Detections - Per Policy Detection Engines

This article contains information on configuring Detection Engines in Mimecast Email Security Cloud Integrated, including setting policies, Detection actions, and user identification settings.  

Configuring Detection Engines

You can configure a Detection Engine by using the following steps:

  1. Log in to Mimecast Email Security Cloud Integrated.
  2. Click on the Menu icon.
  3. Click on New Policy or select an existing policy.
  4. Complete the policy properties as follows:
Properties

Name: Give the policy a name.
Description: Optionally enter a description for the policy.

Target

Sender (From): Select a Target scope for the senders the policy should apply to:
  • All.
  • External.
  • Internal.
Recipient (To): Select a Target scope for the recipients the policy should apply to:
  • All.
  • External.
  • Internal.
Then select a target for the recipients the policy should apply to:
  • All users.
  • Email - Specify the email address(es) the policy should be applied to.
  • Groups - Specify the group(s) the policy should be applied to.
Exceptions: Select who the policy should not apply to:
  • None - The policy will be applied to the specified sender and recipient.
  • Email - Specify the email address(es) to exclude from the policy.
  • Groups - Specify the group(s) of users to exclude from the policy.
Address Matched On: Select the address type the policy should apply to:
  • From and/or Return.
  • From.
  • Return.

Mode

Protect: The specified Detection Actions will be taken when a threat is detected.
Disabled: The specified Detection Actions will NOT be taken when a threat is detected.

Detection Actions

Malware: Select what action should be taken when Malware is detected.
Phishing: Select what action should be taken when Phishing is detected.
Untrustworthy: Select what action should be taken when Untrustworthy mail is detected.
Spam: Select what action should be taken when Spam is detected.
Detection Engines: Click the Detection Engines links to configure detection properties.
Alerts:
  • Select the Threat Type for which you would like to receive an alert.
  • These alerts can be sent to all administrators, groups, specific email addresses, or any combination of these options.
Rewrite URLs in Emails: This controls whether Mimecast will rewrite URLs within emails. Upon clicking a rewritten link, Mimecast performs a deep scan on the URL to determine whether the destination is safe. If safe, the user proceeds; if malicious, Mimecast follows the configured URL Detection Action.
Rewrite URLs in Subject Line:
  • This allows deep threat scanning to be performed when a user clicks on a link within a subject.
  • If Rewrite URLs in Emails is disabled, the Rewrite URLs in Subject Line option is disabled and hidden, as this feature depends on URL rewriting being enabled. See Additional URL Re-write Settings for Cloud Integrated for more information.
  • Fully Qualified Domain Names (FQDNs) are required for rewriting URLs in the subject line due to limitations imposed by mail providers. Since most email clients handle subject lines as plain text, Email Security Cloud Integrated relies on the presence of an FQDN to accurately identify and rewrite these URLs.
Scan URLs in Attachments: This extends the same URL protection to URLs within attachments.
User Identification Settings:
  • Basic - When basic identification is enabled, Mimecast logs URL clicks as if the recipient of the email had clicked it. This works well for inbound emails with a single user but becomes more complex with distribution lists. For instance, if users from a distribution list click rewritten URLs and basic identification is enabled, Mimecast will log each of those clicks as if the distribution list itself clicked it, rather than a specific member.
  • Advanced Device Enrollment / M365 Authentication (Recommended) - With advanced device enrollment / M365 authentication enabled, users must authenticate against Mimecast the first time they click a rewritten link. This allows Mimecast to accurately associate URL clicks with the correct user.
Browser Isolation for Unclassified URLs: When enabled, users will be able to view potentially malicious webpages through the Browser Isolation service. This provides a safe viewing experience without exposing the user.
  • Enter Text: Allows users to enter text into a webpage when using Browser Isolation.
  • Paste Text: Allows users to paste text into a webpage when using Browser Isolation; only visible when Enter Text is enabled.
  • Copy Text: Allows users to copy text from a webpage when using Browser Isolation.
Any restriction will not apply to administrators viewing a URL from Message Details. 
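As an added illustration (this is not Mimecast code), the following Python model shows how the Target, Exceptions, Address Matched On and Mode fields above combine to decide whether a policy applies to a message and which Detection Action results. The internal domain, the group membership, the addresses and the action names (Block, Hold, Junk) are constructed assumptions, as is the choice to test Exceptions against the recipient. The constructed message has an internal-looking From header but an external Return-Path, which shows why a policy matched on From only behaves differently from one matched on From and/or Return.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Added example, not Mimecast code: a minimal model of how the Target,
# Exceptions, Address Matched On and Mode fields of a Detection Engine policy
# decide whether the policy applies to a message and which Detection Action
# results. Domains, groups, addresses and action names are constructed.

INTERNAL_DOMAINS = {"corp.example"}                                   # constructed: our own domains
GROUPS = {"finance": {"alice@corp.example", "bob@corp.example"}}      # constructed group membership


@dataclass(frozen=True)
class Message:
    from_addr: str            # address in the From header
    return_path: str          # envelope sender (Return-Path)
    recipient: str
    threat: Optional[str]     # "Malware", "Phishing", "Untrustworthy", "Spam" or None


@dataclass
class Policy:
    name: str
    sender_scope: str                      # "All" | "External" | "Internal"
    recipient_scope: str                   # "All" | "External" | "Internal"
    recipient_target: Optional[frozenset]  # None = All users; else emails and group names
    exceptions: frozenset                  # emails and group names the policy skips
    address_matched_on: str                # "From" | "Return" | "From and/or Return"
    mode: str                              # "Protect" | "Disabled"
    actions: dict                          # threat type -> configured Detection Action


def is_internal(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def in_scope(addr: str, scope: str) -> bool:
    if scope == "All":
        return True
    if scope == "Internal":
        return is_internal(addr)
    if scope == "External":
        return not is_internal(addr)
    raise ValueError(f"unknown scope {scope!r}")


def expand(targets) -> set:
    """Flatten emails and group names into a lowercase set of emails."""
    members = set()
    for t in targets:
        members |= GROUPS.get(t, {t})
    return {m.lower() for m in members}


def sender_matches(policy: Policy, msg: Message) -> bool:
    """Apply Address Matched On: which sender address(es) the scope is tested against."""
    candidates = {
        "From": [msg.from_addr],
        "Return": [msg.return_path],
        "From and/or Return": [msg.from_addr, msg.return_path],
    }[policy.address_matched_on]
    return any(in_scope(a, policy.sender_scope) for a in candidates)


def policy_applies(policy: Policy, msg: Message) -> bool:
    if not sender_matches(policy, msg):
        return False
    rcpt = msg.recipient.lower()
    if not in_scope(rcpt, policy.recipient_scope):
        return False
    if policy.recipient_target is not None and rcpt not in expand(policy.recipient_target):
        return False
    # Assumption: exceptions are tested against the recipient, i.e. the policy target.
    return rcpt not in expand(policy.exceptions)


def effective_action(policy: Policy, msg: Message) -> Optional[str]:
    """Detection Action that would be taken, or None when nothing happens."""
    if msg.threat is None or not policy_applies(policy, msg):
        return None
    if policy.mode == "Disabled":
        return None  # policy matched, but Disabled mode suppresses the configured action
    return policy.actions.get(msg.threat)


# Constructed policy: external senders to the Finance group, matched on From and/or Return.
FINANCE_POLICY = Policy(
    name="External to Finance",
    sender_scope="External",
    recipient_scope="Internal",
    recipient_target=frozenset({"finance"}),
    exceptions=frozenset({"bob@corp.example"}),
    address_matched_on="From and/or Return",
    mode="Protect",
    actions={"Malware": "Block", "Phishing": "Block", "Untrustworthy": "Hold", "Spam": "Junk"},
)

# Constructed message: internal-looking From header but an external Return-Path.
SPOOFED = Message(from_addr="ceo@corp.example", return_path="bounce@mailer.invalid",
                  recipient="alice@corp.example", threat="Phishing")


def demo() -> dict:
    """Outcomes for the constructed scenarios, keyed by a short label."""
    return {
        "From and/or Return": effective_action(FINANCE_POLICY, SPOOFED),
        "From only": effective_action(replace(FINANCE_POLICY, address_matched_on="From"), SPOOFED),
        "excepted recipient": effective_action(FINANCE_POLICY, replace(SPOOFED, recipient="bob@corp.example")),
        "external recipient": effective_action(FINANCE_POLICY, replace(SPOOFED, recipient="partner@other.invalid")),
        "Disabled mode": effective_action(replace(FINANCE_POLICY, mode="Disabled"), SPOOFED),
        "Spam": effective_action(FINANCE_POLICY, replace(SPOOFED, threat="Spam")),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20} -> {outcome}")
```

Running the block prints one line per scenario. The From-only variant returns no action for the spoofed message because the From address is internal, while the From and/or Return variant applies the External policy via the Return-Path; the excepted recipient, the external recipient and the Disabled policy all yield no action even though a threat was detected.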
Phishing & Impersonation (Panel in CI)

The phishing and untrustworthy sensitivity settings can be adjusted between Moderate and Aggressive levels. Examples of phishing include emails involving Social Engineering, Malicious URLs, and Weaponized Attachments.

The phishing detection engine also utilizes the following impersonation checks: 

  • Mimecast threat dictionary.
  • Reply to address mismatch.
  • Payloadless message checks (Messages containing plain text without attachments and URLs).
  • FreeMail domain checks.
  • Internal user checks.

Messages flagged by Mimecast as untrustworthy may originate from known bad sources or contain content we cannot be sure is safe. 

Dynamic Banners

When Mimecast performs a security scan on an email, colored banners may be inserted into those deemed 'suspicious' before delivery to the end user. These banners provide recipients with information about the nature of the threat, helping them make informed decisions when interacting with potentially dangerous emails. Dynamic Banners can be enabled, disabled, or set to learning mode. In learning mode, Mimecast will not display banners within emails but will continue to learn our customers' communication patterns. This enables Mimecast to better apply banners when moving away from learning mode to enabled.
Attachment

The Attachment Detection Engine includes a toggle for the Sandbox feature, which can be enabled or disabled. When enabled, Mimecast checks all vulnerable file types for threats within a secure sandbox environment before delivering them to the recipient.

Vulnerable file types include the following: 

Graymail Filtering

Graymail Filtering allows for greater control over what happens when unwanted/unsolicited emails are received.

You can configure the following actions within email policies:

Additionally, you will see the Graymail category within the Detections details page (Graymail does not have any sub-categories).

The Cloud Integrated search feature also includes Graymail as a search filter.

While an email may carry the Graymail tag, it is important to recognize that the status of Untrustworthy takes precedence. This distinction is important because Untrustworthy highlights characteristics that suggest the email could be spam or potentially harmful. Therefore, even if an email is classified as Graymail, the Untrustworthy status will override this classification.

Understanding this hierarchy is essential for effective email management and security, as it helps users prioritize their responses and actions towards emails that may pose potential risks.

  1. Detection engine settings are now contained within policies for Email, Microsoft SharePoint & OneDrive and Microsoft Teams.
  2. Click Save.

Additional URL Re-write Settings for Cloud Integrated

The additional URL Re-write Settings for Cloud Integrated closes the gap between Cloud Gateway (CG) and Cloud Integrated (CI) in terms of increased flexibility on how CI identifies message content to re-write and how aggressive URL scans are.

Current Behavior/Experience

Currently, CI permits only a limited range of options for URL protection, primarily the locations within a message where URLs are rewritten (subjects, attachments, etc.).

New Behavior/Experience

Customers will have the default URL Re-write and URL Scan Settings of Moderate configured within their Email security policies, as this is the configuration currently applied to all CI customers. Customers can edit these settings as they see fit.

CI will allow Administrators to configure new URL protection settings within Email Security policies. The new options are:

URL Re-write Sensitivity

This option controls how aggressively CI looks for message content that could be considered a URL: the more aggressive the configuration, the higher the chance that CI will re-write content that is not actually a URL.

An example use case for this option would be customers looking to stop CI re-writing IP addresses found within message bodies, where they could move from the default Moderate setting to Relaxed.
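To make that trade-off concrete, here is an added Python model (not Mimecast's detection logic) of how a Relaxed, Moderate or Aggressive re-write level changes which message content is treated as a URL. It also applies the subject-line rule from the policy settings above, where only candidates containing an FQDN are eligible for rewriting. The candidate shapes assigned to each level, the sample body and subject text, and the [REWRITTEN:...] marker are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Added example, not Mimecast code: a simplified model of how the URL Re-write
# Sensitivity level changes which message content is treated as a URL. The
# candidate shapes per level are hypothetical illustrations of Relaxed,
# Moderate and Aggressive, not the vendor's actual rules.

FQDN = r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}"   # dotted host ending in an alphabetic TLD
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
TAIL = r"(?::\d{1,5})?(?:/[^\s<>\"']*)?"                     # optional port and path

LEVEL_PATTERNS = {
    "relaxed": [
        r"https?://[^\s<>\"']+",        # explicit scheme only
        rf"\bwww\.{FQDN}{TAIL}",        # or a www.-prefixed host
    ],
    "moderate": [
        rf"\b{FQDN}{TAIL}",             # any bare fully qualified domain name
        rf"\b{IPV4}{TAIL}",             # bare IPv4 address (what the Relaxed use case above avoids)
    ],
    "aggressive": [
        rf"\b[a-z0-9-]{{2,}}(?::\d{{1,5}})?/[^\s<>\"']+",   # single-label host followed by a path
    ],
}
LEVEL_ORDER = ["relaxed", "moderate", "aggressive"]   # each level includes the ones before it


def _compiled(sensitivity: str) -> "re.Pattern":
    if sensitivity not in LEVEL_ORDER:
        raise ValueError(f"unknown sensitivity {sensitivity!r}")
    active = LEVEL_ORDER[: LEVEL_ORDER.index(sensitivity) + 1]
    # Alternation order matters: specific shapes come first so that
    # "https://example.com/x" is matched once, as a whole, not as "example.com/x".
    alts = [p for level in active for p in LEVEL_PATTERNS[level]]
    return re.compile("|".join(f"(?:{p})" for p in alts), re.IGNORECASE)


def has_fqdn(candidate: str) -> bool:
    """True if the candidate's host part is a fully qualified domain name."""
    with_scheme = candidate if "://" in candidate else "http://" + candidate
    host = urlsplit(with_scheme).hostname or ""
    return re.fullmatch(FQDN, host, re.IGNORECASE) is not None


def _iter_candidates(text: str, sensitivity: str, location: str):
    for m in _compiled(sensitivity).finditer(text):
        cand = m.group(0).rstrip(".,;:)")   # do not swallow sentence punctuation
        if not cand:
            continue
        if location == "subject" and not has_fqdn(cand):
            continue                        # subject rewriting requires an FQDN
        yield m.start(), m.start() + len(cand), cand


def find_url_candidates(text: str, sensitivity: str, location: str = "body") -> list:
    """Substrings this sensitivity level would treat as URLs, in order of appearance."""
    return [cand for _, _, cand in _iter_candidates(text, sensitivity, location)]


def rewrite(text: str, sensitivity: str, location: str = "body") -> str:
    """Wrap each candidate in a visible marker to show what would be rewritten."""
    out, last = [], 0
    for start, end, cand in _iter_candidates(text, sensitivity, location):
        out.append(text[last:start])
        out.append(f"[REWRITTEN:{cand}]")
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample content.
SAMPLE_BODY = ("Visit https://portal.example.com/login or updates.example.net for details. "
               "Direct IP 192.168.10.5/admin also works; see intranet/wiki and room 10/20.")
SAMPLE_SUBJECT = "Invoice at billing.example.com/pay and http://10.0.0.9/x"

if __name__ == "__main__":
    for level in LEVEL_ORDER:
        print(f"{level:10} body    -> {find_url_candidates(SAMPLE_BODY, level)}")
        print(f"{level:10} subject -> {find_url_candidates(SAMPLE_SUBJECT, level, 'subject')}")
```

In the sample body, Relaxed rewrites only the explicit https:// link, Moderate adds the bare domain and the IP address, and Aggressive also picks up "intranet/wiki" and the room number "10/20", which is exactly the kind of non-URL content the text warns about. In the subject, the IP-based link is never rewritten at any level because it carries no FQDN.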

URL Scan Sensitivity

This option determines how strict our URL scanning should be: the higher the sensitivity, the more URL categories are considered when making a detection.

Increasing the URL Re-write setting will cause more message content to be treated as a URL, so it is recommended that Administrators test this with a small group of users before rolling it out more widely.

An example use case for the URL Scan Sensitivity setting would be a customer that is seeing URL-based threats pass through CI because the default Moderate scan sensitivity is in use. Increasing this setting allows the customer to test whether the reported threats are now picked up.

Increasing Scan Sensitivity can introduce a higher rate of False Positives, so we recommend testing this setting with a small group of users to determine the impact.