Impersonation Protection policies, together with configured definitions, allow you to control:
- What emails to protect.
- The identifiers used to detect phishing, whaling, impersonation, and socially engineered phishing attacks.
- The action taken if one or more of the identifiers are triggered.
Best Practice Settings
We've provided a list of Impersonation Protection definition settings which we consider best practice. These settings are based on commonly used configurations that provide a sound baseline of protection against targeted whaling attacks. It's important to understand that one setting may not meet all your specific requirements. We recommend that you review your environment and tweak these options where necessary.
See the Impersonation Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.
Configuring an Impersonation Protection Definition
To configure an Impersonation Protection definition:
- Log on to the Administration Console.
- Select the Administration toolbar button.
- Select the Gateway | Policies menu item. If you don't see this menu item, your Mimecast account doesn't have the required permissions. Contact your administrator for assistance.
- Select the Impersonation Protection option in the Definitions drop down. Any existing definitions are displayed.
- Either select the:
- New Definition button.
- Definition to be changed.
- Complete the Identifier Settings dialog section:
| Field / Option | Description |
|---|---|
| Definition | Provide a description of the definition to help you identify it. This is appended to emails in the archive that have this definition applied. |
| Similar Internal Domain | This option checks the similarity of the sender's domain to all your internal domains. If selected, the Similarity Distance field allows you to specify the number of different characters between the sender's domain and your internal domains before an action is applied. For example, if the external sender's domain is "minecast.com" and you have the "mimecast.com" internal domain, a Similarity Distance of 1 would detect this. Less-or-equal logic is used for this check: if the Similarity Distance is set to 2, the check triggers on any external domain that differs from one of your internal domains by 1 or 2 characters. For protection against exact spoofing of your internal domain, ensure an Anti-Spoofing Policy is enabled on your account. |
| Newly Observed Domain | This option checks the sender's domain against a list of domains that have only been seen sending traffic in the last week. This list includes domains that have existed for a while but have only started sending traffic in the last week. The check is not a WHOIS lookup of the domain's registration. The list contains most active domains from the last week; however, as we don't see all email traffic, it may not contain every potential threat. |
| Internal User Name | This identifies whether the sender's display name (usually the first and last name) is the same as one of your internal user display names, excluding the recipient's own internal username. This ensures threats that spoof an internal user are detected. Users created manually in transit are not checked. For example, if a message is sent from "User One <email@example.com>" to "userone@<domain>.com", the recipient can tell they are being spoofed because the display name is the same as the recipient's own username. |
| Reply to Address Mismatch | Enable this option to identify a mismatch between the sender's email address (both Header and Envelope) and the Reply To email address. Messages may legitimately contain links that respond to a different email address than the one that sent the message (e.g. newsletters). If this is the case, you may need to configure an Impersonation Protection Bypass Policy. |
| Targeted Threat Dictionary | This option checks the message content against a Targeted Threat Dictionary. If selected, the "Mimecast Threat Dictionary" and "Custom Threat Dictionary" fields are displayed. |
| Mimecast Threat Dictionary | If selected, the message is checked against a dictionary maintained by Mimecast's dedicated Messaging Security team, who monitor threats and keep the dictionary up to date. Selecting this option helps detect suspicious characteristics in the email header, body, or subject. |
| Custom Threat Dictionary | If selected, the message is checked against your own threat dictionary. Click on the Lookup button to select the required dictionary or create a new one. |
| Number of Hits | Specify how many of the above identifiers have to match for an inbound mail to invoke an action. All checks are conducted on the Envelope AND Header From addresses by default. It is recommended that at least two identifiers are detected before taking any action. |
| Ignore Signed Messages | If enabled, Impersonation Protection is not applied to digitally signed messages. This ensures the signature of the message remains intact, but means that attachments won't be security checked. |
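The Similarity Distance rule (less-or-equal matching against every internal domain) and the Number of Hits threshold described above, modelled in Python as an added example. This is illustrative code, not Mimecast's implementation: the internal domains, display names, newly observed domain list and messages are constructed sample data, and Levenshtein edit distance is assumed as the "number of different characters" measure.

```python
from dataclasses import dataclass

# Constructed sample configuration (hypothetical values, not a real tenant or list).
INTERNAL_DOMAINS = {"mimecast.com"}
INTERNAL_DISPLAY_NAMES = {"user one", "jane doe"}
NEWLY_OBSERVED_DOMAINS = {"m1mecast-billing.com"}  # stand-in for the weekly list

def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similar_internal_domain(domain: str, similarity_distance: int) -> bool:
    """The page's 'less or equal' rule: a distance of 2 also catches 1-character lookalikes.
    An exact internal domain is not a lookalike (that case is the Anti-Spoofing policy's job)."""
    domain = domain.lower()
    return domain not in INTERNAL_DOMAINS and any(
        levenshtein(domain, d) <= similarity_distance for d in INTERNAL_DOMAINS)

@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM address
    header_from: str     # RFC 5322 From address
    display_name: str    # From header display name
    reply_to: str
    recipient: str

def identifier_hits(msg: Message, similarity_distance: int = 1) -> list[str]:
    """Identifiers that trigger; domain checks run on Envelope AND Header From."""
    domains = {a.rsplit("@", 1)[1].lower() for a in (msg.envelope_from, msg.header_from)}
    hits = []
    if any(similar_internal_domain(d, similarity_distance) for d in domains):
        hits.append("Similar Internal Domain")
    if domains & NEWLY_OBSERVED_DOMAINS:
        hits.append("Newly Observed Domain")
    name = msg.display_name.lower()  # skipped when the recipient is that same user
    if name in INTERNAL_DISPLAY_NAMES and name.replace(" ", "") != msg.recipient.split("@")[0].lower():
        hits.append("Internal User Name")
    if msg.reply_to.lower() not in {msg.envelope_from.lower(), msg.header_from.lower()}:
        hits.append("Reply to Address Mismatch")
    return hits

def should_take_action(msg: Message, number_of_hits: int = 2) -> bool:
    """Number of Hits threshold; the page recommends at least two identifiers."""
    return len(identifier_hits(msg)) >= number_of_hits
```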
- Specify the Identifier Actions to take when the Number of Hits threshold has been reached:
- Complete the General Actions section as required:
| Field / Option | Description |
|---|---|
| Mark All Inbound Items as 'External' | When selected, the following tagging options are available: |

| Field / Option | Description |
|---|---|
| Tag Message Body | If selected, a text box is displayed that allows you to specify a message (up to 500 characters) that is added to the message's body. If no text is specified, the following default text is used. |
| Tag Subject | If selected, a text box is displayed that allows you to specify a message (up to 100 characters) that is added to the message's subject. If no text is specified, the following default text is used. |
| | If selected, the following is added to the email's header: |
- Complete the Notifications section as required:
| Field / Option | Description |
|---|---|
| Notify Group | Use the Lookup button to select a group of users. They will be notified when the definition is triggered, and why. |
| Notify (Internal) Recipient | If selected, a notification is sent to the recipient of the message that triggered this definition. This applies to inbound messages only. |
| Notify Overseers | If selected, a notification is sent to the members of the Oversight Group when there is a Content Overseers policy active for the communication pair of the message and the message triggered this definition. |
- Select the Save and Exit button.
Creating a Custom Threat Dictionary
Configuring an Impersonation Protection Policy
You can configure up to 20 Impersonation Protection policies. To do so:
- Log on to the Administration Console.
- Select the Services toolbar button.
- Select the Gateway | Policies menu item.
- Select Impersonation Protection.
- Either:
- Click the New Policy button to create a policy.
- Click on the policy to be changed.
- Complete the Options section as required:
| Field / Option | Description |
|---|---|
| Policy Narrative | Provide a description of the policy to enable you to identify it. This is appended to emails in the archive that have the policy applied. |
| Select Option | Click on the Lookup button to display a list of Impersonation Protection definitions. Click on the Select link to the left of the definition to be applied when this policy is triggered. |
| Preview | This field is only displayed once a definition is selected in the "Select Option" field. Click on the icon to display a read-only version of the definition. Click on the Go Back button to return to the policy. |
- Complete the Emails From section as required:
| Field / Option | Description |
|---|---|
| Addresses Based On | Specify the email address characteristics the policy is based on. The options are: |

| Option | Description |
|---|---|
| Return Address (Mail Envelope From) | Applies the policy to the SMTP address match, based on the email's envelope or true address (i.e. the address used during SMTP transmission). |
| Message From Address (Message Header From) | Applies the policy based on the masked address used in the message's header. The "Addresses Based On" option is only available in the Emails From section. |
| Both | Applies the policy to both the Mail Envelope and Message Header From addresses. This is the default setting for Impersonation Protection policies. |

As Targeted Threat Protection - Impersonation Protect checks both the Envelope and Header From address, it always uses both addresses.

| Field / Option | Description |
|---|---|
| Applies From / To | Specify the sender characteristics the policy is based on. For multiple policies, apply them from the most to least specific. The options are: |

| Option | Description |
|---|---|
| External Addresses | Includes only external organization addresses. |
| Freemail Domains | Includes sender domains that are present on a Mimecast list of freemail domains. |
| Email Domain | Enables you to specify one or more domain names to which the policy is applied. If selected, the "Specifically" field allows you to enter the required domain names. |
| Address Groups | Enables you to specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button. |
| Header Display Name | Enables you to specify a Header Display Name. If selected, the "Specifically" field allows you to enter the required name. This option is only available if the "Addresses Based On" option has been set to "Message From Address" or "Both". |
| Address Attributes | Enables you to specify a predefined attribute. If selected, the "Where Attribute" field allows you to select the required attribute, and the "Is Equal To" field allows you to specify an attribute value. This option can only be used if attributes have been configured for user accounts. |
| Individual Email Address | Enables you to specify an SMTP address. If selected, the "Specifically" field allows you to enter the required email address. |
- Complete the Emails To section as required:
| Field / Option | Description |
|---|---|
| Applies From / To | Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are: |

| Option | Description |
|---|---|
| Internal Address | Includes only internal organization addresses. |
| Email Domain | Enables you to specify one or more domain names to which the policy is applied. If selected, the "Specifically" field allows you to enter the required domain names. |
| Address Groups | Enables you to specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button. |
| Address Attributes | Enables you to specify a predefined attribute. If selected, the "Where Attribute" field allows you to select the required attribute, and the "Is Equal To" field allows you to specify an attribute value. This option can only be used if attributes have been configured for user accounts. |
| Individual Email Address | Enables you to specify an SMTP address. If selected, the "Specifically" field allows you to enter the required email address. |
- Complete the Validity section as required:
| Field / Option | Description |
|---|---|
| Enable / Disable | Use this to enable (default) or disable a policy. If a date range has been specified, the policy is automatically disabled when the end of the configured date range is reached. |
| Set Policy as Perpetual | If the policy's date range has no end date, this field displays "Always On", meaning that the policy never expires. |
| Date Range | Use this field to specify a start and/or end date for the policy. If the Eternal option is selected, no date is required. |
| Policy Override | This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override. |
| Bi-Directional | If selected, the policy is also applied when the policy's recipient is the sender and the sender is the recipient. |
| Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. |
- Select the Save and Exit button.