Misaddressed Email Protect - Administrator Guide

This article describes how to access Misaddressed Email Protect (MEP), how it works, how to manage policies and apply them, and how to view logging information.

  • It is recommended to have CyberGraph in a Learning state for at least two weeks and then progress to an On state before setting a Misaddressed Email Protect policy. Doing so will feed the CyberGraph learning algorithms enough historical data to make more accurate policy matches and hone their accuracy.
  • Customers already utilizing CyberGraph for at least this period will have the algorithmic data available for Misaddressed Email Protection to use immediately.

Misaddressed Email Protection guards against accidentally sending mail externally to the wrong addressee. It is an AI-driven feature that utilizes CyberGraph social graph intelligence to detect abnormal communication patterns. For example, it can detect when you attempt to send an email to someone you have not communicated with regularly, or to an external addressee whose address is similar to an internal user.

Misaddressed Email Protection operates at the SMTP level, inspecting the SMTP envelope (specifically the RCPT TO command) before full message delivery, and can temporarily hold the message and prompt the sender to confirm whether they intended to send to that recipient.

This article describes how to administer the Misaddressed Email Protection function within the Mimecast Secure Gateway.

Usage Considerations

  • For initial configuration, consider starting with a No Action (audit-only) policy so you can observe results in the logs before moving to a Hold action. This helps you tune sensitivity and understand typical behavior in your environment.

Relationship Strength

Misaddressed Email Protect also considers the Relationship Strength of the sender(s) and the recipient(s). If the sender has emailed the recipient two times, then on the third outbound mail, strong communications has been established. Alternatively, if the sender has previously received mail three times from the outbound recipient and has safe-listed this recipient via the banner reporting process, then strong communications is established. In these cases, Mimecast will treat the relationship as strong and not check for Potentially Misaddressed Recipients.

Matching Explained

Misaddressed Email Protection checks for mistaken addressee matches in both the sender's personal messaging history and in CyberGraph's organization listing. The latter considers all entities (people, mailboxes, etc.) associated with the customer that have routed through CyberGraph at some point.

When a match is found, the mail is held by Misaddressed Email Protect. This section explains the scenarios where a match is triggered.

  • High match means there is a high degree of overlap - specifically only one character is different. Exact matches will also trigger a hold under the High setting.
  • Low match means there is a lower degree of overlap needed to trigger a match, specifically two (or fewer) characters different. In other words, Low is more sensitive.
  • If three or more characters are different, it's considered no match, and a hold should not be triggered.
  • Generally: character order matters. So "rsmith" and "rthims" are completely different. Ditto: "Tom_Smith" and "Smith_Tom" are completely different and should not trigger a matching hold.
  • The match does not consider the intended recipient's domain, so it does not matter what the email domain is, as long as it is external to the organization. Internal mails are generally not processed by the Mimecast MTA, so do not flow through the Misaddressed Email Protect function.
  • Matches are case-insensitive.

In the examples below, the sender is addressing a message to "Rob_Stewart".

Match Level Explanation Example
Exact "Rob.Stewart" "Rob-Stewart" (delimiters don't matter)
High

These two individuals WOULD NOT be considered similar because:

  • "Livenshtein" and "Levenshtein" are similar enough in pronunciation and string similarity.
  • However, "Christopher" and "Christoph" are not similar enough in pronunciation.

We only have 1 match ("Livenshtein" and "Levenshtein"), which does not meet the requirement of 2 matches, so these two individuals ARE NOT similar.

Low

These two individuals WOULD be considered similar because:

  • "Christopher" and "Christoph" are similar enough in pronunciation AND string similarity.
  • "Livenshtein" and "Levenshtein" are similar enough in pronunciation AND string similarity.

We have two matches ("Livenshtein" and "Levenshtein"; "Christopher" and "Christoph"), which do meet the requirement of 2 matches, so these two individuals ARE similar.

No Match
  • "Roberta_Stewart" (this is 4 characters different which is more different than a Low Match).
  • "Robb_Stewerd" would also not match - 3 characters are different across both the first and last name.
  • "Stewart_Rob" - order matters, so this is not a match.
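The character-count rules in Matching Explained and the Relationship Strength exemption, combined in an added Python example; this is not Mimecast's code. It assumes Levenshtein edit distance as the meaning of "characters different" and does not model the pronunciation comparison; the function names and `example.net` addresses are hypothetical.

```python
import re

# Policy Matching Level -> largest number of differing characters that still matches.
THRESHOLD = {"High": 1, "Low": 2}

def normalize(address):
    """Local part only (domain ignored), lowercased, delimiters removed."""
    local = address.split("@", 1)[0]
    return re.sub(r"[._\-]", "", local.lower())

def edit_distance(a, b):
    """Levenshtein distance; an assumed stand-in for 'characters different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def strong_relationship(sent_before, received_before, safe_listed):
    """Two earlier outbound mails, or three received plus a safe-list entry."""
    return sent_before >= 2 or (received_before >= 3 and safe_listed)

def evaluate(recipient, known_names, level, sent_before=0,
             received_before=0, safe_listed=False):
    """Return the known name the recipient resembles, or None if no match."""
    if strong_relationship(sent_before, received_before, safe_listed):
        return None  # strong relationship: the similarity check is skipped
    target = normalize(recipient)
    for name in known_names:
        if edit_distance(target, normalize(name)) <= THRESHOLD[level]:
            return name
    return None

if __name__ == "__main__":
    known = ["Rob_Stewart"]  # constructed sample, taken from the page's examples
    for rcpt in ["Rob.Stewart@example.net", "Robb_Stewart@example.net",
                 "Robb_Stewert@example.net", "Stewart_Rob@example.net"]:
        for level in ("High", "Low"):
            print(f"{rcpt:28} {level:4} -> {evaluate(rcpt, known, level)}")
```

Running the same recipients at both levels shows which addresses only the more sensitive Low setting would hold.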

Accessing Misaddressed Email Protection

You can access the Misaddressed Email Protection settings by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Policies | Misaddressed Email Protection.

The dashboard for Misaddressed Email Protection is split between the Logs and Policies display screens.

Using Misaddressed Email Protection with Threat Remediation

If Misaddressed Email Protection is available, an additional option will appear, enabling automatic remediation of Misaddressed Emails sent to internal recipients. When this feature is enabled, Threat Remediation will automatically generate a remediation incident. Furthermore, if the option to Notify Internal Recipients is selected, the recipient of the internal email that has been remediated will receive a notification informing them of this action.


Enabling this function also allows a notification to be sent to the internal recipient, indicating that the message has been removed from their inbox.

Misaddressed Email Protection actively employs Threat Remediation to eliminate emails, regardless of whether they are deemed threats. See more on Threat Remediation.

Policies

Creating or Editing a Policy

You can create a new Policy or edit an existing one by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Misaddressed Email Protection.
  3. Click on Policies.
  4. Click the Create New Policy button, or select an existing policy to modify from the list and click Edit on the slide-in panel.
  5. Create a Policy Step 1 - Details and Settings.

Step 1 - Details and Settings (Field / Option: description)

Name: Give the Policy a suitable name so you can quickly identify it later.

Description: Provide a meaningful narrative.

  • What does it do?
  • Who does it affect?

Action: Set the Action this Policy is to take.

  • Hold: Matching messages will be temporarily placed in the Held Messages queue.
    • 15 Minutes, 30 Minutes, 1 Hour, and 2 Hours Hold options are available before the message is automatically released to continue its journey.
  • No Action: Matching messages will be delivered as expected. However, Mimecast will create a log entry for auditing potential misaddressed messages.

Matching Level: Select how sensitive the Policy should be when matching against potentially Misaddressed recipients:

  • High: Match highly similar names.
  • Low: Match somewhat similar names.

See the Matching Explained section for a more detailed explanation of the Matching Level process.

  6. Click Next.
  7. Create a Policy Step 2 - Applies From.

Step 2 - Applies From (Field / Option: description)

Everyone: Selecting this will apply the Policy to all users in your organization.

Groups and Users: Selecting this option will enable two other buttons. Clicking each button will open a slide-in panel on the right-hand side of the screen for you to choose specific Groups or Users as senders this policy applies to.

  8. Click Next.
  9. Create a Policy Step 3 - Summary and Create / Save Policy.

Step 3 - Summary and Create / Save Policy (Field / Option: description)

Policy Status: Set the Policy Status to Enabled or Disabled upon creation, or when saving any changes.

Review Details: Review the policy details you have entered in the previous steps. You can click Cancel or Previous to go back and make any changes.

  10. If satisfied with the Summary Details, click the Create Policy button for a new policy, or Save & Close if you have been editing an existing policy.

Managing Policies

Existing policies can be updated and modified. Click on the Policy name you wish to amend, and the Policy Details panel opens on the right side of the screen. You can then toggle the Policy state between Enabled / Disabled. Options to Edit and Delete the Policy are also here.

  • A common configuration pattern is to maintain a global protection policy for Everyone, and then add more specific No Action policies for trusted senders, services, or test accounts that you want to exclude from MEP evaluation.
  • Because MEP relies on CyberGraph's social graph and historical communication patterns, you may periodically adjust policy scope, Matching Levels, or exclusions if you observe unexpected or noisy matches in the logs.



Deleting a Policy and toggling a policy status between Enabled / Disabled will open a confirmation pop-up box for the Administrator to confirm this action.

Viewing the Logs & Message Actions

The Log screen lists all Potentially Misaddressed Recipient emails detected by Mimecast, accompanied by filter options, date range selection, and the ability to adjust the results shown per page. This data can also be extracted via the Export Data button, allowing the Administrator to download and analyze log data in both .XLSX and .CSV file formats outside the Administration Console if desired.

Log data will populate under the following headings:

Sender

Recipient

Potentially Misaddressed Recipient

Subject

Status

Date & Time

The Potentially Misaddressed Recipient column refers to the specific recipient address in the sent mail that triggered the Misaddressed Email Protect check and any subsequent hold or audit log entry. To see which recipient MEP believes may have been the intended addressee, click on the log entry row to open the View Details panel for that MEP hold.

Filters enable you to refine your searches further if needed, and you can select from the following message status criteria:

  • Held
  • Released by User
  • Released by Admin
  • Auto Released
  • Dropped by User
  • Dropped by Admin
  • No Action (Delivered)

Message Actions

Administrators can either Release a message to continue its journey or Drop a message to prevent it from being delivered. Click the 3-dot options button at the end of the log-entry line and select the desired option. The following options are available:

  • Drop.
  • Release.
  • View Details.


Clicking anywhere along a message log entry will also open the View Details panel to the right side of the screen. This panel provides Drop and Release options, general message details, the Held Reason, and precisely which Policy.
