
Bob Adams is a Cyber Security Strategist at Mimecast. Originally joining Mimecast nearly four years ago as a Sales Engineer, Bob was recruited to Product Management after developing various unique ways of investigating cyber attacks and highlighting Mimecast's services. Bob now continues to use his time to help educate companies on protecting themselves against advanced cyber threats.

 

Hello, Mimecast Administrators. It’s been great going through Targeted Threat Protection's various capabilities over the past few weeks. If you’re just joining us, be sure to check out the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, as well as Part 1, Part 2, and Part 3 of this blog series.

 

As you may have noticed at the end of Part 3, I revealed that this will be the conclusion of my discussion on Targeted Threat Protection. And, as a thank you for sticking with me, I saved a bonus 11th optimization tip just for you!

 

One of the most important aspects of Mimecast, and really any product you use, is understanding its customizability. How can it be tailored for your organization? What are your options? In writing the Top 10 Ways to Optimize TTP Guide, my goal was to familiarize you with the ins and outs of some of the more intricate settings of TTP. As part of that understanding, I want to conclude by elaborating on some customizations of the service.

 

In Step 8, I highlighted that, with Impersonation Protect, you can do more than use a generic ‘External’ tag in all inbound emails. Administrators can choose to tag the Subject Line and Message Body with customized plain text.

 

Additionally, the Header of emails can be tagged, which allows users and/or administrators to create rules to take an automated action on the emails. But don’t stop there. Mimecast allows you to use HTML in the Message Body tag to grab your users’ attention. Use bold, italics, colored font, or even images on specific messages that are suspicious. You can even create different alerts for different users or groups of users. For example, you can configure the Message Body tag for emails addressed to anyone in Finance to:

 

Be Cautious of Fraudulent Wire Transfer emails – Follow the Proper Procedure!!!


...while warning HR about people requesting employee information such as W2s, P60s, etc.:

 

Warning – Attackers Often Request Personally Identifiable Information – Never Send Employee Data Through Email Insecurely!!! 

 

These are just some examples of the many ways in which you can customize Impersonation Protect and get more power out of the settings available. This is important because it allows you to do more than a blanket [EXTERNAL] tag on every inbound email, which users tend to stop noticing after a few days. These specific tags are added when your Impersonation Protect policy is triggered, which means only certain potentially suspicious emails (not all) are tagged, raising your users’ attention immediately.

 

There’s more than just customizing tags. You’ve guessed it, we’ve reached the Bonus 11th Optimization Tip: Customization of the User Awareness pages!

 

As many customers of Mimecast’s URL Protect know, the User Awareness page is an important teachable moment that can give users an extra chance to make the right decision, as well as allow administrators to track user behavior. However, did you know that you can customize the User Awareness Page in multiple different ways?

 

By default, the User Awareness Page appears as follows:

 

 

You can customize the banner (color and logo) to represent your organization. Furthermore, instead of the default title “Do you think this link is safe?” and the Body Text beneath it, you can customize the text. In the example below, I’ve changed the text to deliver a slightly different message:

 

 

Additionally, you can choose what the various follow-up pages detail as well. For example, if a user selects “It’s Safe” and the site is actually malicious, by default, users see:

 

 

As with the initial “Do you think this link is safe?” User Awareness page, the title and body text here can be customized. However, you can also edit the Safety Tips section. By default, Mimecast provides nearly two dozen tips, but you can add your own. Not only that, you can choose to display only Mimecast tips, custom tips, or both Mimecast and your custom tips, thereby giving users a broader set of informational guides to be more cautious and aware when clicking links.

 

Overall, Mimecast Targeted Threat Protection is more than just a set of check boxes to protect your organization. It’s a versatile solution that we’ve designed to allow administrators custom control across their environment and customizability in the complicated world of cybersecurity. I hope you have enjoyed learning about how you can optimize TTP, and that you’ve been able to implement some of this advice into your organization!

______________________________________________________________

Check out the rest of the series here:

 

Optimizing Targeted Threat Protection Part 1: Introducing the TTP Optimization Guide and Blog Series 

Optimizing Targeted Threat Protection Part 2: Understanding Domain Detection and Impersonation 

Optimizing Targeted Threat Protection Part 3: Attachment Protect Is More than Just Sandboxing   

 

Also, our guide:

 

Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) 


 

Hello, Mimecast Administrators. I hope that you have found some helpful takeaways in the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, as well as in Part 1 and Part 2 of this blog series.

 

In Part 3, I will cover the various ways in which Mimecast Attachment Protect analyzes attachments and the different ways it can be configured to best protect your organization without compromising your security.

 

Before we discuss the different settings available to you and how Mimecast inspects files, it’s important to understand the evolution of malware attacks. Files don’t necessarily need to contain a virus or malware anymore, but simply the code to retrieve one. For example, in Mimecast’s Attachment Protect logs, you may see lines such as:

 

Deleting volume shadow copies

Disabling Windows Updates

Disabling installed firewalls

Disabling known security suites (AntiVirus, FireWall)

Stopping the Windows Security Center service

Attempting to download remote executable content

Connecting to server using hard-coded IP address

 

None of these are things a file should do to your users’ machines, but take a look at the level of depth these attacks go into. They delete your Windows backups (volume shadow copies), disable your security measures, connect to a hard-coded IP and try to download a remote executable file. Traditional anti-virus inspections, no matter how many signatures you’re checking against, are unable to detect this level of attack. To combat the evolution of attachment-based attacks, Attachment Protect has continuously evolved since it was released over three years ago.

 

As I mentioned in Tips 5 and 10 from the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, Mimecast’s Attachment Protect is not a singular feature. There are multiple options that allow administrators to control how different users, groups, or even divisions of the organization receive and interact with files:

 

  • Safe File: Transcribe vulnerable file types to a different file format to ensure they are safe.
  • Safe File with On-Demand Sandbox: Transcribe vulnerable file types to a different file format to ensure they are safe and allow the user to request the original versions via the On-Demand Sandbox.
  • Pre-Emptive Sandbox: Analyze all vulnerable file types in the Pre-Emptive Sandbox, before delivering the mail and attachments to the user.
  • Dynamic Configuration: Allows users to toggle between delivery options for individual senders. By default, Safe File with On-Demand Sandbox is used. For trusted senders, Pre-Emptive Sandbox is used.

 

Safe File is versatile as it can be configured to convert a file into another format (e.g. a Word document to PDF). However, also note that it can convert a file into a safe copy of itself (e.g. Word to Word) thereby removing any macros, malicious code and any potential delivery delay.

 

Do your receptionists ever need to work with macro-enabled files, or receive external attachments that are editable? Perhaps not, so configure a Safe File Definition against their AD Group. Maybe some users will need an editable file, so convert files for those users to their original file format, and have another definition for others to simply convert to PDF only.

 

Meanwhile, your legal and finance teams may heavily use macro-enabled files. Depending on their needs, you can leverage a Dynamic Configuration or simply a Pre-Emptive Sandboxing approach to ensure they receive their files safely without needing to perform On-Demand Sandboxing each time.

 

Overall, Attachment Protect contains very powerful and flexible capabilities that allow you to both layer your security (through Mimecast’s multiple AV engines, Static File Analysis, Safe File Conversion and Behavioral Sandboxing) as well as customize the experience for different users across your organization.

 

For those interested in the granularity of Mimecast’s inspection funnel for email, I recommend reviewing the Cyber Resilience for Email Technical Deep Dive that my colleague, Matthew Gardiner, wrote.

 

Lastly, if you’re still reading this, then you’re one of the first people to find out that Part 4, the final blog in this series, will cover a bonus 11th Tip to optimize your TTP. It’s an important setting that I want more Mimecast customers to be aware of, so stay tuned. As always, please feel free to share with others and/or comment below!

___________________________________________________________

Read the next blog in the series:

Optimizing Targeted Threat Protection Part 4: How to Customize Your TTP User Experience 


 

Hello again Mimecast Administrators! I hope you’ve had a chance to review the Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide and Part 1 in this blog series.

 

Continuing the discussion, I wanted to delve into how Mimecast handles domains. In Part 2, we will cover the first set of tips in more detail, give some more background on the settings and offer additional tips.

 

I first covered how to display the destination domain of a Mimecast rewritten URL. Enabling this feature helps users specifically take notice of the website’s domain only instead of an entire URL. For example, what would a user think of the following?

 

 

They would likely only see facebook.com. This attack is specifically designed for users on mobile devices: They click a link, and instead of opening the Facebook application (remember that it is not actually Facebook), they'll only see what the attacker wants them to see in their browser. In this example, they completely miss that the URL is an unsafe site:

 

 

In reality, the domain within that URL is badsite.com, which a user would see as https://protect-us.mimecast.com/s/abc123xyz?domain=badsite.com in the Mimecast rewritten URL.

 

Did you also know that, as a Mimecast Administrator, you can decode URLs rewritten by Mimecast? Understanding how Mimecast rewrites URLs matters because it highlights one of the most important areas of focus for email security: domain identification. Within an inbound email or URL, you can detect and display the destination domain. However, it’s not just about identifying a domain, but also analyzing it for impersonation.
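To make the domain-identification point concrete, here is an added example (not Mimecast code and not from the original post) that extracts the host a browser will really connect to and flags URLs that merely mention a trusted brand elsewhere. The sample URLs and the brand list are constructed; the rewritten link is the one quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed brand list for illustration; use your own in practice.
WATCHED_BRANDS = ("facebook.com", "paypal.com")


def destination_host(url):
    """Return the host the browser will actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host, brand):
    """True only when the host is the brand's domain or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def misleading_brand_mentions(url, brands=WATCHED_BRANDS):
    """List (brand, location) pairs where a brand name appears in the URL
    although the real destination host does not belong to that brand."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    for brand in brands:
        if is_brand_host(host, brand):
            continue  # genuinely that brand's site
        if brand in (parts.username or "").lower():
            findings.append((brand, "userinfo"))       # text before the '@'
        if brand in host:
            findings.append((brand, "hostname"))       # brand.com.other.tld
        if brand in (parts.path + "?" + parts.query).lower():
            findings.append((brand, "path-or-query"))  # other.tld/brand.com/
    return findings


def displayed_domain(rewritten_url):
    """Read the `domain` query parameter from a rewritten link of the form
    quoted in this post; returns None when the parameter is absent."""
    values = parse_qs(urlsplit(rewritten_url).query).get("domain", [])
    return values[0].lower() if values else None


if __name__ == "__main__":
    samples = (  # constructed sample URLs
        "https://facebook.com@badsite.com/login",
        "https://facebook.com.badsite.com/",
        "https://www.facebook.com/login",
    )
    for sample in samples:
        print(sample, destination_host(sample), misleading_brand_mentions(sample))
    print(displayed_domain(
        "https://protect-us.mimecast.com/s/abc123xyz?domain=badsite.com"))
```

The host check is a plain suffix match; a production check would compare registrable domains using the Public Suffix List.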

 

Mimecast recently added Advanced Similarity Checks which go beyond Anti-Spoofing and DNS Authentication (SPF, DKIM, and DMARC). With these checks, organizations can identify attackers attempting to use domains intended to appear like their own, as well as organizations they work with such as suppliers and customers. This functionality applies to both Mimecast URL Protect and Mimecast Impersonation Protect.

 

Attackers also attempt to use various character manipulation tactics to trick your users. As outlined in the Top 10 guide, these enhancements are explained in great detail in a recent Service Update.

 

Remember, Mimecast’s Targeted Threat Protection (TTP) is only going to protect your organization if it’s configured. A crucial part of domain detection will be to populate your Custom Monitored Domain list to ensure Mimecast is protecting your organization from both the Mimecast Managed Domains list as well as the domains you specify for your organization.
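As an added illustration of what a similarity check against a monitored-domain list involves (a simplified sketch, not Mimecast's algorithm and not from the original post), the code below folds common character substitutions and then measures edit distance. The substitution table, the monitored domains and the distance threshold are all assumptions.

```python
import unicodedata

# Constructed, deliberately small substitution table (assumption for this
# sketch); real confusable-character tables are far larger.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"),
                 ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain):
    """Fold a domain to a comparison form: lower-case, accents stripped,
    look-alike character sequences collapsed."""
    text = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for seq, repl in SUBSTITUTIONS:
        text = text.replace(seq, repl)
    return text


def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_sender_domain(domain, monitored, max_distance=1):
    """Return (verdict, matched_domain).
    Verdicts: 'exact', 'substitution', 'near-miss', 'clear'."""
    candidate = domain.lower().rstrip(".")
    if candidate in monitored:
        return ("exact", candidate)          # the real domain, not a lookalike
    folded = skeleton(candidate)
    for good in monitored:
        if folded == skeleton(good):
            return ("substitution", good)    # differs only by swapped characters
    for good in monitored:
        if edit_distance(folded, skeleton(good)) <= max_distance:
            return ("near-miss", good)       # one typo away after folding
    return ("clear", None)


# Constructed monitored list standing in for your own and your partners' domains.
MONITORED = ("examplecorp.com", "supplier-example.com")

if __name__ == "__main__":
    for sender in ("examplecorp.com", "exarnplecorp.com", "examp1ecorp.com",
                   "examplecorps.com", "unrelated.org"):
        print(sender, check_sender_domain(sender, MONITORED))
```

Accent folding does not catch cross-script homoglyphs such as Cyrillic letters; those need a dedicated confusables table.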

 

I hope you’re becoming more comfortable with your environment’s email security and have learned some of the new ways we're enhancing our products. Stay tuned for Part 3, where we’ll cover how to understand the various Mimecast Attachment Protect options, and how TTP features can be versatile by applying different settings across your environment.

___________________________________________________________

Read the next blog in the series: Optimizing Targeted Threat Protection Part 3: Attachment Protect Is More than Just Sandboxing   


 

Hello Mimecast administrators! I’m pleased to introduce a new blog series tailored just for you. As a follow-up to my Top 10 Ways to Optimize Mimecast Targeted Threat Protection (TTP) Guide, I wanted to share my thoughts on why I wrote it and provide additional insight into the topics discussed.

 

My goal is to help Mimecast admins evaluate their current security settings and get the most out of their Mimecast services. It’s important to remember that Targeted Threat Protection and its product updates are not enabled by default, as there are numerous settings that will vary from organization to organization.

 

Whether you still need to configure your TTP settings, want to review and update them, or are interested in learning more about the various features, this guide is for you.

 

When reading it, first review the Before You Start section to ensure your organization is at a proper baseline before making any changes. TTP is an evolving suite of services, and this guide is designed to help you perform a review of your current environment, and learn about best practices and recent product enhancements.

 

Throughout this series, each blog will introduce several tips and highlight different options for best customizing Targeted Threat Protection for your environment. For example, did you know that Mimecast can prevent attackers from impersonating external organizations you work with?

 

Additionally, since Mimecast is built to have its services work together, I will also shed some light on how certain settings interact with other aspects of Mimecast’s services. For example, we recently launched Mimecast Web Security. If you use Mimecast as your Secure Email Gateway with Targeted Threat Protection, and use Mimecast Web Security, you’ll find that some features from URL and Attachment Protect are available to help protect your Web Security as well.

 

I’ll explain all of this in more detail when I cover those features and settings in the coming blogs – stay tuned and get involved! I hope this will be an engaging series, and am looking forward to your feedback. Please feel free to comment on the optimization guide, this post, or on the coming blogs.

___________________________________________________________

Read the next blog in the series: Optimizing Targeted Threat Protection Part 2: Understanding Domain Detection and Impersonation 

Bob Adams is the Product Marketing Manager for Mimecast's Security portfolio. Bob joined Mimecast three years ago as a Sales Engineer, and was recently recruited to Marketing after developing various educational materials for Mimecast's services. He continues to help educate companies on protecting themselves against advanced cyber threats.

 

I received a very interesting, and convincing, phone call this morning from what I (spoiler alert!) ultimately determined was a scammer.

 

What occurred over the next 13 minutes was a lesson that can be applied to many aspects of daily life – both as an everyday person as well as a user within a company. Whether you receive a phone call, email, text, or even a knock on your door, here are some important tips to keep in mind.

 

Tip #1: Always be suspicious

 

My phone rang at 8:11 in the morning, and the Caller ID showed a local area code. I answered and was greeted by Lt. Brandon Kennedy from the Middlesex County Warrants and Citation Division. This is suspicious right away, as it’s unlikely a government office will call regarding any matter.

 

Tip #2: Don’t give them any additional information

 

Lt. Kennedy is adamant I confirm that I am Robert Adams. When I refused and asked what this was about, he stated he couldn’t tell me until I confirm my identity, or there would be repercussions.

 

Again, I’m suspicious and always avoid giving out any personal information. However, since they’re calling, already asking for me by name, and a reverse phone number lookup would show my name in the White Pages, I conceded: “This is him.” 

 

Tip #3: Always question the validity of what you’re being told

 

I learned that a Jury Duty summons was delivered to me on Wednesday, September 25th at 2:23pm, signed for, and returned. I apparently "failed" to appear in court on my assigned day. My absence resulted in two warrants out for my arrest, and there’s a $500 post on each. Failure to resolve this today could result in my immediate imprisonment for 30-45 days. I still remained calm despite their intent to catch me off guard.

 

Taking notes, I realized September 25th was a Monday, and not a Wednesday. I asked him to repeat the date, year, and where it was delivered, and explained that the 25th was a Monday and that his response was not my address.

 

Regardless of all the red flags here, my curiosity was piqued, and I figured that the longer we talked, the fewer people he could scam (NOTE: While I’m experienced and well versed in scamming tactics, I do not recommend trying this at home!).

 

Tip #4: Learn from their mistakes

 

I explained I never received the summons and didn't recall ever having to sign for one before. He assured me the process had changed due to so many people claiming they hadn't received the notice.

 

To avoid arrest, I needed to “report to the Medford Sheriff’s Department at 400 Mystic Ave, 4th Floor. They cannot accept Cash, Credit, or personal information due to a high volume of transactions, and you need to get a MoneyPak voucher from Walgreens, CVS, or Rite Aid.” 

 

My warrants were for $500 each, which coincidentally is the maximum limit per voucher. When I asked if I could call my local Police Department to confirm there was a warrant, he assured me I could. However, he of course couldn’t help me with any arrests along the way there if I hung up, so it was best if we stayed on the phone until I arrived.

 

At this point, the ruse was up, I had my fun, and tried to engage the scammer directly. To the scammer's credit, he insisted it was not a scam and was merely trying to help. Further inquiries went unmet until he eventually hung up. 

 

The moral of the story here is to be suspicious, don’t give out any information, always question what you’re being told, and learn from the mistakes of these criminals to better arm yourself in the future.

 

Related content: My Grandfather was Scammed: Why User Education Reigns Supreme