the message and send the notice to the sender of the message explaining that the message was blocked by the Compliance Officer. The recipient will not be notified.

Admin Settings


ExchangeDefender Corporate Encryption administration is done through the ExchangeDefender Domain Admin portal at https://admin.exchangedefender.com. The Corporate Encryption tab (contact us to obtain licensing if you do not see it) contains all the global settings for the organization, encryption policies, compliance officers, as well as access to logs and troubleshooting tools.

Routing Encryption


ExchangeDefender Corporate Encryption supports strict routing-based encryption policy that can automatically encrypt mail when it’s going between defined sender/recipient combinations.

To add another encryption policy, click on +Add New and provide either an email or the domain name. When ExchangeDefender detects messages that match your patterns, it will automatically encrypt the message regardless of its contents.

Lexicon Encryption


Lexicon enables Compliance Officers to provide a defined dictionary of terms (words or sentences) to scan all sent messages for. If ExchangeDefender detects a word defined in the lexicon, it will automatically apply the desired policy.

Available policies are:

  • Hold for CSO Approval - (recommended) ExchangeDefender Corporate Encryption will not deliver the message to the recipient unless the CSO approves it at https://encryption.exchangedefender.com under the CSO tab. We recommend this setting because sometimes compliance officers and IT personnel can become overly aggressive in their policies and it’s best to have another look instead of rejecting the message automatically and causing further inconvenience (or worse, having it sent through another insecure service)
  • Basic Security - ExchangeDefender will allow the message to be delivered but will encrypt the message using Basic Security settings.
  • High Security - ExchangeDefender will allow the message to be delivered but will encrypt the message using High Security settings.
  • Alert Compliance Officer - Message will be sent as-is, but the Compliance Officer will be emailed with a notice.

Pattern Matching


ExchangeDefender Corporate Encryption supports pattern matching in emails, exceeding the capabilities provided by encryption routing and lexicon (word and sentence) dictionaries.

Pattern matching allows us to use regular expressions to search the message for the presence of specific, well defined patterns such as credit card numbers and social security numbers:

Available policies are:

  • Hold for CSO Approval - (recommended) ExchangeDefender Corporate Encryption will not deliver the message to the recipient unless the CSO approves it at https://encryption.exchangedefender.com under the CSO tab. We recommend this setting because sometimes compliance officers and IT personnel can become overly aggressive in their policies and it’s best to have another look instead of rejecting the message automatically and causing further inconvenience (or worse, having it sent through another insecure service)
  • Basic Security - ExchangeDefender will allow the message to be delivered but will encrypt the message using Basic Security settings.
  • High Security - ExchangeDefender will allow the message to be delivered but will encrypt the message using High Security settings.
  • Alert Compliance Officer - Message will be sent as-is, but the Compliance Officer will be emailed with a notice.
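
The pattern-matching step described above, as an added example (not ExchangeDefender's own rules or code): candidate credit card and social security numbers are found with regular expressions, validated to cut false positives (Luhn checksum, never-issued SSN ranges), and mapped to one of the policies listed above. The rule names, the rule-to-policy mapping, and the strictness order used when several rules match are assumptions of this example.

```python
import re

# The four policy actions named in this guide, least to most restrictive.
# Assumption: this ordering is this example's choice; the guide defines none.
ACTIONS = ["Alert Compliance Officer", "Basic Security",
           "High Security", "Hold for CSO Approval"]

# Hypothetical rule table: rule name -> policy action.
RULES = {"credit_card": "Hold for CSO Approval", "ssn": "High Security"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# SSN written as AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(area, group, serial):
    """Reject number ranges that are never issued (000, 666, 9xx, 00, 0000)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def mask(value):
    """Keep only the last four digits so findings are safe to log."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text):
    """Return a list of (rule_name, masked_value) for validated matches."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group())))
    return hits


def decide(text, rules=RULES):
    """Return (policy_action_or_None, hits); the strictest matching rule wins."""
    hits = scan(text)
    if not hits:
        return None, hits
    action = max((rules[name] for name, _ in hits), key=ACTIONS.index)
    return action, hits


# Constructed sample messages (test numbers only, not real data).
MSG_CARD = "Please charge card 4111 1111 1111 1111, exp 09/27."
MSG_SSN = "Employee SSN: 123-45-6789"
MSG_CLEAN = "Order 1234567890123456 shipped; reference 000-12-3456 is a placeholder."

if __name__ == "__main__":
    for body in (MSG_CARD, MSG_SSN, MSG_CLEAN, MSG_CARD + " " + MSG_SSN):
        print(decide(body))
```
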

Compliance Officers


ExchangeDefender Corporate Encryption service features designated Compliance Officers (CSO): the organization's personnel in charge of determining if messages comply with the corporate IT or data protection policy. Corporate Officers are in charge of reviewing messages that ExchangeDefender is instructed to intercept from reaching the recipient (due to the presence of sensitive or personally identifiable information):

To add a new Compliance Officer just select them from the New Account: dropdown and click on +Add Officer.

On the right you will see a customizable notice that the CSO will receive on behalf of ExchangeDefender.

Encryption Log


ExchangeDefender Corporate Encryption features extensive logging and can help you locate encryption messages as well as the policy that was applied:

Reset Encryption Account


ExchangeDefender Corporate Encryption enables Domain Admins to destroy recipients' accounts on our encryption portal.

If you use High Security as an encryption policy, your recipients are required to enroll in the service by providing a password and a PIN. This is a security precaution that eliminates man-in-the-middle attacks, harvesting, and unauthorized personnel from accessing the organization's sensitive data. Unfortunately, sometimes recipients forget their password and PIN or simply cannot/will not reset their password. For those scenarios, Domain Admins can destroy the recipient's account and allow them to re-enroll.

Notification Branding


ExchangeDefender Corporate Encryption enables organizations to customize notifications sent to recipients when they receive an encrypted message. In those situations you really want to present your brand and your message (not ExchangeDefender’s) and this is where you can provide your logo and message contents.

Header is featured above the button that takes the recipient to the encrypted message.

Footer is located below the button that takes the recipient to the encrypted message.

Default Policy


ExchangeDefender Corporate Encryption enables Domain Administrators to set the default encryption policy for all the accounts in the organization. These settings are customizable for each user, and for each message they send: the only policy you are defining here is what the defaults are for messages sent through email or mobile devices, as well as the default settings the users see when they send the message through the portal:

Please keep in mind that these are merely the defaults that are pre-set when the client logs in. They are free to change them (and save as new policy templates).

Encryption Outlook Add-in


Terminology


  • Add In refers to an add-in within Outlook and Outlook Web that will extend the behavior within those products.
  • Basic Encryption refers to sending an encrypted email in which any recipient can open the link to view the message with no additional layers of security or reporting.
  • Secure Encryption refers to sending an encrypted email in which every recipient must log in to encryption in order to view the message.
  • Header Trigger Key refers to the invisible header, X-ExchangeDefender-Encryption, which gets appended to the message body to trigger encryption when using this add-in inside Outlook or Outlook Web (Office 365 only). This is a backup method to Subject Trigger Words and cannot be invoked manually by the user.
  • Subject Trigger Words / Trigger Words refer to the tags such as [ENCRYPT] or [CLEARENCRYPT] which are prepended to a subject in order to signal for encryption during transport. A space is not required after the tag, but is allowed.

For example, the following subjects will yield the following results:

Subject | Action | Reason
[ENCRYPT] Your Documents | SECURE ENCRYPTION | Contains the trigger [ENCRYPT]
[CLEARENCRYPT] Your Documents | BASIC ENCRYPTION | Contains the trigger [CLEARENCRYPT]
Your Documents | NONE | Does not contain trigger words, will not encrypt (unless you have a corporate encryption account with lexicon policies)
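
The subject-trigger behavior in the table above, as an added example (not ExchangeDefender's code): it parses a raw message, decodes the Subject header, classifies it, and flags subjects where a tag looks mistyped or displaced, which is the "message is not being encrypted" case from Troubleshooting. It assumes the tag must lead the subject and is matched case-sensitively (the guide only says tags are prepended); the function names and the near-miss heuristic are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default

# Trigger tag -> encryption level, as listed in the guide's table.
TRIGGERS = {
    "[ENCRYPT]": "SECURE ENCRYPTION",
    "[CLEARENCRYPT]": "BASIC ENCRYPTION",
}

# Heuristic (assumption): a bracketed ENCRYPT-like token that is not an exact
# leading tag, e.g. "[encrypt]", "[ENCRYPTED]" or a tag pushed behind "RE:".
NEAR_MISS = re.compile(r"[\[({<]\s*(?:CLEAR[\s_-]*)?ENCRYPT", re.IGNORECASE)


def classify_subject(subject):
    """Return (level, subject_without_tag) for a decoded subject line."""
    s = subject.strip()
    for tag, level in TRIGGERS.items():
        if s.startswith(tag):
            # A space after the tag is allowed but not required.
            return level, s[len(tag):].lstrip()
    return "NONE", s


def audit_message(raw):
    """Parse a raw RFC 5322 message and report how its subject is handled."""
    msg = message_from_string(raw, policy=default)
    # policy=default decodes RFC 2047 encoded-words in the Subject header.
    subject = str(msg["Subject"] or "")
    level, rest = classify_subject(subject)
    warning = None
    if level == "NONE" and NEAR_MISS.search(subject):
        warning = "possible mistyped or displaced trigger tag"
    return {"level": level, "subject": rest, "warning": warning}


def make_message(subject):
    """Build a constructed sample message around a subject line."""
    return ("From: sender@example.com\nTo: rcpt@example.net\n"
            f"Subject: {subject}\n\nSee attached.\n")


# Constructed sample subjects (not taken from real traffic).
SAMPLES = [
    "[ENCRYPT] Your Documents",
    "[CLEARENCRYPT]Your Documents",                  # no space after the tag
    "=?utf-8?B?W0VOQ1JZUFRdIFlvdXIgRG9jdW1lbnRz?=",  # encoded "[ENCRYPT] Your Documents"
    "Your Documents",
    "RE: [ENCRYPT] Your Documents",                  # tag no longer leads
    "[encrypt] Your Documents",                      # wrong case
]

if __name__ == "__main__":
    for subj in SAMPLES:
        print(audit_message(make_message(subj)))
```
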

Installation


In order to install the add-in, users must import the add-in manifest into their Mailbox Add-ins, unless the deployment is being facilitated by administrators on Office 365.

Installation using Outlook


Select File

Select Manage Add Ins

At this point your browser should open to your Exchange Control Panel

Usage


When you enable encryption you will see a notification that the message will be encrypted. The message’s subject will be altered to include either [ENCRYPT] or [CLEARENCRYPT] (secure and basic, respectively). 

To remove encryption you simply need to select the icon again. When encryption is disabled, any previous notifications regarding encryption being enabled will be removed.

Usage (Outlook)


While composing a message in Outlook you will see two new icons inside the Ribbon Bar to enable encryption.

After selecting an encryption type, Outlook will notify you of the encryption setting used.

Usage (Outlook Web)


While composing a message in Outlook Web you will see one icon at the bottom which contains the options to

Troubleshooting


  • Encryption buttons are visible but my message is not being encrypted
    • I am using Outlook
    • I am using Outlook Web
      • I do see the subject modified to include either [ENCRYPT] or [CLEARENCRYPT]
        • Make sure you are not removing the tags [ENCRYPT] or [CLEARENCRYPT], as the presence of these tags in the subject is critical.
      • I do not see the subject modified
        • Reinstall the add-in or contact support
  • Encryption buttons are not visible when composing a message
    • I do not see “ExchangeDefender Encryption” inside my add-ins
      • Make sure you followed the installation documentation
    • I do see “ExchangeDefender Encryption” inside my add-ins
      • Make sure the add-in is turned on
