Configuring URL Protection Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.oxriBaJeN4 Employee on Dec 13, 2017.
Version 24

URL Protection provides email security technology that protects users against spear phishing and targeted attacks. With a URL Protection policy, your organization can benefit from the following:

  • Instant protection from targeted attacks and spear phishing attempts across all devices without any client side software.
  • Protection against good websites turning bad, or delayed exploits.
  • Centrally managed, rapid deployment without using any additional infrastructure to maintain.
  • Centrally visible administrative monitoring and reporting on user activity.

 

Best Practice Settings

 

We've provided a list of URL Protection definition settings which we consider best practice. These settings are based on commonly used configurations that can provide an optimal solution to protect you against spear phishing and targeted attacks. It is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, tweaking these options where necessary.

 

See the URL Protection Best Practice page for full details. You must log on to Mimecaster Central to access this page.

 

Internal Email Protect Differences

 

If you have Targeted Threat Protection: Internal Email Protect enabled on your account, the following differences will be seen:

  • When configuring a URL Protection definition, the "Outbound Settings" and "Journal Settings" sections are displayed. These aren't displayed if you don't have Internal Email Protect enabled.
  • The checks conducted on links in outbound and internal traffic are at the point of entry into Mimecast. Due to how these checks are conducted, the results may differ slightly from the inbound checks where Internal Email Protect isn't enabled.

 

Configuring a URL Protection Definition

 

To configure a URL Protection definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on the Definitions button.
  5. Select URL Protection from the drop down menu. Any existing definitions are listed.
  6. Either click on the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the Inbound Settings as required:
    Field / Option: Description
    Enable Inbound Checks: If selected, the fields / options listed below are displayed. These can be used to protect against malicious URLs in inbound traffic. When setting up inbound checks, use a policy with the correct routing to activate this definition.
    Rewrite Mode: Select one of the following URL rewrite modes:
      • Aggressive: Rewrites anything that looks like a URL or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
      • Moderate: Rewrites strings that contain a valid URL or path (e.g. www.domain.com).
      • Relaxed: Rewrites only URLs that contain valid URLs and a Top Level Domain (e.g. http://www.domain.co.uk).
    URL Category Scanning: Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. Categories blocked by each setting are:
      Category              Relaxed  Moderate  Aggressive
      Compromised           Y        Y         Y
      Phishing & Fraud      Y        Y         Y
      Spam Sites            N        Y         Y
      Malware               Y        Y         Y
      Botnets               Y        Y         Y
      Private IP Addresses  N        N         Y
    Action: Specify the action taken when an unsafe URL is detected either in a message or attachment. All clicks are logged.
      • Allow
        Message: Users can access the link.
        Attachment: The message is delivered with the attachment.
      • Warn
        Message: A warning page is displayed, but users are able to continue to the original destination.
        Attachment: The attachment is stripped from the message before it is delivered to the end user. The message contains a notification with details of the detection, but allows the end user to release the attachment. If the attachment is released and you have an attachment protection policy active using sandboxing, we'll release the attachment to the sandbox before releasing to the end user.
      • Block
        Message: A block page is displayed, and users are prevented from accessing the URL.
        Attachment: The attachment is stripped from the message before it is delivered to the end user. The message contains a notification with details of the detection and informs the user to contact their administrator if they need to release the attachment.
    Message Subject Protection: Microsoft Outlook for Windows automatically converts URLs in the message's subject to hyperlinks. This option specifies how they are handled:
      • None: URLs in the message subject are ignored. URLs will not be scanned if clicked.
      • Remove URLs: URLs are removed from the message's subject.
      • Rewrite URLs: URLs in the message's subject are rewritten, so they are scanned.
        Rewritten links can be up to 200 characters long. Choosing "Rewrite URLs" will visibly alter the format of the message subject.
    Create Missing HTML Body: Specifies whether inbound plain text emails are reformatted as HTML. Doing so allows URLs to be rewritten.
    Force Secure Connection: By default, all links protected by Targeted Threat Protection - URL Protect are rewritten as HTTPS. If enabled, this option rewrites all links as HTTPS. If disabled, all links are rewritten as HTTP. A confirmation is displayed if this option is disabled.
    Set to Default: Specifies this as the default definition. Any previously rewritten links that do not have a valid policy will use this definition. This option can only be set on one definition.
    Ignore Signed Messages: If enabled, URL Protect is not applied to digitally signed messages. This ensures the message's signature remains intact, but means the URLs are not rewritten.
    Display URL Destination Domain: If enabled, the URL's destination domain is displayed at the end of the rewritten link. For example: [image: url.png]
    Strip External Source Mode: If set to "Aggressive", all external components are removed from the message. This includes CSS, SVG files, font-types, and HTML tags (e.g. <embed>, <iframe>, <frame>, <object>). This may impact the formatting and readability of messages.
  9. Complete the URLs and Attachments option in the Inbound Settings section as required:
    Field / Option: Description
    Block URLs Containing Dangerous File Extensions: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the What is a Dangerous File Type? page for further details.
    Rewrite URLs Found in Attachments: If this option is selected, you can select one or more of the following options. Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
      Option          File Type
      HTML Parts      .HTM
      Text Parts      .TXT
      Calendar Parts  .CAL
    Scan URLs in Attachments: If selected, all attachments less than 50 MB and supported by the safe file option (e.g. HTML, PDF, TXT, and Microsoft Office files) are checked to ensure there are no malicious URLs contained in them. This option also works with compressed files, which are decompressed and the individual files scanned for links as if they weren't part of a compressed file. If malicious links are found in an attachment, the action taken depends on the value of the "Action" option (see step 8 above).

  10. Click on the Enable User Awareness option to display the fields below. These can be used to display user awareness messages in the user's browser when links are clicked in a message. See the Targeted Threat Protection User Awareness page for more details.
    We recommend Targeted Threat Protection authentication is enabled via the Administration | Account | Account Settings menu item. Using user awareness without authentication can result in a security risk.
    Field / Option: Description
    User Awareness Challenge Percentage: Select the frequency for displaying user awareness pages to the user when URLs in messages are clicked.
    Disable User Awareness Dynamic Challenge Adjustment: By default, incorrectly responding to user awareness prompts increases the frequency with which the prompts are displayed to the user. Select this option to disable these adjustments.
    Use a Custom Page Set: Select this option to apply a customized User Awareness Page Set you've previously configured, via the drop down menu that displays. View the Configuring URL Protection User Awareness page for full instructions on configuring Custom Page Sets.
  11. Click on the Enable Notifications option in the Inbound Settings section to display the fields below. These can be used to send notifications to specific users should a policy be triggered:
    Field / Option: Description
    Notify Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
    Notification URL Format: Controls the format of the rewritten URL notification sent to the group of users specified in the "Notify Group" option. The options are:
      • Safe URL: URLs are scanned, and blocked if considered unsafe.
      • Safe URL with Preview: URLs are displayed in a web page showing the original link.
  12. Click on the Outbound Settings option to display the fields below. These can be used to protect against malicious URLs in outbound traffic. When setting up outbound checks, use a policy with the correct routing to activate this definition.
    This section is only displayed if your account has Targeted Threat Protection: Internal Email Protect enabled.
    Field / Option: Description
    Enable Outbound Check: If selected, the fields / options listed below are displayed. These can be used to protect against unsafe URLs in outbound traffic. When setting up outbound checks, use a policy with the correct routing to activate this definition.
    URL Mode: Specify the URL check mode:
      • Aggressive: Checks anything that looks like a URL, or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
      • Moderate: Checks only when the URL contains a valid URL or path (e.g. www.domain.com).
      • Relaxed: Checks only URLs that contain a valid scheme (i.e. http:// or https://).
    URL Category Scanning: Specify how aggressively the URL engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:
      Category              Relaxed  Moderate  Aggressive
      Compromised           Y        Y         Y
      Phishing & Fraud      Y        Y         Y
      Spam Sites            N        Y         Y
      Malware               Y        Y         Y
      Botnets               Y        Y         Y
      Private IP Addresses  N        N         Y
    Gateway Action / Gateway Fallback Action: Select the action (or fallback action) to take if a message containing an unsafe URL is detected. A "Gateway Fallback Action" is only applied if we are unable to check a URL.
      • None: The message is delivered to the recipients.
      • Hold: The message is sent to the hold queue, and not delivered to the recipients.
      • Bounce: The message is rejected, and not delivered to the recipients.
    User Mailbox Action / User Mailbox Fallback Action: Select the action (or fallback action) to take on the user's mailbox if a message containing an unsafe URL is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a URL.
      • None: No action is taken on the user's mailbox, and the message is delivered to the recipients.
      • Remove Message: The message containing the URL is removed from the user's mailbox.
      In non-Exchange environments automatic remediation is not supported. However, if a supported journal connector is used, you can leverage detection, and through these alerts perform manual remediation.
    Enable Notifications: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
    Notify Group: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe URLs.
    Internal Sender: If selected, a notification is sent to the message's internal sender, if there is an unsafe URL.
    Internal Recipient: If selected, a notification is sent to the message's internal recipient, if there is an unsafe URL.
  13. Complete the URLs and Attachments section in the Outbound Settings as follows:
    Field / Option: Description
    Block URLs Containing Dangerous File Extensions: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the What is a Dangerous File Type? page for further details.
    Scan URLs Found in Attachments: If this option is selected, you can select one or more of the following options. Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
      Option            File Type
      HTML Parts        .HTM
      Text Parts        .TXT
      Calendar Parts    .CAL
      Other File Types  All Microsoft Office, Open Office, and PDF files
  14. Click on the Enable Notifications option in the Outbound Settings section to display the fields below. These can be used to send notifications to specific users should a policy be triggered:
    Field / Option: Description
    Notify Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
    Notification URL Format: Controls the format of the rewritten URL notification sent to the group of users specified in the "Notify Group" option. The options are:
      • Safe URL: URLs are scanned, and blocked if considered unsafe.
      • Safe URL with Preview: URLs are displayed in a web page showing the original link.
  15. Click on the Enable Journal Checks option to display the fields below. These can be used to protect against malicious URLs in journaled traffic.
    This section is only displayed if your account has Targeted Threat Protection: Internal Email Protect enabled.
    Field / Option: Description
    URL Mode: Specify the URL check mode:
      • Aggressive: Checks anything that looks like a URL, or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
      • Moderate: Checks only when the URL contains a valid URL or path (e.g. www.domain.com).
      • Relaxed: Checks only URLs that contain a valid scheme (i.e. http:// or https://).
    URL Category Scanning: Specify how aggressively the URL engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:
      Category              Relaxed  Moderate  Aggressive
      Compromised           Y        Y         Y
      Phishing & Fraud      Y        Y         Y
      Spam Sites            N        Y         Y
      Malware               Y        Y         Y
      Botnets               Y        Y         Y
      Private IP Addresses  N        N         Y
    User Mailbox Action / User Mailbox Fallback Action: Select the action (or fallback action) to take on the user's mailbox if a message containing an unsafe URL is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a URL.
      • None: No action is taken on the user's mailbox, and the message is delivered to the recipients.
      • Remove Message: The message containing the URL is removed from the user's mailbox.
    Block URLs Containing Dangerous File Extensions: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the "What is a Dangerous File Type?" section below for further details.
    Scan URLs Found in Attachments: If this option is selected, you can select one or more of the following options. Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
      Option            File Type
      HTML Parts        .HTM
      Text Parts        .TXT
      Calendar Parts    .CAL
      Other File Types  All Microsoft Office, Open Office, and PDF files
  16. Click on the Enable Notifications option in the Journal Settings section to display the fields below. These can be used to send notifications to specific users should a policy be triggered:
    Field / Option: Description
    Notify Group: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
    Internal Sender: If selected, a notification is sent to the message's internal sender, if there is an unsafe URL.
    Internal Recipient: If selected, a notification is sent to the message's internal recipient, if there is an unsafe URL.
  17. Click on the Save and Exit button.
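The Rewrite Mode and URL Mode options in steps 8, 12 and 15 differ in how much URL-like text they act on. The following added example (not Mimecast code) approximates the three modes from the examples given in the option descriptions, so you can run representative message text through it before choosing a mode; the regular expressions and the sample text are assumptions, and the gateway's actual matching may differ.

```python
import re

# Assumed approximations of the three modes, derived only from the examples in
# the option descriptions on this page; the gateway's real rules may differ.
HOST = r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}"
TAIL = r"(?::\d+)?(?:[/?#]\S*)?"
RELAXED = re.compile(rf"https?://{HOST}{TAIL}", re.I)        # scheme + host + TLD
MODERATE = re.compile(rf"(?:https?://)?{HOST}{TAIL}", re.I)  # valid host or path
AGGRESSIVE = re.compile(r"https?://|www\.|\.[a-z]{2,}(?![a-z])", re.I)  # URL-like

MODES = ("relaxed", "moderate", "aggressive")

# Constructed sample message text.
SAMPLE = ("Reset at https://portal.example.com/login or www.example.org/reset, "
          "files on http://fileserver/share and portal_login.co.uk.")


def least_aggressive_mode(token):
    """Return the least aggressive mode that would act on token, or None."""
    if RELAXED.fullmatch(token):
        return "relaxed"
    if MODERATE.fullmatch(token):
        return "moderate"
    if AGGRESSIVE.search(token):
        return "aggressive"
    return None


def tokens(text):
    """Split on whitespace and drop surrounding punctuation."""
    return [t.strip(".,;:!?()<>\"'") for t in text.split()]


def acted_on(text, mode):
    """Tokens the given mode would rewrite or check, in message order."""
    limit = MODES.index(mode)
    hits = []
    for tok in tokens(text):
        needed = least_aggressive_mode(tok)
        if needed is not None and MODES.index(needed) <= limit:
            hits.append(tok)
    return hits


def left_untouched(text, mode):
    """URL-like tokens that only a more aggressive mode would act on."""
    covered = set(acted_on(text, mode))
    return [t for t in acted_on(text, "aggressive") if t not in covered]


if __name__ == "__main__":
    for m in MODES:
        print(m, acted_on(SAMPLE, m), "| untouched:", left_untouched(SAMPLE, m))
```
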

 

Configuring a URL Protection Policy


To configure a URL Protection policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Click on URL Protection. A list of policies is displayed.
  5. Either select the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Field / Option: Description
    Policy Narrative: Provide a description for the policy to allow you to easily identify it in the future.
    Select Option: Select a URL Protection definition from the drop down list.
  7. Complete the Emails From and Emails To sections as required:
    Field / Option: Description
    Addresses Based On: Specify the email address characteristics the policy is based on, available only in the "Emails From" section. The options are:
      • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
      • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
      • Both: Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. When both match, the specified value in the Message Header From will be used.
    Applies From / To: Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
      • Internal Address: Includes only internal organization addresses.
      • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
      • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
      • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
      • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / Option: Description
    Enable / Disable: Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, then it is automatically disabled.
    Set Policy as Perpetual: Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override: Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.
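The "Addresses Based On", "Email Domain", "Bi-Directional" and "Source IP Ranges" options together decide whether a policy is applied to a message. The following added example (not Mimecast code) is a simplified model of that scoping, assumed from the option descriptions above, for checking a planned policy against a test message; the policy dictionary keys, addresses and IP ranges are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed test message: the header From differs from the envelope sender.
RAW = ("From: Accounts <accounts@partner.example>\n"
       "To: finance@corp.example\n"
       "Subject: Statement\n\nSee attached.\n")
ENVELOPE_FROM = "bounce-4411@mailer.example"

# Hypothetical policy record; the keys are illustrative, not a product schema.
POLICY = {"based_on": "envelope",            # "envelope", "header" or "both"
          "from_domain": "partner.example",  # Emails From: Email Domain
          "to_domain": "corp.example",       # Emails To: Email Domain
          "source_ranges": ["203.0.113.0/24"],
          "bidirectional": False}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def sender_addresses(envelope_from, raw_message, based_on):
    """Addresses the policy compares, per the 'Addresses Based On' option."""
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return {"envelope": [envelope_from],
            "header": [header_from],
            "both": [envelope_from, header_from]}[based_on]


def in_source_ranges(source_ip, ranges):
    """True when no range is configured or the IP falls inside one (CIDR)."""
    if not ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def policy_applies(policy, envelope_from, rcpt_to, raw_message, source_ip):
    if not in_source_ranges(source_ip, policy["source_ranges"]):
        return False
    senders = {domain(a) for a in
               sender_addresses(envelope_from, raw_message, policy["based_on"]) if a}
    rcpt = domain(rcpt_to)
    forward = policy["from_domain"] in senders and rcpt == policy["to_domain"]
    # Bi-Directional: sender and recipient scopes swapped.
    reverse = (policy["bidirectional"] and policy["to_domain"] in senders
               and rcpt == policy["from_domain"])
    return forward or reverse


if __name__ == "__main__":
    for basis in ("envelope", "header", "both"):
        p = dict(POLICY, based_on=basis)
        print(basis, policy_applies(p, ENVELOPE_FROM, "finance@corp.example",
                                    RAW, "203.0.113.25"))
```
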

 
