Targeted Threat Protection: Frequently Asked Questions

Document created by user.oxriBaJeN4 Employee on Nov 8, 2018. Last modified by user.oxriBaJeN4 Employee on Jul 11, 2019.
Version 13

This guide provides administrators with common troubleshooting solutions for various issues relating to the Targeted Threat Protection product suite.

All Targeted Threat Protection Products


Q:Are there any assets I can use to inform our users about TTP functionality?
A:Yes. Visit our Asset Library for Targeted Threat Protection assets.
Q:Do you have any recommended configurations?
A:Targeted Threat Protection can address a number of different use cases, so it can be configured in a number of different ways. We provide a list of the optimum settings for those configuring TTP for the first time. See the following pages:
Q:Can I specify which user groups are moderators and administrators?
A:Yes, but this isn’t controlled by Targeted Threat Protection definitions. It is controlled by assigning each user group a moderator or administrator role. See the User Groups and Managing Administrator Roles pages for further detail.
Q:Can we run Targeted Threat Protection in “monitor mode” to see the effect it has without taking any action?
A:Yes. Set the definition to take no action, but notify a group of users when a message triggers the policy.
Q:Does a Permitted Sender automatically bypass Targeted Threat Protection policies?
A:No. Permitted senders only bypass greylisting checks. To bypass Targeted Threat Protection checks, the relevant Targeted Threat Protection bypass policy must be configured.
Q:Can more than one URL Protect, Attachment Protect, or Impersonation Protect policy be applied to the same message?
A:Yes. Targeted Threat Protection policies (like Content Examination policies) don't stop processing a message once a policy is triggered. Take the example of a group of users for whom you want an Attachment Protect policy that converts attachments to a safe file PDF, and an Impersonation Protect policy that holds the message for review. Should a message trigger an Impersonation Protect policy, the message is held, and the attachment is converted to a safe file PDF.


Targeted Threat Protection - Attachment Protect


Q:How long is the delay for preemptive sandboxing for a typical message?
A:The delay is dependent on the attachment size, but can vary from a few seconds to a few minutes.
Q:What's the difference between an Attachment Management and Targeted Threat Protection - Attachment Protect policy?
A:An Attachment Management policy allows you to block all file attachments you consider dangerous (e.g. .EXE). Targeted Threat Protection - Attachment Protect blocks file attachments that aren’t necessarily considered dangerous, but which could include a macro or malicious code.
Q:We have an Attachment Management policy that blocks all Microsoft Office files containing macros. This conflicts with our Targeted Threat Protection - Attachment Protect policy (blocking before it can be sandboxed). Should we remove the Attachment Management policy?
A:This depends on how you want to handle these files. You can continue to block Microsoft Office documents with macros. However, to get the most value out of Targeted Threat Protection - Attachment Protect, consider letting them through and allowing the Targeted Threat Protection - Attachment Protect functionality to scan the files.
Q:Does Targeted Threat Protection affect DMARC, DKIM, or SPF?
A:No. Targeted Threat Protection is separate from DNS Authentication policies that address DMARC, DKIM, or SPF checks. Targeted Threat Protection checks are performed after SPF / DKIM / DMARC checks.
Q:Can we sandbox all inbound attachments instead of selecting the “Safe File with On-Demand Sandbox” action?
A:Yes. The “Safe File with On-Demand Sandbox” option is typically used for more specific use cases, where the user base does not need to edit documents (e.g. HR departments dealing with resumes).
Q:Our Targeted Threat Protection - Attachment Protect policy has resulted in corrupted files. How can this be solved?
A:Raise a Mimecast Support Case providing the original and corrupted versions of the files. If possible, place them in a password-protected zip.
Q:Certain messages are delayed after Targeted Threat Protection - Attachment Protect checks. What could be the problem?
A:Raise a Mimecast Support Case providing the message and attachment details, so we can investigate.
Q:Why have some attachments been blocked that appear legitimate?
A:You can check the reason why attachments have been blocked in the Targeted Threat Protection - Attachment Protection logs. See the Targeted Threat Protection - Attachment Protect Dashboard page for further details.
Q:Why have certain attachments gone undetected?
A:Check the Targeted Threat Protection - Attachment Protection logs to verify that the message was scanned and if a policy was applied. See the Targeted Threat Protection - Attachment Protect Dashboard page for further details. If the attachment was scanned and a policy applied, raise a Mimecast Support Case complete with details and examples.


