Configuring a URL Protection Definition

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015. Last modified by user.oxriBaJeN4 Employee on Sep 26, 2017.
Version 39


 

This guide describes how administrators can configure URL protection definitions. Once configured, they can be applied to a URL Protection Policy to protect users against spear phishing and targeted attacks.

 

Best Practice Settings

 

 

When configuring your definitions, you should consider our recommended best practice settings. Where a field or option has a best practice setting, it is displayed in the "Configuring a Definition" subsections below. These are based on commonly used configurations, and can provide an optimal solution to protect you against targeted attacks via URLs. However, it is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, amending these options where necessary.

 

Internal Email Protect Differences

 

If you have Targeted Threat Protection: Internal Email Protect enabled on your account, the following differences will be seen:

  • When configuring a URL Protection definition, the "Outbound Settings" and "Journal Settings" sections are displayed. These aren't displayed if you don't have Internal Email Protect enabled.
  • The checks conducted on links in outbound and internal traffic are at the point of entry into Mimecast. Due to how these checks are conducted, the results may differ slightly from the inbound checks where Internal Email Protect isn't enabled.

 

Configuring a Definition

 

To configure a URL Protection definition:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
  4. Hover over the Definitions button.
  5. Select URL Protection from the drop down menu. Any existing definitions are listed.
  6. Either click the:
    • New Definition button to create a definition.
    • Definition to be changed.
  7. In the Definition Narrative field, provide a description of the definition. This is kept in the archive for messages that have this definition applied.
  8. Complete the following sections as required:
    1. Inbound Settings: See the Inbound Settings section below for full details.
    2. Outbound Settings: See the Outbound Settings section below for full details.
    3. Journal Settings: See the Journal Settings section below for full details.
  9. Click on the Save and Exit button.

 

Inbound Settings

 

Enable Inbound Checks
  Description: If selected, the fields / options listed below are displayed. These can be used to protect against malicious URLs in inbound traffic. When setting up inbound checks, use a policy with the correct routing to activate this definition.
  Best Practice Setting: -

Rewrite Mode
  Description: Select one of the following URL rewrite modes:
  • Aggressive: Rewrites anything that looks like a URL or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
  • Moderate: Rewrites strings that contain a valid URL or path (e.g. www.domain.com).
  • Relaxed: Rewrites only URLs that contain a valid URL and Top Level Domain (e.g. http://www.domain.co.uk).
  Best Practice Setting: Aggressive

Rewrite URLs Found in Attachments
  Description: If this option is selected, you can select one or more of the following options:

    Option           File Type
    HTML Parts       .HTM
    Text Parts       .TXT
    Calendar Parts   .CAL

  Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
  Best Practice Setting: Enabled with all options also enabled.

URL Category Scanning
  Description: Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:

    Category               Relaxed  Moderate  Aggressive
    Compromised            Y        Y         Y
    Phishing & Fraud       Y        Y         Y
    Spam Sites             N        Y         Y
    Malware                Y        Y         Y
    Botnets                Y        Y         Y
    Private IP Addresses   N        N         Y

  Best Practice Setting: Moderate

Action
  Description: Specify the action taken when an unsafe URL is detected:
  • Allow: Users can access the link, but all clicks are logged.
  • Warn: A warning page is displayed, but users are able to continue to the original destination. All clicks are logged.
  • Block: A block page is displayed, and users are prevented from accessing the URL. All clicks are logged.
  Best Practice Setting: Block

Message Subject Protection
  Description: Microsoft Outlook for Windows automatically converts URLs in the message's subject to hyperlinks. This option specifies how they are handled:
  • None: URLs in the message subject are ignored. URLs will not be scanned if clicked.
  • Remove URLs: URLs are removed from the message's subject.
  • Rewrite URLs: URLs in the message's subject are rewritten, so they are scanned.
    Rewritten links can be up to 200 characters long. Choosing "Rewrite URLs" will visibly alter the format of the message subject.
  Best Practice Setting: Rewrite URLs

Block URLs Containing Dangerous File Extensions
  Description: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the What is a Dangerous File Type? page for further details.
  Best Practice Setting: Enabled

Create Missing HTML Body
  Description: Specifies whether inbound plain text emails are reformatted as HTML. Doing so allows URLs to be rewritten.
  Best Practice Setting: Enabled

Administrator Notifications
  Description: Enables a group of users to be notified when a user clicks an unsafe URL. If selected, the "Notify Group" field is displayed. The notification received depends on the value of the "Action" field:
  • Allow: No notification is sent, but all clicks are logged.
  • Warn: A notification is sent when a link is clicked and blocked. Another alert is sent if the user selects the "Continue to Page" option.
  • Block: A notification is sent when a link is clicked and blocked.
  Best Practice Setting: Enabled

Notify Group
  Description: Use the Lookup button to select a group of users to be notified when a user clicks on an unsafe URL.
  Best Practice Setting: Select the appropriate group of users.

Notification URL Format
  Description: Controls the format of the rewritten URL notification sent to the group of users specified in the "Notify Group" option. The options are:
  • Safe URL: URLs are scanned, and blocked if considered unsafe.
  • Safe URL with Preview: URLs are displayed in a web page showing the original link.
  Best Practice Setting: Safe URL with Preview

Force Secure Connection
  Description: By default, all links protected by Targeted Threat Protection - URL Protect are rewritten as HTTPS. If enabled, this option rewrites all links as HTTPS. If disabled, all links are rewritten as HTTP. A confirmation is displayed if this option is disabled.
  Best Practice Setting: Enabled

Set to Default
  Description: Specifies this as the default definition. Any previously rewritten links that do not have a valid policy will use this definition. This option can only be set on one definition.
  Best Practice Setting: -

Ignore Signed Messages
  Description: If enabled, URL Protect is not applied to digitally signed messages. This ensures the message's signature remains intact, but means the URLs are not rewritten.
  Best Practice Setting: -

Display URL Destination Domain
  Description: If enabled, the URL's destination domain is displayed at the end of the rewritten link.
  Best Practice Setting: Enabled

Strip External Source Mode
  Description: If set to "Aggressive", all external components are removed from the message. This includes CSS, SVG files, font-types, and HTML tags (e.g. <embed>, <iframe>, <frame>, <object>). This may impact the formatting and readability of messages.
  Best Practice Setting: Off

Enable User Awareness
  Description: If enabled, user awareness messages are displayed in the browser when links are clicked in a message. The frequency of these messages is controlled by the "User Awareness Challenge Percentage" and "Disable User Awareness Dynamic Challenge Adjustment" fields. We recommend that Targeted Threat Protection authentication is enabled via the Administration | Account | Account Settings menu item. Using user awareness without authentication can result in a security risk.
  Best Practice Setting: Enabled

User Awareness Challenge Percentage
  Description: Select the frequency for displaying user awareness pages to the user when URLs in messages are clicked.
  Best Practice Setting: 5%

Disable User Awareness Dynamic Challenge Adjustment
  Description: By default, incorrectly responding to user awareness prompts increases the frequency with which the prompts are displayed to the user. Select this option to disable these adjustments.
  Best Practice Setting: Disabled

Outbound Settings

This section is only available if you have Targeted Threat Protection: Internal Email Protect enabled on your account.

Enable Outbound Checks
  Description: If selected, the fields / options listed below are displayed. These can be used to protect against unsafe URLs in outbound traffic. When setting up outbound checks, use a policy with the correct routing to activate this definition.
  Best Practice Setting: Enabled

URL Mode
  Description: Specify the URL check mode:
  • Aggressive: Checks anything that looks like a URL, or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
  • Moderate: Checks only when the URL contains a valid URL or path (e.g. www.domain.com).
  • Relaxed: Checks only URLs that contain a valid scheme (i.e. http:// or https://).
  Best Practice Setting: Moderate

Block URLs Containing Dangerous File Extensions
  Description: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the What is a Dangerous File Type? page for further details.
  Best Practice Setting: Enabled

URL Category Scanning
  Description: Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:

    Category               Relaxed  Moderate  Aggressive
    Compromised            Y        Y         Y
    Phishing & Fraud       Y        Y         Y
    Spam Sites             N        Y         Y
    Malware                Y        Y         Y
    Botnets                Y        Y         Y
    Private IP Addresses   N        N         Y

  Best Practice Setting: Moderate

Check URLs Found in Attachments
  Description: If this option is selected, you can select one or more of the following options:

    Option           File Type
    HTML Parts       .HTM
    Text Parts       .TXT
    Calendar Parts   .CAL

  Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
  Best Practice Setting: Enabled

Gateway Action
  Description: Select the action (or fallback action) to take if a message containing an unsafe URL is detected. A "Gateway Fallback Action" is only applied if we are unable to check a URL.
  • None: The message is delivered to the recipients.
  • Hold: The message is sent to the hold queue, and not delivered to the recipients.
  • Bounce: The message is rejected, and not delivered to the recipients.
  Best Practice Setting: Hold

Gateway Fallback Action
  Description: See "Gateway Action" above.

User Mailbox Action
  Description: Select the action (or fallback action) to take on the user's mailbox if a message containing an unsafe URL is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a URL.
  • None: No action is taken on the user's mailbox, and the message is delivered to the recipients.
  • Remove Message: The message containing the URL is removed from the user's mailbox.
  In non-Exchange environments automatic remediation is not supported. However, if a support journal connector is used, you can leverage detection and, through these alerts, perform manual remediation.
  Best Practice Setting: None. This is an initial setting, but should be reviewed periodically.

User Mailbox Fallback Action
  Description: See "User Mailbox Action" above.

Enable Notifications
  Description: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
  Best Practice Setting: Enabled

Notify Group
  Description: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe URLs.
  Best Practice Setting: Select the appropriate group of users.

Internal Sender
  Description: If selected, a notification is sent to the message's internal sender if there is an unsafe URL.
  Best Practice Setting: Enabled

Internal Recipient
  Description: If selected, a notification is sent to the message's internal recipient if there is an unsafe URL.
  Best Practice Setting: Enabled

 

Journal Settings

This section is only available if you have Targeted Threat Protection: Internal Email Protect enabled on your account.

Enable Journal Checks
  Description: If selected, the fields / options listed below are displayed. These can be used to protect against malicious URLs in journaled traffic.
  Best Practice Setting: Enabled

URL Mode
  Description: Specify the URL check mode:
  • Aggressive: Checks anything that looks like a URL, or contains formatting similar to a URL (e.g. http://, www., or .co.uk).
  • Moderate: Checks only when the URL contains a valid URL or path (e.g. www.domain.com).
  • Relaxed: Checks only URLs that contain a valid scheme (i.e. http:// or https://).
  Best Practice Setting: Moderate

Block URLs Containing Dangerous File Extensions
  Description: Specifies whether URLs containing file extensions that commonly contain malware are blocked. See the "What is a Dangerous File Type?" section below for further details.
  Best Practice Setting: Enabled

URL Category Scanning
  Description: Specify how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. The categories blocked by each setting are:

    Category               Relaxed  Moderate  Aggressive
    Compromised            Y        Y         Y
    Phishing & Fraud       Y        Y         Y
    Spam Sites             N        Y         Y
    Malware                Y        Y         Y
    Botnets                Y        Y         Y
    Private IP Addresses   N        N         Y

  Best Practice Setting: Moderate

Check URLs Found in Attachments
  Description: If this option is selected, you can select one or more of the following options:

    Option           File Type
    HTML Parts       .HTM
    Text Parts       .TXT
    Calendar Parts   .CAL

  Each of these options looks for file attachments in the message of the same file type, and rewrites any URLs found in them.
  Best Practice Setting: Enabled

Gateway Action
  Description: Select the action (or fallback action) to take if a message containing an unsafe URL is detected. A "Gateway Fallback Action" is only applied if we are unable to check a URL.
  • None: The message is delivered to the recipients.
  • Hold: The message is sent to the hold queue, and not delivered to the recipients.
  • Bounce: The message is rejected, and not delivered to the recipients.
  Best Practice Setting: Hold

Gateway Fallback Action
  Description: See "Gateway Action" above.

User Mailbox Action
  Description: Select the action (or fallback action) to take on the user's mailbox if a message containing an unsafe URL is detected. A "User Mailbox Fallback Action" is only applied if we are unable to check a URL.
  • None: No action is taken on the user's mailbox, and the message is delivered to the recipients.
  • Remove Message: The message containing the URL is removed from the user's mailbox.
  Best Practice Setting: None. This is an initial setting, but should be reviewed periodically.

User Mailbox Fallback Action
  Description: See "User Mailbox Action" above.

Enable Notifications
  Description: Enables a group of users to be notified, as well as the internal sender / recipient, when an unsafe URL is found. If selected, the "Notify Group", "Internal Sender", and "Internal Recipient" fields are displayed.
  Best Practice Setting: Enabled

Notify Group
  Description: Select a group of administrators, via the Lookup button, to receive notifications of any unsafe URLs.
  Best Practice Setting: Select the appropriate group of users.

Internal Sender
  Description: If selected, a notification is sent to the message's internal sender if there is an unsafe URL.
  Best Practice Setting: Enabled

Internal Recipient
  Description: If selected, a notification is sent to the message's internal recipient if there is an unsafe URL.
  Best Practice Setting: Enabled
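
To see why the strictness of the inbound "Rewrite Mode" and the outbound / journal "URL Mode" matters, the following added example (not Mimecast code, and not part of the original guide) approximates the three modes described above and reports the least inclusive mode that would still pick up each string. The matching rules, the small TLD set and the sample strings are assumptions constructed for illustration; the product's actual matching logic is not documented on this page.

```python
import re

# Assumption: a tiny sample of TLDs for the demo, not a complete list.
KNOWN_TLDS = {"com", "net", "org", "uk", "io"}
ORDER = ["Relaxed", "Moderate", "Aggressive"]  # least to most inclusive

# A dotted host name whose last label is captured as the TLD candidate.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+([a-z]{2,})$", re.I)
# "Looks like a URL": a scheme marker, a www. prefix, or a dotted suffix.
URLISH_RE = re.compile(r"https?://|www\.|\.[a-z]{2,}\b", re.I)


def _valid_host(host):
    m = HOST_RE.match(host)
    return bool(m) and m.group(1).lower() in KNOWN_TLDS


def _split(token):
    """Return (has_scheme, host) for a candidate string."""
    m = re.match(r"^(https?://)?([^/?#:\s]*)", token, re.I)
    return bool(m.group(1)), m.group(2)


def loosest_mode(token):
    """Least inclusive mode (in this sketch) that still picks up token."""
    has_scheme, host = _split(token)
    if _valid_host(host):
        # Scheme plus valid host and TLD satisfies even the Relaxed mode.
        return "Relaxed" if has_scheme else "Moderate"
    if URLISH_RE.search(token):
        return "Aggressive"
    return None


def coverage(samples):
    """Map each mode to the sample strings it would pick up."""
    def picked_up(token, mode):
        need = loosest_mode(token)
        return need is not None and ORDER.index(mode) >= ORDER.index(need)
    return {mode: [s for s in samples if picked_up(s, mode)] for mode in ORDER}


# Constructed sample strings, as they might appear in a message body.
SAMPLES = ["http://www.domain.co.uk/login", "www.domain.com",
           "domain.org/reset?u=1", "http://intranet/reset",
           "www.payroll", "10.30"]

if __name__ == "__main__":
    for mode, hits in coverage(SAMPLES).items():
        print(f"{mode:<10} picks up {len(hits)} of {len(SAMPLES)}: {hits}")
```

In this sketch the Relaxed mode picks up one of the six strings, Moderate three, and Aggressive five, which illustrates why the guide's best practice for inbound rewriting is "Aggressive".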

 
