How Banner Remediation Works in Rotate

Remediations | Duration: 4 min

How the Rotate “Suspicious E-Mail” Banner Works

Sometimes you don’t want to block or quarantine a message, but you do want the user to slow down and think before clicking anything.

That’s exactly what the Rotate email banner is for.

When an email is considered risky, Rotate can insert a clear warning banner at the top of the message body:

Suspicious E-Mail: Mail was flagged by Rotate with potential threats

This warning appears inside the email itself in Outlook, Gmail, and mobile clients, so users can’t easily miss it.


What Is the Rotate Email Banner?

The email banner is a visual warning strip added to the top of the email content when Rotate detects potential threats but your policy says:

  • “Don’t block it, just warn the user and let them decide.”

The banner text is:

Suspicious E-Mail: Mail was flagged by Rotate with potential threats

The goal is simple:

Give users an immediate, unambiguous signal that this email may be dangerous.

No plug-in is required on the user’s device; the banner is injected at the mail level by Rotate as part of the remediation step.


When Does Rotate Add the Banner?

The banner is applied as part of your email security policy logic.

At a high level, the flow looks like this:

  1. Email arrives

    A message reaches your environment (e.g. M365 / Google Workspace) and is passed through Rotate.

  2. Rotate inspects the email

    Rotate evaluates multiple signals, such as:

    • Failed or missing SPF / DKIM / DMARC
    • Suspicious links, attachments, or domains
    • Impersonation / BEC-style content
    • Known threat intelligence indicators
    • User-targeting patterns (VIPs, finance, HR, admins, etc.)

  3. Risk classification

    Based on your policies, the email may be classified as:

    • Clean / allowed
    • Malicious

  4. Email is delivered with a warning banner

    Rotate injects the warning at the top of the email body and then hands it off for delivery.


How the Banner Looks to End Users

From the end user’s perspective, the experience is straightforward:

Before remediation

A regular email might look like this:

  • Subject: Payment confirmation
  • Body:

    Hi,

    Please see attached payment confirmation for last month’s invoice.

Nothing visually indicates risk.

After Rotate banner remediation

The same email will now start with a warning banner:

  • Subject: Payment confirmation
  • Body:

    Suspicious E-Mail: Mail was flagged by Rotate with potential threats

    Hi,

    Please see attached payment confirmation for last month’s invoice.

The user immediately sees:

  • This message has been flagged by Rotate
  • There may be links or attachments that are unsafe
  • They should double-check the sender, links, and context before acting

Because the banner is inside the message content, it appears in:

  • Webmail clients
  • Desktop clients
  • Mobile mail apps

Users don’t need to install or enable anything extra.


Example: Before & After

Original email

  • From: billing@payments-portal.com
  • To: finance@yourcompany.com
  • Subject: Payment confirmation
  • Body:

    Hi,

    Please see attached payment confirmation.

After analysis, Rotate identifies:

  • Suspicious sender infrastructure
  • Untrusted domain links in the body
  • Known phishing patterns targeting finance teams

Policy result: Mark as suspicious, but still deliver.

Email after banner remediation

  • From: billing@payments-portal.com
  • To: finance@yourcompany.com
  • Subject: Payment confirmation
  • Body:

    Suspicious E-Mail: Mail was flagged by Rotate with potential threats

    Hi,

    Please see attached payment confirmation.

The user can still read and respond if needed but does so with a clear security warning up front.
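As an added illustration (not Rotate's code, and not part of the original page), the Python example below shows what body-level banner injection involves for the before/after message above: the banner has to go into both the text/plain and the text/html part so every client renders it, and a rescan must not stack a second banner. The function names, the HTML styling, and the MIME layout of the sample message are assumptions.

```python
import re
from email import message_from_string, policy
from html import escape

BANNER = "Suspicious E-Mail: Mail was flagged by Rotate with potential threats"
# Hypothetical styling for the HTML variant of the banner.
HTML_BANNER = ('<div style="background:#fde8e8;border:1px solid #c00;padding:8px">'
               f"{escape(BANNER)}</div>")

# Constructed sample message, using the addresses from the example on this page.
SAMPLE = (
    "From: billing@payments-portal.com\n"
    "To: finance@yourcompany.com\n"
    "Subject: Payment confirmation\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
    "Hi,\n\nPlease see attached payment confirmation.\n"
    "--b1\nContent-Type: text/html; charset=utf-8\n\n"
    "<html><body><p>Hi,</p><p>Please see attached payment confirmation.</p></body></html>\n"
    "--b1--\n"
)

def add_banner(raw: str) -> str:
    """Prepend BANNER to every inline text/plain and text/html part of a message."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or part.is_attachment():
            continue  # leave containers and attachments untouched
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if BANNER in body:
            continue  # idempotent: never stack banners on a rescan
        if ctype == "text/plain":
            part.set_content(f"{BANNER}\n\n{body}", subtype="plain")
        else:
            # Put the strip right after <body ...>; prepend if there is no body tag.
            new, n = re.subn(r"(<body\b[^>]*>)", lambda m: m.group(1) + HTML_BANNER,
                             body, count=1, flags=re.IGNORECASE)
            part.set_content(new if n else HTML_BANNER + body, subtype="html")
    return msg.as_string()

def part_text(raw: str, subtype: str) -> str:
    """Decoded content of the first text/<subtype> body part (helper for checks)."""
    msg = message_from_string(raw, policy=policy.default)
    return msg.get_body(preferencelist=(subtype,)).get_content()
```

Rewriting the body changes the bytes covered by a DKIM signature's body hash, which is why a rewrite like this belongs after the authentication checks, as in the flow described earlier.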


Why the Banner Matters

The banner is designed to:

  • Increase user awareness at the exact moment they’re about to interact with the email
  • Reduce click-through on malicious content even when the email is not quarantined
  • Support training-by-usage: over time, users learn to recognize warning patterns and behave more cautiously

For organizations, this means you can:

  • Keep business flowing (fewer false-positive blocks)
  • Still strongly nudge users away from risky actions
  • Provide a consistent, client-agnostic warning that works everywhere

Frequently Asked Questions

Add-On
What is the Email Add-On?

The Email Add-On is a tool designed for Gmail and Outlook that helps you identify and manage malicious emails, including spam, phishing attempts, and malware. It enhances your email security by reporting suspicious emails and managing your personal spam list.

Mail Rules
Why are mail rules a security risk?

Mail rules can be exploited to exfiltrate data, hide security alerts, or modify incoming messages. Attackers often use forwarding rules to silently send emails to external accounts or create rules that auto-delete security notifications, making it harder to detect compromises.

Posture
Why is email security important?

Email is a common attack vector for phishing, spoofing, and other cyber threats. Properly configured DMARC, DKIM, and SPF records help prevent unauthorized parties from sending emails on behalf of your domain, protecting your organization from email-based attacks.

Scanning & Detection
What actions can I take on a malicious email?

When a malicious email is detected, you can take the following actions:

  • Block the email to remove it from the user’s inbox.
  • Release the email after it’s been blocked, putting it back in the inbox.

Can I deactivate Rotate Mail Scanning on a specific mailbox?

Yes, you can exclude specific mailboxes from Rotate Mail Scanning. To configure this, open the Configurations tab in the Email Hub, go to Users, and choose the users to exclude.

Email Hub
What does Email Threats mean?

  • Phishing: A type of cyberattack where attackers impersonate legitimate organizations via email or websites to steal sensitive information like passwords or credit card numbers.
  • Financial Fraud: Illegally obtaining money or assets through deceptive means, such as credit card fraud, investment scams, or identity theft.
  • BEC (Business Email Compromise): A type of cybercrime where attackers impersonate company executives or employees to trick others into transferring money or sensitive information, often through email.
  • Malware: Malicious software designed to harm, exploit, or otherwise compromise the data or functionality of a computer, network, or device. Examples include viruses, trojans, and ransomware.
  • Spam: Unsolicited and often irrelevant or inappropriate messages, typically sent in bulk, usually through email. Often used for advertising or spreading malicious content.