Security Reports

Data security is critical to any organization that uses email as their business communication. To prevent your organization's data from being misused, Security reports play an important role. Zoho Mail provides various reports related to security, allowing you to monitor the phishing attempts made against your organization's users and ensure take proactive steps to ensure each user's data is safe and secure.

Login Reports

The login reports section provides an overview of the Suspicious login attempts and Session history of your organization's users.

Suspicious Login Report

Based on a user's previous login behaviour, Zoho Mail alerts if there is any suspicious login activity. Administrators can view the list of suspicious login activities based on the selected duration. To view the suspicious logins, follow these steps:

  1. Log in to Zoho Mail Admin Console and select Reports on the left pane.
  2. Navigate to Security and select Suspicious login.
  3. Select the desired date range from the drop-down. Below are the details available in the report :
    • Name/Email - Name and email address of the user.
    • Login time - Mentions the time that the user logged in to the account.
    • Location - Displays the location from where the user has logged in.
    • Login source - Mentions the source of login (protocol types), such as POP, IMAP, WEB, SMTP_IN, and SMTP_OUT.
    • Client IP address - The IP address from which the login was performed.
  4. Use the Seach bar to filter the report based on the email address, client IP address, location or login source. The suspicious login report appears for the selected filter criteria.
    suspicious login report

Session History

The session history report displays the number of live sessions for the selected user. The report displays the Client IP address and Session start time. Navigate to Session history under the Security section in Admin Reports. Enter a user name in the search bar to view the corresponding session history. You can also export or expand the graph view as per your requirement.
session history

Threat Activity

Threat activity report lists the malicious activities targeted against your organization's users, which can end up as a threat to your organization's data security. This report aids you to identify and understand cyberattack attempts and address them in a timely manner.


  • The Threat Activity report will be rolled out in a phased manner and be available only for organizations that use one of our paid plans.
  • If you want the option enabled for your organization, please reach out to us at

The Threat activity report in Zoho Mail Admin Reports is grouped into different categories based on the nature of the threat. The table given below provides an overview of each threat type:

Threat typeDescription
AnamolyThe unusual behaviours observed in the incoming and outgoing emails of a user are identified and displayed under Anamoly.
Bulk spam markingUsers marking multiple emails as spam are displayed under Bulk spam marking.
LoginsSuspicious login and failed login reports help you to keep track of user logins. If a user reports an account block issue, admins can check the Login report and take necessary actions (unblock) based on the user's request.
Mail rejectionCertain email attachments can contain a virus. Mail rejection report provides a list of emails that get rejected due to a virus or blocked attachment.
PhishingThe emails which are marked as Phishing fall under the Phishing threat activity report.
Spam actionsSpam actions report gets generated whenever a user clicks on a URL/ downloads an attachment in a spam email or replies to a spam message. This allows you to educate users on a timely basis about the email security steps that each user should observe on a daily basis.
Spam markingThe list of emails marked as spam by the users can be found under the Spam marking report category.
Virus detectionWhen email attachments are scanned for viruses, a report gets generated for those emails which were marked as spam due to a virus found in the attachment. Such reports are grouped as Virus detection.

Accessing Threat Activity Reports

Follow these steps to view the threat activity reports:

  1. Log in to Zoho Mail Admin Console and select Reports on the left pane.
  2. Navigate to Security and select Alert center. The threat activity report appears with the following details:
    1. Threat type - Mentions the threat type. Refer to the table given above for details about each threat type.
    2. Description - Provides a brief description of the threat. For example, if a user marks an email as phishing, the description displays "Email was marked as phishing by the user".
    3. Details - Contents of the Details column differ based on the threat type. Some of the details are - From email address (spam marking), count of emails (anomaly), Location (login activity), etc.
    4. Time - Displays the date and time at which the threat was detected.
  3. Select the preset duration or a custom date range for which you want to view the report. By default, All will be selected.
  4. Use the Search bar and Filter options to narrow down the report based on your requirement.
  5. If required, click Filter on the top menu, hover over a threat and choose the sub-category from the available list:
    • User reported - As spam, As spam (bulk) and As phishing
    • Mail moved - As attachment in spam and As mail is spam
    • Spam actions - URL clicked, Attachment downloaded and User replied
    • Mail rejected - Virus attachment and Blocked attachment
    • Spam detected - Marked as spam
    • Anomaly - By incoming and By outgoing mail
    • Login - Suspicious login and Failed login 

The threat activity report appears for the selected filter criteria.

Still can't find what you're looking for?

Write to us: