This guide provides new users of Targeted Threat Protection - URL Protect with what we consider an optimal configuration to protect you against whaling attacks.
When configuring Targeted Threat Protection - URL Protect we recommend you:
- Define your requirements before starting any configuration.
- Create a group of users you'll use to test the configuration. See the Managing Groups page for further details.
- Read the Configuring URL Protect Definitions and Policies pages.
- Configure the definition with the required protection, applying it to your group of users.
- Test if the configuration meets your requirements.
- Apply the configuration to the broader audience only when you're happy that it meets your needs.
- It is essential to recognize that the threat landscape is constantly evolving, and there is no one-size-fits-all formula. What works perfectly for one customer may not work for another. Therefore, we recommend you regularly review your configuration to ensure it meets your requirements.
- Due to the highly dynamic nature of phishing attacks, some phishing emails, sites, or attachments may not be identified, and some safe emails, sites, or attachments may be identified in error.
The URL Protection Definition is divided into the following sections:
Inbound Settings
Field / Option | Setting | Comments |
---|---|---|
Enable Inbound Check | Enabled | If selected, the fields/options listed below are displayed. When setting up inbound checks, use a policy with the correct routing to activate this definition. |
Rewrite Mode | Moderate | This setting ensures that links that look like a URL or contain formatting similar to a URL are rewritten, protecting URLs that may not contain all URL scheme parts. |
URL Category Scanning | Moderate | This option allows filtering particular web page categories using one part of the URL Protection service. For example, the moderate setting contains all the types commonly associated with phishing threats. |
Action | Block | This setting ensures end users aren't able to access web pages that are deemed to be malicious. When a malicious link is clicked, the user is shown a block page that prevents them from accessing the destination. When setting up a URL Protection policy, using the Warn or Allow options is helpful. Remember to monitor the results to ensure the settings work well with your environment. |
Message Subject Protection | Rewrite URLs | This option protects URLs found in a message's subject by ensuring they are scanned like any other URL. |
Create Missing HTML Body | | This option ensures plain text messages are subjected to further checks if they contain a URL. Enabling this option reformats the message as HTML. |
Force Secure Connection | Enabled | This option ensures all URLs are rewritten with an HTTPS:// prefix. |
Set to Default | Enabled | This option signifies this is the default definition. |
Ignore Signed Messages | Disabled | This option allows URLs found in digitally signed messages to be rewritten. |
Display URL Destination Domain | Enabled | This option provides visibility of the destination domain for end users. |
Strip External Source Mode | Disabled | If set to Aggressive, all external components are removed from a message, which may impact the format and readability. |
File Protocol URL Handling (Inbound only) | Disabled | This setting can protect against Hash-jacking attempts by checking URLs using the file:// protocol. The options are: |
Block URLs Containing Dangerous File Extensions | Enabled | This setting protects URLs containing suspicious extensions (e.g., EXE) commonly used to spread malware. |
Rewrite URLs Found in Attachments | Enabled | This setting enables the URL Attachment options. See the Attachment Parts section (see below). |
URL File Download | Sandbox | This setting checks if the URL points to a file download for one of the specific file types. |
Scan URLs in Attachments | Enabled | The supported file types are as follows: Considerations: |
Advanced Similarity Checks | Enabled | Checks for advanced attacks, where links appear similar to your internal and monitored external domains. We recommend selecting the Check Internal Domains, Check Mimecast Monitored External Domains, and Check Custom Monitored External Domains options and setting the Action to Warn. |
Select Attachment Parts to Rewrite: HTML / Text / Calendar | Enabled | These options provide extended protection for URLs in attachments by allowing you to rewrite links in HTML, text, or calendar parts. These options are only available if the Rewrite URLs Found in Attachments option is selected. |
Enable User Awareness | Enabled | User awareness provides a way of educating end users when they click on a link. It also allows administrators to track users prone to clicking on malicious links and continuing to the destination site. |
User Awareness Challenge Percentage | 5% | This setting controls the frequency that user awareness pages are displayed to end users when URLs in messages are clicked. |
Disable User Awareness Dynamic Challenge Adjustment | Disabled | With this option left unselected, every time an end-user clicks on a malicious link and decides to continue to the site, the percentage of times they'll see the user awareness pages increases. |
Enable Notifications | Enabled | The Notify Group and Notification URL Format fields ensure a group of administrators is notified when a message with a malicious link is received. See the Managing Groups page for full details. |
Notify Group | See Comments | This field is displayed if the Administrator Notification field is selected. It allows you to choose a group of users, via the Lookup button, who'll be notified when a message with malicious content is received. |
Notification URL Format | Safe URL with Preview | This field is displayed if the Administrator Notification field is selected. It allows the specified group of users to open a web page with details of the original URL. |
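
One way to prepare the test step for the pilot group, as an added example (not Mimecast code): a Python script that builds a single plain-text message carrying one harmless URL for each inbound setting in the table above, plus a checklist of what to verify once it arrives. The addresses, the example.com URLs and the function names are constructed for illustration.

```python
from email.message import EmailMessage

# Constructed, benign test cases: (setting from the table, location, URL).
# example.com is reserved for documentation; nothing here is malicious.
CHECKS = [
    ("Rewrite Mode", "body", "www.example.com/login"),  # no scheme
    ("Force Secure Connection", "body", "http://example.com/portal"),
    ("Block URLs Containing Dangerous File Extensions", "body",
     "https://example.com/files/setup.exe"),
    ("File Protocol URL Handling", "body",
     "file://fileserver.example.com/share/report.docx"),
    ("Message Subject Protection", "subject", "https://example.com/subject"),
    ("Attachment Parts: HTML", "html", "https://example.com/in-html"),
    ("Attachment Parts: Text", "plain", "https://example.com/in-text"),
    ("Attachment Parts: Calendar", "calendar", "https://example.com/in-ics"),
]


def urls_for(location):
    return [url for _, loc, url in CHECKS if loc == location]


def build_pilot_message(sender, recipient):
    """Build one plain-text message that carries every URL in CHECKS."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "URL Protect pilot test " + urls_for("subject")[0]
    # text/plain only, no HTML part: exercises Create Missing HTML Body.
    msg.set_content("\n".join(urls_for("body")) + "\n")
    html = '<a href="%s">pilot link</a>\n' % urls_for("html")[0]
    ics = ("BEGIN:VCALENDAR\nVERSION:2.0\nPRODID:-//pilot//EN\n"
           "BEGIN:VEVENT\nUID:pilot-1\nDTSTAMP:20240101T000000Z\n"
           "DTSTART:20240101T090000Z\nSUMMARY:Pilot\n"
           "URL:%s\nEND:VEVENT\nEND:VCALENDAR\n" % urls_for("calendar")[0])
    msg.add_attachment(html, subtype="html", filename="links.html")
    msg.add_attachment(urls_for("plain")[0] + "\n", subtype="plain",
                       filename="links.txt")
    msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg


def checklist(msg):
    """Rows to verify after delivery: (setting, where the URL sits, URL)."""
    parts = {"subject": msg["Subject"],
             "body": msg.get_body(("plain",)).get_content()}
    for att in msg.iter_attachments():
        parts[att.get_content_subtype()] = att.get_content()
    return [(s, loc, url) for s, loc, url in CHECKS if url in parts[loc]]
```

Deliver the message to a mailbox in the test group through the route your inbound policy covers, then compare what the recipient sees against each row returned by `checklist(msg)`.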
Outbound Settings
Field / Option | Setting | Comments |
---|---|---|
Block URLs Containing Dangerous File Types | Enabled | Specifies whether URLs containing file extensions that commonly have malware are blocked. |
Enable Notifications | Enabled | Enables a group of users and the internal sender/recipient to be notified when an unsafe URL is found. |
Enable Outbound Check | Enabled | If selected, the fields/options listed below are displayed. When setting up outbound checks, use a policy with the correct routing to activate this definition. |
Gateway Action | Hold | If an unsafe URL message is detected, it is sent to the hold queue and not delivered to the recipient. |
Gateway Fallback Action | Hold | This option is only applied if we are unable to check a URL. |
Internal Recipient | Enabled | Notifies the message's internal recipient if there is an unsafe URL. |
Internal Sender | Enabled | Notifies the message's internal sender if there is an unsafe URL. |
Notify Group | Select the appropriate group of users via the Lookup button. | Notifies the selected group of administrators of any unsafe URLs. |
Scan URLs in Attachments | Enabled | If this option is enabled, you can select one or more of the following options: |
Journal Settings
Field / Option | Setting | Comments |
---|---|---|
User Mailbox Fallback Action | None | This option is only applied if we are unable to check a URL. |
User Mailbox Action | None | No action is taken on the user's mailbox, and messages are delivered to the recipients. This setting should be reviewed periodically. |
URL Mode | Moderate | Checks only when the URL contains a valid URL or path (e.g., www.domain.com). |
URL Category Scanning | Moderate | Specifies how aggressively the URL categorization engine operates on dangerous URL categories. Other detection capabilities are not altered when changing this setting. |
Scan URLs Found in Attachments | Enabled | If this option is enabled, you can select one or more of the following options: |
Notification Group | Select the appropriate group of users via the Lookup button. | Notifies the selected group of administrators of any unsafe URLs. |
Internal Sender | Enabled | Notifies the message's internal sender if there is an unsafe URL. |
Internal Recipient | Enabled | Notifies the message's internal recipient if there is an unsafe URL. |
Enable Notifications | Enabled | Enables a group of users and the internal sender/recipient to be notified when an unsafe URL is found. |
Enable Journal Check | Enabled | If selected, the fields/options listed below are displayed. These can be used to protect against malicious URLs in journaled traffic. |
Block URLs Containing Dangerous File Extensions | Enabled | Specifies whether URLs containing file extensions that commonly have malware are blocked. |