This page provides a list of frequently asked questions and answers relating to the following areas of Targeted Threat Protection.
Targeted Threat Protection
| Q: |
Are there any assets I can use to inform our users about TTP functionality? |
| A: |
Yes. Visit our Asset Library for Targeted Threat Protection assets. |
| Q: |
Do you have any recommended configurations? |
| A: |
Targeted Threat Protection covers a number of different use cases. As a result, you can configure it in a number of different ways. We provide a list of the optimum settings for those configuring TTP for the first time. See the following pages:
|
| Q: |
Can I specify which user groups are moderators and administrators? |
| A: |
Yes, but this isn’t controlled by Targeted Threat Protection definitions. It is controlled by assigning each user group a moderator or administrator role. See the Managing Groups and Managing Administrator Roles pages for further detail. |
| Q: |
Can we run Targeted Threat Protection in “monitor mode” to see the effect it has without taking any action? |
| A: |
Yes. Set the definition to take no action, but notify a group of users when a message triggers the policy. |
| Q: |
Does a Permitted Sender automatically bypass Targeted Threat Protection policies? |
| A: |
No. Permitted senders only bypass greylisting checks. To bypass Targeted Threat Protection checks, the relevant Targeted Threat Protection bypass policy must be configured. |
| Q: |
Can more than one URL Protection, Attachment Protection, or Impersonation Protection policy be applied to the same message? |
| A: |
Yes. Targeted Threat Protection policies (like Content Examination policies) don't stop processing a message once a policy is triggered. Take the example where there's a group of users for whom you want an Attachment Protection policy that converts attachments to a safe file PDF and an Impersonation Protection policy that holds the message for review. Should a message trigger an Impersonation Protection policy, the message is held, and the attachment is converted to a safe file PDF. |
Attachment Protection
| Q: |
How long is the delay for preemptive sandboxing for a typical message? |
| A: |
The delay is dependent on the attachment size but can vary from a few seconds to a few minutes. |
| Q: |
What's the difference between an Attachment Management and Targeted Threat Protection - Attachment Protection policy? |
| A: |
An Attachment Management policy allows you to block all file attachments you consider dangerous (e.g. .EXE). Targeted Threat Protection - Attachment Protection blocks file attachments that aren’t necessarily considered dangerous, but which could include a macro or malicious code. |
| Q: |
We have an Attachment Management policy that blocks all Microsoft Office files containing macros. This conflicts with our Targeted Threat Protection - Attachment Protection policy (blocking before it can be sandboxed). Should we remove the Attachment Management policy? |
| A: |
This depends on how you want to handle these files. You can continue to block Microsoft Office documents with macros. However, to get the most value out of Targeted Threat Protection - Attachment Protection, consider letting them through and allowing the Targeted Threat Protection - Attachment Protection functionality to scan the files. |
| Q: |
Does Targeted Threat Protection affect DMARC, DKIM, or SPF? |
| A: |
No. Targeted Threat Protection is separate from DNS Authentication policies that address DMARC, DKIM, or SPF checks. Targeted Threat Protection checks are performed after SPF / DKIM / DMARC checks. |
| Q: |
Can we sandbox all inbound attachments instead of selecting the “Safe File with On-Demand Sandbox” action? |
| A: |
Yes. The “Safe File with On-Demand Sandbox” option is typically used for more specific use cases, where the user base does not need to edit documents (e.g. HR departments dealing with resumes). |
| Q: |
Our Targeted Threat Protection - Attachment Protection policy has resulted in corrupted files. How can this be solved? |
| A: |
Read Mimecast Customer Care - Raising a Case and raise a Mimecast Support Case, providing the original and corrupted versions of the files. If possible, place them in a password-protected zip. |
| Q: |
Certain messages are delayed after Targeted Threat Protection - Attachment Protection checks. What could be the problem? |
| A: |
Read Mimecast Customer Care - Raising a Case and raise a Mimecast Support Case, providing the message and attachment details, so we can investigate. |
| Q: |
Why have some attachments been blocked that appear legitimate? |
| A: |
You can check the reason why attachments have been blocked in the Targeted Threat Protection - Attachment Protection logs. See the Targeted Threat Protection - Attachment Protection Dashboard page for further details. |
| Q: |
Why have certain attachments gone undetected? |
| A: |
Check the Targeted Threat Protection - Attachment Protection logs to verify that the message was scanned and if a policy was applied. See the Targeted Threat Protection - Attachment Protection Dashboard page for further details. If the attachment was scanned and a policy applied, read Mimecast Customer Care - Raising a Case and raise a Mimecast Support Case, complete with details and examples. |
URL Protection
| Q: |
How can I test a policy for bad URLs without having something malicious on the back end? |
| A: |
We recommend that you add a fake URL to your block list for testing. |
| Q: |
Where can I customize our user awareness notification? |
| A: |
Click on the "User Awareness Page Sets" button from the Services | URL Protection menu item in the Administration Console. See the Configuring User Awareness page for further details. |
| Q: |
Where do I enter my user awareness percentage value? |
| A: |
Ensure the “Enable User Awareness” option is enabled in the Targeted Threat Protection - URL Protection definition. This displays the “User Awareness Challenge Percentage” field where you can specify the required value. |
| Q: |
Can I send a URL for someone to use without it being re-written? |
| A: |
We don’t rewrite URLs in outbound messages sent externally or internally. For inbound messages, you can select the “Display URL Destination Domain” option in the Targeted Threat Protection - URL Protection definition. This appends the URL's destination domain at the end of the rewritten link. |
| Q: |
How long is a rewritten link valid for? |
| A: |
Forever. Mimecast always performs a fresh scan when a URL is clicked. |
| Q: |
If a user wants us to release a message with a blocked URL, can we check why it was blocked before doing so? |
| A: |
Yes. The logs on the URL Protection dashboard provide additional insight into what we discovered in our scan of the destination (e.g. whether it was a phishing or fraudulent site). |
| Q: |
Why are users experiencing timeout issues when clicking on certain links? |
| A: |
Check that the destination URL is known to be legitimate and safe. If it is, test the connectivity from another browser. |
| Q: |
Why are users being blocked from URLs that appear legitimate? |
| A: |
Check the URL Protection logs against the URL Checker tool available from the URL Protection dashboard. Make a note of the category and escalate if it's a false positive. See the URL Protection Logs and Check & Decode URL's pages for further details. |
| Q: |
What can we do about an unsafe URL that went undetected? |
| A: |
Check the URL Protection logs and verify the user actually clicked the link and it was allowed. If so, escalate to Support with details. |
| Q: |
What happens to rewritten links if I leave Mimecast? |
| A: |
Mimecast will not scan the rewritten links and end-users will be taken directly to the original URL. |
Impersonation Protection
| Q: |
If our employees use their personal email, the “Reply To” address can be different. If the “Internal User Name” option is selected, this results in the policy being activated. Is there a workaround? |
| A: |
In this scenario, we recommend setting the Targeted Threat Protection - Impersonation Protection definition’s action to “Hold for Review” rather than “Bounce” or “None”. |
| Q: |
Where does the tag display if the "Mark All Inbound Items as External" option is selected in a Targeted Threat Protection - Impersonation Protection definition? |
| A: |
The tag is displayed at the beginning of the message’s body, subject, or header. |
| Q: |
Is the tag added to all messages or just ones that meet the activation score? |
| A: |
Only those messages that have met the activation score are tagged. However, you can tag all external emails as "external" in Impersonation Protection. |
| Q: |
Will a tag be applied multiple times on email exchanges between the same sender/recipient pair? |
| A: |
No, the tag will only be applied once in this scenario. |
| Q: |
Does Targeted Threat Protection - Impersonation Protection allow Google group messages? |
| A: |
Yes. Targeted Threat Protection - Impersonation Protection works on all inbound messages that come through the Mimecast Gateway. They can also be bypassed based on the sender or recipient characteristics. |
| Q: |
Why doesn’t allowlisting work for Targeted Threat Protection - Impersonation Protection? |
| A: |
A Permitted Senders Policy bypasses our spam scoring, reputation, and greylisting checks. If Targeted Threat Protection - Impersonation Protection Bypass policies aren’t working, there may be a configuration issue. Contact our Support Desk who’ll help rectify the settings. |
| Q: |
A Targeted Threat Protection - Impersonation Protection definition gets triggered every time a former staff member emails our firm, despite them being on our permitted senders list. Is there a way to stop the definition from triggering? |
| A: |
Adding a user to your permitted sender list does not bypass Impersonation Protection. Create an Impersonation Protection Bypass policy for the specific email address. See the Impersonation Protection Bypass Policy page for further details. |
| Q: |
How can we optimally configure Targeted Threat Protection - Impersonation Protection for users? |
| A: |
Try the following:
- Check the Internal User Name match by comparing the user's Global Name in Internal Directories to the display name of the message.
- Ensure the user is synchronized in your Active Directory.
- Check the Impersonation Protection logs if you need to further troubleshoot message details. |
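The display-name comparison from the troubleshooting steps above, together with the “Reply To” mismatch from the first question in this section, can be reproduced offline on a saved message. This is an added example, not Mimecast code and not its matching logic; the directory contents, the domains, the sample message and the name normalization rules are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory export (assumption): Global Name -> primary address.
DIRECTORY = {"Jane Doe": "jane.doe@example.com",
             "Sam Patel": "sam.patel@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample: an employee writing from a personal mailbox.
SAMPLE = (
    'From: "Doe, Jane" <jane.personal@mail.example.net>\n'
    "Reply-To: jane.doe@example.com\n"
    "To: finance@example.com\n"
    "Subject: Timesheet\n\n"
    "See attached.\n"
)

def normalize(name):
    """Case-fold, collapse whitespace, and turn 'Last, First' into 'first last'."""
    name = " ".join(name.split()).casefold()
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
        name = f"{first} {last}"
    return name

def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].casefold()

def check_message(raw, directory=DIRECTORY, internal=INTERNAL_DOMAINS):
    """Report the header facts that would explain an Internal User Name hit."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    by_name = {normalize(n): n for n in directory}
    return {
        "display_name": display,
        "matched_global_name": by_name.get(normalize(display)),
        "external_sender": domain(from_addr) not in internal,
        "reply_to_differs": bool(reply_addr)
        and reply_addr.casefold() != from_addr.casefold(),
    }

if __name__ == "__main__":
    for field, value in check_message(SAMPLE).items():
        print(f"{field}: {value}")
```

A message that reports a matched Global Name together with an external sender is the case the first question in this section describes, and the sender is a candidate for an Impersonation Protection Bypass policy rather than a permitted-sender entry.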
Internal Email Protect
| Q: |
How can we check our Connectors to ensure Internal Email Protect policies work correctly? |
| A: |
Check your server connectivity under the Services | Connectors menu item in the Administration Console. For On-Premise exchanges, ensure the master mailbox has appropriate permissions. See the Managing Connectors page for further details. |
For detailed information on how to configure, optimize, integrate and troubleshoot, see the Knowledge Hub.