Targeted Threat Protection: Frequently Asked Questions

Document created by user.oxriBaJeN4 Employee on Nov 8, 2018Last modified by user.oxriBaJeN4 Employee on Nov 12, 2018
Version 6Show Document
  • View in full screen mode

This page answers common questions administrators have about the Targeted Threat Protection product suite. To make them easier to find, the questions are split into the following categories:

All Targeted Threat Protection Products


Q:Are there any assets I can use to inform our users about TTP functionality?

Yes. Visit our Asset Library for Targeted Threat Protection assets.

Q:Are your best practice settings documented?
A:Yes. Our Knowledge Base has the following pages:
Q:Can I specify which user groups are moderators and administrators?

Yes, but this isn’t controlled by the Targeted Threat Protection definitions. This is controlled by assigning each User Group with a moderator or administrator role. See the User Groups and Managing Administrator Roles pages for further detail.

Q:Can we run Targeted Threat Protection in “monitor mode” to see the effect it has without taking any action?

Yes, just set the definition to take no action, but notify a group of users when a message triggers the policy.

Q:Does a Permitted Sender automatically bypass Targeted Threat Protection policies?

No. Permitted senders only bypass greylisting checks. The relevant Targeted Threat Protection bypass policy should be configured.


Targeted Threat Protection - Attachment Protect


Q:How long is the delay for pre-emptive sandboxing for a typical message?
A:The delay is dependent on the attachment size, but can vary from a few seconds to a few minutes.
Q:What's the difference between an Attachment Management and Targeted Threat Protection - Attachment Protect policy?
A:An Attachment Management policy allows you to block all file attachments you consider dangerous (e.g. .EXE). Attachment Protect blocks file attachments that aren’t necessarily considered dangerous, but which could include a macro or malicious code.
Q:We have an Attachment Management policy that blocks all Microsoft Office files containing macros. This conflicts with our Attachment Protect policy (blocking before it can be sandboxed). Should we remove the Attachment Management policy?

This depends on how you want to handle these files. You can continue to block Microsoft Office documents with macros. However to get the most value out of Attachment Protect, consider letting them through and allowing the Attachment Protect functionality to scan the files.

Q:Does Targeted Threat Protection affect DMARC, DKIM, or SPF?
A:No, Targeted Threat Protection is separate from DNS Authentication policies that address DMARC, DKIM, or SPF checks. Targeted Threat Protection checks are performed after SPF / DKIM / DMARC checks.
Q:Can we sandbox all inbound attachments instead of selecting the “Safe File with On-Demand Sandbox” action?

Yes. The “Safe File with On-Demand Sandbox” option is typically used for more specific use cases, where the user base does not need to edit documents (e.g. HR departments dealing with resumes).


Targeted Threat Protection - URL Protect


Q:How can I test a policy for bad URLs without having something malicious on the back end?
A:We recommend that you add a fake URL to your block list for testing.
Q:Where can I customize our user awareness notification?
A:Click on the "User Awareness Page Sets" button from the Services | URL Protection menu item.
Q:Where do I enter my user awareness percentage value?

In the “User Awareness Challenge Percentage” field. This is only displayed when the “Enable User Awareness” option is selected.

Q:Can I send a URL for someone to use without it being re-written?
A:We don’t rewrite URLs in outbound messages sent externally or internally. For inbound messages, you can select the “Display URL Destination Domain” option. This appends the URL's destination domain at the end of the rewritten link.
Q:How long is a rewritten link valid for?

Forever, as Mimecast always performs a fresh scan when a URL is clicked.


If a user wants us to release a message with a blocked URL, can we check why it was blocked before doing so?


Yes. The logs on the URL Protect dashboard provides additional insight into what we discovered in our scan of the destination (e.g. whether it was a phishing or fraudulent site).


Targeted Threat Protection - Impersonation Protect


Q:If our employees use their personal email, the “Reply To” address can be different. If the “Internal User Name” option is selected, this results in the policy being activated. Is there a workaround?
A:In this scenario, we recommend the definition’s action is to “Hold for Review” rather than “Bounce” or “None”.
Q:Where does the tag display if the "Mark All Inbound Items as External" option is selected in a definition?
A:The tag is displayed at the beginning of the message’s body, subject, or header.
Q:Is the tag added to all messages, or just ones that meet the activation score?

Only those messages that have met the activation score are tagged. However, you can tag all external emails as "external" in Impersonation Protect.

Q:Does Impersonation Protect allow Google group messages?
A:Yes. Impersonation Protect works on all inbound messages that come through the Mimecast Gateway. They can also be bypassed based on the sender or recipient characteristics.
Q:Why doesn’t whitelisting work for Impersonation Protect?

A Permitted Senders policy bypasses our spam scoring, reputation, and greylisting checks. If Impersonation Protect Bypass policies aren’t working, there may be a configuration issue. Contact our Support Desk who’ll help rectify the settings.


An Impersonation Protect definition gets triggered every time a former staff member emails our firm, despite them being on our permitted senders list. Is there a way to stop the definition from triggering?


Adding a user to your permitted sender list does not bypass Impersonation Protect. Create an Impersonation Protect bypass policy for the specific email address.


See Also...