Mimecast Email Incident Response - Mimecast Threat Response Operations (TRO) Actions

This article describes the classifications that are used for reported messages in Mimecast Email Incident Response (MEIR) and the actions that are taken based on these classifications. It is intended for Administrators.

Reported Message Classifications

The classifications below are shared by TRO analysts and end-user reporting. For each classification, the entry gives its meaning and the values that appear in the Analysis & Response column and the Analysis & Response Details column:

Benign – Legitimate
  Definition: A legitimate, safe business email that the end user should most likely act on.
  Analysis & Response column: N/A
  Analysis & Response Details column: N/A

Benign – Spam
  Definition: A safe email that the end user was not expecting and does not want to receive.
  Analysis & Response column: N/A
  Analysis & Response Details column: N/A

Benign – Mimecast Awareness Training
  Definition: A phishing simulation created by Mimecast Awareness Training.
  Analysis & Response column: N/A
  Analysis & Response Details column: N/A

Benign – 3rd party Awareness Training
  Definition: A phishing simulation created by a third-party awareness training tool.
  Analysis & Response column: N/A
  Analysis & Response Details column: N/A

Malicious – Malware Attachment
  Definition: Email with a malicious file attached.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Malicious File

Malicious – Malware URL
  Definition: Email with a URL that leads to a malicious file.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Malicious File

Malicious – Phishing Attachment
  Definition: Email with an attachment that leads to a phishing attack, for example a PDF that carries no malware itself but contains a link to a phishing page.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Malicious File

Malicious – Phishing URL
  Definition: Email with a URL that leads to a phishing page.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Phishing URL

Malicious – Whaling/Spear Phishing
  Definition: An email directly targeting the reporting organization, almost always impersonating a member of staff.
  Analysis & Response column: Phishing
  Analysis & Response Details column: BEC - Whaling

Malicious – Scam/Fraud
  Definition: Catch-all for malicious emails that do not fit the Whaling/Spear Phishing, Malware, or Phishing categories. Usually carries no payload; an advance-fee scam is a typical example.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Fraud

Malicious – Other
  Definition: Email that is, or was, malicious based on context and infrastructure clues, but the threat is no longer active. This most commonly occurs with URL-based attacks where the URL no longer resolves.
  Analysis & Response column: Phishing
  Analysis & Response Details column: Payload offline

Indeterminate
  Definition: Everything about the email looks safe and legitimate, but MEIR does not have the context to confirm this with 100% confidence: the analyst sees nothing wrong with the email, yet something may still look suspicious. An invoice is a typical example; MEIR has no way to know whether the customer actually purchased the product or service being invoiced.
  Analysis & Response column: Suspicious
  Analysis & Response Details column: Missing Context

Actions 

Regardless of the classification, the reported message is always moved to the reporting user's Junk or Deleted Items folder. Which folder is used depends on whether the user selected the "reported as junk" or "reported as phishing" option; if you have a single reporting button configured, the message is moved to Junk.

The actions taken based on the reported message classification are as follows:

Benign – Legitimate, Benign – Mimecast Awareness Training, Benign – 3rd party Awareness Training
  • The sender is NOT added to the blocklist.

Benign – Spam and all Malicious classifications
  • The sender IS added to the blocklist.

All Malicious classifications (in addition to the blocklist entry above)
  • The message and all similar messages are removed (remediated) by MEIR in Mimecast remediation incidents.
  • Detection updates are created at all applicable scanning layers, improving the security posture of all Mimecast customers.
  • The Analysis and Response dashboard is updated to show malicious indicators, URL clicks, threat details, and remediated messages.

For all reported messages, feedback is sent to the user who reported the message, depending on the configuration described in End User Feedback.
