Configuring an Impersonation Protection Definition

Document created by user.KZrHBaK4Vn Expert on Feb 9, 2016Last modified by user.Yo2IBgvWqr on Sep 22, 2017
Version 40

An impersonation protection definition is required to control what identifiers are used to detect phishing, whaling, impersonation, and socially engineered attacks. The definition also controls the action taken, if one or more identifiers are triggered.

 

Best Practice Settings

 

We've provided a list of Impersonation Protection definition settings which we consider best practice. These settings are based on commonly used configurations that can provide an optimal solution to protect you against targeted whaling attacks. It is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, tweaking these options where necessary.

 

See the Targeted Threat Protection - Impersonation Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

 

Configuring an Impersonation Protection Definition

 

To configure an Impersonation Protect definition:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item.
    If you don't see this menu item, your Mimecast account does not have the required permissions. Contact your administrator for assistance.
  4. Select the Impersonation Protection option in the Definitions drop down. Any existing definitions are displayed.
  5. Either:
    • Click the New Definition button.
    • Click the Definition to be changed.
  6. Complete the Identifier Settings dialog section:

    Definition
      Provide a description of the definition to help you identify it. This is appended to emails in the archive that have this definition applied.

    Similar Internal Domain
      This option checks the similarity of the sender's domain to all your internal domains. If selected, the Similarity Distance field allows you to specify the number of different characters between the sender's domain and your internal domains before an action is applied. For example, if the external sender's domain is "minecast.com", and you have the "mimecast.com" internal domain, a Similarity Distance of '1' would detect this.

      Less-than-or-equal-to logic is used for this check. Therefore, if the Similarity Distance is set to 2, this check triggers on any external domain that differs from one of your internal domains by 1 or 2 characters. For protection against exact spoofing of your internal domain, ensure an Anti-Spoofing Policy is enabled on your account.

    Newly Observed Domain
      This option checks the sender's domain against a list of domains that have only been seen sending traffic in the last week. This list includes domains that have existed for a while but have only started sending traffic in the last week. This check is not a "whois" lookup of the domain's registration.

      This list contains the most active domains from the last week. However, as we don't see all email traffic, it is possible that the list does not contain every potential threat.

    Internal User Name
      This identifies if the sender's display name is the same as one of your internal user names, with the exception of the recipient's user name. This ensures any threat that spoofs an internal user is detected. Users created manually in transit are not checked. For example, a message sent from "User One <test@hotmail.com>" to "userone@<domain>.com" falls under this exception, because it uses the same user name as the recipient, and the recipient can tell if they are being spoofed.

    Reply to Address Mismatch
      Enable this option to identify if a mismatch has occurred between the sender's email address (both Header and Envelope) and the Reply To email address.

      Messages may contain links that respond to a different email address than the one that sent the message (e.g. newsletters). If this is the case, you may need to configure an Impersonation Protection Bypass Policy.

    Targeted Threat Dictionary
      This option checks the message content against a Targeted Threat Dictionary. If selected, the "Mimecast Threat Dictionary" and "Custom Threat Dictionary" fields are displayed.

    Mimecast Threat Dictionary
      If selected, the message is checked against a dictionary maintained by Mimecast's dedicated Messaging Security team. They monitor threats and ensure the dictionary is kept up to date. Selecting this option helps detect suspicious characteristics in the email header, body, or subject.

    Custom Threat Dictionary
      If selected, the message is checked against your own threat dictionary. Click on the Lookup button to select the required dictionary or create a new one.

    Number of Hits
      Specify how many of the above identifiers have to match for an inbound mail to invoke an action. All checks are conducted on the Envelope AND Header From addresses by default.

      It is recommended that at least two identifiers are detected before taking any action.

    Ignore Signed Messages
      If enabled, Impersonation Protection is not applied to digitally signed messages. This ensures the signature of the message remains intact, but means that attachments won't be security checked.
  7. Specify the Identifier Actions to take when the Number of Hits threshold has been reached.

    Action
      Specify the required action:

      Held for Review
        The email is accepted, but placed in the Held queue. It can be viewed by selecting the Monitoring | Held menu item from the Administration drop down menu.

        If you have digest notifications enabled for the end user, mail detected by Impersonation Protection will be visible in the digest. Permitting via a digest won't bypass Impersonation Protection. Should this be required, a separate Impersonation Protection Bypass policy needs to be put in place for the sender.

      Bounce
        The email is accepted, but bounced back to the sender with a notification. It can be viewed by selecting the Monitoring | Bounces menu item from the Administration drop down menu.

      None
        The email is accepted, and delivery to the recipient is attempted.

      Irrespective of the action configured, messages can also be tagged using the options below.

    Hold Type
      Select from the drop down to restrict the view of held messages in Mimecast end user applications.

    Moderator Group
      Use the Lookup button to select a group of users to moderate the specified action.

    Tag Message Body
      If selected, a text box is displayed that allows you to specify a message (up to 500 characters) that is added to the message's body. If no text is specified, the following default text is used:

      [Image: default body tag text (Body Sus.png); not reproduced here]

      The text box displays plain text by default. If required, HTML can be specified instead to customize the look and feel of any notification.

    Tag Subject
      If selected, a text box is displayed that allows you to specify a message (up to 100 characters) that is added to the message's subject. If no text is specified, the following default text is used:

      [Image: default subject tag text (Subject.png); not reproduced here]

      The text box displays plain text by default. If required, HTML can be specified instead to customize the look and feel of any notification.

    Tag Header
      If selected, this option adds the following message to the email's header:

      [Image: header tag text (header.png); not reproduced here]

      To provide extra flexibility for administrators, if header tagging is enabled, Impersonation Protection stamps all inbound headers regardless of whether the Number of Hits threshold has been reached. However, the 'Suspicious' tagging is removed if the Number of Hits is not met.

  8. Complete the General Actions section as required:

    Mark All Inbound Items as 'External'
      When selected, the following tagging options are available:

      Tag Message Body
        If selected, a text box is displayed that allows you to specify a message (up to 500 characters) that is added to the message's body. If no text is specified, the following default text is used:

        [Image: default body tag text (Body copy.png); not reproduced here]

      Tag Subject
        If selected, a text box is displayed that allows you to specify a message (up to 100 characters) that is added to the message's subject. If no text is specified, the following default text is used:

        [Image: default subject tag text; not reproduced here]

      Tag Header
        If selected, the following is added to the email's header:

        [Image: header tag text; not reproduced here]

  9. Complete the Notifications section as required:

    Notify Group
      Use the Lookup button to select a group of users. They will be notified when the definition is triggered, and why.

    Notify (Internal) Recipient
      If selected, a notification is sent to the recipient of the message that triggered this definition. This applies to inbound messages only.

    Notify Overseers
      If selected, a notification is sent to the members of the Oversight Group when there is a Content Overseers policy active for the communication pair of the message and the message triggered this definition.
  10. Click the Save and Exit button.
  11. Add the definition to an Impersonation Protection policy.
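
As an added illustration of the Similar Internal Domain identifier from step 6 (example code, not part of the original article or Mimecast's product), the following Python applies the less-than-or-equal-to logic to a constructed list of internal domains. It assumes Levenshtein edit distance is the measure of "different characters", which the article does not state.

```python
# Added illustration of the "Similar Internal Domain" identifier. An external
# sender domain triggers when its distance to any internal domain is less than
# or equal to the configured Similarity Distance. ASSUMPTION: the distance is
# Levenshtein edit distance (insert/delete/substitute); the article only says
# "number of different characters". Domain lists below are constructed samples.

def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b, computed with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similar_internal_domain(sender_domain, internal_domains, similarity_distance):
    """Return {internal_domain: distance} for every internal domain within
    the threshold. Distance 0 (an exact match) is excluded: the article says
    exact spoofing of your own domain is handled by an Anti-Spoofing Policy."""
    sender = sender_domain.lower().rstrip(".")
    hits = {}
    for internal in internal_domains:
        d = levenshtein(sender, internal.lower().rstrip("."))
        if 0 < d <= similarity_distance:
            hits[internal] = d
    return hits


INTERNAL_DOMAINS = ["mimecast.com", "mimecast.co.uk"]   # constructed sample

if __name__ == "__main__":
    for sender in ["minecast.com", "mirnecast.com", "mimecast.com", "example.org"]:
        for threshold in (1, 2):
            print(sender, threshold,
                  similar_internal_domain(sender, INTERNAL_DOMAINS, threshold))
```

"minecast.com" is caught at distance 1, "mirnecast.com" only once the threshold is raised to 2, and the exact domain is left to the Anti-Spoofing Policy.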

 

Creating a Custom Threat Dictionary

 

To create a custom threat dictionary:

  1. Click on the Custom Threat Dictionary definition option.
  2. Click on the Lookup button.
  3. Click on the New Custom Dictionary button.
  4. Complete the Custom Dictionary Options dialog:

    Description
      Enter a description that enables you to identify the dictionary.

    Activation Score
      Specify a value that is used in conjunction with the "Word / Phrase Match List" field to determine if a threat is valid.

    Scan Subject Line / Scan Message Header / Scan Message Body
      Select one or all of these options to scan a message's subject, header, or body for the content specified in the "Word / Phrase Match List" field.

    Word / Phrase Match List
      Specify a list of words, phrases, or regular expressions, each preceded by a numerical weighting value. Multiple entries must be specified on separate lines. Messages are searched for the entries in the match list (in the components specified). If they are found, the individual weighting values are totaled, and if this total equals or exceeds the "Activation Score" value, a threat has been found. Example entries include:
      • 2 "urgent"
      • 2 "company confidential"
      • 1 regex \bpayment(s)?\b
      A maximum of 500 lines can be added.
  5. Click on the Save and Exit button. The dictionary is now available to select.
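
As an added illustration of the match-list scoring in step 4 (example code, not part of the original article or Mimecast's product), the following Python scores a constructed message against the three example entries above and compares the total with the Activation Score. It assumes case-insensitive matching and that each entry counts once however often it occurs; the article does not specify either.

```python
import re

# Added illustration of Custom Threat Dictionary scoring. Each match-list line
# is a weight followed by a quoted phrase or "regex <pattern>"; the weights of
# entries found in the scanned components are totalled, and the dictionary
# triggers when the total equals or exceeds the Activation Score.
# ASSUMPTIONS (not stated by the article): matching is case-insensitive and
# each entry counts once no matter how often it occurs. Sample data is constructed.

MATCH_LIST = r"""
2 "urgent"
2 "company confidential"
1 regex \bpayment(s)?\b
"""


def parse_match_list(text):
    """Turn match-list lines into (weight, compiled pattern) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        weight, rest = line.split(None, 1)
        if rest.startswith("regex "):
            pattern = rest[len("regex "):]          # regex used as written
        else:
            pattern = re.escape(rest.strip('"'))   # literal word or phrase
        entries.append((int(weight), re.compile(pattern, re.IGNORECASE)))
    return entries


def evaluate_dictionary(match_list, activation_score, message, scan):
    """Score the message components named in `scan` (subject/header/body).
    Returns (total_score, triggered)."""
    texts = [message.get(part, "") for part in scan]
    score = sum(weight for weight, pattern in parse_match_list(match_list)
                if any(pattern.search(t) for t in texts))
    return score, score >= activation_score


# Constructed sample message in the style of a whaling request.
MESSAGE = {
    "subject": "URGENT: Company Confidential",
    "header": "From: CEO <ceo@example.test>",
    "body": "Please process the attached payments before noon today.",
}

if __name__ == "__main__":
    print(evaluate_dictionary(MATCH_LIST, 4, MESSAGE, ("subject", "header", "body")))  # (5, True)
    print(evaluate_dictionary(MATCH_LIST, 4, MESSAGE, ("body",)))                      # (1, False)
```

Restricting the scan to the body alone drops the total below the Activation Score, which is why the components ticked in Scan Subject Line / Scan Message Header / Scan Message Body matter as much as the weights.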
