This article covers Mimecast's Account takeover (ATO) feature, which is available for Email Security Cloud Gateway customers. It includes information on how to use the different detection features.
To access Account Takeover (ATO), customers must be on Advanced Protection Cloud Gateway, Critical Protection Cloud Gateway, or Premium Protection Cloud Gateway.
Overview
The purpose of the Account Takeover (ATO) feature is to detect risks to targeted internal users by using advanced analytics to detect outbound malware, outbound phishing, and anomalous authentication or login activity, and to alert you when they occur. This helps limit the damage of account takeover attacks, which can lead to identity theft, fraud, and the loss of sensitive data. The ATO feature lets organizations protect their users' accounts by securing access to email and identity provider accounts from within the ATO experience: activity details are displayed as soon as they are detected, enabling efficient alert management and response.
Prerequisites
- To access the ATO feature, one of the following Administrator roles is required:
  - Basic Admin
  - Super Admin
  - Full Admin
Custom roles are currently not supported.
Considerations
Microsoft Entra signals are optional and serve to enhance the information that Mimecast processes for alerts. The ATO feature leverages Entra signals, and the type of signals used on a per-account basis is dependent on your Entra licensing. Please see this article for information on signals available based on Entra licensing.
To use Microsoft Entra signals, the integration must be configured in the Integrations Hub.
- External signal sources like Microsoft Entra are subject to that platform's SLA. In the worst case, Microsoft's delivery of a signal can take 24 hours or more.
- Mimecast checks Microsoft Entra for new events every 15 minutes.
- Once received by Mimecast, the signal is processed and visible in the UI within 15 minutes.
- Email-based ATO signals produced by Mimecast are visible in the UI within 30 minutes of the time Mimecast handled the email.
For the Early Access release of Account takeover, you need to enable the Early Access option in the Mimecast Administration Console.
Accessing Account Takeover
To access the Account Takeover feature:
- Log in to the Mimecast Administration Console.
- Navigate to Analysis & Response and click Overview.
- You will see the Account Takeover tile, which contains:
  - The number of active alerts (if there are no active alerts, this is still shown as "0 active alerts").
  - A link to "View Account Takeover".
- Click on the View Account Takeover option. The feature will open in a new tab.
Navigating to Account takeover redirects to Mimecast Incydr and changes the URL.
Account Takeover Alerts
The Account Takeover dashboard page contains a list of all alerts, where you can view and manage the alerts.
On this page, you can:
- Navigate back to the Analysis & Response Overview page.
- Configure an API to export data for further analysis. Selecting this option redirects you to the API Clients tab, where you can configure API clients.
- Configure Notification settings to receive emails when an Account takeover threat is detected.
- View all Open, In progress, and Closed alerts.
Click the chevron next to any individual alert in the list to view the alert details.
Alerts can be filtered by:
- Status: Any status, Open, In progress, Closed - True positive, Closed - False positive
- Date range: All dates,
- Risk severity: Any severity, Critical (score = 9+), High (score = 7-8), Moderate (score = 4-6), Low (score = 1-3), No risk indicated (score = 0)
- Username or actor: Enter a user's email address.
Alert Details
Once you have selected an alert, the alert details pane opens, showing a timeline of the activity and details that generated the alerts and, eventually, an Account takeover detection.
In the Alert details pane, you can:
- Change status: The status can be changed to Open, In progress, Closed - True positive (Identified a valid risk), or Closed - False positive (Did not present a risk).
- Learn more about response options: This provides actions that you can take to secure your environment during an Account takeover.
- Add note: You can add notes into the Alert notes field of up to 2000 characters.
- Investigate in Forensic Search: This will take you to the Forensic Search page.
Forensic Search
You can navigate to the Forensic Search page by clicking the Investigate in Forensic Search option within alert details, or by clicking the Forensic Search tab in the toolbar.
On the Forensic Search page, you can use the following actions to search:
- Reset search, Update search, Add filter block, Remove filter block, Export results.
You can perform a search using the following filters:
- Time: Select a date range.
- Filter: Select a filter.
- Operator: Select an operator.
- Value: Select a value.
- Search term: Enter a search term.
You can search using multiple filter groups, which can be added or removed as required.
Once you have searched using the filters, you can choose to view the Event details for a specific item in the list.
Event Details
The Event details pane contains information about the event:
| Item | Description |
|---|---|
| Risk | This section shows the overall risk severity for the event, the PRISM score, and trusted activity. |
| Risk severity | The event's overall risk severity, based on the scoring ranges listed under Account Takeover Alerts (Critical 9+, High 7-8, Moderate 4-6, Low 1-3, No risk indicated 0). |
| PRISM Score | The PRISM score is the sum of all risk indicators applied to an event. A higher score denotes higher risk severity. |
| Trusted activity | Trusted activity will always reflect as False for account takeover events. |
| Event | This section provides summary information about the event, including date observed, event type, and event source. |
| Date observed | When the system generated the detection. |
| Event action | |
| Event observer | The data source that captured the event. |
| User | This section provides details about the user associated with the event. |
| Username | Indicates the user associated with the event. |
| User ID | Unique identifier for the user. |
| Source | Provides details about the origin of a file. Source details vary based on the event type. For example, the Source name for an upload event indicates the hostname of the user's device, while the Source name for a download event indicates the location where the download originated (for example, "Dropbox"). |
| Email sender | The address of the entity responsible for transmitting the message. In many cases, this is the same as Email from, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. |
| Email from | The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Email sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. |
| Destination | This section provides details about where a file was sent or moved. Destination details vary based on the event type. |
| Subject | The subject of the email message. |
| Total Recipients | The total number of email recipients. |
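The Email sender and Email from rows describe the case where a server or mail agent transmits a message on behalf of someone else. As an added illustration that is not part of the Mimecast article, the Python below assumes (its own simplification, not something the article states) that Email sender corresponds to the RFC 5322 Sender header when present and otherwise the From address, and that Email from is the From display name; it parses two constructed messages and flags the on-behalf case an analyst would want to notice in an alert.

```python
import email
from email.utils import parseaddr


def sender_and_from(raw_message: str) -> dict:
    """Derive the Event details fields 'Email sender' and 'Email from'.

    Assumption (not stated in the Mimecast article): 'Email sender' is the
    address in the RFC 5322 Sender header when one is present, otherwise the
    From address; 'Email from' is the display name of the From header. The
    two differ when a server or mail agent submits the message on behalf of
    the From identity, which is the case the article calls out.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _sender_name, sender_addr = parseaddr(msg.get("Sender", ""))
    email_sender = sender_addr or from_addr
    return {
        "email_sender": email_sender,
        "email_from": from_name or from_addr,
        "from_address": from_addr,
        # True when the transmitting entity is not the From identity.
        "sent_on_behalf": email_sender.lower() != from_addr.lower(),
    }


# Constructed sample messages for the demonstration (not real traffic).
DIRECT_MESSAGE = (
    "From: Alice Example <alice@example.com>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Q3 report\r\n"
    "\r\n"
    "Attached.\r\n"
)

ON_BEHALF_MESSAGE = (
    "From: Alice Example <alice@example.com>\r\n"
    "Sender: Scheduler Service <noreply@scheduler.example.net>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Meeting moved\r\n"
    "\r\n"
    "See new time.\r\n"
)


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_MESSAGE), ("on behalf", ON_BEHALF_MESSAGE)):
        print(label, sender_and_from(raw))
```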