Targeted Threat Protection - Impersonation Protect Best Practice

Document created by user.oxriBaJeN4 Employee on Aug 16, 2016. Last modified by user.Yo2IBgvWqr on Jul 20, 2017
Version 29


Targeted Threat Protection - Impersonation Protect provides dedicated protection for impersonation attacks, often referred to as “whaling”. It looks for combinations of key identifiers commonly found in such attacks, to identify a suspicious message.


If a message is considered suspicious, the actions that can be applied include bouncing it, holding it, or visually marking it as suspicious. Additionally, all messages coming from external sources can be visibly marked, to help users identify them as coming from outside your organization.


We recommend using the settings below to ensure optimal protection from Targeted Threat Protection - Impersonation Protect. The settings are split between:

  • Impersonation Protection Definitions
  • Impersonation Protection Policies

These settings are based on commonly used configurations that can provide an optimal solution to protect you against targeted whaling attacks. It is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, tweaking these options where necessary.

Impersonation Protection Definitions


In the initial phase, the following fields / options settings should be used to configure an Impersonation Protection Definition.


Field / Option | Best Practice Setting | Comments
Similar Internal Domain | Selected | This provides protection for inbound messages where the sender's domain is similar to any of your internal domains. This option is used in conjunction with the "Similarity Difference" option.
Similarity Difference | 2 | This indicates how many characters must be different from your internal domain for the "Similar Internal Domain" check to be triggered. Less-than-or-equal-to logic is used for this check. For example, with a value of 2, this check will trigger on any external domain that has a two or one character difference. A similarity distance of 2 is recommended; however, ensure you use a threshold that is optimal for your internal domains, especially if you have domains that only contain a few characters.
Newly Observed Domain | Selected | This identifies whether the sender's domain has only been used to send traffic in the last week. This ensures domains that have only started to be active recently, possibly indicating suspicious activity, are detected.
Internal User Name | Selected | This identifies if the sender's display name is the same as one of your internal user names, with the exception of the recipient's user name. This ensures any threats that spoof an internal user are detected. For example, if a message is sent from "User One <>" to "userone@<domain>.com", because it is the same user name as the recipient, the recipient can tell if they are being spoofed.
Reply-to Address Mismatch | Unselected | Enable this option to identify if a mismatch has occurred between the sender's email address (in either or both of the Header and Envelope) and the Reply-To email address. If selected, this option may return false positives if the "Number of Hits" option is left with the best practice setting below. Consider increasing that value to "3".
Targeted Threat Dictionary | Selected | This compares characteristics in the message's header, subject, and body against a dictionary of suspicious content. This ensures attackers that focus on financial gain or access to sensitive information are detected.
Number of Hits | 2 | This ensures two or more of the four checks listed above must be triggered for any action to take place. One check by itself could cause false positive results. Exceptions to this rule can include high profile targets (e.g. senior executives). See the Examples section below for further details.

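
As an added illustration (not Mimecast's code and not part of the original page), the sketch below shows how a "Similarity Difference" threshold and the "Number of Hits" rule interact. It assumes the difference is measured as Levenshtein edit distance, which the page does not state; the domains and function names are constructed for the example.

```python
# Added illustration; not Mimecast code. Levenshtein distance is an assumed
# stand-in for the product's "Similarity Difference" measure.

def edit_distance(a: str, b: str) -> int:
    """Classic dynamic-programming Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similar_internal_domain(sender_domain, internal_domains, difference=2):
    """Return the internal domain the sender resembles, or None.

    Follows the "less than or equal to" logic from the table: a sender
    domain that differs by 1..difference characters triggers the check.
    An exact match (distance 0) is the internal domain itself.
    """
    sender_domain = sender_domain.lower()
    for internal in internal_domains:
        d = edit_distance(sender_domain, internal.lower())
        if 1 <= d <= difference:
            return internal
    return None


def is_suspicious(checks: dict, number_of_hits: int = 2) -> bool:
    """Apply the "Number of Hits" rule: enough enabled checks must fire."""
    return sum(bool(v) for v in checks.values()) >= number_of_hits


# Constructed sample domains (hypothetical, not from the page).
INTERNAL = ["northwind.example", "abc.example"]

if __name__ == "__main__":
    for sender in ("northw1nd.example", "xbz.example", "unrelated.example"):
        print(sender, "->", similar_internal_domain(sender, INTERNAL))
```

With a difference of 2, the short domain abc.example also matches the unrelated xbz.example, which is the false-positive risk the "Similarity Difference" comment warns about for domains with only a few characters.
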
When enabling Targeted Threat Protection - Impersonation Protect, we recommend a phased approach for the actions taken on detected messages. Start with a notification to administrators. Once you are comfortable with the settings listed above, consider changing the following options to hold and tag suspicious messages.

Field / Option | Best Practice Setting | Comments
Action | Hold for Review | This ensures the message is not delivered directly to the recipient, but sent to the held queue instead.
Hold Type | User | If the "Notify (Internal) Recipient" option is selected (recommended), this ensures a notification is sent to the message's recipient. It allows them to release the message if it is a false positive.
Tag Message Body | Selected | This adds the following message into the message's body: “This message contains suspicious characteristics and has originated from outside your organization”.
Tag Subject | Selected | This adds "[SUSPICIOUS MESSAGE]" into the message's subject.
Tag Header | Selected | This adds “X-Mimecast-Gateway-Protect: suspicious; Similar Domain = true/false; Newly Observed Domain = true/false; Internal User Name = true/false; Targeted Threat Dictionary = true/false” into the message's header.

Users can create rules in their email client based on the three tags (message body, subject, and header) to take action on the message (e.g. move messages to a "Held Messages" folder).
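
For administrators reviewing tagged messages, the header tag can also be read programmatically. The following is an added example, not Mimecast code: it parses the header layout quoted in the "Tag Header" row above, and the sample message, addresses and function names are constructed for illustration.

```python
# Added illustration; not Mimecast code. Parses the header layout quoted in
# the "Tag Header" row; the sample message below is constructed.
from email import message_from_string

HEADER = "X-Mimecast-Gateway-Protect"


def parse_protect_header(raw_message: str):
    """Return (verdict, {check_name: bool}), or None if the tag is absent."""
    value = message_from_string(raw_message).get(HEADER)
    if value is None:
        return None
    # Splitting on ";" and stripping also copes with a folded header line.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    verdict, checks = parts[0].lower(), {}
    for part in parts[1:]:
        name, sep, flag = part.partition("=")
        if sep:  # skip fragments that are not "name = value"
            checks[name.strip()] = flag.strip().lower() == "true"
    return verdict, checks


def triggered_checks(raw_message: str):
    """List the checks that fired on a message tagged as suspicious."""
    parsed = parse_protect_header(raw_message)
    if parsed is None or parsed[0] != "suspicious":
        return []
    return sorted(name for name, hit in parsed[1].items() if hit)


# Constructed sample message (hypothetical addresses and content).
SAMPLE = (
    "From: User One <user.one@northw1nd.example>\n"
    "To: finance@northwind.example\n"
    "Subject: [SUSPICIOUS MESSAGE] Urgent wire transfer\n"
    "X-Mimecast-Gateway-Protect: suspicious; Similar Domain = true;\n"
    " Newly Observed Domain = false; Internal User Name = true;\n"
    " Targeted Threat Dictionary = false\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    print(triggered_checks(SAMPLE))
```
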

In addition to the actions above, the following notifications should be set up to ensure messages detected as suspicious are highlighted immediately.


Field / Option | Best Practice Setting | Comments
Notify Group | Selected | This ensures a group of users (e.g. Administrators) are notified when a malicious message is received. Use the "Lookup" button to select a group. See the Managing Profile Groups page for full details on creating the group.
Notify (Internal) Recipient | Selected | This ensures the message's recipient is notified that a message destined for them has been detected as suspicious. This enables them to take any necessary action.


Impersonation Protection Policies


The following fields / options settings should be used to configure an Impersonation Protection Policy.


Field / Option | Best Practice Setting | Comments
Select Option | See "Comments" | The options in the drop down list are your Impersonation Protection Definitions. Select the definition you want to use for the policy.
Emails From: Applies From | External Addresses | This ensures all inbound traffic is taken into account. When creating the policy for External and Internal Addresses, apply it to a group of users first via the "Address Groups" option. This ensures the configuration works as expected in your environment.
Emails To: Applies To | Internal Addresses |
Enable / Disable | Enable | This activates the policy.


Depending on your organizational requirements, it may be beneficial to create Impersonation Protection policies to protect specific user groups (e.g. Senior Management). The "Emails From: Applies From" option has two additional options, not available in other policies, that offer extra flexibility to target phishing messages:

  • Header Display Name: Use this option for messages purporting to come from a specific name. The name is specified in the "Specifically" field.
  • Freemail Domains: Use this option to hold messages coming from a freemail domain (e.g.




Example 1: Company Executives / High Profile Targets


For executives, particularly those disclosed on your company website, we recommend implementing a hit score of 1 on messages with their name as a display name. It is also advisable to configure individual policies for other high profile targets, and to consider alternative spellings. For example, "John Smith" (with a lowercase "I" in "Smith") and "John Smlth" (with a lowercase "L" in "Smith").


For this example, we recommend the definition should have the following settings:


Field / Option | Recommended Setting
Similar Internal Domain | Selected
Newly Observed Domain | Selected
Internal User Name | Selected
Number of Hits | 1


For this example, we recommend each policy should have the following settings:


Field / Option | Recommended Setting
Select Option | Specify the Impersonation Protection definition created above.
Addresses Based On | Both
Applied From | Header Display Name
Specifically | "John Smith" or "John Smlth" as appropriate.
Applies To | Internal Addresses

