Targeted Threat Protection - Attachment Protect Best Practice

Document created by user.oxriBaJeN4 Employee on Aug 12, 2016. Last modified by user.oxriBaJeN4 Employee on May 25, 2017.
Version 19

Targeted Threat Protection - Attachment Protect is an advanced Mimecast service that protects customers from the growing risk of spear phishing and other targeted attacks using attachments. This protection is provided on all devices used for the end user's enterprise email account, including smartphones or tablets, whether they are provided directly by the employer or not.


Targeted Threat Protection - Attachment Protect strips attachments that could potentially contain malicious code (e.g. PDF, Microsoft Office files) from inbound messages and replaces them with a clean, transcribed version.


Employees have instant access to these clean attachments to maintain productivity. If they require read / write access, a link in the message can be used to request the original file via the sandbox. This safe file approach eliminates the latency inherent in traditional sandbox solutions, confining wait time to the minority of instances where an editable document is required.



We recommend using the settings below to ensure Targeted Threat Protection - Attachment Protect provides optimal protection. The settings are split between:

  • Attachment Protection Definitions
  • Attachment Protection Policies
  • Targeted Threat Protection Device Enrollment
These settings are based on commonly used configurations that can provide an optimal solution to protect you against targeted attacks via attachments. It is important to understand that one setting may not meet all your specific requirements. We recommend you review your environment, tweaking these options where necessary.

Attachment Protection Definitions


The following fields / options settings should be used to configure an Attachment Protection Definition.


| Field / Option | Best Practice Setting | Comments |
| --- | --- | --- |
| Attachment Protect Delivery Options | Safe File with On-Demand Sandbox | This allows end users to receive attachments in a ‘Safe File’ format, whereby malicious content (e.g. scripts) is stripped out. It also ensures there is no delay for users to access content that can occur whilst sandbox checks take place. If they do require the original attachment, users can release it via the notification message they receive with the safe file. |
| Release Forwarded Internal Attachment | Selected | This ensures internally forwarded messages containing the attachment release instructions can be used by another user to release the attachment. |
| Administrator Notification | Selected | Together with the "Admin Review Group" field, this ensures a group of Administrators are notified when a message with malicious content is received. See the Managing Groups page for full details on creating the group. |
| Admin Review Group | See comments | This field is displayed if the "Administrator Notification" field is selected. It allows you to select a group of users, via the "Lookup" button, who'll be notified when a message with malicious content is received. |
| Default Transcribed Document Format | PDF | This provides a read only PDF view of the document attachment for end users. |
| Default Transcribed Spreadsheet Format | CSV | This provides a read only CSV view of the spreadsheet attachment for end users. |


Attachment Protection Policies


The following fields / options settings should be used to configure an Attachment Protection Policy.


| Field / Option | Best Practice Setting | Comments |
| --- | --- | --- |
| Select Option | See "Comments" | The options in the drop down list are your Attachment Protection definitions. Select the definition you want to use for the policy. |
| Emails From: Applies From | Everyone | This ensures all inbound traffic (including null addresses like is taken into account. When creating the policy, apply it to a group of users first via the "Address Groups" option. This ensures the configuration works as expected in your environment. |
| Emails To: Applies To | Internal Addresses | |
| Enable / Disable | Enable | This activates the policy. |


Targeted Threat Protection - Device Enrollment


In addition to creating an Attachment Protection policy and definition, we recommend enabling Targeted Threat Protection: Device Enrollment. This makes use of browser cookies to enhance Targeted Threat Protection security, as well as:

  • Creating Targeted Threat Protection log entries attributed to the local user.
  • Releasing Targeted Threat Protection - Attachment Protect internal forwards to the local user.
  • Releasing Targeted Threat Protection - Attachment Protect attachments received by a distribution list to the local user.


When users click on the link to release the original attachment, they are presented with an enrollment page. Once their device has been enrolled, a cookie is added to their browser. This is used for future interactions with our Targeted Threat Protection service.


The following fields / options settings should be used to configure your Mimecast Account Settings.


| Field / Option | Best Practice Setting | Comments |
| --- | --- | --- |
| Targeted Threat Protection Authentication | Enabled | This option is in the "User Access and Permissions" settings. |
| Authentication Duration (Days) | A value between 1 and 365 | This controls when the cookie expires, and the user has to re-enroll their device. The default is 30 days. This field is only displayed if the "Targeted Threat Protection Authentication" option is enabled. |

