This guide gives new users of Targeted Threat Protection - Attachment Protect what we consider to be an optimal configuration for protection against malicious attachments. When configuring Targeted Threat Protection - Attachment Protect, we recommend you:
- Define your requirements before starting any configuration.
- Create a group of users you'll use to test the configuration. See Managing Groups.
- Read Attachment Protect - Configuration, which includes links to information on definitions and policies.
- Configure the definition with the required protection, applying it to your group of users.
- Test that the configuration meets your requirements.
- Apply the configuration to the wider audience only when you're happy that it meets your requirements.
It is important to recognize that the threat landscape is constantly evolving, and there is no one-size-fits-all formula. What works perfectly for one customer may not work for another. We recommend you regularly review your configuration to ensure it still meets your requirements.
Due to the highly dynamic nature of phishing attacks, some phishing emails, sites, or attachments may not be identified, and some safe emails, sites, or attachments may be identified in error.
Attachment Protect Definitions
The following settings can be used to configure an Attachment Protect definition:
Inbound Settings
Field / Option | Setting | Comments |
---|---|---|
Enable Inbound Check | Enabled | If selected, the fields/options listed below are displayed. When setting up inbound checks, use a policy with the correct routing to activate this definition. |
Attachment Protect Delivery Options | Dynamic Configuration | This gives control to the end user to decide whether individual users are added to a trusted list. By default, Safe File With On-Demand Sandbox is used, but for users on the trusted list, Pre-Emptive Sandbox is used. |
Ignore Signed Messages | Disabled | If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact, but means attachments are not security checked. This option is not displayed if the Attachment Protect Delivery Options field is set to a value of Pre-emptive Sandbox. |
Sandbox Fallback Action | Hold for Administrator Review | If selected, messages and attachments are placed in the held queue. |
Release Forwarded Internal Attachment | Enabled | This ensures that internally forwarded messages containing the attachment release instructions can be used by another user to release the attachment. |
Enable Notifications | Enabled | Together with the Administrator Group field, this ensures a group of administrators are notified when a message with malicious content is received. See the Managing Groups page for full details. |
Administrator Group | See "Comments" | This field is displayed if the Administrator Notification field is selected. It allows you to select a group of users, via the Lookup button, who'll be notified when a message with malicious content is received. |
Default Transcribed Document Format | PDF | This provides a read-only PDF view of the document attachment for end users. |
Default Transcribed Spreadsheet Format | HTML | This provides an HTML file of the spreadsheet attachment for end users. |
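For the regular configuration review recommended earlier, the inbound table can be turned into a drift check. This is an added example, not part of the original guide or the product: it assumes an administrator has typed the definition's values into a dictionary keyed by the field names above, and the sample definition is constructed.

```python
# Recommended inbound values, copied from the Inbound Settings table above.
# The dict layout is an assumption of this example: values typed in by hand
# from the console, not an export format of the product.
BASELINE = {
    "Enable Inbound Check": "Enabled",
    "Attachment Protect Delivery Options": "Dynamic Configuration",
    "Ignore Signed Messages": "Disabled",
    "Sandbox Fallback Action": "Hold for Administrator Review",
    "Release Forwarded Internal Attachment": "Enabled",
    "Enable Notifications": "Enabled",
    "Default Transcribed Spreadsheet Format": "HTML",
}

def _norm(value):
    """Compare values without regard to case or spacing."""
    return " ".join(str(value).split()).casefold()

def audit_inbound(definition):
    """Return findings for one hand-transcribed inbound definition."""
    if _norm(definition.get("Enable Inbound Check", "")) != "enabled":
        # The other inbound fields are only displayed once this is selected.
        return ["Enable Inbound Check: not enabled, other inbound fields are not displayed"]
    findings = []
    delivery = _norm(definition.get("Attachment Protect Delivery Options", ""))
    for field, want in BASELINE.items():
        # Ignore Signed Messages is not displayed with Pre-emptive Sandbox.
        if field == "Ignore Signed Messages" and delivery == "pre-emptive sandbox":
            continue
        got = definition.get(field)
        if got is None:
            findings.append(f"{field}: not recorded (recommended: {want})")
        elif _norm(got) != _norm(want):
            findings.append(f"{field}: {got!r} differs from recommended {want!r}")
    # The table pairs Enable Notifications with a selected Administrator Group.
    notify_on = _norm(definition.get("Enable Notifications", "")) == "enabled"
    if notify_on and not str(definition.get("Administrator Group", "")).strip():
        findings.append("Administrator Group: notifications enabled but no group selected")
    return findings

# Constructed sample definition, not taken from a real account.
SAMPLE = {**BASELINE, "Ignore Signed Messages": "Enabled", "Administrator Group": ""}

if __name__ == "__main__":
    for line in audit_inbound(SAMPLE):
        print(line)
```

An empty result means the recorded definition matches the recommended inbound values and has an administrator group selected.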
Outbound Settings
Field / Option | Setting | Comments |
---|---|---|
Enable Outbound Check | Enabled | If selected, the fields/options listed below are displayed. When setting up outbound checks, use a policy with the correct routing to activate this definition. |
Gateway Action | Hold | When a message containing an unsafe attachment is detected, it is sent to the hold queue, and not delivered to the recipient. |
Gateway Fallback Action | Hold | This option is only applied if we are unable to check a message's attachment. |
User Mailbox Action | None | No action is taken on the user's mailbox, and messages are delivered to the recipients. This initial setting should be reviewed periodically. |
User Mailbox Fallback Action | None | This option is only applied if we are unable to check a message's attachment. |
Enable Notifications | Enabled | Enables a group of users to be notified, as well as the internal sender/recipient, when an unsafe URL is found. If selected, the Notify Group, Internal Sender, and Internal Recipient fields are displayed. |
Notify Group | Select a Group via the Lookup button. | Notifies the selected group of administrators of any unsafe attachments. |
Internal Sender | Enabled | Notifies a message's internal sender if an unsafe attachment is detected. |
Journal Settings
Field / Option | Setting | Comments |
---|---|---|
Enable Journal Check | Enabled | If selected, the fields/options listed below are displayed. These can be used to protect against malicious attachments in journaled traffic. |
User Mailbox Action | None | No action is taken on the user's mailbox, and messages are delivered to the recipients. This initial setting should be reviewed periodically. |
User Mailbox Fallback Action | None | This option is only applied if we are unable to check a message's attachment. |
Enable Notifications | Enabled | Enables a group of users to be notified, as well as the internal sender/recipient, when an unsafe URL is found. If selected, the Notify Group, Internal Sender, and Internal Recipient fields are displayed. |
Notify Group | Select a Group via the Lookup button. | Notifies the selected group of administrators of any unsafe attachments. |
Internal Sender | Enabled | Notifies a message's internal sender if an unsafe attachment is detected. |
Internal Recipient | Enabled | Notifies a message's internal recipient if an unsafe attachment is detected. |
Targeted Threat Protection Device Enrollment
In addition to creating an Attachment Protect policy and definition, we recommend enabling Device Enrollment. This makes use of browser cookies to enhance Targeted Threat Protection security, as well as:
- Creating Targeted Threat Protection log entries attributed to the local user.
- Releasing Targeted Threat Protection - Attachment Protect internal forwards to the local user.
- Releasing Targeted Threat Protection - Attachment Protect attachments received by a distribution list to the local user.
When users click on the link to release the original attachment, they are presented with an enrollment page. Once their device has been enrolled, a cookie is added to their browser. This is used for future interactions with our Targeted Threat Protection service.
The following field/option settings should be used to configure your Account Settings.
Field / Option | Setting | Comments |
---|---|---|
Targeted Threat Protection Authentication | Enabled | This option is in the User Access and Permissions settings. |
Authentication Duration (Days) | A value from 1 to 365 | This controls when the cookie expires, and the user has to re-enroll their device. The default is 30 days. This field is only displayed if the Targeted Threat Protection Authentication option is enabled. |
Attachment Protect Policies
The following settings can be used to configure an Attachment Protect policy:
Field / Option | Setting | Comments |
---|---|---|
Select Option | See "Comments" | The options in the drop-down list are your Attachment Protect definitions. Select the definition you want to use for the policy. |
Emails From: Applies From | Everyone | This ensures all inbound traffic (including null addresses like postmaster@yourdomain.com) is taken into account. When creating the policy, apply it to a group of users first via the Address Groups option. This ensures the configuration works as expected in your environment. |
Emails To: Applies To | Internal Addresses | |
Enable / Disable | Enabled | This activates the policy. |