Reasons Why a Ticket Message is Marked as Suspicious and Added as Private Note

When a user who does not have access to a ticket replies to it via email, the message is marked as suspicious and added as a private note instead of a public comment. The message stays private and is not visible to the customer until an agent reviews it manually and moves it to a public comment.

A suspicious note is identified by a Suspicious tag on the note, and a default message is appended to it.
For example, when a user who is not authorized to update the ticket replies via email, the system flags the message as suspicious and adds it as a private note. In such cases, the following message is automatically appended to the note:

“This user is not authorized to update. As a result, the update was flagged as suspicious. If it is valid, you can convert it to a public comment.”

This message helps agents quickly identify unauthorized replies and decide whether to move them to public comments.

Suspicious_Note_in_Ticket.png

A suspicious note is added when the sender is not part of the ticket (for example, does not have permission to the ticket). The cases in which the note is added are listed below:

  • The user is not part of CC.
  • The user is not part of the requester company (if access to share tickets in the organization is enabled).
  • The user might have replied to a ticket email from an alternate email ID (different from the one used to create the ticket).
  • The user forwards an email to some other user who is not part of the ticket, and that user has replied to the ticket.
  • An attacker might have gained access to the email and replied to the ticket.

Purpose of suspicious note

The main purpose of suspicious notes is to prevent security flaws. An attacker may gain access to the email and reply to a ticket in order to gain access to it. If that reply were posted directly as a public comment instead of being marked as suspicious, the attacker’s email would be added to the ticket loop and that user would be treated as part of the ticket, which creates a security flaw. This feature avoids that flaw by not allowing any unauthorized user to gain access to the ticket via email.

Convert to public comment

When the agent finds that the suspicious message is valid, it can be moved to a public comment.

To move a suspicious message to a public comment, follow these steps:

  1. Select the Move comment to public option to open a dialog box.
    Option_of_moving_a_suspicious_comment_to_a_public_comment.png
  2. Select Move to move the suspicious message to a public comment.
    The_move_button_that_officially_enables_the_movement_of_a_private_comment_to_a_public_comment.png
  • The comment is moved from private to public and will be visible to the end-user.
  • The end-user will be notified by email.

How to Convert a Suspicious Note to a Public Comment Without Notifying the Contact

By default, when a suspicious note is moved to a public comment, the contact receives an email notification, and the message is posted with the time of moving the private message to public, not the time the client sent the message. If you want to avoid sending this notification, follow these steps:

  1. Set the ticket’s visibility to Private.
    This ensures that any changes made to the ticket, including comment updates, do not trigger email notifications to the contact.

  2. Move the suspicious note to a public comment.
    The note will be converted and made public, but no email will be sent because the ticket is currently private.

  3. Change the ticket visibility back to Public.
    Once the comment has been successfully moved, you can restore the ticket’s visibility to resume normal operations.

Configuring Email Response Permission Checks

The Disable Reply Email Permission Check setting determines whether permission checks are applied to email responses. Checking the box disables the restriction: emails from anyone who is not part of the ticket are not marked as suspicious and are added as public replies. When the box is unchecked, the system checks permissions and adds replies from unauthorized senders as private notes.

Configuring_Email_Response_Permission_Checks.png

Enabled: The system does not verify sender permissions. All email replies will be posted as public comments, regardless of the sender’s access.

Disabled: The system verifies sender permissions. If the sender is unauthorized, their response will be marked as suspicious and added as a private note instead of a public comment.
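
The routing rule described above (who counts as part of the ticket, and what the Disable Reply Email Permission Check setting changes) can be modelled as follows. This is an added example, not BoldDesk's code: the Ticket fields, function names, sample addresses and the case-insensitive address comparison are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Default text the article says is appended to a suspicious note.
SUSPICIOUS_TEXT = ("This user is not authorized to update. As a result, the update "
                   "was flagged as suspicious. If it is valid, you can convert it "
                   "to a public comment.")

@dataclass
class Ticket:  # hypothetical model; field names are assumptions
    requester: str
    assigned_agent: str
    cc: set = field(default_factory=set)
    company_contacts: set = field(default_factory=set)  # requester's organization
    org_sharing_enabled: bool = False

def sender_of(from_header):
    # Assumption: addresses are compared case-insensitively.
    return parseaddr(from_header)[1].lower()

def is_authorized(ticket, sender):
    # Requester, assigned agent and CC are always part of the ticket;
    # company contacts count only when organization sharing is enabled.
    allowed = {ticket.requester, ticket.assigned_agent, *ticket.cc}
    if ticket.org_sharing_enabled:
        allowed |= ticket.company_contacts
    return sender in {a.lower() for a in allowed}

def route_reply(ticket, from_header, body, disable_permission_check=False):
    """Return the comment record an inbound email reply would produce."""
    sender = sender_of(from_header)
    if disable_permission_check or is_authorized(ticket, sender):
        return {"visibility": "public", "tags": [], "body": body}
    return {"visibility": "private", "tags": ["Suspicious"],
            "body": body + "\n\n" + SUSPICIOUS_TEXT}

# Constructed sample ticket (all addresses are made up).
TICKET = Ticket(requester="dana@example.com", assigned_agent="agent@support.example",
                cc={"lee@example.com"}, company_contacts={"sam@example.com"})
```

With `disable_permission_check=True`, a reply from an address outside the ticket comes back as a public comment, which is the exposure FAQ item 6 refers to.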

Frequently Asked Questions (FAQ)

1. What is a suspicious note in BoldDesk?
A suspicious note is a private comment automatically added to a ticket when an email reply is received from a user who is not authorized to access or update the ticket. It helps prevent unauthorized access and potential security risks.

2. How does BoldDesk determine if a user is unauthorized?
The system checks if the sender is part of the ticket (e.g., requester, CC or Agent Assigned to that ticket). If the sender is not recognized or uses a different email ID, the reply is flagged as suspicious.

3. Will the customer see the suspicious note?
No. Suspicious notes are private and not visible to the customer unless an agent manually converts them to public comments.
If converted, the timestamp shown to the customer will reflect the time the note was made public, not the original time the reply was received via email.

4. How can I convert a suspicious note to a public comment?
Agents can use the Move comment to public option, then click Move in the dialog box to make the note visible to the customer.

5. What happens when I enable the “Disable Reply Email Permission Check” setting?
When enabled, all email replies—regardless of sender permissions—are posted as public comments. This bypasses the suspicious note mechanism.

6. Is it safe to disable permission checks for email replies?
Disabling permission checks may expose tickets to unauthorized updates. It’s recommended to keep this setting disabled unless you have strong email security controls in place.

7. Can attackers exploit email replies to gain access to tickets?
Yes. That’s why suspicious notes exist—to prevent attackers from injecting themselves into ticket conversations via email.

8. What kind of scenarios trigger a suspicious note?
Examples include:

  • Replying from an alternate email ID.
  • Forwarding the ticket email to someone who is not part of the ticket, and that person replied to it.
  • Malicious actors replying to ticket emails.