Misaddressed Email Protect - Administrator Guide

This article describes how to access Misaddressed Email Protect (MEP), how it works, how to manage policies and apply them, and how to view logging information.

  • It is recommended to have CyberGraph in a Learning state for two weeks and then progress to an On state before setting a Misaddressed Email Protect policy. Doing so will feed the CyberGraph learning algorithms enough historical data to make more accurate Policy matches and hone their accuracy.
  • Customers already utilizing CyberGraph for at least this period will have the algorithmic data available for Misaddressed Email Protection to use immediately.

Misaddressed Email Protection guards against accidentally sending mail externally to the wrong addressee. It utilizes CyberGraph social graph intelligence to detect abnormal communication patterns, such as sending an email to someone you have not communicated with regularly or sending mail to an external addressee whose address is similar to an internal user.

This article describes how to administer the Misaddressed Email Protection function within the Mimecast Secure Gateway. 

Usage Considerations

Relationship Strength

Misaddressed Email Protect also considers the Relationship Strength of the sender(s) and the
recipient(s). If the sender has emailed the recipient two times, then on the third outbound mail,
strong communications has been established. Alternatively, if the sender has previously received mail
three times from the outbound recipient and has safe-listed this recipient via the banner reporting
process, then strong communications is established. In these cases, Mimecast will treat the
relationship as strong and not check for Potentially Misaddressed Recipients.

Matching Explained

Misaddressed Email Protection checks for mistaken addressee matches in both the sender's personal messaging history and in CyberGraph's organization listing. The latter considers all entities (people, mailboxes, etc.) associated with the customer that have routed through CyberGraph at some point.

When a match is found, the mail is held by Misaddressed Email Protect. This section explains the
scenarios where a match is triggered.

  • High match means there is a high degree of overlap - specifically only one character is different. Exact matches will also trigger a hold under the High setting.
  • Low match means there is a lower degree of overlap needed to trigger a match, specifically two (or fewer) characters different. In other words, Low is more sensitive.
  • If three or more characters are different, it's considered no match, and a hold should not be triggered.
  • Generally: character order matters. So "rsmith" and "rthims" are completely different. Ditto: "Tom_Smith" and "Smith_Tom" are completely different and should not trigger a matching hold.
  • The match does not consider the intended recipient's domain, so it does not matter what the email domain is, as long as it is external to the organization. Internal mails are generally not processed by the Mimecast MTA, so do not flow through the Misaddressed Email Protect function.
  • Matches are case-insensitive.

In the examples below, the sender is addressing a message to "Rob_Stewart".

Match Level

Explanation / Example

Exact

"Rob.Stewart" "Rob-Stewart" (delimiters don't matter)

High

These two individuals WOULD NOT be considered similar because:

  • “Livenshtein” and “Levenshtein” are similar enough in pronunciation and string similarity.
  • However, “Christopher” and “Christoph” are not similar enough in pronunciation.

We only have 1 match (“Livenshtein” and “Levenshtein”), which does not meet the requirement of 2 matches, so these two individuals ARE NOT similar.

Low

These two individuals WOULD be considered similar because:

  • “Christopher” and “Christoph” are similar enough in pronunciation AND string similarity.

  • “Livenshtein” and “Levenshtein” are similar enough in pronunciation AND string similarity.

We have two matches (“Livenshtein” and “Levenshtein”; “Christopher” and “Christoph”), which do meet the requirement of 2 matches, so these two individuals ARE similar.

No Match

  • "Roberta_Stewart" (this is 4 characters different which is more different than a Low Match).
  • "Robb_Stewerd" would also not match - 3 characters are different across both the first and last name.
  • "Stewart_Rob" - order matters, so this is not a match.
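To check which recipient names would fall under each Matching Level before choosing a policy setting, the rules above can be approximated in a few lines. This is an added example, not Mimecast's code: it assumes "characters different" means Levenshtein edit distance, that `.`, `-` and `_` are the ignored delimiters, and it does not model the pronunciation comparison or Relationship Strength. The function names and sample addresses are constructed for illustration.

```python
import re

# Assumption: the delimiters shown in the guide's "Exact" row are the ones ignored.
DELIMITERS = re.compile(r"[._\-]")
# Largest character difference that triggers a hold under each policy setting.
HOLD_LIMIT = {"High": 1, "Low": 2}


def normalize(address: str) -> str:
    """Drop the domain (it is not considered), lowercase, strip delimiters."""
    local_part = address.split("@", 1)[0]
    return DELIMITERS.sub("", local_part.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; order-sensitive, so swapped names score far apart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def match_level(typed: str, known: str) -> str:
    """Classify a typed recipient against a known contact name."""
    d = edit_distance(normalize(typed), normalize(known))
    return ("exact", "high", "low")[d] if d <= 2 else "none"


def would_hold(typed: str, known: str, policy_level: str) -> bool:
    """True if the typed recipient is within the policy's character limit."""
    d = edit_distance(normalize(typed), normalize(known))
    return d <= HOLD_LIMIT[policy_level]


def audit(recipients, known_contacts, policy_level):
    """List (recipient, lookalike contact, level) pairs that would be held."""
    return [(r, k, match_level(r, k))
            for r in recipients for k in known_contacts
            if would_hold(r, k, policy_level)]


if __name__ == "__main__":
    # Constructed sample data.
    outbound = ["Rob.Stewart@example.net", "Robb_Stewert@example.org",
                "Roberta_Stewart@example.net", "Stewart_Rob@example.org"]
    for row in audit(outbound, ["Rob_Stewart"], "Low"):
        print(row)
```

Running it with the Low setting lists the first two constructed recipients; switching to High leaves only the delimiter variant.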

Accessing Misaddressed Email Protection

You can access the Misaddressed Email Protection settings by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Policies | Misaddressed Email Protection.

The dashboard for Misaddressed Email Protection is split between the Logs and Policies display screens.

Using Misaddressed Email Protection with Threat Remediation

If Misaddressed Email Protection is available, an additional option will appear, enabling automatic remediation of Misaddressed Emails sent to internal recipients. When this feature is enabled, Threat Remediation will automatically generate a remediation incident. Furthermore, if the option to Notify Internal Recipients is selected, the recipient of the internal email that has been remediated will receive a notification informing them of this action.


Enabling this function also allows a notification to be sent to the internal recipient, indicating that it has been removed from their inbox.

Misaddressed Email Protection actively employs Threat Remediation to eliminate emails, regardless of whether they are deemed threats. See more on Threat Remediation.

Policies

Creating or Editing a Policy

You can create a new Policy or edit an existing one by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Misaddressed Email Protection.
  3. Click on Policies.
  4. Click the Create New Policy button, or select an existing policy to modify from the list and click Edit on the slide-in panel.
  5. Create a Policy Step 1 - Details and Settings.
Field / Option Step 1 - Details and Settings
Name Give the Policy a suitable name so you can quickly identify it later.
Description
Provide a meaningful narrative.
  • What does it do?
  • Who does it affect?
Action
Set the Action this Policy is to take.
  • Hold: Matching messages will be temporarily placed in the Held Messages queue.
    • 15 Minutes, 30 Minutes, 1 Hour, and 2 Hours Hold options are available before the message is automatically released to continue its journey.
  • No Action: Matching messages will be delivered as expected. However, Mimecast will create a log entry for auditing potential misaddressed messages.
Matching Level
Select how sensitive the Policy should be when matching against potentially Misaddressed recipients:
  • High: Match highly similar names.
  • Low: Match somewhat similar names.

See the Matching Explained section for a more detailed explanation of the Matching Level process.

  6. Click Next.
  7. Create a Policy Step 2 - Applies From.

Field / Option

Step 2 - Applies From

Everyone

Selecting this will apply the Policy to all users in your organization.

Groups and Users

Selecting this option will enable two other buttons. Clicking each button will open a slide-in panel on the right-hand side of the screen for you to choose.

  8. Click Next.
  9. Create a Policy Step 3 - Summary and Create / Save Policy.

Field / Option

Step 3 - Summary and Create / Save Policy

Policy Status

Set the Policy Status to Enabled or Disabled when creating the policy or saving any changes.

Review Details

Review the policy details you have entered in the previous steps. You can click Cancel or Previous to go back and make any changes.

  10. If satisfied with the Summary Details, click the Create Policy button for a new Policy, or Save & Close if you have been editing an existing policy.

Managing Policies

Existing policies can be updated and modified. Click on the Policy name you wish to amend, and the Policy Details panel opens on the right side of the screen. You can then toggle the Policy state between Enabled / Disabled. Options to Edit and Delete the Policy are also here.


Deleting a Policy and toggling a policy status between Enabled / Disabled will open a confirmation pop-up box for the Administrator to confirm this action.

Viewing the Logs & Message Actions

The Log screen lists all Potentially Misaddressed Recipient emails detected by Mimecast, accompanied by filter options, date range selection, and the ability to adjust the results shown per page. This data can also be extracted via the Export Data button, allowing the Administrator to download and analyze log data in both .XLSX and .CSV file formats outside the Administration Console if desired.

Log Data will populate under the following headings: 

Sender
Recipient
Potentially Misaddressed Recipient
Subject
Status
Date & Time

The Potentially Misaddressed Recipient column refers to the specified recipient in the sent mail that triggered the hold. To learn about the potentially intended recipient, click on the log entry row to see the View Details screen for the MEP hold.

Filters enable you to refine your searches further if needed, and you can select from the following message status criteria:

  • Held
  • Released by User
  • Released by Admin
  • Auto Released
  • Dropped by User
  • Dropped by Admin
  • No Action (Delivered)

Message Actions

Administrators can either Release a message to continue its journey or Drop a message to prevent it from being delivered. Click the 3-dot options button at the end of the log-entry line and select the desired option. The following options are available: 
  • Drop.
  • Release.
  • View Details.

Clicking anywhere along a message log entry will also open the View Details panel on the right side of the screen, which also provides Drop and Release options, general message details, the Held Reason, and precisely which Policy the message triggered.
