Configuring Impersonation Protection Definitions and Policies

Document created by user.KZrHBaK4Vn Expert on Feb 20, 2016. Last modified by user.oxriBaJeN4 on Nov 7, 2018.
Version 31

Impersonation Protection policies, together with configured definitions, allow you to control:

  • What emails to protect.
  • The identifiers used to detect phishing, whaling, impersonation, and socially engineered phishing attacks.
  • The action taken if one or more of the identifiers are triggered.

Best Practice Settings

 

We provide a list of Impersonation Protection definition settings, based on commonly used configurations, that we consider best practice. They provide an optimal solution to protect you against targeted whaling attacks. See the Impersonation Protect Best Practice page for full details. You must log on to Mimecaster Central to access this page.

As one setting may not meet all your specific requirements, we recommend you review your requirements and change these options where necessary.

Configuring an Impersonation Protection Definition

 

To configure an Impersonation Protection definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button.
  3. Click on the Gateway | Policies menu item.
  4. Click on the Impersonation Protection option in the Definitions drop down. Any existing definitions are displayed.
  5. Either click on the:
    • New Definition button.
    • Definition to be changed.
  6. Complete the Identifier Settings dialog section:
    Description
      Provide a description of the definition to help you identify it. This is appended to emails in the archive that have this definition applied.
    Similar Internal Domain
      If selected, the similarity distance of the sender's domain is checked against your internal domains. For example, if the sender's domain is "minecast.com", and you have the "mimecast.com" internal domain, it's a 'similarity distance' of '1' because one character is different. Mimecast automatically calculates the optimal similarity distance length to use specifically for the internal domains in your account. This allows the use of various character distances depending on the number of characters that are in each of your internal domains.
      For protection against exact spoofing of your internal domain, ensure an Anti-Spoofing Policy is enabled on your account.
    Similar Monitored External Domains
      If selected, the sender's domain is checked against your external domains according to the options below, at least one of which must be selected:
      • Check Mimecast Monitored External Domains: Checks the sender's domain against the Mimecast monitored external domains.
      • Check Custom Monitored External Domains: Checks the sender's domain against your custom monitored external domains. To update your custom domains, click on the Custom Monitored External Domains button at the top of the Impersonation Protection definition list. See the Custom Monitored External Domains page for more information.
    Newly Observed Domain
      If selected, the sender's domain is checked against a list of domains we maintain that have only been seen sending traffic in the last week. This can include older domains that have only been seen sending traffic in the last week. Additionally, as we don't see all email traffic, it's possible the list doesn't contain every potential threat.
    Internal User Name
      If selected, the sender's display name (e.g. their first and last name) is checked to see if it matches one of your internal user display names. This ensures any threats that spoof an internal user are detected.
      Users created manually in transit aren't checked. For example, if a message is sent from "User One <test@hotmail.com>" to "userone@<domain>.com", the recipient can tell if they are being spoofed because it's the same username as the recipient. Inbound messages from an external address that was extracted from a Directory sync as a mail contact are also not subjected to internal user name checks. Such addresses are shown with the "External Directories" icon next to them.
    Reply-to Address Mismatch
      If selected, a check is made to identify whether there is a mismatch between the sender's email address (Header only) and the Reply-To email address.
      Messages can contain links that respond to a different email address than the one that sent the message (e.g. newsletters). If this is the case, you may need to configure an Impersonation Protection Bypass Policy.
    Targeted Threat Dictionary
      If selected, the message content is checked against a Targeted Threat Dictionary according to one or both of the options below:
      • Mimecast Threat Dictionary: If selected, the message is checked against a dictionary maintained by Mimecast's dedicated Messaging Security team. They monitor threats and ensure the dictionary is kept up to date. This option helps detect suspicious characteristics in the email header, body, or subject.
      • Custom Threat Dictionary: If selected, the message is checked against your own threat dictionary. Click on the Lookup button to select the required dictionary. See the "Creating a Custom Threat Dictionary" section below for further details.
      The Mimecast Threat Dictionary and Custom Threat Dictionary options count as one hit in total, even when both dictionaries are in use.
    Number of Hits
      Specify how many of the above identifiers have to match for an inbound mail to invoke an action. All checks are conducted on the Envelope AND Header From addresses by default. It's recommended that at least two identifiers are detected before taking any action.
    Enable Advanced Similar Domain Checks
      If selected, checks are made for attacks where the sender's domain is similar to your internal or monitored external domains. You must have selected one of the following definition options for this feature to work:
      • Similar Internal Domains
      • Similar Monitored External Domains
    Ignore Signed Messages
      If selected, checks aren't performed on digitally signed messages. This ensures the signature of the message remains intact, but means attachments aren't security checked.
    Bypass Permitted Senders
      If selected, IP checks are bypassed for senders on your Permitted Senders list.
  7. Specify the Identifier Actions to take when the Number of Hits threshold has been reached:
    Action
      Specify the required action to be taken if the value specified in the "Number of Hits" option is met:
      Hold for Review
        The message is accepted but placed in the Held queue. It can be viewed by selecting the Monitoring | Held menu item in the Administration Console.
        If you have digest notifications enabled for the end user, mail detected by Impersonation Protection is visible in the digest. Permitting a message via a digest won't bypass Impersonation Protection. Should this be required, a separate Impersonation Protection Bypass policy needs to be put in place for the sender.
      Bounce
        The message is accepted but bounced back to the sender with a notification. It can be viewed by selecting the Monitoring | Bounces menu item in the Administration Console.
      None
        The message is accepted, and delivery to the recipient is attempted.
    Hold Type
      Select whether to restrict the view of held messages in Mimecast end user applications. The default value is "User", but you can restrict them to only be viewed by a moderator or administrator.
    Moderator Group
      Click on the Lookup button to select a group of users to moderate the specified action.
    Tag Message Body
      If selected, a text box is displayed that allows you to specify a message (up to 500 characters) that is added to the message's body. The text box displays plain text by default. If required, HTML can be specified to customize the text's look and feel. If no text is specified, the following default text is used:
      [image: default body tag text]
      Should we be unable to tag a message's body (e.g. due to the message's structure), the subject is tagged instead.
    Tag Subject
      If selected, a text box is displayed that allows you to specify a message (up to 100 characters) that is added to the message's subject. The text box displays plain text by default. If required, HTML can be specified instead to customize the text's look and feel. If no text is specified, the following default text is used:
      [image: default subject tag text]
    Tag Header
      If selected, the following message is added to the email's header:
      [image: header tag]
      To provide extra flexibility for administrators, if header tagging is enabled, Impersonation Protection stamps all inbound headers regardless of whether the Number of Hits threshold has been reached. However, the 'Suspicious' tagging is removed if the Number of Hits threshold is not met.

  8. Complete the General Actions section as required:
    Mark All Inbound Items as 'External'
      If selected, the following tagging options are available:
      Tag Message Body
        If selected, a text box is displayed that allows you to specify a message (up to 500 characters) that is added to the message's body. If no text is specified, the following default text is used:
        [image: default 'External' body tag text]
      Tag Subject
        If selected, a text box is displayed that allows you to specify a message (up to 100 characters) that is added to the message's subject. If no text is specified, the following default text is used:
        [image: default 'External' subject tag text]
      Tag Header
        If selected, the following is added to the email's header:
        [image: 'External' header tag]

  9. Complete the Notifications section as required:
    Notify Group
      Use the Lookup button to select a group of users. They are notified when the definition is triggered, and why.
    Notify (Internal) Recipient
      If selected, a notification is sent to the recipient of the message that triggered this definition. This applies to inbound messages only.
    Notify Overseers
      If selected, a notification is sent to the members of the Oversight Group when there is a Content Overseers policy active for the communication pair of the message and the message triggered this definition.
  10. Click on the Save and Exit button.
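The identifier checks in step 6 (similar domain, internal user name, Reply-To mismatch, threat dictionary) and the Number of Hits threshold are easier to reason about when written out. The Python below is an added example written for this page; it is not Mimecast code and does not reproduce Mimecast's detection logic. It assumes a fixed similarity distance of 1 (Mimecast derives the distance per internal domain), counts both threat dictionaries as a single hit as the page states, excludes exact domain matches because those belong to the Anti-Spoofing policy, and uses constructed sample domains, display names and messages.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed sample configuration (illustrative only; not real account data).
INTERNAL_DOMAINS = {"mimecast.com"}
MONITORED_EXTERNAL_DOMAINS = {"paypal.com", "docusign.com"}
INTERNAL_DISPLAY_NAMES = {"user one", "jane doe"}
NUMBER_OF_HITS = 2   # the page recommends acting only once at least two identifiers match
MAX_DISTANCE = 1     # assumption: Mimecast derives this per internal domain; fixed here


def levenshtein(a, b):
    """Edit distance between two strings: the page's 'similarity distance'
    ("minecast.com" vs "mimecast.com" is 1 because one character differs)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similar_domain(domain, known_domains, max_distance=MAX_DISTANCE):
    """True when the domain is a near miss of a known domain. An exact match is
    excluded: exact spoofing is the job of the Anti-Spoofing policy, not this check."""
    d = domain.lower()
    return any(0 < levenshtein(d, k) <= max_distance for k in known_domains)


@dataclass
class Message:
    header_from: str             # RFC 5322 From header, e.g. 'Jane Doe <jane@minecast.com>'
    envelope_from: str           # SMTP MAIL FROM address
    reply_to: str = ""           # Reply-To header, empty when absent
    dictionary_matches: int = 0  # matches from the Mimecast and/or custom threat dictionary


def sender_domains(msg):
    """Checks run on both the Envelope and Header From addresses."""
    _, header_addr = parseaddr(msg.header_from)
    return {addr.rsplit("@", 1)[1].lower()
            for addr in (header_addr, msg.envelope_from) if "@" in addr}


def identifiers_triggered(msg):
    """Return the names of the identifiers this message triggers."""
    hits = []
    display_name, header_addr = parseaddr(msg.header_from)
    domains = sender_domains(msg)
    if any(similar_domain(d, INTERNAL_DOMAINS) for d in domains):
        hits.append("similar_internal_domain")
    if any(similar_domain(d, MONITORED_EXTERNAL_DOMAINS) for d in domains):
        hits.append("similar_monitored_external_domain")
    if display_name.strip().lower() in INTERNAL_DISPLAY_NAMES:
        hits.append("internal_user_name")
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if reply_addr.lower() != header_addr.lower():
            hits.append("reply_to_address_mismatch")
    # Both threat dictionaries together count as one hit, as the page notes.
    if msg.dictionary_matches > 0:
        hits.append("targeted_threat_dictionary")
    return hits


def decide(msg, threshold=NUMBER_OF_HITS, action="hold_for_review"):
    """Apply the Number of Hits threshold; return (action, triggered identifiers)."""
    hits = identifiers_triggered(msg)
    return (action if len(hits) >= threshold else "none"), hits


if __name__ == "__main__":
    # Constructed sample messages: a lookalike-domain message that also borrows an
    # internal display name, and a newsletter whose only oddity is its Reply-To.
    lookalike = Message("Jane Doe <jane.doe@minecast.com>", "jane.doe@minecast.com")
    newsletter = Message("Newsletter <news@example.org>", "bounce@example.org",
                         reply_to="replies@other.example")
    for m in (lookalike, newsletter):
        print(decide(m))
```

The newsletter case shows why the page recommends a threshold of at least two: a Reply-To mismatch on its own is common in legitimate bulk mail and would only generate bypass-policy work if it triggered an action alone.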

 

Creating a Custom Threat Dictionary

 

To create a custom threat dictionary:

  1. Open the Definition for which you want to create the Custom Threat Dictionary.
  2. Click on the Targeted Threat Dictionary definition option (if not selected by default).
  3. Click on the Lookup button to the right of the "Custom Threat Dictionary" field.
  4. Click on the New Custom Dictionary button.
  5. Complete the Custom Dictionary Options dialog:
    Description
      Enter a description that enables you to identify the dictionary.
    Activation Score
      Specify a value that is used in conjunction with the "Word / Phrase Match List" field to determine if a threat is valid.
    Scan Subject Line / Scan Message Header / Scan Message Body
      Select one or all of these options to scan a message's subject, header, or body for the content specified in the "Word / Phrase Match List" field.
    Word / Phrase Match List
      Specify a list of words, phrases, or regular expressions, each preceded by a numerical weighting value. Multiple entries must be specified on separate lines, and a maximum of 500 lines can be added. Messages are searched for the entries in the match list (in the components specified). If they are found, the individual weighting values are totaled, and if this total equals or exceeds the "Activation Score" value, a threat has been found. Example entries include:
      • 2 "urgent"
      • 2 "company confidential"
      • 1 regex \bpayment(s)?\b
  6. Click on the Save and Exit button. The dictionary is now available to select.
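To show how the Word / Phrase Match List, the scan components and the Activation Score combine, here is an added Python example (not Mimecast code) that parses entries in the format shown above, scans the selected components, totals the weights and compares the total with the activation score. It assumes that quoted phrases match case-insensitively as substrings and that each entry contributes its weight once per message however often it occurs; both are assumptions made for this illustration, not statements about the product.

```python
import re
from dataclasses import dataclass

# Constructed sample match list in the format the page shows: a numeric weight,
# then either a quoted phrase or the word "regex" followed by a pattern.
SAMPLE_MATCH_LIST = r'''
2 "urgent"
2 "company confidential"
1 regex \bpayment(s)?\b
'''

MAX_LINES = 500  # the page's limit on match list entries
LINE_RE = re.compile(r'^(\d+)\s+(?:regex\s+(.+?)|"([^"]*)")\s*$')


@dataclass
class Entry:
    weight: int
    pattern: re.Pattern  # quoted phrases become escaped, case-insensitive patterns


def parse_match_list(text):
    """Parse match list lines into weighted entries, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        weight, regex, phrase = m.groups()
        if regex is not None:
            pattern = re.compile(regex, re.IGNORECASE)
        else:
            # Assumption: a quoted phrase matches case-insensitively as a substring.
            pattern = re.compile(re.escape(phrase), re.IGNORECASE)
        entries.append(Entry(int(weight), pattern))
    if len(entries) > MAX_LINES:
        raise ValueError(f"a maximum of {MAX_LINES} lines can be added")
    return entries


def score_message(entries, subject="", header="", body="",
                  scan=("subject", "header", "body")):
    """Total the weights of entries found in the selected components.
    Assumption: each entry contributes its weight once, however often it occurs."""
    components = {"subject": subject, "header": header, "body": body}
    text = "\n".join(components[c] for c in scan)
    total, matched = 0, []
    for entry in entries:
        if entry.pattern.search(text):
            total += entry.weight
            matched.append(entry.pattern.pattern)
    return total, matched


def is_threat(entries, activation_score, **components):
    """A threat is found when the total equals or exceeds the Activation Score."""
    total, _ = score_message(entries, **components)
    return total >= activation_score


if __name__ == "__main__":
    dictionary = parse_match_list(SAMPLE_MATCH_LIST)
    # Constructed sample message: all three entries match, for a total of 5.
    print(score_message(dictionary,
                        subject="URGENT: wire payment needed today",
                        body="This is company confidential."))
```

Restricting `scan` to the subject alone drops the "company confidential" hit from the sample message, so the same message scores 3 instead of 5; which components you tick therefore changes the activation score you need to set.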

 

Configuring an Impersonation Protection Policy

 

You can configure up to 20 Impersonation Protection policies. To do so:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button.
  3. Click on the Gateway | Policies menu item.
  4. Click on Impersonation Protection.
  5. Either:
    • Click the New Policy button to create a policy.
    • Click on the policy to be changed.
  6. Complete the Options section as required:
    Policy Narrative
      Provide a description of the policy to enable you to identify it. This is appended to emails in the archive that have the policy applied.
    Select Option
      Click on the Lookup button to display a list of Impersonation Protection definitions. Click on the Select link to the left of the definition to be applied when this policy is triggered.
    Preview
      This field is only displayed once a definition is selected in the "Select Option" field. Click on the preview definition icon to display a read-only version of the definition. Click on the Go Back button to return to the policy.
  7. Complete the Emails From section as required:
    Addresses Based On
      Specify the email address characteristics the policy is based on. The options are:
      • Return Address (Mail Envelope From): Applies the policy to the SMTP address match, based on the email's envelope or true address (i.e. the address used during SMTP transmission).
      • Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header. The "Addresses Based On" option is only available in the Emails From section.
      • Both: Applies the policy to both the Mail Envelope and Message Header From addresses. This is the default setting for Impersonation Protection policies.
      As Targeted Threat Protection - Impersonation Protect checks both the Envelope and Header From address, it always uses both addresses.
    Applies From
      Specify the sender characteristics the policy is based on. For multiple policies, apply them from the most to least specific. The options are:
      • External Addresses: Includes only external organization addresses.
      • Freemail Domains: Includes sender domains that are present on a Mimecast list of freemail domains.
      • Email Domain: Enables you to specify one or more domain names to which the policy is applied. If selected, the "Specifically" field allows you to enter the required domain names.
      • Address Groups: Enables you to specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button.
      • Header Display Name: Enables you to specify a Header Display Name. If selected, the "Specifically" field allows you to enter the required name. This option is only available if the "Addresses Based On" option has been set to "Message From Address" or "Both".
      • Address Attributes: Enables you to specify a predefined attribute. If selected, the "Where Attribute" field allows you to select the required attribute, and the "Is Equal To" field allows you to specify an attribute value. This option can only be used if attributes have been configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. If selected, the "Specifically" field allows you to enter the required email address.
  8. Complete the Emails To section as required:
    Applies From / To
      Specify the recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      • Internal Address: Includes only internal organization addresses.
      • Email Domain: Enables you to specify one or more domain names to which the policy is applied. If selected, the "Specifically" field allows you to enter the required domain names.
      • Address Groups: Enables you to specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button.
      • Address Attributes: Enables you to specify a predefined attribute. If selected, the "Where Attribute" field allows you to select the required attribute, and the "Is Equal To" field allows you to specify an attribute value. This option can only be used if attributes have been configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. If selected, the "Specifically" field allows you to enter the required email address.
  9. Complete the Validity section as required:
    Enable / Disable
      Use this to enable (default) or disable a policy. If a date range has been specified, the policy is automatically disabled when the end of the configured date range is reached.
    Set Policy as Perpetual
      If the policy's date range has no end date, this field displays "Always On", meaning that the policy never expires.
    Date Range
      Use this field to specify a start and/or end date for the policy. If the Eternal option is selected, no date is required.
    Policy Override
      This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    Bi-Directional
      If selected, the policy is also applied when the policy's recipient is the sender, and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x)
      Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  10. Click on the Save and Exit button.

 
