Targeted Threat Protection - Impersonation Protect - First Policy

This guide provides new users of Targeted Threat Protection - Impersonation Protect with what we consider an optimal configuration to protect you against whaling attacks. When configuring Targeted Threat Protection - Impersonation Protect, we recommend you:

It is important to recognize that the threat landscape is constantly evolving, and there is no one-size-fits-all formula. What works perfectly for one customer may not work for another. We recommend you regularly review your configuration to ensure it still meets your requirements.

Due to the highly dynamic nature of phishing attacks, some phishing emails, sites, or attachments may not be identified, and some safe emails, sites, or attachments may be identified in error.

Impersonation Protect Definitions

In the initial phase, configure an Impersonation Protection definition with the settings below. These are the settings we recommend most customers use initially.

Field / Option: Similar Internal Domain
Setting: Selected
Comments: This provides protection for inbound messages where the sender's domain is similar to any of your internal domains. This option is used in conjunction with the Similarity Difference option.

Field / Option: Similarity Monitored External Domains
Setting: Selected
Comments: This checks the sender's domain against your external domains. We recommend that both of the following options are also selected:
  • Check Mimecast Monitored External Domains: Check the sender's domain against the Mimecast-monitored external domains.
  • Check Custom-Monitored External Domains: Check the sender's domain against your custom-monitored external domains.

Field / Option: Newly Observed Domain (this does not mean newly registered domains)
Setting: Selected
Comments: If selected, the sender's domain is checked against a list of domains we maintain to see if there has been an increase in it sending messages in the last week. This includes domains created at any time (e.g., those created earlier but previously dormant). Additionally, as we don't see all email traffic, it's possible the list doesn't contain every potential threat.

Field / Option: Display Name
Setting: Selected
Comments: If selected, the All Internal User Names and Custom User Names fields are displayed. These allow you to control how a sender's display name is checked for a potential impersonation attack.

Field / Option: All Internal User Names
Setting: Selected
Comments: This identifies if the sender's display name (usually the first and last name) is the same as one of your internal user display names, excluding the recipient's own internal user name. This ensures any threats that spoof an internal user are detected. For example, if a message is sent from User One to userone@.com, the recipient can tell they are being spoofed because it is the same user name as their own.

Users imported manually via a spreadsheet upload are considered for the Internal User Name check. Users created automatically by messages in transit are not considered for the check. Inbound messages from an external address extracted from a Directory Synchronization as a mail contact are not subjected to internal user name checks. This can be seen by the following icon next to an external address from External Directories.

Field / Option: Custom User Names
Setting: Specify all user nickname variations
Comments: Use this field to add nicknames for users that may otherwise be missed by the All Internal User Names option.

Field / Option: Reply to Address Mismatch
Setting: Unselected
Comments: Enable this option to identify a mismatch between the sender's email address (in either or both of the Header and Envelope) and the Reply To email address.

If selected, this option may return false positives if the Number of Hits option is left at the best practice setting below. Consider increasing that value to 3.

Field / Option: Targeted Threat Dictionary
Setting: Selected
Comments: This compares characteristics in the message's header, subject, and body against a dictionary of suspicious content. This ensures that attackers focused on financial gain or on access to sensitive information are detected.

Field / Option: Number of Hits
Setting: 2
Comments: This ensures two or more of the four checks listed above must be triggered for any action to take place. One check by itself could cause false positive results. Exceptions to this rule can include high-profile targets (e.g., senior executives). See the Examples section below for further details.

When enabling Targeted Threat Protection - Impersonation Protect, we recommend a phased approach for the actions taken on detected messages. Start with a notification to administrators. Once comfortable with the above settings, consider changing the following options to hold and tag suspicious messages.

Field / Option: Action
Setting: Hold for Review
Comments: This ensures the message is not delivered directly to the recipient but is sent to the held queue instead.

Field / Option: Hold Type
Setting: User
Comments: With the Notify (Internal) Recipient option also selected (recommended), this ensures a notification is sent to the message's recipient, allowing them to release the message if it is a false positive.

Field / Option: Tag Message Body
Setting: Selected
Comments: This adds the following text to the message's body: "This message contains suspicious characteristics and has originated from outside your organization."

Field / Option: Tag Subject
Setting: Selected
Comments: This adds [SUSPICIOUS MESSAGE] to the message's subject.

Field / Option: Tag Header
Setting: Selected
Comments: This adds the following to the message's header:
(Image: Configuring Your First Impersonation_1)

Users can create rules in their email client based on the three tags (message body, subject, and header) to take action on the message (e.g., move messages to a Held Messages folder).

In addition to the actions above, the following notifications should be set up to ensure messages detected as suspicious are highlighted immediately.

Field / Option: Notify Group
Setting: Selected
Comments: This ensures a group of users (e.g., Administrators) is notified when a malicious message is received. Use the Lookup button to select a group. See the Managing Groups page for full details.

Field / Option: Notify (Internal) Recipient
Setting: Selected
Comments: This ensures the recipient is notified that a message destined for them has been detected as suspicious, enabling them to take any necessary action.

Custom Dictionary Example

To help you understand how the Word / Phrase Match List works in a custom dictionary, we've provided the following example for a dictionary with an Activation Score of 3:

(Image: Configuring Your First Impersonation_2)

If a message is received containing the phrases company confidential (score 2) AND either invoice OR payment (score 1), the total score equals 3. As this equals the activation score, a threat is detected. If a message only contains the phrase urgent (score 2), the total score is below the activation score, and no threat is detected.
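To make the scoring and hit-counting rules concrete, here is a small Python model of how a definition's checks combine. It is an added example written for this guide, not Mimecast's code or a description of its internal logic: each dictionary phrase found in the subject or body adds its score once, the dictionary check triggers when the total reaches the Activation Score, and the message is detected only when the number of triggered checks reaches Number of Hits. The internal domains, user names, custom names, newly observed domain list and Similarity Difference value are constructed assumptions, and the Similar Internal Domain check is approximated with an edit distance because the real comparison is not documented here.

```python
import re
from dataclasses import dataclass

# --- Constructed sample data (assumptions for this example, not from the article) ---
INTERNAL_DOMAINS = {"example.com"}
# Internal users as imported via a spreadsheet upload: address -> display name.
INTERNAL_USERS = {"john.smith@example.com": "John Smith",
                  "jane.doe@example.com": "Jane Doe"}
# Custom User Names: nicknames and lookalike spellings that the user list would miss.
CUSTOM_USER_NAMES = {"J. Smith", "John Smlth"}
# Stand-in for the newly observed domain list Mimecast maintains.
NEWLY_OBSERVED_DOMAINS = {"invoice-portal.example"}
# Custom dictionary from the article's worked example (Activation Score 3).
CUSTOM_DICTIONARY = {"company confidential": 2, "invoice": 1, "payment": 1, "urgent": 2}
ACTIVATION_SCORE = 3


@dataclass
class Definition:
    """Checks enabled in an Impersonation Protection definition (defaults follow the article)."""
    similar_internal_domain: bool = True
    newly_observed_domain: bool = True
    display_name: bool = True
    targeted_threat_dictionary: bool = True
    number_of_hits: int = 2
    similarity_difference: int = 1   # assumed value for the Similarity Difference option


@dataclass
class Message:
    sender: str          # "Display Name <user@domain>" as seen in the From header
    recipient: str
    subject: str = ""
    body: str = ""


def parse_sender(sender):
    """Split 'Display Name <addr>' into (display name, address); a bare address has no name."""
    m = re.match(r'^\s*"?(.*?)"?\s*<([^>]+)>\s*$', sender)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", sender.strip().lower()


def edit_distance(a, b):
    """Levenshtein distance, used here as a stand-in for the Similarity Difference check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dictionary_score(text, dictionary=CUSTOM_DICTIONARY):
    """Add the score of each dictionary phrase present in the text (each phrase counts once)."""
    lowered = text.lower()
    return sum(score for phrase, score in dictionary.items() if phrase in lowered)


def evaluate(definition, msg):
    """Return (list of triggered checks, detected) for the message under the definition."""
    name, addr = parse_sender(msg.sender)
    domain = addr.rsplit("@", 1)[-1]
    hits = []

    # Similar Internal Domain: lookalike of an internal domain, within the similarity difference.
    if definition.similar_internal_domain and domain not in INTERNAL_DOMAINS:
        if any(edit_distance(domain, d) <= definition.similarity_difference
               for d in INTERNAL_DOMAINS):
            hits.append("similar internal domain")

    if definition.newly_observed_domain and domain in NEWLY_OBSERVED_DOMAINS:
        hits.append("newly observed domain")

    # Display Name: All Internal User Names (excluding the recipient's own) plus Custom User Names.
    if definition.display_name and name:
        watched = {n.lower() for a, n in INTERNAL_USERS.items() if a != msg.recipient.lower()}
        watched |= {n.lower() for n in CUSTOM_USER_NAMES}
        if name.lower() in watched:
            hits.append("display name")

    # Targeted Threat Dictionary: triggers once the summed phrase scores reach the activation score.
    if definition.targeted_threat_dictionary:
        if dictionary_score(msg.subject + "\n" + msg.body) >= ACTIVATION_SCORE:
            hits.append("targeted threat dictionary")

    return hits, len(hits) >= definition.number_of_hits
```

With the article's dictionary, "company confidential" plus "invoice" scores 3 and triggers, while "urgent" alone scores 2 and does not. Calling evaluate with a definition that enables only the Display Name check and sets number_of_hits to 1 reproduces the executive/high-profile definition described in the Examples section, including the recipient's own name being excluded from the match.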

Impersonation Protection Policies

The following settings should be used to configure an Impersonation Protect policy.

Field / Option: Select Option
Setting: See Comments
Comments: The options in the dropdown list are your Impersonation Protection Definitions. Select the definition you want to use for the policy.

Field / Option: Emails From: Addresses Based On
Setting: Both
Comments: Specify the email address characteristics the policy is based on.

Field / Option: Emails From: Applies From
Setting: External Addresses
Comments: This ensures all inbound traffic is taken into account.

When creating the policy for External and Internal Addresses, apply it to a group of users first via the Address Groups option. This ensures the configuration works as expected in your environment.

Field / Option: Emails To: Applies To
Setting: Internal Addresses

Field / Option: Enable / Disable
Setting: Enable
Comments: This activates the policy.

Depending on your organizational requirements, it may be beneficial to create Impersonation Protect policies to protect specific user groups (e.g., Senior Management). The Emails From: Applies From option has two additional options not available in other policies that offer extra flexibility to target phishing messages:

  • Header Display Name: Use this option for messages purporting to come from a specific name. The name is specified in the Specifically field.
  • Freemail Domains: Use this option to hold messages from a freemail domain (e.g., gmail.com).

Example: Company Executives / High Profile Targets

For executives, particularly those disclosed on your company website, it is recommended to set a Number of Hits value of 1 on messages with their name as the display name, and to consider alternative spellings. For example, "John Smith" (with a lowercase "I" in "Smith") and "John Smlth" (with a lowercase "L" in "Smith").

To configure an Executive/High Profile Target definition:

  1. Navigate to Gateway | Policies | Definitions | Impersonation Protection.
  2. Click on New Definition.
  3. Populate the field options as follows:
Field / Option: Description
Recommended Setting: Give the definition a description that defines its purpose.

Field / Option: Display Name
Recommended Setting: Check the Display Name checkbox.

Field / Option: Custom Display Names
Recommended Setting: Enter the VIP / High Profile Target display names. Example:
(Image: Screenshot 2022-04-06 at 13.09.02.png)

Field / Option: Number of Hits
Recommended Setting: Set as 1.

Field / Option: Identifier Actions
Recommended Setting: There are three actions to choose from, depending on your desired outcome:
  • For monitoring only, choose Tag Header.
  • To add an end user alert, choose Tag Message Body, Tag Message Subject, and Tag Message Header.
  • To put the message on hold, choose Hold for Review, by User, Moderator, or Administrator.

  4. Click Save and Exit.

To configure an Executive/High Profile Target policy:

  1. Navigate to Gateway | Policies | Impersonation Protection.
  2. Click on New Policy.
  3. Populate the field options as follows:

Field / Option: Policy Narrative
Recommended Setting: Give the policy a narrative that describes its purpose.

Field / Option: Select Option
Recommended Setting: Click on the Lookup button, then click Select next to the Executive/High Profile Target definition.

Field / Option: Addresses Based On
Recommended Setting: Both.

Field / Option: Applies From
Recommended Setting: External Addresses.

Field / Option: Specifically
Recommended Setting: Applies to all Senders.

Field / Option: Applies To
Recommended Setting: Internal Addresses.

Field / Option: Specifically
Recommended Setting: Applies to all Recipients.

  4. Click on Save and Exit.

Some VIP / executive team members may send work emails from their personal email addresses. If this is the case, a VIP Impersonation Protect Bypass policy needs to be enabled. You will need to create a Profile Group containing the VIP personal email addresses for this.

To configure an Executive/High Profile Target Bypass:

  1. Navigate to Gateway | Policies | Impersonation Protection Bypass.
  2. Click on New Policy.
  3. Populate the field options as follows:

Field / Option: Policy Narrative
Recommended Setting: Give the policy a narrative that describes its purpose.

Field / Option: Select Option
Recommended Setting: Click on the Lookup button, then click Select next to the Executive/High Profile Target definition to bypass.

Field / Option: Addresses Based On
Recommended Setting: Both.

Field / Option: Applies From
Recommended Setting: External Addresses.

Field / Option: Profile Group
Recommended Setting: Click on the Lookup button and then select the Profile Group that contains the external email addresses to bypass.

Field / Option: Applies To
Recommended Setting: Internal Addresses.

Field / Option: Specifically
Recommended Setting: Applies to all Recipients.

  4. Click on Save and Exit.
