Configuring URL Protection Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.oxriBaJeN4 Employee on May 21, 2018.
Version 32

URL Protection provides email security technology that protects users against spear phishing and targeted attacks. With a URL Protection policy, your organization can benefit from the following:

  • Instant protection from targeted attacks and spear phishing attempts across all devices without any client side software.
  • Protection against good websites turning bad, or delayed exploits.
  • Centrally managed, rapid deployment without using any additional infrastructure to maintain.
  • Centrally visible administrative monitoring and reporting on user activity.

 

Best Practice Settings

 

We provide a list of URL Protection definition settings, based on commonly used configurations, that we consider best practice. They provide an optimal solution to protect you against targeted spear phishing attacks. See the Targeted Threat Protection - URL Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

As one setting may not meet all your specific requirements, we recommend that you review your requirements and change these options where necessary.

Internal Email Protect Differences

 

If you have Targeted Threat Protection: Internal Email Protect enabled on your account, the following differences will be seen:

  • When configuring a URL Protection definition, the "Outbound Settings" and "Journal Settings" sections are displayed. These aren't displayed if you don't have Internal Email Protect enabled.
  • The checks conducted on links in outbound and internal traffic are at the point of entry into Mimecast. Due to how these checks are conducted, the results may differ slightly from the inbound checks where Internal Email Protect isn't enabled.

 

Configuring a URL Protection Definition

 

To configure a URL Protection definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on the Definitions button.
  5. Select URL Protection from the drop down menu. Any existing definitions are listed.
  6. Either click on the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the Inbound, Outbound, and Journal Settings as required. If the setting applies, a 'Y' is shown for Inbound, Outbound or Journal below:
    Outbound and Journal settings are only displayed if your account has Targeted Threat Protection: Internal Email Protect enabled.
    Enable Inbound / Outbound / Journal Checks (Inbound Y, Outbound Y, Journal Y): If selected, the additional fields / options below are displayed. These can be used to protect against malicious URLs in inbound traffic. When setting up inbound checks, use a policy with the correct routing to activate this definition.
    Rewrite Mode (Inbound Y, Outbound N, Journal N): Select one of the following URL rewrite modes:
    • Aggressive: Rewrites anything that looks like a URL or contains similar formatting (e.g. http://, www., or .co.uk).
    • Moderate: Rewrites strings that contain a valid URL or path (e.g. www.domain.com).
    • Relaxed: Rewrites only URLs that contain valid URLs and Top Level Domain (e.g. http://www.domain.co.uk).
    URL Mode (Inbound N, Outbound Y, Journal Y): Specify the URL check mode:
    • Aggressive: Checks anything that looks like a URL, or contains similar formatting (e.g. http://, www., or .co.uk).
    • Moderate: Checks only when the URL contains a valid URL or path (e.g. www.domain.com).
    • Relaxed: Checks only URLs that contain a valid scheme (i.e. http:// or https://).
    URL Category Scanning (Inbound Y, Outbound Y, Journal Y): Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:
    Category               Relaxed   Moderate   Aggressive
    Compromised            Y         Y          Y
    Phishing & Fraud       Y         Y          Y
    Spam Sites             N         Y          Y
    Suspicious             N         N          Y
    Malware                Y         Y          Y
    Botnets                Y         Y          Y
    Private IP Addresses   N         N          Y
    Action (Inbound Y, Outbound N, Journal N): Specify the action taken when an unsafe URL is detected either in a message or attachment. All clicks are logged.
    • Allow
      Detected URL: Users can access the link.
      Detected URL in an Attachment: The message is delivered with the attachment.
    • Warn
      Detected URL: A warning page is displayed, but users are able to continue to the original destination.
      Detected URL in an Attachment: The attachment is stripped from the message before it's delivered to the end user. A notification provides details of the detection but allows the end user to release the attachment. If the attachment is released and you have an attachment protection policy active using sandboxing, we'll release the attachment to the sandbox before releasing to the end user.
    • Block
      Detected URL: A block page is displayed. Users are prevented from accessing the URL.
      Detected URL in an Attachment: The attachment is stripped from the message before it's delivered to the end user. A notification provides details and informs the end user to contact their administrator if they need to release the attachment.
    Message Subject Protection (Inbound Y, Outbound N, Journal N): Microsoft Outlook for Windows automatically converts URLs in the message's subject to hyperlinks. This option specifies how they are handled:
    • None: URLs in the message subject are ignored. URLs will not be scanned if clicked.
    • Remove URLs: URLs are removed from the message's subject.
    • Rewrite URLs: URLs in the message's subject are rewritten, so they are scanned.
      Rewritten links can be up to 200 characters long. Choosing "Rewrite URLs" will visibly alter the format of the message subject.
    Create Missing HTML Body (Inbound Y, Outbound N, Journal N): Specifies whether inbound plain text emails are reformatted as HTML. Doing so allows URLs to be rewritten.
    Force Secure Connection (Inbound Y, Outbound N, Journal N): By default, all links protected by Targeted Threat Protection - URL Protect are rewritten as HTTPS. If enabled, this option rewrites all links as HTTPS. If disabled, all links are rewritten as HTTP. A confirmation displays if this option is disabled.
    Set to Default (Inbound Y, Outbound N, Journal N): Specifies this as the default definition. Any previously rewritten links that do not have a valid policy will use this definition. This option can only be set on one definition.
    Ignore Signed Messages (Inbound Y, Outbound N, Journal N): If enabled, URL Protect is not applied to digitally signed messages. This ensures the message's signature remains intact but means the URLs are not rewritten.
    Display URL Destination Domain (Inbound Y, Outbound N, Journal N): If enabled, the URL's destination domain is displayed at the end of the rewritten link.
    Strip External Source Mode (Inbound Y, Outbound N, Journal N): If set to "Aggressive", all external components are removed from the message. This includes CSS, SVG files, font-types, and HTML tags (e.g. <embed>, <iframe>, <frame>, <object>).
    This may impact the formatting and readability of messages.
    Block URLs Containing Dangerous File Extensions (Inbound Y, Outbound Y, Journal Y): Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the What is a Dangerous File Type? page for further details.
    Rewrite URLs Found in Attachments (Inbound Y, Outbound N, Journal N): If this option is selected, you can choose one or more of the following attachment parts to rewrite:
    • HTML (file type .HTM)
    • Text (file type .TXT)
    • Calendar (file type .CAL)
    Each of these options looks for file attachments in the message of the same file type and rewrites any URLs found in them.
    URL File Download (Inbound Y, Outbound Y, Journal Y): If enabled, a check is made to ascertain if the URL points to a download file of the specific file types listed below. If a URL points to one of these file types and is found to be potentially dangerous, you can set this option to warn or block the file. If you have Targeted Threat Protection - Attachment Protect, you can additionally choose to sandbox the file.
    • HTML
    • TXT
    • PDF
    • Archived files in ZIP, BZIP, GZIP, JS, RAR, TAR, LHA, LZH and XZ format.
    • All Microsoft Office file formats
    • All Open Office file formats
    If User Awareness notifications are enabled, a user can download the scanned file via the email notification for 12 hours, after which time they'll be taken through the checking process again. See the How Does Targeted Threat Protection - URL Protect Work? page for more information.
    Malicious detections are logged under Administration | Monitoring | URL Protection in the Administration Console.
    Scan URLs in Attachments (Inbound Y, Outbound Y, Journal Y): If selected, all attachments less than 50 MB and supported by the safe file option are checked to ensure there are no malicious URLs contained in them. The supported file types are as follows:
    • HTML
    • TXT
    • PDF
    • Archived files in ZIP, BZIP, GZIP, JS, RAR, TAR, LHA, LZH and XZ format.
    • All Microsoft Office file formats
    • All Open Office file formats
    This option also works with compressed files, with the individual files scanned as if they weren't part of a compressed file. If malicious links are found in an attachment, the action taken depends on the "Action" setting (above). Stripped files are logged under Administration | Monitoring | Attachments in the Admin Console.
    Malicious detections are logged under Administration | Monitoring | URL Protection in the Administration Console.

    Enable User Awareness (Inbound Y, Outbound N, Journal N): These settings are used to display user awareness messages in the user's browser when links are clicked in a message. Check the Enable User Awareness box to display the additional fields below:
    • User Awareness Challenge Percentage: Select the frequency for displaying user awareness pages to the user when URLs in messages are clicked.
    • Disable User Awareness Dynamic Challenge Adjustment: By default, incorrectly responding to user awareness prompts increases the frequency of the prompts displayed to the user. Select this option to disable the adjustments.
    • Use a Custom Page Set: Select this option to apply a previously configured customized User Awareness Page Set, via the drop down menu that displays. See the URL Protection User Awareness page for how to configure custom page sets.
    We recommend enabling Targeted Threat Protection authentication via the Administration | Account | Account Settings menu item. Enabling user awareness without authentication can result in a security risk.
    Gateway Action and Gateway Fallback Action (Inbound N, Outbound Y, Journal N): Select the action (or fallback action) to take if a message containing an unsafe URL is detected. A fallback action is only applied if we are unable to check a URL.
    • None: The message is delivered to the recipients.
    • Hold: The message is sent to the hold queue, and not delivered to the recipients.
    • Bounce: The message is rejected, and not delivered to the recipients.
    User Mailbox Action and User Mailbox Fallback Action (Inbound N, Outbound Y, Journal Y): Select the action (or fallback action) to take if a message containing an unsafe URL is detected. A fallback action is only applied if we are unable to check a URL.
    • None: No action is taken, and the message is delivered to the recipients.
    • Remove Message: The detected message is removed from the user's mailbox.
    In non-Exchange environments automatic remediation is not supported. However if a support journal connector is used, you can leverage detection, and through these alerts perform manual remediation.

    Enable Notifications (Inbound Y, Outbound Y, Journal Y): These settings are used to send notifications to specific users should a policy be triggered. Check the Enable Notifications box to display the additional fields below:
    • Notification Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
    • Notification URL Format (Inbound Only): Controls the format of the rewritten URL notification sent to the group of users specified in the "Notification Group" option. The options are:
      • Safe URL: URLs are scanned, and blocked if considered unsafe.
      • Safe URL with Preview: URLs are displayed in a web page showing the original link.
    • Internal Sender (Outbound and Journal Only): If selected, a notification is sent to the message's internal sender if there is an unsafe URL.
    • Internal Recipient (Journal Only): If selected, a notification is sent to the message's internal recipient if there is an unsafe URL.
  9. Click on the Save and Exit button.
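
The three Rewrite Mode levels in step 8 differ in which strings they treat as a link, which decides what reaches the user unrewritten. The following Python is an added example, not Mimecast code: the patterns, the short TLD list and the sample message body are assumptions constructed to approximate the mode descriptions above.

```python
import re

# Constructed TLD list for the example; a real engine would use the full public list.
TLDS = ("co.uk", "com", "net", "org")
HOST = r"(?:[a-z0-9-]+\.)+(?:" + "|".join(re.escape(t) for t in TLDS) + r")"
PATH = r"(?:[/?#]\S*)?"

# Assumed approximations of the mode descriptions; not Mimecast's actual patterns.
RELAXED = re.compile(rf"https?://{HOST}{PATH}", re.I)        # scheme and valid TLD
MODERATE = re.compile(rf"(?:https?://)?{HOST}{PATH}", re.I)  # valid URL or path
HINTS = ("http://", "https://", "www.", ".co.uk")            # "looks like a URL"

def matches(mode, token):
    """True if the token would be treated as a link under the given mode."""
    if mode == "relaxed":
        return bool(RELAXED.fullmatch(token))
    if MODERATE.fullmatch(token):
        return True
    return mode == "aggressive" and any(h in token.lower() for h in HINTS)

def rewritten(body, mode):
    """Tokens of the message body that the given mode would rewrite, in order."""
    tokens = (t.strip("()<>.,;:") for t in body.split())
    return [t for t in tokens if t and matches(mode, t)]

def left_alone(body, mode):
    """Link-like strings the aggressive mode catches but this mode leaves as-is."""
    kept = set(rewritten(body, mode))
    return [t for t in rewritten(body, "aggressive") if t not in kept]

# Constructed sample message body.
SAMPLE_BODY = (
    "Reset your password at https://portal.example.co.uk/login or "
    "www.example.com/reset. Mirror: example.co.uk and http://fileserver "
    "(see www.example). Build version.2.1 attached."
)

if __name__ == "__main__":
    for mode in ("relaxed", "moderate", "aggressive"):
        print(mode, rewritten(SAMPLE_BODY, mode), left_alone(SAMPLE_BODY, mode))
```

Running `left_alone` over a sample of your own inbound mail before choosing a mode shows which link-like strings would stay outside click-time scanning.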

 

Configuring a URL Protection Policy


To configure a URL Protection policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on URL Protection. A list of policies is displayed.
  5. Either select the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Policy Narrative: Provide a description of the policy to allow you to easily identify it in the future.
    Select Option: Select a URL Protection definition from the drop down list.
  7. Complete the Emails From and Emails To sections as required:
    Addresses Based On: Specify the email address characteristics the policy is based on, available only in the "Emails From" section. The options are:
    • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
    • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
    • Both: Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. When both match the specified value, the Message Header From will be used.
    Applies From / To: Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
    • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
    • Internal Address: Includes only internal organization addresses.
    • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
    • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
    • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
    • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
    • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Enable / Disable: Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, then it is automatically disabled.
    Set Policy as Perpetual: Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override: Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.
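
The "Addresses Based On" rules in step 7 and the Source IP Ranges check in step 8 decide whether a message falls under the policy at all. The following Python models them as an added example, not Mimecast code: the policy dictionary keys, the function names and the sample addresses are assumptions, as is treating an empty range list as "not restricted by source IP".

```python
import ipaddress
from email.utils import parseaddr

def domain_of(address):
    """Lower-cased domain of an address, with any display name ignored."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def policy_match(policy, envelope_from, header_from, source_ip):
    """Return "envelope" or "header" for the address the policy matched on, else None."""
    # Source IP Ranges: when configured, the connecting IP must fall inside one of them.
    # Assumption: an empty list means the policy is not restricted by source IP.
    networks = [ipaddress.ip_network(r) for r in policy.get("source_ip_ranges", [])]
    if networks and not any(ipaddress.ip_address(source_ip) in n for n in networks):
        return None
    env_hit = domain_of(envelope_from) == policy["email_domain"]
    hdr_hit = domain_of(header_from) == policy["email_domain"]
    based_on = policy["addresses_based_on"]
    if based_on == "envelope":   # The Return Address (default)
        return "envelope" if env_hit else None
    if based_on == "header":     # The Message From Address
        return "header" if hdr_hit else None
    # Both: either address may match; the header address is used when both do.
    if hdr_hit:
        return "header"
    return "envelope" if env_hit else None

# Constructed sample: a bulk-mailer envelope sender with a different header From.
ENVELOPE_FROM = "bounce@mailer.example.net"
HEADER_FROM = '"Accounts" <accounts@example.com>'
SOURCE_IP = "203.0.113.25"

def make_policy(based_on):
    """Hypothetical policy scoped to the Email Domain example.com."""
    return {"email_domain": "example.com", "addresses_based_on": based_on,
            "source_ip_ranges": ["203.0.113.0/24"]}

if __name__ == "__main__":
    for mode in ("envelope", "header", "both"):
        print(mode, policy_match(make_policy(mode), ENVELOPE_FROM, HEADER_FROM, SOURCE_IP))
```

With the default envelope-based matching, the sample message is not covered by a policy scoped to example.com even though that is the domain the recipient sees in the From header.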

 
