This article explains how to configure & customize end-user feedback in MEIR. Notifications inform end users of the outcome of their report and encourage continued reporting. This article is intended for Administrators.
Overview
When an end user reports a suspicious email, MEIR sends notifications at two points in the workflow:
An immediate acknowledgment confirming the report was received (sent regardless of MEIR configuration).
A classification notification is sent once the report has been investigated and a classification outcome reached. This notification is classification-specific - the message the user receives reflects the actual outcome of their report.
Classification notifications are disabled by default and must be enabled by an administrator. Once enabled, each classification type (Malicious, Benign, Simulated, and Under Review) has its own pre-built template that can be customised independently.
Considerations
- End user feedback informs the end user on the outcome and engages them to continue to report messages.
- When reporting a message from the Mimecast Administration Console, administrators may receive a feedback email
- When reporting a message, end users always receive (near) direct confirmation (regardless of MEIR).
- Mimecast Essentials provides direct in-line confirmation.
- Outlook end-user reporting provides email-based confirmation.
- Depending on your configuration options, the end user will receive the notification when MEIR classifies the reported email.
- By default, the end user notification is disabled and will require an Administrator to enable it in the Mimecast Administration Console. Once enabled, the end users will receive the notifications.
Classification notification types
Classification |
When it is sent |
Default behaviour |
|---|---|---|
Malicious |
When a reported email is confirmed malicious |
Sent to reporter. Remediation is triggered across all affected mailboxes. |
Benign |
When a reported email is confirmed safe |
Sent to reporter. No remediation action is taken. |
Simulated |
When a reported email is identified as a phishing simulation (Mimecast Awareness Training or 3rd party simulation) |
Sent to reporter. Confirms the email was a training simulation. |
Under Review |
When a reported email cannot be immediately classified |
Sent immediately. The email is automatically removed from the reporter's inbox while under investigation. |
Under Review Urgent |
When a reported email cannot be immediately classified |
Sent immediately to the Additional Recipient mailbox with a Zendesk ID. |
Enabling Classification Notifications
Log in to the Mimecast Administration Console.
Navigate to Users & Groups, then Applications.
Click New Application Settings or open default Application Setting to edit.
Navigate to the Common Applications section and view Email Incident Response Settings.
Select the checkbox (Admin and End User) for each classification type you want to trigger a notification for: Benign, Indeterminate (Under Review), Malicious, Simulated.
Click Save and Exit.
Note:
Enabling a classification here activates the default template for that classification. The notification will be sent to the end user automatically once a classification outcome is reached. Each classification can be enabled or disabled independently.
To enable Admins to receive notifications when they report from the Administration Console, the Admin notification had to be enabled as well; otherwise, they will only receive notifications when they report as end users (from their mailbox)
Under Review - how it works
When a reported email cannot be immediately classified, MEIR places it Under Review. The following happens:
The email is remediated as a precaution.
The reporter receives an Under Review notification informing them that the email is being investigated.
At the same time, a notification is sent to the additional recipient mailbox configured by your administrator. This mailbox is a distribution list address designated by your organisation to receive copies of reported emails. It includes a Zendesk case ID for tracking. If your administrator does not respond to the case within 48 hours, the case is automatically closed.
Once the investigation concludes, a second notification is sent to the reporter. If the email is safe, it is restored to their inbox. If confirmed malicious, remediation is applied across all affected mailboxes.
Note: The 48-hour response window begins from the time the Under Review case is created. If no response is received from the administrator within that window, the case is automatically closed. The automatic inbox removal and restore actions for the end user require no administrator intervention regardless. Status of Under Review cases can be monitored in Analysis and Response.
Configuring the additional recipient mailbox
To receive Under Review case notifications, an additional recipient mailbox must be configured in the Administration Console:
Log in to the Mimecast Administration Console.
Navigate to Users & Groups, then Applications.
Go to the Gateway Settings group.
Select the Allow Report Spam/Phishing/Malware Recipient checkbox.
Enter the distribution list address in the Additional Report Spam/Phishing/Malware Recipient field.
Click Save and Exit.
Customising notification templates
Each classification has its own notification template that can be customised with your own subject line, message body, and branding. To customise a template:
Log in to the Mimecast Administration Console.
Navigate to Policies, then Gateway Policies, then Notification Sets.
Create or open a Notification Set Definition and ensure you select the Email Incident Response - End-user Notification option.
Customise the subject line and message body for each classification as required.
Save the Notification Set and apply it via a Notification Set Policy.
Note: For further information on Notification Sets and branding, see Configuring Notification Set Definitions and Policies and Branding Introduction.
Admin notifications
In addition to end-user notifications, administrators can receive a notification each time a classification outcome is reached. To configure admin notifications:
Navigate to Analysis & Response in the Mimecast Administration Console.
Open Notifications and select Admin Notification Settings.
Add the email addresses of the administrators who should receive notifications.
Select which classification outcomes trigger an admin notification.
Click Save.
Admin notifications are independent of end-user notifications. Enabling or disabling one does not affect the other.
Audit Log
Every sent notification is logged automatically. Each log entry includes the notification type and classification, the recipient email address, the message ID of the reported email, the timestamp the notification was sent, and the delivery status. Audit log data is available in the Administration Console under Analysis & Response and is accessible via the MEIR API for SIEM and SOAR integration.
Example notification
The default notification the end user receives is as shown below:
Customization options
The end user notification can be customized and branded using the Notification Set Definition:
- Log in to the Mimecast Administration Console.
- Navigate to Policies | Gateway Policies | Notification Sets.
- Create or configure a Notification Set Definition and Policy, ensuring you select the Email Incident Response - End-user Notification option.
More information on Notification Sets and Branding can be found on the Configuring Notification Sets Definitions and Policies and Branding Introduction pages.
Comments
Please sign in to leave a comment.