This article contains information on Mimecast's Analysis and Response, including its features for threat detection, analysis, and response, prerequisites for access, detection categories, secure user actions, and tools like Browser Isolation and Malware Analysis. It is intended for Administrators.
Mimecast Analysis and Response provides a central place to view, analyze, and act on data and threat intelligence. It allows you to analyze threats, identify risks, and take action to secure your organization. As part of the overall project, Mimecast is working towards achieving the following five core objectives.
Prerequisites
You are logged in, as an Administrator of Mimecast Administration Console, with a custom role that has Application Permission for Analysis and Response Menu | Analysis and Response configured as required:
- Read: to view data in Mimecast Analysis and Response (not including message contents).
- Edit: to view data in Mimecast Analysis and Response, and take actions, e.g. Secure User action.
- Content View: to view message content.
This is a protected permission, which only a Super Administrator will be able to assign to a custom role.
Content View is not available yet, and will be part of a future enhancement.
If the required permissions are not assigned, or are insufficient, each detection category displays an Error fetching data status instead of a count.
To perform a Secure User action, you must have a role with Edit permission for Mimecast Analysis and Response, or one of the following roles:
- Super Administrator.
- Full Administrator.
- Basic Administrator.
- Partner Administrator.
Overview
The Overview provides a quick insight into detections in your environment.
You can view data over a period ranging from 24 hours to the last 90 days, by selecting from the Date range drop-down, or by selecting a custom range of up to 90 days via the Start Date - End Date date selector field.
The data displayed covers inbound detections made by the Cloud Gateway, over a maximum period of 90 days, and including the following events:
- Advanced Business Email Compromise detections.
- Anti-Spam detections.
- TTP Attachment Protection detections.
- TTP Impersonation Protection detections.
- TTP URL Protection blocked clicks.
Detection Categories
The threat statistic cards display counts of detections for the following threat categories:
- Malware.
- Phishing.
- Spam.
- Suspicious.
- Unwanted.
- Blocked Attachment.
- Blocked URL Clicks.
These threat categories are reflected in the Total Detections Overview donut chart and the timeline view. See Detection Subcategories for further information on threat subcategories.
The volumes of all threat categories are displayed in the cards and on the timeline. When a threat is addressed to multiple recipients, the associated card on the Overview page is incremented by the number of recipients it was sent to. On the Detections page, however, the same threat appears as a single row.
Click a threat statistic card to see a filtered list of Detections. Within that list you can search for detections over a period ranging from the last 24 hours to the last 90 days by selecting from the Date range drop-down, or over a custom range of up to 90 days via the Start Date - End Date selector.
The Detections list has the same columns, column customization and filtering functionality as for Recent Detections.
You can drill down to Detections from Top Malicious Senders or Top Targeted Users, by selecting an individual user.
Recent Detections
Columns can be shown or hidden, and you can still search on a field whose column is hidden. When the list is exported, the exported data includes all attachments and recipients associated with each detection.
Click Filter to filter the detections by specific fields and values. Filters can be removed by clicking Clear All Filters.
| Column Name | Description |
| --- | --- |
| Service | The source of the detection. Currently this is always email; other communication and collaboration tools will be added in future. |
| Content | The subject line of the email and any malicious files or URLs detected. If there is more than one item, the number of additional items is shown, e.g. "+3"; click the row to see details for all items. |
| Analysis | The high-level detection category. |
| Details | Lower-level detection subcategories and information. |
| Summary | Detailed description of the identified threat. |
| Status | Status of the message or URL. |
| Recipient | The recipients of the threat. If there is more than one recipient, the number of additional recipients is shown, e.g. "+3"; click the row to see details for all recipients. |
| Sender | The sender of the threat. |
| Date/Time | Date and time of the event. |
| Origin | Geolocation of the sender's IP address. |
| Direction | The direction of the threat, e.g. internal or external. |
| Message ID | The message ID associated with the detection. |
| IP | The IP address associated with the detection. |
| Sha256 | SHA-256 hash of a detected file. If there is more than one file, the number of additional items is shown, e.g. "+3"; click the row to see details for all items. |
Top Malicious Senders
The Top Malicious Senders table shows counts of detections by sender, to highlight the senders that pose the greatest risk to your organization. Click View All Malicious Senders / Uploaders to see the full list of senders over up to 90 days, depending on the dashboard time frame selected. You can also search by a specific sender email address and export the results to a CSV file.
Top Targeted Users
This table shows the counts of detections by user to help identify the most at-risk users. Click View All Targeted Users to see the full list of users over up to 90 days, depending on the dashboard time frame selected. You can also search by a specific user email address and export the results to a CSV file.
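The counting rules above are easy to get wrong when reproducing the dashboard from an export: the Overview cards count one per recipient, the Detections list shows one row per message, Top Malicious Senders counts detections per sender, and Top Targeted Users counts detections per recipient. The following Python is an added example written for this article, not Mimecast code and not the format of a Mimecast export; the detections it works on are constructed sample data using the column names from the Recent Detections table, and the function names are the author's own.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class Detection:
    """One row of the Detections list: a single message with all its recipients."""
    message_id: str
    sender: str
    recipients: list[str]
    analysis: str   # high-level category, e.g. "Phishing"
    details: str    # subcategory, e.g. "CREDENTIAL HARVESTING"


# Constructed sample data (hypothetical addresses and message IDs).
SAMPLE = [
    Detection("<a1@example.net>", "attacker@example.net",
              ["alice@corp.example", "bob@corp.example", "carol@corp.example"],
              "Phishing", "CREDENTIAL HARVESTING"),
    Detection("<a2@example.net>", "attacker@example.net",
              ["alice@corp.example"], "Malware", "DROPPER"),
    Detection("<b1@example.org>", "spammer@example.org",
              ["bob@corp.example", "dave@corp.example"], "Spam", "UNSOLICITED BULK MAIL"),
    Detection("<c1@example.com>", "newsletter@example.com",
              ["alice@corp.example"], "Spam", "GRAYMAIL"),
]


def card_counts(detections: list[Detection]) -> dict[str, int]:
    """Overview threat statistic cards: a message to three recipients adds
    three to its category, so counts are per recipient, not per message."""
    counts: Counter[str] = Counter()
    for d in detections:
        counts[d.analysis] += len(d.recipients)
    return dict(counts)


def row_counts(detections: list[Detection]) -> dict[str, int]:
    """Detections page: the same message is a single row however many
    recipients it had, so counts are per message."""
    return dict(Counter(d.analysis for d in detections))


def filter_by_category(detections: list[Detection], category: str) -> list[Detection]:
    """What clicking a threat statistic card shows: rows of that category only."""
    return [d for d in detections if d.analysis == category]


def top_malicious_senders(detections: list[Detection], n: int = 5) -> list[tuple[str, int]]:
    """Top Malicious Senders: number of detections (rows) per sender."""
    return Counter(d.sender for d in detections).most_common(n)


def top_targeted_users(detections: list[Detection], n: int = 5) -> list[tuple[str, int]]:
    """Top Targeted Users: number of detections each recipient received."""
    counts: Counter[str] = Counter()
    for d in detections:
        counts.update(d.recipients)
    return counts.most_common(n)


if __name__ == "__main__":
    print("cards:", card_counts(SAMPLE))
    print("rows: ", row_counts(SAMPLE))
    print("top senders:", top_malicious_senders(SAMPLE))
    print("top targets:", top_targeted_users(SAMPLE))
```

With the sample data the Phishing card reads 3 while the Detections list holds one Phishing row, which is exactly the discrepancy an analyst sees when comparing the Overview against an exported list; reconciling the two requires expanding each exported row by its recipient count.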
Secure User Action
The Secure User action lets you disable a user's login to the Mimecast platform, or force a password reset the next time the user attempts to log in. Choose Secure User from the options (kebab) menu for an individual user, or select multiple users and click the Secure User button to act in bulk. This action does not affect mail flow. Once an account has been disabled, the option to undo the action becomes visible in the same options menu.
Any actions taken are logged and available for review under the User Account and Role audit logs.
Analysis Details
When drilling down from a specific event, the Analysis Details page provides further information to help you understand the threat and what actions have been taken. The summary box displays an overview of the threat classification and status. Because a single message can have multiple recipients, and policies are applied per user or recipient, the summary groups recipients by the action applied to them. For example, a message sent to five recipients could be rejected for two and held for three, depending on policy configuration. The analysis panel provides detailed information about the message, its attachments, and any blocked URL clicks.
Emails are classified at the time of delivery based on pre-delivery scans of their content, URLs, and attachments. Post-delivery, URL clicks trigger a deeper scan, and any detections are updated in real-time within the Analysis and Response (A&R) dashboard, reflecting the specific URL threat rather than the email as a whole.
Mimecast will include more detection details, particularly for URL and file detections, and also highlight the hierarchy of attachments and URLs, e.g. to illustrate whether a URL was in the body of an email vs an attachment.
Browser Isolation
Customers with the Browser Isolation package can safely view and interact with URLs displayed on the Analysis Details page and the detection results table via the Mimecast isolated browser.
Malware Analysis
Malware Analysis provides forensic reports for malicious file detections that have undergone dynamic analysis in the sandbox. The Download Report option is only visible once a report is available, which on average takes less than one minute after a sandbox detection has been made.
API Endpoints for Detection Statistics
To retrieve Mimecast Analysis and Response data over API, see the Mimecast Developer Portal.
Detection Subcategories
The table below shows the detection subcategories for Mimecast Analysis and Response.
| Analysis Category | Details Subcategory | Description |
| --- | --- | --- |
| Malware | ADWARE | A type of malicious software that displays unwanted advertisements. It is often disguised as legitimate software or installed silently alongside legitimate software. |
| Malware | CVE | A detection associated with a publicly known security vulnerability. The full CVE identifier is provided. |
| Malware | DOWNLOADER | Malware that is designed to download other malicious files. |
| Malware | DROPPER | A file that is designed to install malware. |
| Malware | EXPLOIT | An attack that takes advantage of known vulnerabilities. |
| Malware | MALICIOUS FILE | A malicious attachment or file detection. |
| Malware | MALSPAM | An email that delivers malware and was detected by the anti-spam engine. |
| Malware | RANSOMWARE | A type of malware that prevents access to data, usually through encryption, until a ransom is paid. Attackers will often also exfiltrate the data and threaten to release or sell it. |
| Malware | TROJAN | Malware that is hidden inside a legitimate application and installed without the user's knowledge. |
| Malware | WORM | Malware that can replicate or propagate to infect other systems. |
| Phishing | ADVANCED FEE FRAUD | A form of fraud and one of the most common types of confidence trick. The scam typically involves promising the victim a significant share of a large sum of money in return for a small up-front payment, which the fraudster claims is needed to obtain the large sum. Examples include 419 and loan scams. |
| Phishing | BANKING FRAUD | Phishing attempts using bank-themed mail with the aim of getting the target to reveal the login details for their bank account. |
| Phishing | BEC - WHALING | A highly targeted type of business email compromise (BEC) attack aimed at senior leaders or executives, to trick them into transferring a significant sum of money or sharing valuable data. |
| Phishing | CREDENTIAL HARVESTING | An attack designed to steal login data, usually usernames and passwords. |
| Phishing | CRYPTOCURRENCY EXTORTION | Attacks that threaten to release sensitive or personal information about users or organizations unless a payment is made in cryptocurrency. |
| Phishing | FAKE LOGIN | Web pages that impersonate genuine login portals to steal credentials. |
| Phishing | FRAUD | Attacks designed to trick a victim into performing an action, such as transferring money or sharing sensitive data. |
| Phishing | IMPERSONATION | A threat where the sender is impersonating another entity or organization. |
| Phishing | PHISHING URL | The detected phishing attack was delivered via a link. |
| Phishing | ROMANCE FRAUD | Strangers feign romantic intentions, gain the affection of victims, and then use that goodwill to gain access to the victims' money, bank accounts, credit cards, passports, and/or national identification numbers, or to get the victims to commit financial fraud on their behalf. |
| Phishing | SCAM | Attacks designed to obtain money through fraud. |
| Spam | BACKSCATTER | Backscatter occurs when malicious emails are sent with a spoofed sender address and bounced by the receiving mail server, which generates an automated non-delivery report to the spoofed sender address. In high volumes this can amount to a denial of service. |
| Spam | SNOWSHOE | Snowshoe is a detection-evasion technique in which spam is spread across a large number of IP addresses, each sending a small share of the load, making the campaign harder to identify and block. |
| Spam | GRAYMAIL | Graymail is typically defined as "mail I want, but just not in my inbox right now". Examples include newsletters and marketing emails that you have subscribed to, but which are not person-to-person communication. |
| Spam | UNSOLICITED BULK MAIL | The formal name for spam: bulk email that users have not subscribed to and do not want in their inbox. |
| Spam | ADULT SPAM | Spam emails that may include pornographic content or links to pornographic sites. |
| Spam | PHARMACY SPAM | Spam emails that advertise the sale of medications or medical products. |
| Spam | RECRUITMENT SPAM | Unsolicited messages that advertise job opportunities. |
| Spam | RELIGION | Spam messages associated with religious organizations or beliefs. |
| Spam | RETIREMENT SPAM | Unsolicited messages related to pensions, retirement planning, or investments. |
| Spam | DDOS | A Distributed Denial of Service (DDoS) attack aims to take down a system by overwhelming it with requests. Huge volumes of email are sent to a victim's address or service from a network of attacker-controlled devices (a botnet), spreading the volume across many sources to reduce the chance of detection. |
| Spam | EMAIL VALIDATION | Validation spam is sent to confirm that email addresses exist. It is usually sent from freemail addresses with very little body content, to avoid being blocked. |
| Spam | LOW REPUTATION | An element of the message has previously been identified as malicious. |
| Spam | SENDING MTA DETECTION | An MTA that handled the message earlier in the transmission chain considers it likely to be spam (e.g. Microsoft has marked the message as spam in the headers). |
| Suspicious | ABUSED LEGITIMATE SERVICES | Legitimate services that can be used in everyday business mail but are often used in malicious campaigns or to hide the attacker's intent, e.g. Dropbox-hosted PDFs or Office forms asking for passwords. |
| Suspicious | BEC - COMPROMISED ACCOUNT | The message is suspicious and may have been sent from a legitimate business account that has been compromised. |
| Suspicious | FORGED HEADERS | Headers fraudulently added to a message to make it appear to have been sent by, or received from, a system it did not pass through. |
| Suspicious | LOW REPUTATION | An element of the message has previously been identified as malicious. |
| Suspicious | SUSPICIOUS BODY CONTENT | The message body contains suspicious content. |
| Suspicious | SUSPICIOUS HEADER CONTENT | The message headers exhibit a suspicious pattern not usually seen in legitimate mail. |
| Suspicious | SUSPICIOUS HEADER STRUCTURE | Badly structured message headers, often produced by a mailing script or a poorly configured message transfer agent. |
| Suspicious | SUSPICIOUS MESSAGE CONTENT | The message has suspicious characteristics. |
| Suspicious | SUSPECTED SPAM | The message is likely to be spam. |
| Unwanted | BLOCKED URL | The detection was triggered by a managed URL. |
Coming Soon
We are working on the following improvements and new features.
Data Improvements
- More detection sources.
- User-reported message view, for Mimecast Email Incident Response customers.
The following data improvements are now available:
URL Detections
URL detection details are shown in the following format:
- Summary
- Verdict
- Original URL
- Detected URL
- Action on click
- User
- User IP
- User Agent
File Detections
File detections have summary details.