Optimizing Targeted Threat Protection

Document created by user.oxriBaJeN4 Employee on Nov 6, 2018Last modified by user.oxriBaJeN4 Employee on Jul 11, 2019
Version 9Show Document
  • View in full screen mode

While simple spammers and phishing malware are still real risks, the most damaging attacks now occur with well researched social engineering, targeted malware, precise impersonations, and specially constructed credential phishing sites. The only way to keep your organization safe from these types of attacks is to use an equally sophisticated and versatile email security system.


Targeted Threat Protection is an evolving product suite which has received ongoing developments to address these issues. This guide is designed to help administrators perform a review of their current environment and learn about the latest Targeted Threat Protection optimizations and recommended best practice settings.


Prerequisite Considerations


Before beginning, we recommend:

  • Evaluating Policies and Definitions: Check to see if you've definitions but no policies set up for them, as your Targeted Threat Protection settings won't be applied to any email traffic. Similarly identify if you've too many policies and / or definitions configured, as there may be conflicting settings which restrict your users.
  • Test Before Deploying: Targeted Threat Protection definitions and policies have many settings. Prior to deploying a feature organization-wide, ensure you've performed testing within your IT department or some other isolated team. This allows you to understand how the settings affect your users.
  • Inform Users Prior to Deploying: Targeted Threat Protection settings affect your users’ experience, and should be communicated before enabling. Take advantage of the following resources to help you:


Optimizing Targeted Threat Protection


Having evaluating and tested your environment’s policies / definitions, as well as our best practice recommendations (see above) continue to our tips on how to get the most out of your Targeted Threat Protection deployment.


Enabling Display of the URL Destination Domain


Applies to: URL Protect


Many organizations may be initially hesitant to roll out a URL rewriting solution, as security teams often train users to hover over URLs and look at the link destination. Mimecast rewrites URLs and, in the process, obfuscates the URL string to ensure users are not able to bypass the protection. There have been several enhancements to URL Protect to help you. For example the “Display URL Destination Domain” option provides users with the ability to see where a link is going, without compromising security.


URLs and AttachmentsProtecting Against URLs Within Attachments


Applies to: URL Protect


When configuring a URL Protect definition, enable all the options under URLs and Attachments. These settings protect your organization from URLs with dangerous file extensions, rewrite URLs, as well as scan URLs in attachments which cannot be rewritten. It's important to set the URL File Download setting to “Sandbox”, as this causes inspection of a directly downloaded file for deep security analysis.


Enabling Advanced Similarity Checks


Applies to: URL Protect, Impersonation Protect

Advanced Similarity Checks


Mimecast added the ability to identify advanced impersonation attacks, where the domain of inbound emails or links appear similar to your internal domains or domains of external organizations. To utilize this, enable the Advanced Similarity Checks options for Inbound mail when configuring a definition. Depending on your organizations’ preferences, select the "Action" to either warn users when a similar link is detected, or block users from accessing the link and display a block page.


Populating Your Custom Monitored Domains


Applies to: URL Protect, Impersonation Protect


Attackers often impersonate domains of key business partners or application providers, in an attempt to gain your employee’s trust. Adding these external domains to your Custom Monitored Domain list, ensures these domains are analyzed in URLs as well as headers of inbound emails. View the Custom Monitored External Domains page for more information.


Maximizing User Productivity via Attachment Protect


Applies to: Attachment Protect


Mimecast’s Attachment Protect inspection is versatile and flexible, and many organizations find it beneficial to apply different settings to various user groups. The How Does Targeted Threat Protection - Attachment Protect Work? guide outlines how you can gain more granular control over your organization to protect users from malicious files.


Enabling Device Enrollment


Applies to: URL Protect, Attachment Protect


Device Enrollment enhances security when accessing rewritten URLs and attachments in messages, by using an authentication system that stores a cookie on the end user’s device. This cookie enables Mimecast to identify the actual user, which is particularly important when URLs or converted safe files are forwarded around an organization. View the Targeted Threat Protection: Managing Device Enrollment page for further details.



Applies to: URL Protect


Mimecast rewrites URLs in inbound emails, which can cause an issue with one-time click URLs (e.g. password reset links). Once a rewritten URL is clicked, Mimecast analyzes the site before redirecting the user. To avoid issues with one-time links when deploying URL Protect either:

  • Configure a URL Protection Bypass policy to exclude specific senders or recipients. For example, set a bypass for your automated system that sends password reset emails / links to users.
  • Whitelist a URL or Public IP in your Managed URLs, and select “Disable rewriting for this entry” to prevent Mimecast from rewriting or scanning one-time click links of these URLs.


Using More Than "Mark All Inbound Items As External" Setting


Identifier Actions

Applies to: Impersonation Protect


Mimecast’s Impersonation Protect includes a general action to "Mark All Inbound Items as External". While this is useful for some organizations, many users tend to stop seeing an external tag after a few days if every email from outsiders has that flag applied. Instead, leverage Impersonation Protect’s Identifier Actions to apply custom HTML tags on specific emails that are suspicious.


Inspect and Remediate Internal and Outbound Emails


Applies to: Internal Email Protect


Most organizations focus on inbound emails when it comes to protecting against phishing. However internally generated emails are a growing threat to organizations, as they are used to spread an attack using a compromised account or are a vehicle for careless user activity.


Internal Email Protect adds Outbound and Journal settings (for internal-to-internal emails) to the URL Protect, Attachment Protect, and Content Examination (DLP) definitions. This allows you to inspect and remediate internally generated emails that contain malicious URLs, attachments, or policy violating content. Additionally, Internal Email Protect constantly monitors the status of all file attachments globally. If the security score of a delivered file changes, Mimecast can:

  • Automatically or manually remediate attachment based malware.
  • Quickly alert and update administrators.
  • Log incident actions.
View the Internal Email Protect and Threat Remediation pages for additional information.

Using Multiple Policies and Definitions


You can apply some of our best practice recommendations and optimization tips in a variety of ways. Here are some additional considerations to help finalize your Targeted Threat Protection configurations: 

  • You can configure more aggressive security settings and more frequent user awareness training for their end users, but a more relaxed setting for the IT Team.
  • With Attachment Protect, consider that an organization’s Legal and Finance team often works with macro enabled files. Therefore their emails should have Pre-Emptive Sandboxing applied, while the rest of the employees have Safe File conversion enabled to speed up mail delivery.
  • Administrators can apply more restrictive Identifier settings for Impersonation Protection for Executives and other key employees, while applying a broader set of Identifier settings against end users. This is because executives are far more likely to be impersonated by attackers.
  • While Internal Email Protect allows organizations to monitor internal and outbound emails for malicious URLs and attachments, administrators can also configure Content Examination policies to monitor, detect, and remediate emails based on content that should not be shared between users. For example, the healthcare industry can use Content Examination to prevent patient records from being sent to unauthorized users, whether intentionally or accidentally.


See Also...


1 person found this helpful