This article contains information on using Targeted Threat Protection - Impersonation Protect to safeguard against whaling attacks, including setup considerations and configuration of definitions and policies.
The increasing number of "whaling" attacks, usually targeting an organization's senior management, means additional protection is required against email threats that do not contain attachments or URLs. Traditional spam filtering systems are unable to detect these as suspicious due to their minimal content. Targeted Threat Protection—Impersonation Protect solves this by looking for combinations of key identifiers commonly found in these attacks.
Considerations
Consider the following when using Targeted Threat Protection—Impersonation Protect:
- To use Targeted Threat Protection—Impersonation Protect, you must have another product from the Targeted Threat Protection suite (e.g., Attachment Protection Overview or URL Protection Overview).
- Targeted Threat Protection—Impersonation Protect is unable to process messages where the body exceeds 10 MB. In this instance, the message is held with an "Unable to tag—Max Size exceeded" error.
Introducing Impersonation Protect
Read the following pages for information introducing Impersonation Protect:
- Targeted Threat Protection - Impersonation Protect Overview
- Impersonation Protect - Impersonation Protect Logs
Configuring Impersonation Protect Definitions and Policies
You can manage Impersonation Protection settings in the Mimecast Administration Console. Impersonation Protection policies can be reviewed under Policies | Gateway Policies | Impersonation Protection, and you can create Impersonation Protection Bypass policies under Policies | Gateway Policies | Impersonation Protection Bypass.
For best results, Mimecast recommends enabling two primary Impersonation Protection policies:
- Default Impersonation Protect Definition.
- VIP Impersonation Protect Definition.
These policies cover the 'hit 3' and 'hit 1' scenarios for Inbound Email checks. It's also advised to remove any additional Impersonation Protection policies to keep the configuration organized and easy to manage.
Read the following pages for more information on configuring Impersonation Protect:
- Targeted Threat Protection - Impersonation Protect - First Policy
- Targeted Threat Protection - Impersonation Protect - Bypass Policy
- Impersonation Protect - Impersonation Protect Definitions
- Targeted Threat Protection - Impersonation Protect Overview
For detailed information on how to configure, optimize, integrate, and troubleshoot, see the Knowledge Hub.