Detections - Viewing Attacks

This article contains information on viewing and managing detected threats in Mimecast Email Security Cloud Integrated, including preconditions, search functionalities, and examples of searches across Microsoft services.

Also see Viewing Attack Details.

Preconditions

  • You have an existing Mimecast Email Security Cloud Integrated account.
  • You are using Microsoft Exchange.
  • You are optionally using:
      • Microsoft Teams.
      • Microsoft SharePoint.
      • Microsoft OneDrive.

Viewing Detected Threats

You can view detected threats by using the following steps:

  1. Log in to the Email Security Cloud Integrated platform.
  2. The Detections page displays the following:
      • A Search section.
      • A list of Detected Threats. This can include threats that have been detected via Emails, OneDrive, SharePoint, and Teams.

Search: (screenshot)

Detections: (screenshot)

Navigating to Detections from the Home page applies a Date Range of 60 days, with the default filters of Malware, Phishing, Safe/Clean, Spam and Untrustworthy. This overrides any Date Range and Filters you used the last time you navigated to the page.

The Detected Threats data displayed is detailed below:

  • Content or Message: Displays the message title or filename associated with the detected threat. If you are using Microsoft SharePoint and Microsoft OneDrive, you will see the Content column containing the corresponding data. If not, you will instead see the Message column containing the corresponding data.
  • Service: Displays which service the detected threat was received from (e.g. Email).
  • Origin: Displays the origin of the detected threat, if applicable (e.g. US).
  • Analysis: Displays the type of threat that has been identified, classified as follows:
      • Malware: Malicious software designed to disrupt, damage, and gain unauthorized access to a network and its linked devices.
      • Phishing: Social Engineering emails, Malicious URLs, and Weaponized Attachments are some examples of phishing emails.
      • Untrustworthy: Suspicious messages detected by Mimecast systems as untrustworthy; these could be from a known bad source or contain content we cannot be sure is safe.
      • Spam: Unwanted and unsolicited bulk email.
      • Safe/Clean: Emails determined as safe by Mimecast's detection engines.
  • Status: Displays the current state of the detected threat, and can be classified as follows:
      • Delivered.
      • Quarantined: Quarantined emails are held for a maximum of 90 days; if this limit is exceeded, the message will be purged automatically.
      • Moved to junk.
      • Blocked.
      • Manually removed.
  • Details: Displays subcategory details. A maximum of 3 subcategories associated with a certain detection will be listed.
  • Recipient: Displays the email recipient of the detected threat, if applicable.
  • Sender/Uploader or Sender: Displays the email sender, or the name of the person who uploaded a file, for detected threats. If you are using Microsoft SharePoint and Microsoft OneDrive, you will see the Sender/Uploader column containing the corresponding data. If not, you will instead see the Sender column containing the corresponding data.
  • Date/Time: Displays the date when the detected message was processed by Mimecast.
  • Policy: Allows you to filter Detections by Policy Name.
  • Direction: Displays the direction of the detected message (e.g. Inbound). This column is not shown by default. You can use the gear (settings) icon to add it as required.

You can use advanced Filters on your detected threats data. The default filters are Malware, Phishing, Safe/Clean, Spam, and Untrustworthy. To make use of the Filter option, follow the instructions listed below.

  1. Log in to the Email Security Cloud Integrated platform.
  2. Click on Detections.
  3. Click on the Filter button to display the Filter flyout.
  4. To clear the applied filters, click Clear all filters.
  5. You can drill down to search for / select sub-items from the Filter Categories listed below.
  6. Finally, you can either choose to Apply the filter customizations that you have made, or click X to close the Filter flyout without applying changes.
Filter Categories and their Sub-items:

  • Service: Email, OneDrive, SharePoint, Teams.
  • Analysis: Block Rule, Malware, Phishing, Policies Disabled, Safe/Clean, Spam, Untrustworthy.
  • Status: Blocked, Delivered, Delivery failed, Delivery in progress, Manually quarantined, Manually released, Manually removed, Manually restored, Moved to junk, Moving to junk, Quarantine failed, Quarantine in progress, Quarantined, Release failed, Release in progress, Remove failed, Remove in progress, Restore failed, Restore in progress, Scanned.
  • Direction: Inbound, Internal, Outbound.
  • Origin: See Origin Sub-categories for the full list.

Searching Detections

You can search within Detections by using the following steps:

  1. Log on to the Email Security Cloud Integrated platform.
  2. Click on Detections.
  3. The Search section allows you to specify:
      • Date Range: This field is used to specify the Date Range for your search:
          • Past 24 hours (this is the default value).
          • Past 7 days.
          • Past 30 days.
          • Past 60 days.
      • Field / Operator: Select a Field to search by, a relevant Operator and a corresponding Expression, to create your search criteria. The available Operators depend on the search Field type:
          • Content, Message or Policy Name: Select this field to search by message title, filename, or the policy name associated with the detected threat. Operators: Equal to, Not equal to, Contains, Does not contain. Expression: Enter a string, without double quotes. Contains/Does not contain only takes a single value.
          • Message ID: Select this field to search by the Message ID of the detected threat. Operators: Equal to, Not equal to. Expression: Enter an alphanumeric value, without double quotes.
          • Recipients: Select this field to search by the email recipient of the detected threat. Operators: Equal to, Not equal to, Contains, Does not contain. Expression: Enter a valid email address, without double quotes. Contains/Does not contain only takes a single value.
          • Sender/Uploader or Sender: Select this field to search by the email sender, or the name of the person who uploaded a file, for detected threats. Operators: Equal to, Not equal to, Contains, Does not contain. Expression: Enter a valid email address, without double quotes. Contains/Does not contain only takes a single value.
      • For Equal to and Not equal to searches, matching is case-sensitive and the complete email address / Subject / Message ID must match.
      • For Contains and Does not contain searches, case is not considered, and partial matches are included.
      • OR conditions for the same field can be aggregated into one row by separating the values with a comma or the word OR.
      • AND conditions for the same field can be added as multiple sets of search criteria.
  4. +Add Criteria: Click on this to add the criteria that you have entered. The Query View updates to display your search criteria.
  5. The Policy Name section allows you to choose an Operator:
      • Contains.
      • Does not contain.
      • Equal to.
      • Not equal to.
  6. Click on Search to run the search. The list of detected threats is updated to display items corresponding to your search criteria, and shows a maximum of 100 items per page.
  7. You can enter further set(s) of criteria, by:
      • Selecting the Condition of AND.
      • Entering the Field, Operator, and Expression for the additional search criteria.
      • Clicking on +Add Criteria to add them. The Query View updates to display your search criteria, and the list of detected threats is updated accordingly.
  8. You can remove search criteria by clicking on the "X" next to the item.
  9. You can edit search criteria by clicking to select it, amending the values, then clicking on Update to save the changes, or Cancel to discard them. The list of detected threats is updated accordingly.
  10. You can click on Clear Search to clear the search criteria. The list of detected threats is updated accordingly.

Examples of Searches

Example One

This shows a search by multiple Recipients, with each recipient address separated by a comma.

Example Two

This search uses the AND condition between two sets of search criteria.

Example Three

This shows a search using OR between recipients within a single set of search criteria.

Example Four

This example shows a search on Sender/Uploader which returns partial matches.
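To make the matching rules above concrete, the following is an added Python example and not part of the original article or Mimecast's own code. It models the search semantics the article describes (Equal to / Not equal to are exact and case-sensitive, Contains / Does not contain are partial and case-insensitive and take one value, OR values are written in one row with commas or OR, and criteria sets are ANDed) and reproduces Examples One to Four against constructed records. The Detection class, the FIELDS mapping, the helper names and the sample records are assumptions; the treatment of Not equal to with several OR values (the record is excluded if it matches any listed value) is also an assumption, since the article does not spell it out.

```python
"""Model of the Detections search semantics (constructed example, not Mimecast code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    message: str          # message title or filename (Content / Message column)
    message_id: str
    recipients: tuple     # one detection can have several recipients
    sender: str           # Sender/Uploader column
    policy_name: str


# Constructed sample detections; the addresses and IDs are invented.
SAMPLE = [
    Detection("Invoice overdue", "MSG-1001", ("alice@example.com",),
              "billing@vendor-example.net", "Phishing Policy"),
    Detection("Q3 report.xlsx", "MSG-1002", ("bob@example.com", "carol@example.com"),
              "uploader@partner-example.org", "Malware Policy"),
    Detection("Re: invoice", "MSG-1003", ("dave@example.com",),
              "Billing@Vendor-Example.net", "Default Policy - Processing Error"),
]

# Each search Field maps to the record values it is compared against (assumed mapping).
FIELDS = {
    "Message": lambda d: [d.message],
    "Message ID": lambda d: [d.message_id],
    "Recipients": lambda d: list(d.recipients),
    "Sender/Uploader": lambda d: [d.sender],
    "Policy Name": lambda d: [d.policy_name],
}
EQUALS_OPS = ("Equal to", "Not equal to")
CONTAINS_OPS = ("Contains", "Does not contain")


def split_or(expression):
    """OR values for one field are written in a single row, separated by a comma or OR."""
    terms = []
    for chunk in expression.split(","):
        terms.extend(part.strip() for part in chunk.split(" OR "))
    return [t for t in terms if t]


def criterion_matches(detection, field, operator, expression):
    """Evaluate one (Field, Operator, Expression) criterion against a detection."""
    values = FIELDS[field](detection)
    terms = split_or(expression)
    if operator in EQUALS_OPS:
        # case-sensitive, complete-value match; Not equal to excludes every listed value
        hit = any(value == term for value in values for term in terms)
        return hit if operator == "Equal to" else not hit
    if operator in CONTAINS_OPS:
        if field == "Message ID" or len(terms) != 1:
            raise ValueError("Contains/Does not contain takes one value and is not offered for Message ID")
        hit = any(terms[0].lower() in value.lower() for value in values)  # case-insensitive, partial
        return hit if operator == "Contains" else not hit
    raise ValueError(f"unknown operator {operator!r}")


def search(detections, criteria):
    """Criteria sets are combined with AND; returns the matching detections in order."""
    return [d for d in detections if all(criterion_matches(d, *c) for c in criteria)]


def run_examples(detections=SAMPLE):
    """The four example searches from the article, as the Message IDs they return."""
    def ids(rows):
        return [d.message_id for d in rows]
    return {
        # Example One: multiple Recipients separated by a comma
        "one": ids(search(detections, [("Recipients", "Equal to", "alice@example.com, carol@example.com")])),
        # Example Two: AND between two sets of criteria
        "two": ids(search(detections, [("Sender/Uploader", "Contains", "vendor-example"),
                                       ("Message", "Contains", "invoice")])),
        # Example Three: OR between recipients within one criterion
        "three": ids(search(detections, [("Recipients", "Equal to", "bob@example.com OR dave@example.com")])),
        # Example Four: Sender/Uploader Contains returns partial, case-insensitive matches
        "four": ids(search(detections, [("Sender/Uploader", "Contains", "billing")])),
        # Equal to is case-sensitive, so the differently cased sender in MSG-1003 is not matched
        "exact": ids(search(detections, [("Sender/Uploader", "Equal to", "billing@vendor-example.net")])),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

The "exact" entry is the check an analyst most often trips over: a sender written with different casing is a different value under Equal to, so a Contains search is the one to use when the casing of the address in the detection is unknown.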

This article contains information on removing or releasing individual emails in Mimecast Email Security Cloud Integrated, including steps for handling quarantined messages due to processing errors.

Only individual emails can be removed or released at once. Mass removals/releases are only possible when a single email has multiple recipients and is held under one detection entry.

 

Message Removal  

You can remove a message by using the following steps:

  1. Log in to Mimecast Email Security Cloud Integrated.
  2. Navigate to Detections.
  3. Search for the message to be removed. Use the Filter by option to refine your search.
  4. Click on the message to be removed.
  5. Click Remove.
  6. Enter a reason for the remediation. This reason is displayed in the Audit Logs once the removal is complete.
  7. Click Remove.
  8. The status of the removed message is updated to Manually Removed.

 

The remove option is only available for messages that would have been delivered to the customer environment.

 

Message Release 

You can release a message by using the following steps:

  1. Log in to Mimecast Email Security Cloud Integrated.
  2. Navigate to Detections.
  3. Search for the message to be released. Use the Filter by option to refine your search.
  4. Click on the message to be released.
  5. Click Release.
  6. Enter a reason for the remediation. This reason is displayed in the Audit Logs once the message has been released.
  7. Click Released.
  8. The status of the released message is updated to Manually Released. 

Quarantined emails are held for a maximum of 90 days; if the 90-day time limit is exceeded, the message will be purged automatically.

 

Remediation Status 

You can view manually remediated messages using the Filter By options. You can select the filter options below to view remediations in different statuses: 

 

Messages Quarantined due to processing errors

Should a message fail to be processed by Email Security Cloud Integrated, it will be placed in quarantine, with Processing Error appended to the policy name.

You can view quarantined messages by using the following steps:

  1. Log in to Mimecast Email Security Cloud Integrated.
  2. Navigate to Detections.
  3. Use the Filter By options to filter by Quarantined Status.
  4. The Policy/Rule column shows a Processing Error appended to the policy name.
  5. You can then release the message as required.

    Use caution when releasing messages that have been quarantined, as any threats within the message have not been detected.

If you have chosen to receive alerts for message quarantines, you will get an email notification containing the same information.

Managing Detected Threats

You can manage detected threats by using the following steps:

  1. Log on to the Email Security Cloud Integrated platform.
  2. Click on Detections.
  3. You can click on a detected threat to display threat details. See Viewing Attack Details.
  4. You can carry out bulk actions on detected threats from the Detections page. Note the following regarding bulk actions:
      • With no detected threats selected, the Bulk Action button is not enabled.
      • With one or more detected threats selected, the Bulk Action button is enabled.
      • You can select up to a maximum of 100 items; this corresponds to the number of search results displayed per page, as a result of Searching Detections.
      • You can Select All or Unselect All by clicking on the checkbox at the top of the list.
  5. One of the following options can be selected from the Bulk Actions dropdown:
      • Release/Restore: This action is applicable to:
          • Emails / Microsoft Teams items that have been quarantined that you wish to release.
          • Microsoft SharePoint / Microsoft OneDrive items you wish to restore.
      • Release and Allow Sender: This action is applicable to:
          • Emails only; it does not apply to Teams messages or SharePoint and OneDrive files.
          • Rules are only created for the Envelope Addresses of emails.
      • Remove/Quarantine: This action is applicable to:
          • Emails / Microsoft SharePoint / Microsoft OneDrive items that have been identified as Safe/Clean to Remove that you wish to remove.
          • Microsoft Teams items you wish to quarantine.
      • Remove and Block Sender: This action is applicable to:
          • Emails only; it does not apply to Teams messages or SharePoint and OneDrive files.
          • Rules are only created for the Envelope Addresses of emails.
  6. Once you have selected a Bulk Action to apply to your items, you are taken to a summary page, which displays a single-page full list of items that you can apply the Bulk Action to. The data shown in the table on the summary page is not selectable. The Bulk Action summary page contains:
      • Reason: Enter the reason for taking this action, between 3 and 300 characters. This field is mandatory.
      • Reporting: You can select Report to Mimecast to report these items to the Mimecast Security Team. This field is not mandatory.
      • You can click on the browser Back arrow or the Cancel button to return to the Detections page.

If none of the entries chosen are applicable for the Bulk Action, you will stay on the Detections page. You will see a notification: "None of your selected entries can be Released/Restored." or "None of your selected entries can be Removed/Quarantined.", accordingly.

  7. Finally, click on Confirm to apply the Bulk Action. The Bulk Action Processing popover will be displayed, and you will not be able to carry out further actions until this has been completed.
      • You will return to the Detections page and be notified when the Release/Restore or Remove/Quarantine action is complete.
      • The Status of the actioned items will be updated accordingly.

Considerations for Allow/Block Sender Detection

Regarding rules from Allow/Block that are in effect, also applicable to Release and Allow Sender and Remove and Block Sender:

  • Allow/Block Rules are only created for emails (and URLs, but given we only have email or collaboration security threats, we will only support this for emails).
  • The Allow/Block Rules page is not visible in Threat Scan Only mode. Therefore, the Release and Allow Sender and Remove and Block Sender options are only visible in Monitor and Protect modes, since live mail flow is not integrated in Threat Scan Only mode.
  • Creating a rule from the Allow/Block Rules page creates an Audit Log entry; Release and Allow Sender and Remove and Block Sender also create Audit Log entries.
  • Rules are only created for the Envelope Addresses of emails.
  • These rules will be visible in the Allow/Block Rules page.

Detection Details [Singular Action]

  1. If the Envelope Address already has a pre-existing rule, no new rules are created. Users can still release or remove messages, and see the corresponding Toast messages on completion.
  2. If the Envelope Address does not have a pre-existing rule, new rules will be created. Adding a reason is mandatory; notifying the administrator is optional.
      • Message Action: Release/Remove with a mandatory reason of at least 3 characters.
      • Sender Action:
          • Allow/Block, requiring the user to choose the category to be attributed (Safe/Clean is the default for Allow; for Block it is blank and the user chooses from Malware, Phishing, Untrustworthy, and Spam).
          • The email address is listed (Envelope Address).
          • Users can also choose to notify administrators.

The rules for Allowed/Blocked senders are visible in the Allow/Block Rules page.

Detection Details [Bulk action]

Visible in the Bulk Actions menu. The Bulk Action summary page also supports multiple scenarios:

Scenario One: The administrator selects emails where all senders have pre-existing rules created. New sender rules will be created. This is displayed in the info alert on the summary page. The emails will still be released or removed.

Scenario Two: The administrator selects emails where some senders have pre-existing rules created. The administrator can view the list of senders that already have pre-existing rules. One rule will be created for the rest of the senders (those that do not have any pre-existing rules).

Scenario Three: The administrator selects emails where none of the senders have pre-existing rules created. In this case, all the senders' Envelope Addresses will be included in the one rule that is created.

Scenario Four: The administrator selects emails and collaboration security items. Only emails will be listed in the summary table, as only emails can have sender rules applied.

Scenario Five: The administrator selects only Collaboration Security items. The administrator stays on the Detections page and a notification message is displayed.

Delete from Quarantine

This feature allows administrators to permanently remove an item from quarantine without releasing it to users.

  1. This action is irreversible; administrators do not need to cite a reason to delete.
  2. This currently applies only to emails, in the first round. SharePoint and OneDrive have been redacted (Teams currently does not quarantine items).
  3. Only items with the following statuses can be deleted: Quarantined.
  4. Selecting Delete marks the item (email) as deleted. It will no longer appear in the Quarantine queue, but will instead show a status of Deleted, accompanied by a trash can icon.
  5. An entry is recorded in the Audit Log, similar to other administrative actions such as Release or Remove.
  6. There are two facets to consider: deleting as a Singular Action and deleting as a Bulk Action. Both ask for the same information and behave similarly.
  7. In both scenarios, confirmation is required. A pop-up will appear for a single-action delete, and the action will only be completed if the user confirms it. For Bulk Actions, the administrator will receive a summary list and must click Confirm to proceed.
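The following is an added Python example, not Mimecast code, that ties together the rules stated in the Managing Detected Threats, Considerations for Allow/Block Sender, Detection Details and Delete from Quarantine sections: the 100-item selection cap, the mandatory 3 to 300 character reason (not required for Delete), Delete only for Quarantined emails, sender rules for emails and Envelope Addresses only, no new rule for an address that already has one, and one rule for all remaining addresses. The Item class, plan_bulk_action and the sample selection are constructed. The article does not state in full which Status each service must have for Release/Restore and Remove/Quarantine to apply, so the statuses used below, and the wording of the Delete notification, are assumptions and are marked as such in the comments.

```python
"""Planner for the Bulk Action workflow (constructed example, not Mimecast code)."""
from dataclasses import dataclass

PAGE_LIMIT = 100                      # items selectable, one page of search results
REASON_MIN, REASON_MAX = 3, 300
BLOCK_CATEGORIES = ("Malware", "Phishing", "Untrustworthy", "Spam")


@dataclass(frozen=True)
class Item:
    item_id: str
    service: str               # Email, Teams, SharePoint or OneDrive
    status: str                # Quarantined, Delivered, Manually removed, ...
    envelope_sender: str = ""  # Envelope Address; only meaningful for Email


def validate_reason(reason):
    """The summary page's Reason field is mandatory and 3 to 300 characters long."""
    reason = reason.strip()
    if not REASON_MIN <= len(reason) <= REASON_MAX:
        raise ValueError(f"Reason must be between {REASON_MIN} and {REASON_MAX} characters")
    return reason


def eligible(item, action):
    """Whether the chosen Bulk Action applies to one selected item."""
    if action == "Release/Restore":
        if item.service in ("Email", "Teams"):
            return item.status == "Quarantined"      # quarantined items are released
        return item.status == "Manually removed"     # assumption: restore targets removed files
    if action == "Remove/Quarantine":
        # Remove is only offered for items that reached the customer environment;
        # assumption: that is the Delivered status, for Teams (quarantine) as well.
        return item.status == "Delivered"
    if action in ("Release and Allow Sender", "Remove and Block Sender"):
        base = "Release/Restore" if action.startswith("Release") else "Remove/Quarantine"
        return item.service == "Email" and eligible(item, base)  # emails only
    if action == "Delete":
        return item.service == "Email" and item.status == "Quarantined"
    raise ValueError(f"unknown action {action!r}")


NONE_APPLICABLE = {
    "Release/Restore": "None of your selected entries can be Released/Restored.",
    "Release and Allow Sender": "None of your selected entries can be Released/Restored.",
    "Remove/Quarantine": "None of your selected entries can be Removed/Quarantined.",
    "Remove and Block Sender": "None of your selected entries can be Removed/Quarantined.",
    "Delete": "None of your selected entries can be Deleted.",  # constructed wording
}


def plan_bulk_action(selected, action, reason="", existing_rules=(), block_category=None):
    """Return the summary-page contents, or the notification shown when nothing applies."""
    if len(selected) > PAGE_LIMIT:
        raise ValueError(f"at most {PAGE_LIMIT} items can be selected")
    applicable = [item for item in selected if eligible(item, action)]
    if not applicable:
        return {"stay_on_detections": True, "notification": NONE_APPLICABLE[action]}
    plan = {"stay_on_detections": False, "items": [item.item_id for item in applicable]}
    if action != "Delete":
        plan["reason"] = validate_reason(reason)   # mandatory for everything but Delete
    if action.endswith("Sender"):
        # Only emails reach this point (see eligible). Addresses with a pre-existing
        # rule are listed and get no new rule; all remaining addresses go into one rule.
        senders = {item.envelope_sender for item in applicable}
        existing = set(existing_rules)
        plan["senders_with_existing_rule"] = sorted(senders & existing)
        new_addresses = sorted(senders - existing)
        if action.startswith("Release"):
            category = "Safe/Clean"                  # default category for Allow
        elif block_category in BLOCK_CATEGORIES:
            category = block_category                # Block has no default; the user chooses
        else:
            raise ValueError(f"Block requires one of {BLOCK_CATEGORIES}")
        plan["new_rule"] = ({"addresses": new_addresses, "category": category}
                            if new_addresses else None)
    return plan


# Constructed sample selection: three emails, one SharePoint file, one Teams item.
SAMPLE_ITEMS = [
    Item("D1", "Email", "Quarantined", "billing@vendor-example.net"),
    Item("D2", "Email", "Quarantined", "news@bulk-example.com"),
    Item("D3", "Email", "Delivered", "ok@partner-example.org"),
    Item("D4", "SharePoint", "Manually removed"),
    Item("D5", "Teams", "Delivered"),
]
EXISTING_RULES = ("billing@vendor-example.net",)  # address that already has an Allow/Block rule


if __name__ == "__main__":
    print(plan_bulk_action(SAMPLE_ITEMS, "Release and Allow Sender", "False positive", EXISTING_RULES))
    print(plan_bulk_action(SAMPLE_ITEMS[3:], "Remove and Block Sender", "Confirmed spam", EXISTING_RULES, "Spam"))
```

The first call is Scenario Two (one sender already has a rule, one new rule is created for the other); the second is Scenario Five (only collaboration items selected, so the planner stays on the Detections page with the notification). The block-category check mirrors the singular action, where Allow defaults to Safe/Clean and Block has no default.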

Restore Remediated Detections

Administrators can restore messages that have been remediated and need to be recovered to end-user mailboxes. This can be done on individual detections or using the bulk action feature.

Restoring an Individual Remediated Detection

  1. To restore an individual remediated detection, navigate to the remediated detection's page, where a Restore button will be visible.
  2. You will be prompted to provide a reason for the restoration. Once this has been provided, click Restore to complete the restoration.

Restoring Multiple Remediated Detections

  1. To restore multiple remediated messages, select the messages from the Detections Search page and click Release/Restore.
  2. You will be prompted to provide a reason for the restoration. Once this has been provided in the Reason field, click Confirm to complete the restoration.

Origin Sub-categories

The following countries are the sub-categories for the Origin Filter Category:

Afghanistan 
Åland Islands 
Albania 
Algeria 
American Samoa 
Andorra 
Angola 
Anguilla 
Antarctica 
Antigua and Barbuda 
Argentina 
Armenia 
Aruba 
Australia 
Austria 
Azerbaijan 
Bahamas 
Bahrain 
Bangladesh 
Barbados 
Belarus 
Belgium 
Belize 
Benin 
Bermuda 
Bhutan 
Bolivia (Plurinational State of) 
Bonaire, Sint Eustatius and Saba 
Bosnia and Herzegovina 
Botswana 
Bouvet Island 
Brazil 
British Indian Ocean Territory 
Brunei Darussalam 
Bulgaria 
Burkina Faso 
Burundi 
Cabo Verde 
Cambodia 
Cameroon 
Canada 
Cayman Islands 
Central African Republic 
Chad 
Chile 
China 
Christmas Island 
Cocos (Keeling) Islands 
Colombia 
Comoros 
Congo 
Congo, Democratic Republic of the 
Cook Islands 
Costa Rica 
Côte d'Ivoire 
Croatia 
Cuba 
Curaçao 
Cyprus 
Czechia 
Denmark 
Djibouti 
Dominica 
Dominican Republic 
Ecuador 
Egypt 
El Salvador 
Equatorial Guinea 
Eritrea 
Estonia 
Eswatini 
Ethiopia 
Falkland Islands (Malvinas) 
Faroe Islands 
Fiji 
Finland 
France 
French Guiana 
French Polynesia 
French Southern Territories 
Gabon 
Gambia 
Georgia 
Germany 
Ghana 
Gibraltar 
Greece 
Greenland 
Grenada 
Guadeloupe 
Guam 
Guatemala 
Guernsey 
Guinea 
Guinea-Bissau 
Guyana 
Haiti 
Heard Island and McDonald Islands 
Holy See 
Honduras 
Hong Kong 
Hungary 
Iceland 
India 
Indonesia 
Iran (Islamic Republic of) 
Iraq 
Ireland 
Isle of Man 
Israel 
Italy 
Jamaica 
Japan 
Jersey 
Jordan 
Kazakhstan 
Kenya 
Kiribati 
Korea (Democratic People's Republic of) 
Korea, Republic of 
Kuwait 
Kyrgyzstan 
Lao People's Democratic Republic 
Latvia 
Lebanon 
Lesotho 
Liberia 
Libya 
Liechtenstein 
Lithuania 
Luxembourg 
Macao 
Madagascar 
Malawi 
Malaysia 
Maldives 
Mali 
Malta 
Marshall Islands 
Martinique 
Mauritania 
Mauritius 
Mayotte 
Mexico 
Micronesia (Federated States of) 
Moldova, Republic of 
Monaco 
Mongolia 
Montenegro 
Montserrat 
Morocco 
Mozambique 
Myanmar 
Namibia 
Nauru 
Nepal 
Netherlands, Kingdom of the 
New Caledonia 
New Zealand 
Nicaragua 
Niger 
Nigeria 
Niue 
Norfolk Island 
North Macedonia 
Northern Mariana Islands 
Norway 
Oman 
Pakistan 
Palau 
Palestine, State of 
Panama 
Papua New Guinea 
Paraguay 
Peru 
Philippines 
Pitcairn 
Poland 
Portugal 
Puerto Rico
Qatar 
Réunion 
Romania 
Russian Federation 
Rwanda 
Saint Barthélemy 
Saint Helena, Ascension and Tristan da Cunha 
Saint Kitts and Nevis 
Saint Lucia 
Saint Martin (French part) 
Saint Pierre and Miquelon 
Saint Vincent and the Grenadines 
Samoa 
San Marino 
Sao Tome and Principe 
Saudi Arabia 
Senegal 
Serbia 
Seychelles 
Sierra Leone 
Singapore 
Sint Maarten (Dutch part) 
Slovakia 
Slovenia 
Solomon Islands 
Somalia 
South Africa 
South Georgia and the South Sandwich Islands 
South Sudan 
Spain 
Sri Lanka 
Sudan 
Suriname 
Svalbard and Jan Mayen 
Sweden 
Switzerland 
Syrian Arab Republic 
Taiwan, Province of China 
Tajikistan 
Tanzania, United Republic of 
Thailand 
Timor-Leste 
Togo 
Tokelau 
Tonga 
Trinidad and Tobago 
Tunisia 
Türkiye 
Turkmenistan 
Turks and Caicos Islands 
Tuvalu
Uganda 
Ukraine 
United Arab Emirates 
United Kingdom of Great Britain and Northern Ireland 
United States Minor Outlying Islands 
United States of America 
Uruguay 
Uzbekistan
Vanuatu 
Venezuela (Bolivarian Republic of) 
Viet Nam 
Virgin Islands (British) 
Virgin Islands (U.S.)
Wallis and Futuna 
Western Sahara 
Yemen
Zambia 
Zimbabwe
 
 
 