Targeted Threat Protection - URL Protect


Q:How can I test a policy for bad URLs without having something malicious on the back end?
A:We recommend that you add a fake URL to your block list for testing.
Q:Where can I customize our user awareness notification?
A:Click on the "User Awareness Page Sets" button from the Services | URL Protection menu item in the Administration Console. See the Targeted Threat Protection: Configuring URL Protection User Awareness page for further details.
Q:Where do I enter my user awareness percentage value?
A:Ensure the “Enable User Awareness” option is enabled in the Targeted Threat Protection - URL Protect definition. This displays the “User Awareness Challenge Percentage” field where you can specify the required value.
Q:Can I send a URL for someone to use without it being re-written?
A:We don’t rewrite URLs in outbound messages sent externally or internally. For inbound messages, you can select the “Display URL Destination Domain” option in the Targeted Threat Protection - URL Protect definition. This appends the URL's destination domain at the end of the rewritten link.
Q:How long is a rewritten link valid for?
A:Forever. Mimecast always performs a fresh scan when a URL is clicked.
Q:If a user wants us to release a message with a blocked URL, can we check why it was blocked before doing so?
A:Yes. The logs on the URL Protect dashboard provide additional insight into what we discovered in our scan of the destination (e.g. whether it was a phishing or fraudulent site).
Q:Why are users experiencing timeout issues when clicking on certain links?
A:Check that the destination URL is known to be legitimate and safe. If it is, test the connectivity from another browser.
Q:Why are users being blocked from URLs that appear legitimate?
A:Check the URL Protection logs against the URL Checker tool available from the URL Protection dashboard. Make a note of the category and escalate if it's a false positive. See the URL Protect Logs and Targeted Threat Protection: Decoding / Checking URLs pages for further details.


Q:What can we do about an unsafe URL that went undetected?
A:Check the URL Protection logs and verify the user actually clicked the link and it was allowed. If so, escalate to Support with details.


Targeted Threat Protection - Impersonation Protect


Q:If our employees use their personal email, the “Reply To” address can be different. If the “Internal User Name” option is selected, this results in the policy being activated. Is there a workaround?
A:In this scenario, we recommend setting the Targeted Threat Protection - Impersonation Protect definition’s action to “Hold for Review” rather than “Bounce” or “None”.
Q:Where does the tag display if the "Mark All Inbound Items as External" option is selected in a Targeted Threat Protection - Impersonation Protect definition?
A:The tag is displayed at the beginning of the message’s body, subject, or header.
Q:Is the tag added to all messages, or just ones that meet the activation score?
A:Only those messages that have met the activation score are tagged. However, you can tag all external emails as "external" in Impersonation Protect.
Q:Does Targeted Threat Protection - Impersonation Protect allow Google group messages?
A:Yes. Targeted Threat Protection - Impersonation Protect works on all inbound messages that come through the Mimecast Gateway. They can also be bypassed based on the sender or recipient characteristics.
Q:Why doesn’t whitelisting work for Targeted Threat Protection - Impersonation Protect?
A:A Permitted Senders policy bypasses our spam scoring, reputation, and greylisting checks. If Targeted Threat Protection - Impersonation Protect Bypass policies aren’t working, there may be a configuration issue. Contact our Support Desk, who’ll help rectify the settings.
Q:A Targeted Threat Protection - Impersonation Protect definition gets triggered every time a former staff member emails our firm, despite them being on our permitted senders list. Is there a way to stop the definition from triggering?
A:Adding a user to your permitted sender list does not bypass Impersonation Protect. Create an Impersonation Protect Bypass policy for the specific email address. See the Configuring an Impersonation Protection Bypass Policy page for further details.
Q:How can we optimally configure Targeted Threat Protection - Impersonation Protect for users?
  • Check the Internal User Name match by comparing the user's Global Name in Internal Directories to the display name of the message.
  • Ensure the user is synchronized in your Active Directory.
  • Check the Impersonation Protection logs if you need to further troubleshoot message details.


Targeted Threat Protection - Internal Email Protect


Q:How can we check our server connections to ensure Internal Email Protect policies work correctly?
A:Check your server connectivity under the Services | Server Connections menu item in the Administration Console. For On-Premise exchanges, ensure the master mailbox has appropriate permissions. See the Managing Server Connections page for further details.

