Targeted Threat Protection - Attachment Protect Definitions

This article contains information on configuring an Attachment Protect definition in Mimecast, including steps to enable protection for inbound, outbound, and journaled emails, set delivery options, manage notifications, and apply policies for enhanced email security.

Targeted Threat Protection - Attachment Protect is an advanced service that protects customers from the growing risk of spearphishing and other targeted attacks using email attachments.

See the Knowledge Hub for detailed information on configuring, optimizing, integrating, and troubleshooting. For the Mimecast recommended Default settings for Inbound, Outbound, and Internal (Journal) Attachment Protect definitions, see Configuring Your First Attachment Protection Definition and Policy.

Configuring an Attachment Protect Definition

You can configure an Attachment Protect definition by using the following steps:

1. Log in to the Mimecast Administration Console.
2. Navigate to Policies | Gateway Policies and select Attachment Protect from the Definitions drop-down.
3. Select either:

• • • •  New Definition button to create a definition.
      • Definition to be changed.

4. Provide a definition description in the Definition Narrative field. This is kept in the archive for messages that have this definition applied.
5. Complete the Inbound, Outbound, and Journal Settings as required. Then, if the setting applies, a 'Y' will show in the appropriate column below:

   Outbound and Journal settings are only displayed if you have Targeted Threat Protection: Internal Email Protect enabled on your account.

   Enable Inbound / Outbound / Journal Check	Y	Y	Y	Select this option to enable Attachment Protect for Inbound / Outbound / or Journal mail. Some additional fields/options are displayed if selected, as listed below. These can protect against malicious attachments found in the email.
   Attachment Protect Delivery Options	Y	N	N	Specify a delivery option for the definition. The options are: • Safe File: Transcribes vulnerable file types to a different file format to ensure they're safe. If selected, the Administrator Notification and Admin Review Group fields are not displayed. • Safe File with On-Demand Sandbox: Transcribes vulnerable file types to a different file format to ensure they are safe but allows users to request the original versions via the on-demand Sandbox. • Preemptive Sandbox: Checks all vulnerable file types in the Pre-emptive Sandbox before delivering the mail and attachments to the user. This is the only option for Metadata Only customers. • Dynamic Configuration: This takes the onus away from the administrator by giving control to users to decide if individual users are added to a trusted list. By default, Safe File with On-Demand Sandbox is used, but for users on the trusted list, Preemptive Sandbox is used.
   	• You must also enable the Enable Attachment Protect Dynamic Configuration Mode in the Gateway Settings section of all applicable application settings.  • Safe file creation has a limit of 700 columns for spreadsheets. If this threshold is exceeded, Mimecast will not produce a Safe File. • Safe File has a max size of 15MB. It will also fail if the converted file is larger than 30MB after the conversion or if it is 5 times the original file size. • Safe File will hold all attachments if one of the files fails to complete safe file conversion.
   Ignore Signed Messages	Y	N	N	If selected, attachment protection is not applied to digitally signed messages. This ensures the message signature remains intact but means attachments are not security checked. This option is not displayed if the "Attachment Protect Delivery Options" field is set to a "Preemptive Sandbox" value.
   Sandbox Fallback Action	Y	N	N	Specify the action to take if the Sandbox cannot process an attachment. This option is only displayed if the Attachment Protect Delivery Options field is set to a value of Preemptive Sandbox. The options are: • Hold for Administrator Review: The message and attachment are placed in the held queue. • Bounce: The message and attachment are accepted but bounced with a notification to the sender.
   Release Forwarded Internal Attachment	Y	N	N	Dictates if an internally forwarded attachment can be released from the Sandbox.
   Strip and Link Encrypted Attachments	Y	N	N	A link is provided to a Decryption Portal where encrypted files can be analyzed, decrypted, and released if they are deemed to be safe. Attachment Management should be set to Allow Encrypted Files for this functionality.
   	• The Decryption Portal is not supported for Distribution lists. • To automatically allow decrypted and non-malicious archives and/or documents through, customers must configure their Attachment Management Definition options for Encrypted Archives or Encrypted Documents to the Hold setting and then enable the checkbox option to Allow if decrypted and not malicious.
   Enable Notifications	Y	Y	Y	Enables a group of users to be notified when an attachment is unsafe. If selected, the "Administrator Group" field is displayed. See Managing Groups.
   Administrator Group / Notify Group	Y	Y	Y	Select a group of administrators via the Lookup button to receive notifications of any unsafe attachments.
   Internal Sender	Y	Y	Y	Sends a notification to the message's internal sender if an unsafe attachment is found.
   Internal Recipient	Y	N	Y	Sends a notification to the message's internal recipient if an unsafe attachment is found.
   External Sender	Y	N	N	Sends a notification to the message's external sender if an unsafe attachment is found.
   Default Transcribed Document Format	Y	N	N	Specify the default file format to be used for safe file document transcription: • PDF • TIFF: This is used if Mimecast cannot transcribe the document to the selected format. • Original Format • HTML
   Default Transcribed Spreadsheet Format	Y	N	N	Specify the default file format to be used for safe file spreadsheet transcription: • CSV: The 'Spreadsheet Worksheet Options' field is displayed if selected. • PDF • TIFF: This is used if the spreadsheet cannot be transcribed to the selected format. • Original Format • HTML • HTML Multi-Tab: This provides a .zip file that must be extracted. This value is used if the spreadsheet cannot be transcribed to the selected format.
   Gateway Action	N	Y	N	Select the action (or fallback action) to take when a message containing an unsafe attachment is detected. The Gateway Fallback Action is only applied if we cannot check a message's attachment. • None: The message is delivered to the recipients. • Hold: The message is sent to the hold queue and not delivered to the recipients. • Bounce: The message is rejected and not delivered to the recipients.
   Gateway Fallback Action	N	Y	N
   User Mailbox Action	N	Y	Y	Enter a description for the definition that allows you to identify it at a later date quickly. •None: No action is taken on the user's mailbox. The message is delivered to the recipients. • Remove Message: The message is removed from the user's mailbox. • Remove Attachment: The message is delivered to the user's mailbox with the attachment removed. In non-Exchange environments, automatic remediation isn't supported. However, you can leverage detection with a journal connector and, through these alerts, perform manual remediation. Only Microsoft O365 and on-prem exchange are fully supported. Everything else will only receive notifications.
   User Mailbox Fallback Action	N	Y	Y
   Field / Option	Inbound	Outbound	Journal	Description

6. Click on the Save and Exit button.
7. Apply the Definition to an Attachment Protect Policy.

See Also...

• • • Knowledge Hub
    • Targeted Threat Protection - Attachment Protect - Configuration
    • Targeted Threat Protection Attachment Protection - Your First Policy