Applies To...
An attachment protection definition sets the conditions under which an email attachment is considered safe, or whether action should be taken if considered unsafe. This guide describes how administrators can configure attachment protection definitions. Once configured, they can be applied to an Attachment Protection Policy to protect users against spear phishing and targeted attacks.
Best Practice Settings
When configuring your definitions, you should consider our recommended best practice settings. Where a field / option has a best practice setting, it is displayed in the "Configuring a Definition" subsections below. These are based on commonly used configurations, and can provide an optimal solution to protect you against targeted attacks via attachments. However it is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, amending these options where necessary.
Configuring a Definition
To configure an attachment protection definition:
- Log in to the Administration Console.
- Click on the Administration toolbar button. A menu drop down is displayed.
Click on the Gateway | Policies menu item.
- Hover over the Definitions button.
- Select Attachment Protection from the drop down menu. Any existing definitions are listed.
- Either click the:
- New Definition button to create a definition.
- Definition to be changed.
- In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
- Complete the following sections as required:
- Inbound Settings: See the Inbound Settings section below for full details.
- Outbound Settings: See the Outbound Settings section below for full details.
- Journal Settings: See the Journal Settings section below for full details.
The "Outbound Settings" and "Journal Settings" sections are only displayed if your account has Internal Email Protect enabled. - Click on the Save and Exit button.
Inbound Settings
Field / Option | Description | Best Practice Setting |
---|---|---|
Enable Inbound Check | If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in inbound traffic. When setting up inbound checks, use a policy with the correct routing to activate this definition. | Enabled |
Attachment Protect Delivery Options | Specify a delivery option for the definition. The options are:
| Dynamic Configuration |
Ignore Signed Messages | If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact, but means attachments are not security checked. This option is not displayed if the "Attachment Protect Delivery Options" field is set to a value of "Pre-emptive Sandbox". | Disabled |
Sandbox Fallback Action | Specify the action to take if an attachment cannot be processed by the pre-emptive sandbox. the options are:
This option is only displayed if the "Attachment Protect Delivery Options" field is set to a value of "Preemptive Sandbox". | Hold for Administrator Review |
Release Forwarded Internal Attachment | Controls whether any internally forwarded attachment can be released from the sandbox. | Enabled |
Administrator Notification | Enables a groups of users to be notified when an attachment is unsafe. If selected, the "Admin Review Group" field is displayed. See the Managing Groups page for full details on creating the group. | Enabled |
Admin Review Group | Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments. | Select the appropriate group of users. |
Default Transcribed Document Format | Specify the default file format to be used for safe file document transcription. The options are:
| |
Default Transcribed Spreadsheet Format | Specify the default file format to be used for safe file spreadsheet transcription. The options are
| HTML |
Spreadsheet Worksheet Options | Specify the option to use for spreadsheets containing multiple worksheets. The options are:
| Transcribe All Worksheets |
Outbound Settings
Field / Option | Description | Best Practice Setting |
---|---|---|
Enable Outbound Check | If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in outbound traffic. When setting up outbound checks, use a policy with the correct routing to activate this definition. | Enabled |
Gateway Action | Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. A "Gateway Fallback Action" is only applied if we are unable to check a message's attachment.
| Hold |
Gateway Fallback Action | ||
User Mailbox Action | Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a message's attachment.
In non-Exchange environments automatic remediation is not supported. However if a support journal connector is used, you can leverage detection, and through these alerts perform manual remediation. | None This is an initial setting, but should be reviewed periodically. |
User Mailbox Fallback Action | ||
Enable Notifications | Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed. | Enabled |
Notify Group | Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments. | Select the appropriate group of users. |
Internal Sender | If selected, a notification is sent to the message's internal sender, if an unsafe attachment is detected. | Enabled |
Internal Recipient | If selected, a notification is sent to the message's internal recipient, if an unsafe attachment is detected. | Enabled |
Journal Settings
Field / Option | Description | Best Practice Setting |
---|---|---|
Enable Journal Check | If selected, the fields / options listed below are displayed. These can be used to protect against malicious attachments in journaled traffic. | Enabled |
User Mailbox Action | Select the action (or fallback action) to take on the user's mailbox when a message containing an unsafe attachment is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a message's attachment.
| None This is an initial setting, but should be reviewed periodically. |
User Mailbox Fallback Action | ||
Enable Notifications | Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe attachment is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed. | Enabled |
Notify Group | Select a group of administrators, via the Lookup button, to receive notifications of any unsafe attachments. | Select the appropriate group of users. |
Internal Sender | If selected, a notification is sent to the message's internal sender, if there is an unsafe attachment. | Enabled |
Internal Recipient | If selected, a notification is sent to the message's internal recipient, if there is an unsafe attachment. | Enabled |
See Also...
In the "Default Transcribed Spreadsheet Format" section, you recommend HTML, but in the video you recommend CSV. Which one is it?