Optimizing Targeted Threat Protection Part 3: Attachment Protect Is More than Just Sandboxing 

Blog Post created by user.OKpiB6a4Le Employee on Jan 7, 2019

Bob Adams is a Cyber Security Strategist at Mimecast. Originally joining Mimecast nearly four years ago as a Sales Engineer, Bob was recruited to Product Management after developing various unique ways of investigating cyber attacks and highlighting Mimecast's services. Bob now continues to use his time to help educate companies on protecting themselves against advanced cyber threats.


Hello, Mimecast Administrators. I hope that you have found some helpful takeaways in the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, as well as in Part 1 and Part 2 of this blog series.


In Part 3, I will cover the various ways in which Mimecast Attachment Protect analyzes attachments and the different ways it can be configured to best protect your organization without compromising your security.


Before we discuss the different settings available to you and how Mimecast inspects files, it’s important to understand the evolution of malware attacks. Files don’t necessarily need to contain a virus or malware anymore, but simply the code to retrieve one. For example, in Mimecast’s Attachment Protect logs, you may see lines such as:


Deleting volume shadow copies

Disabling Windows Updates

Disabling installed firewalls

Disabling known security suites (AntiVirus, FireWall)

Stopping the Windows Security Center service

Attempting to download remote executable content

Connecting to server using hard-coded IP address


None of these are things a file should do to your users’ machines, but take a look at the level of depth these attacks go into. They delete your Windows backups (volume shadow copies), disable your security measures, connect to a hard-coded IP and try to download a remote executable file. Traditional anti-virus inspections, no matter how many signatures you’re checking against, are unable to detect this level of attack. To combat the evolution of attachment-based attacks, Attachment Protect has continuously evolved since it was released over three years ago.


As I mentioned in Tips 5 and 10 from the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, Mimecast’s Attachment Protect is not a singular feature. There are multiple options that allow administrators to control how different users, groups, or even divisions of the organization receive and interact with files:


  • Safe File: Transcribe vulnerable file types to a different file format to ensure they are safe.
  • Safe File with On-Demand Sandbox: Transcribe vulnerable file types to a different file format to ensure they are safe and allow the user to request the original versions via the On-Demand Sandbox.
  • Pre-Emptive Sandbox: Analyze all vulnerable file types in the Pre-Emptive Sandbox, before delivering the mail and attachments to the user.
  • Dynamic Configuration: Allows users to toggle between delivery options for individual senders. By default, Safe File with On-Demand Sandbox is used. For trusted senders, Pre-Emptive Sandbox is used.


Safe File is versatile as it can be configured to convert a file into another format (e.g. a Word document to PDF). However, also note that it can convert a file into a safe copy of itself (e.g. Word to Word) thereby removing any macros, malicious code and any potential delivery delay.


Do your receptionists ever need to work with macro-enabled files, or receive external attachments that are editable? Perhaps not, so configure a Safe File Definition against their AD Group. Maybe some users will need an editable file, so convert files for those users to their original file format, and have another definition for others to simply convert to PDF only.


Meanwhile, your legal and finance teams may heavily use macro-enabled files. Depending on their needs, you can leverage a Dynamic Configuration or simply a Pre-Emptive Sandboxing approach to ensure they receive their files safely without needing to perform On-Demand Sandboxing each time.


Overall, Attachment Protect contains very powerful and flexible capabilities that allow you to both layer your security (through Mimecast’s multiple AV engines, Static File Analysis, Safe File Conversion and Behavioral Sandboxing) as well as customize the experience for different users across your organization.


For those interested in the granularity of Mimecast’s inspection funnel for email, I recommend reviewing the Cyber Resilience for Email Technical Deep Dive that my colleague, Matthew Gardiner, wrote.


Lastly, if you’re still reading this, then you’re one of the first people to find out that Part 4, the final blog in this series, will cover a bonus 11th Tip to optimize your TTP. It’s an important setting that I want more Mimecast customers to be aware of, so stay tuned. As always, please feel free to share with others and/or comment below!


Read the next blog in the series:

Optimizing Targeted Threat Protection Part 4: How to Customize Your TTP User Experience