Cloud Integrated - Detection Engine Settings

This article contains information on configuring Mimecast Email Security Cloud Integrated for advanced protection against URLs, phishing, impersonation, and file attachments, detailing detection engine settings and recommended configurations.

Scanning Hierarchy

When a detection occurs within Cloud Integrated, a message may trigger all of the configured inbound checks (such as Malware, Phishing, Spam Scanning, etc.). In such scenarios, the following hierarchy is applied to determine the classification of the detection:

Configuration

To configure the protection offered by Email Security Cloud Integrated, administrators can specify the level of protection for each area using the Detection Engine Settings within Email, Instant Messaging and Collaboration policies.

[Screenshot: New Mail Policy]

You can configure any combination of the modes and apply them to all users or selected users/groups. For complete details, refer to the Attachment Protection Definitions and Attachment Protect Configuration pages.

Detection Engine Settings

Detection Engine Settings allow administrators to customize the level of protection for end users, achieving a balance between security and user experience. Below is a breakdown of each area of protection that can be configured through Detection Engine Settings.

URL

URL scanning within Cloud Integrated operates similarly to URL scanning in Email Security Cloud Gateway’s Targeted Threat Protection URL Protect, where the Mimecast URL Protection service rewrites the URL links found within messages.

When users click on a link from a message, a layered security check is performed on the destination site. In addition to the initial URL link check, Mimecast determines if the link downloads a file directly and scans the file for potentially malicious content. If enabled, Mimecast also checks that there are no malicious URLs contained in emails and attachments, including macros in Office documents.

Below is a list of the Dangerous File Types that are searched for during URL scanning:

"a6p","ac","ace","acr","adp","air","apk","app","applescript","application","awk","bas","bat","bin","chm","cmd","command","cpl","crt","csh","dek","dex","dld","dll","dmg","drv","ds","ebm","elf","emf","esh","exe","ezs","fky","frs","fxp","gadget","gpe","gpu","hlp","hms","hta","icd","iim","inf","inf1","ins","inx","ipa","ipf","isu","jar","job","jse","jsx","kix","ksh","lib","lnk","mcr","mde","mel","mem","mpx","mrc","ms","msc","msi","msp","mst","mxe","obs","ocx","osx","out","paf","pcd","pex","pif","plsc","prc","prg","ps1","ps2","pvd","pwc","pyc","pyo","qpx","rbx","reg","rgs","rox","rpj","run","scar","scf","scpt","scr","script","sct","seed","sh","shb","shs","spr","sys","thm","tlb","tms","u3p","udf","vb","vbe","vbs","vbscript","vdo","vxd","wcm","widget","wim","wmf","workflow","wpk","ws","wsc","wsf","wsh","xap","xll","xqt","zlq".

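As an added illustration (not Mimecast's code, and not how the service itself decides whether a link downloads a file), the following Python checks a link's file extension against the list above. The extension is taken from the URL path only, percent-decoded and lower-cased; the hostnames in the sample links are constructed placeholders.

```python
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlsplit

# The Dangerous File Types list from this article (lower-case, without dots).
DANGEROUS_FILE_TYPES = frozenset("""
a6p ac ace acr adp air apk app applescript application awk bas bat bin chm cmd
command cpl crt csh dek dex dld dll dmg drv ds ebm elf emf esh exe ezs fky frs
fxp gadget gpe gpu hlp hms hta icd iim inf inf1 ins inx ipa ipf isu jar job jse
jsx kix ksh lib lnk mcr mde mel mem mpx mrc ms msc msi msp mst mxe obs ocx osx
out paf pcd pex pif plsc prc prg ps1 ps2 pvd pwc pyc pyo qpx rbx reg rgs rox rpj
run scar scf scpt scr script sct seed sh shb shs spr sys thm tlb tms u3p udf vb
vbe vbs vbscript vdo vxd wcm widget wim wmf workflow wpk ws wsc wsf wsh xap xll
xqt zlq
""".split())

def download_extension(url: str) -> Optional[str]:
    """Extension of the file a URL path names, or None if the path has none.

    The query string and fragment are ignored (they are not part of the file
    name), the path is percent-decoded and the result is lower-cased, so
    'setup.EXE?token=1' and 'setup%2Eexe' both yield 'exe'.
    """
    path = unquote(urlsplit(url).path)
    suffix = PurePosixPath(path).suffix  # last suffix only: 'x.tar.gz' -> '.gz'
    return suffix[1:].lower() if suffix else None

def is_dangerous_download(url: str) -> bool:
    """True when the URL path names a file whose extension is on the list."""
    ext = download_extension(url)
    return ext is not None and ext in DANGEROUS_FILE_TYPES

# Constructed sample links (placeholder hostnames) with the expected verdict.
SAMPLE_LINKS = {
    "https://files.example.test/tools/setup.EXE?token=abc123": True,
    "https://files.example.test/invoice%2Escr": True,
    "https://files.example.test/reports/q3.pdf": False,
    "https://files.example.test/download?name=setup.exe": False,  # extension only in the query
    "https://files.example.test/archive.tar.gz": False,
}

def classify_links(links=tuple(SAMPLE_LINKS)) -> dict:
    """Map each link to whether it points at a dangerous file type."""
    return {url: is_dangerous_download(url) for url in links}
```
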
Additional URL Re-write Settings for Cloud Integrated

The additional URL Re-write Settings for Cloud Integrated close the gap between Cloud Gateway (CG) and Cloud Integrated (CI) by giving CI more flexibility in how it identifies message content to re-write and in how aggressive its URL scans are.

Behavior / Experience for Current Customers

For current customers up to May 9th, 2025:

  • The default policy configuration for Malware under Detection Actions is Block.

    [Screenshot: current CI Detection Actions]

  • The default policy configuration for Re-write URLs in Emails under Detection Engines is Disabled.
    CI permits only a limited range of options for URL protection, primarily the locations within a message where URLs are rewritten (subjects, attachments, etc.).

    [Screenshot: current CI Re-write URLs]

Behavior / Experience for New Customers

For new customers from May 9th, 2025:

  • The default policy configuration for Malware under Detection Actions is Quarantine.

    [Screenshot: new CI Detection Actions]

  • The default policy configuration for Re-write URLs in Emails under Detection Engines is Enabled.
    The default configuration for both URL Rewrite Sensitivity and URL Scan Sensitivity is Moderate.
    You can configure these settings within Email Security policies, as required.

    [Screenshot: new CI Re-write URLs]

URL Rewrite Sensitivity

This option controls how aggressively CI looks for message content that could be considered a URL. The more aggressive the setting, the higher the chance that CI re-writes content that is not actually a URL.

An example use case for this option would be customers looking to stop CI re-writing IP addresses found within message bodies, where they could move from the default Moderate setting to Relaxed.

URL Scan Sensitivity

This option determines how strict URL scanning should be: the higher the sensitivity, the more URL categories are considered when making a detection.

Increasing the URL Rewrite Sensitivity setting causes more message content to be treated as a URL, so it is recommended that administrators test it with a small group of users before rolling it out more widely.

An example use case for the URL Scan Sensitivity setting would be a customer that is seeing URL-based threats pass through CI with the default Moderate scan sensitivity. Increasing this setting allows the customer to test whether the reported threats are now picked up.

Increasing URL Scan Sensitivity can introduce a higher rate of false positives, so we recommend testing this setting with a small group of users to determine the impact.
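To make the rewrite-sensitivity trade-off concrete, here is an added Python illustration (not Mimecast's matcher; the Relaxed and Moderate patterns are assumed stand-ins) that runs a relaxed and a more aggressive URL matcher over a constructed message body and shows which extra content, including an IP address and a version number, the aggressive setting would re-write.

```python
import re

# Constructed illustration of the URL Rewrite Sensitivity trade-off. This is not
# Mimecast's matcher: the patterns below are assumed stand-ins for the Relaxed
# and Moderate settings. Only the candidates a setting finds would be re-written.

# Shared core: content with an explicit scheme or a www. prefix.
EXPLICIT_URL = r"(?:https?://|www\.)[^\s<>\"']+"
# Extra candidates the more aggressive setting also treats as URLs.
BARE_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s<>\"']*)?"
BARE_HOST = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io)(?:/[^\s<>\"']*)?"

SENSITIVITY = {
    "relaxed": re.compile(rf"\b{EXPLICIT_URL}", re.IGNORECASE),
    "moderate": re.compile(rf"\b(?:{EXPLICIT_URL}|{BARE_IPV4}|{BARE_HOST})", re.IGNORECASE),
}

def find_url_candidates(body: str, sensitivity: str) -> list:
    """Substrings that would be re-written at the given sensitivity."""
    pattern = SENSITIVITY[sensitivity]
    # Strip sentence punctuation that the greedy character class swallowed.
    return [m.group(0).rstrip(".,;:)") for m in pattern.finditer(body)]

# Constructed message body: one genuine link, an internal host name, a printer
# IP address and a version number that merely looks like an IPv4 address.
SAMPLE_BODY = (
    "Please review https://docs.example.com/q3/report.pdf before Friday.\n"
    "The old copy is still on intranet.example.com and the printer at 10.0.0.25 "
    "is out of toner. Version 1.2.3.4 of the tool ships next week."
)

def compare_sensitivities(body: str = SAMPLE_BODY) -> dict:
    """Map each sensitivity to the candidates it would re-write in the body."""
    return {name: find_url_candidates(body, name) for name in SENSITIVITY}
```

The Relaxed matcher re-writes only the explicit link, while Moderate also catches the internal host, the printer address and the version string, which is the kind of false positive the Relaxed setting is meant to avoid.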

Below is a list of available options for URL protection, with a description and the recommended configuration for each:

Rewrite URLs in Emails
  • Description: Enables URL rewriting in messages so that deep threat scanning can be performed when a user clicks on a link in an email.
  • Recommended Configuration: Enabled. This allows any inbound URL to be security scanned on delivery or on user click.

Rewrite URLs in Subject Lines
  • Description: Enables URL rewriting in subject lines so that deep threat scanning can be performed when a user clicks on a link within a subject.
  • Recommended Configuration: Optional. Rewritten URLs in subject lines will be very long, so end users will not be able to determine the original URL.

Scan URLs in Attachments
  • Description: Deep scans URLs within supported attachment types that are no more than 100 MB in size.
  • Recommended Configuration: Enabled.

User Identification
  • Description: Specifies how users who click on a rewritten URL are identified.
    • Basic: Users who click on rewritten URLs are identified as the recipients of the email.
    • Advanced Device Enrollment/M365 Authentication (Recommended): The user must be authenticated so that URL clicks can be correctly attributed. If M365 Authentication is enabled, it is used; otherwise, device enrollment is used.
  • Recommended Configuration: Advanced. This allows clearer identification of internal users clicking on malicious links, even if the message has been forwarded internally.

Browser Isolation
  • Description: Allows end users to view URLs that cannot be classified as safe or malicious within an environment that is isolated from the device accessing the URL. URL rewriting must be enabled for Browser Isolation to be active.
  • Recommended Configuration: Enabled.

Browser Isolation: Enter Text
  • Description: Users can enter text into fields displayed on the website.
  • Recommended Configuration: Optional.

Browser Isolation: Copy Text
  • Description: Users can copy text from the browser fields to their device's clipboard.
  • Recommended Configuration: Optional.

Phishing and Impersonation

Phishing
  • Description: Messages that are classified as Phishing show high-confidence indicators that the sender was being impersonated.
    • Moderate: Requires three or more indicators within a message to trigger a Phishing detection.
    • Aggressive: Reduces the detection threshold to two indicators, resulting in the possibility of more false positives.
  • Recommended Configuration: Moderate. This is the best setting for most customers and will result in the fewest false positives.

Untrustworthy
  • Description: Messages that are classified as Untrustworthy show low-confidence indicators of containing malicious content.
    • Moderate: The best setting for most customers; results in the fewest false positives.
    • Aggressive: Reduces the detection threshold, which may result in more false positives.
  • Recommended Configuration: Moderate. This is the best setting for most customers and will result in the fewest false positives.

Dynamic Banners
  • Description: Utilizes Artificial Intelligence (AI) to protect from the most evasive and hard-to-detect email threats, limiting attacker reconnaissance and mitigating human error.
    • Learning Mode: Don't show any banners, but allow Mimecast to learn your users' communication patterns.
    • Enabled: Show contextual, real-time warning banners in suspicious emails.
    • Disabled: Don't show banners in suspicious emails.
  • Recommended Configuration: Enabled. Show contextual, real-time warning banners in suspicious emails.

Attachment

Sandbox
  • Description: Checks all vulnerable file types for threats in the sandbox:
    • All Microsoft Office file formats.
    • All Open Office file formats.
    • .PDF.
    • Archived files in .ZIP, .BZIP, .GZIP, .7ZIP, .JS, .RAR, .TAR, .LHA, .LZH, and .XZ formats.
    • Additional file types: bat, chm, cmd, com, cpl, crt, dll, exe, hta, jar, js, jse, jsp, lnk, mcr, ms, msi, pif, pl, pm, wsf, scr, sys, udf, url, vb, vbe, vbs, vbs script.
  • Recommended Configuration: Enabled.