This article outlines the key differences between Mimecast's two email security features: Impersonation Protect and Advanced Business Email Compromise (BEC) Protection. While both solutions combat email-based threats, they utilize distinct approaches and technologies to safeguard organizations against varying levels of sophisticated attacks.
Impersonation Protect offers a fundamental defense against direct impersonation attempts by monitoring domains, analyzing display names, and detecting suspicious keywords. Meanwhile, Advanced BEC Protection leverages AI-driven behavioral monitoring and social graphing to identify sophisticated attack patterns and evolving threats.
The table below highlights the key distinctions between the two products:
| Impersonation Protect | Advanced Business Email Compromise |
Detection Processing
To maximize the effectiveness of both solutions, you should:
- Verify DMARC/DKIM/SPF configurations.
- Deploy Impersonation Protect as your baseline protection.
- Layer Advanced BEC Protection for enhanced security against sophisticated threats.
- Regularly review and update detection policies.
Use Case Examples
CEO Impersonation Attack
Scenario: An attacker attempts to impersonate the company's CEO by sending an urgent email to the finance department requesting an immediate wire transfer to a new account for a confidential business deal.
How the attack is detected:
- Impersonation Protect: Analyzes the sender’s email domain and display name, and detects anomalies such as a domain closely resembling the legitimate one (e.g., "company-global.com" instead of "company.com").
- Advanced BEC Protection: Detects a display name that matches the CEO’s but originates from an unrecognized email address.
Vendor Impersonation in a Supply Chain Attack
Impersonation Protect can detect vendor impersonation when a list of custom-monitored external domains is configured.
Scenario: An attacker impersonates a trusted vendor and sends an email to the procurement team with an attached invoice disguised as a PDF file.
How the attack is detected: Impersonation Protect includes specialized features to combat supply chain impersonation. The system analyzes the sender’s domain to detect lookalike attempts (e.g., "vendor-invoices.com" instead of "vendor.com"). It also identifies the use of non-Western character sets that visually mimic Western characters, which is a common tactic for disguising malicious links or domains. These features help detect fraudulent email addresses and attachment names designed to evade detection.
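The two domain checks described above (lookalike domains and visually similar non-Western characters) can be sketched as follows. This is an added example, not Mimecast's implementation; the verdict names, the small confusables subset, the one-label-TLD assumption and the `MONITORED` list are all assumptions made for illustration.

```python
import re
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones;
# a production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0455\u03bf", "aeopcxyiso")

def to_unicode(domain):
    """Lower-case the domain and decode punycode (xn--) labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(l[4:].encode("ascii").decode("punycode")
                    if l.startswith("xn--") else l for l in labels)

def scripts(text):
    """Scripts of the letters, read from the first word of each Unicode name."""
    return {unicodedata.name(c).split()[0] for c in text if c.isalpha()}

def sld(domain):
    """Second-level label; assumes a one-label TLD (no public-suffix list)."""
    return domain.split(".")[-2:][0]

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(sender_domain, monitored):
    """Return (verdict, monitored_domain) for one sender domain."""
    domain = to_unicode(sender_domain)
    for legit in monitored:
        if domain == legit or domain.endswith("." + legit):
            return ("exact", legit)
    skeleton = domain.translate(CONFUSABLES)
    for legit in monitored:
        brand = sld(legit)
        if skeleton == legit:
            return ("homoglyph", legit)          # same look, different code points
        if brand in re.split(r"[.\-]", skeleton):
            return ("embedded-brand", legit)     # e.g. vendor-invoices.com
        if edit_distance(sld(skeleton), brand) <= 1:
            return ("near-match", legit)         # one typo away from the brand
    return ("mixed-script", None) if len(scripts(domain)) > 1 else ("no-match", None)

MONITORED = ("company.com", "vendor.com")        # constructed monitored list
```

Short brand names make the one-edit threshold noisy, so a real policy would scale the threshold with label length and pair these verdicts with the DMARC/DKIM/SPF results.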
Vendor Impersonation Attack
Scenario: An attacker impersonates a trusted vendor, urgently requesting a change in payment details for an upcoming invoice. The email is crafted using advanced language models to perfectly mimic the vendor’s communication style, making it nearly indistinguishable from legitimate correspondence.
How the attack is detected: Mimecast’s social graphing technology analyzes the sender’s email against historical communication patterns between the organization and the vendor. Despite the realistic tone, the system flags BEC-style indicators such as urgency, payment requests, and bank detail changes. Additionally, while the domain may appear legitimate, the system detects that the email address used for this request does not match the vendor’s usual financial contact.
Multi-Stage Executive Impersonation Attack
Scenario: An attacker executes a sophisticated, multi-stage BEC attack targeting a company’s finance department. The attack begins with reconnaissance through social media, followed by a series of seemingly harmless emails impersonating a company executive. The final stage involves an urgent request for a confidential wire transfer to close a supposed acquisition deal.
How the attack is detected: The system applies sentiment analysis and natural language processing to extract common BEC phrases and analyze communication patterns.