Targeted Threat Protection - Attachment Protect - How It Works

Updated

This article contains information on Targeted Threat Protection - Attachment Protect, including delivery methods, configuration steps, supported file types, handling unsafe attachments, and dynamic configuration options for advanced email security.

Targeted Threat Protection - Attachment Protect provides advanced security protection for file attachments in emails. It uses a definition that can be configured to deliver messages using one of the following methods:

 

Delivery Option Description
Safe File Users are provided with a safe, transcribed version of the attachment.
Safe File with On-Demand Sandbox Users are provided with a safe, transcribed version of the attachment and an option to request the original attachment via the sandbox. When an original attachment is requested, a detailed security analysis is performed before it is provided to the user.

The original attachment can only be released within your data retention time frame. For example, you receive the safe file and confirm it’s what you want, but don’t request the original file. If there is a 30-day retention period and you request the original file on the 31st day, you won’t be able to release it.

Files inside zipped archives will not be transcribed using this option; Pre-Emptive sandboxing would better protect against these file types.
Pre-Emptive Sandbox Files are submitted to the sandbox during the email delivery process. All vulnerable file types are analyzed in the sandbox. The message and its attachments are only delivered to the user if considered safe.

One-Note files are excluded from the all Microsoft Office Files option. The.ONE file extension must be configured manually.
Dynamic Configuration Allows users to specify the delivery option for individual senders by adding them to their trusted user list. The delivery option depends on whether the sender is on the user's trusted sender list.
  • Users not on their trusted list use the Safe File With On-Demand Sandbox delivery option.
  • Users on their trusted list use the Pre-Emptive Sandbox delivery option.

See the Dynamic Configuration section below for further details.

Configuration

To use Targeted Threat Protection - Attachment Protect, you must configure definitions and attach them to policies for the different attachment scenarios. You can configure any combination of the modes and apply them to all users or selected users/groups. For full details, view the Attachment Protection Definitions and Attachment Protect Configuration pages.

When configuring Targeted Threat Protection - Attachment Protect, we recommend:

      • Knowledge Hub for optimal definitions and policy settings. You must log on to Mimecaster Central to access this page.
      • Setting up the configuration for a small group of users until the settings work for you.

Considerations

      • The message is held for Administrator review if files are unreadable, encrypted, or greater than 100MB in size. You can use an Attachment Management policy to hold encrypted, unreadable, or large files. No safe file is created if either of the following conditions is met. The file:
        • Can't be larger than five times the original size; this rule only applies if the converted file size is greater than 10 MB.
        • Can never exceed 30 MB.
      • The maximum file size that Targeted Threat Protection - Attachment Protect can be transcribed is 15 MB.

        We recommend you create attachment policies to handle these files. Failure to do so means these files are held. See the Attachment Management Overview page for further details.

        When a pre-emptive sandbox is applied, an attachment subjected to this option may encounter a 40-minute delay while processing. If this process takes more than 40 minutes, contact Mimecast Support for troubleshooting.

        If the original conversion fails, it will use a fallback for pdf. The current fallback mechanism is TIFF format.

Dynamic Configuration

If an attachment protection definition's delivery method is set to Dynamic Configuration, the following process is used:

  1. A check is made to see if the sender's email address is on the end user's managed senders list.
  2. If the sender is:
      • The message and attachments are not delivered on the end user's blocked senders list.
      • Not on the end user's blocked senders list, regardless of whether it is on their permitted senders or auto-allow list; see the notification below.

How Does Targeted Threat Protection Attachment Protect Work_3

  1. The user can click either:
      • Request Files: Safe versions of the files are released and sent to the end user.
      • Request and Trust: The original files are released and sent to the end user if they are considered safe, and the sender's email address is added to the end user's trusted list.
        •  
        How Does Targeted Threat Protection Attachment Protect Work_4
  1. If:
      • If the sender is on the end user's permitted senders list or has an auto-allow policy, an auto-allow policy is automatically created.
      • There is an auto-allow policy for the sender, and a flag is added to ensure it is not purged after 120 days.

        If an unsafe attachment is received from a trusted sender after sandboxing, the sender's email address is automatically removed from the recipient's trusted list.

Supported File Types

Targeted Threat Protection - Attachment Protect protects the following file types:

      • All Microsoft Office file formats.

        Visio file types are excluded from the sandboxing and transcription services for Targeted Threat Protection - Attachment Protect.

      • All Open Office file formats.
      • .PDF
      • Archived files in .ZIP, .BZIP, .GZIP, .7ZIP, .JS, .RAR, .TAR, .LHA, .LZH, and .XZ formats.
      • Additional file types include:
        bat hta msi udf
        chm jar pif url
        cmd js pl vb
        com jse pm vbe
        cpl jsp wsf vbs
        crt lnk scr vbscript
        dll mcr sys  
        exe ms    

Requesting a Blocked Attachment

When a message containing an attachment has been put on hold due to an Attachment Protect policy finding it unsafe, the recipient receives a message detailing what has happened. If they wish, the recipient can request the administrator to release the original attachment to the user.

Malicious Code in the Original Attachment

How Does Targeted Threat Protection Attachment Protect Work_5

If an email attachment is found to contain malicious code, it is blocked and not sent to the recipient. Instead, the recipient receives a notification informing them of the block and displaying details of:

      • Message
      • Attachment
      • The policy that blocked it.

Handling Messages Held as Spam

A message with the attachment immediately goes into the Targeted Threat Protection - Attachment Protect sandbox for immediate scanning. If it's to be held, it is sent to the spam hold for release. Depending on your Attachment Protect definition, you can download the original file from the sandbox once the message has been released along with the attachment.

Safe or Unsafe Files

The administrator has full control over what happens to blocked attachments. While the recipient can request for an attachment to be released, it is the administrator's ultimate responsibility to allow this. They can release the following:

      • Message to the recipient.
      • Attachment to the recipient.
      • Attachment to the sandbox.

Frequently Asked Questions / Troubleshooting

Q: I’m receiving a newsletter or mailing from Mimecast, and I do not wish to receive them. What can I do?
A:
  • If the message is a newsletter from a mimecast.com address, you can unsubscribe using the Unsubscribe link in the message.
  • If the From address is not a mimecast.com address, it could be from an organization that uses Mimecast’s services to send emails. You may be able to unsubscribe, but otherwise, contact the sending organization.
Q: I received a message that contains a link going to protect-(xx)-mimecast.com, and I cannot access the link, or I’m asked to log in. What should I do?
A: A customer may have accidentally used the copy/paste function to send you a link protected by Mimecast’s Targeted Threat Protection - URL Protection service. This can only be utilized by Mimecast customers. Contact the sender, and ask them to resend the message with a link to the actual destination rather than the Mimecast-protected link.

Related to

Was this article helpful?
4 out of 5 found this helpful

Comments

2 comments
Date Votes
  • Avatar
    Louis Reedijk

    The compressed file protection from Mimecast should be equal to “other” cloud services like Office365 in terms of file size. Now Mimecast is a limiting factor, this is undesirable.

     

    0
  • Avatar
    Admin - KP

    Hi Louis, 

    Thank you for the comment! In order to get you the best solution possible, would you please post it into our Community? Not only will it be addressed by Cybersecurity peers, but the Mimecast team as well. Once you receive a solution, it can be bookmarked for easy retrieval.

    0

Please sign in to leave a comment.