This article covers Mimecast's Account Takeover (ATO) feature, which is available for Email Security Cloud Gateway customers. It includes information on how to use the different detection features.
To access Account Takeover (ATO), customers must be on Advanced Protection Cloud Gateway, Critical Protection Cloud Gateway, or Premium Protection Cloud Gateway.
Overview
The purpose of the Account Takeover (ATO) feature is to detect risks to targeted internal users by leveraging advanced analytics to detect and alert you about outbound malware, outbound phishing, and anomalous authentication or login activity. This helps mitigate the damage of account takeover attacks, which can lead to identity theft, fraud, and the loss of sensitive data. Account Takeover allows organizations to protect their users' accounts by securing access to email and identity provider accounts within the ATO experience: activity details are displayed once a detection is made, enabling efficient alert management and response.
Prerequisites
Incydr Tenant Access Only
An administrator gets automatic access to the customer’s Incydr tenant when they buy a new Email Security Plan (Critical, Advanced, or Premium). ATO permissions apply automatically based on their existing AdCon roles, with no separate role assignment needed.
To access the ATO feature, one of the following Administrator roles is required:
- Sys Admin - SD Full / Cluster Admin
- Sys Admin - ProductManagementBasic / Cluster
- Sys Admin - SD Basic
- Sys Admin - Read Only CS / Cluster
- Sys Admin - Read Only Basic / Cluster
- Super Administrator
- Partner Administrator
- Full Admin
- SD Basic
Permissions for custom roles are supported. Administrators can create a custom role within the Administration Console with any combination of the four ATO permissions below.
- Additionally, customers must enable read and write permissions in the following locations under Application Permissions | Services Menu | Account Take Over Alert & Account Take Over Rule. Without these permissions enabled, the hero stat will not render.
Considerations
Microsoft Entra signals are optional and serve to enhance the information that Mimecast processes for alerts. The ATO feature leverages Entra signals, and the type of signals used on a per-account basis is dependent on your Entra licensing. Please see this article for information on signals available based on Entra licensing.
To use Microsoft Entra signals, the integration must be configured in the Integrations Hub.
- External signal sources like Microsoft Entra are subject to that platform's SLA. Microsoft Entra signals can be delayed by up to 24 hours or more in the worst case.
- Mimecast checks Microsoft Entra for new events every 15 minutes.
- Once received by Mimecast, the signal is processed and visible in the UI within 15 minutes.
- Email-based ATO signals produced by Mimecast are visible in the UI within 30 minutes of the time Mimecast handled the email.
For the Early Access release of Account takeover, you need to enable the Early Access option in the Mimecast Administration Console.
Accessing Account Takeover
To access the Account Takeover feature:
- Log in to the Mimecast Administration Console.
- Navigate to Analysis & Response and click Overview.
- You will see the Account Takeover tile that contains:
- The number of active alerts (if there are no active alerts, this will still be indicated as "0 active alerts").
- A link to "View Account Takeover".
- Click on the View Account Takeover option. The feature will open in a new tab.
Navigating to Account takeover redirects to Mimecast Incydr and changes the URL.
Account Takeover Alerts
The Account Takeover dashboard page contains a list of all alerts, where you can view and manage the alerts.
On this page, you can:
- Navigate back to the Analysis & Response Overview page.
- Configure an API to export data for further analysis. By selecting this option, you will be redirected to the API Clients tab, where you can configure these API clients.
- Configure Alert settings to receive emails when an Account Takeover threat is detected.
After clicking on Alert Settings, you will see two options:
- Rule Settings: You can exclude individual users from generating Account Take Over alerts.
USE WITH CARE
Excluding a user permanently stops ALL ATO alerts for that email, including real future threats. It’s not for managing noisy or false alerts. Once excluded, Mimecast won’t alert on that account regardless of detected signals.
For false positive alerts on a specific address, use Closed False Positive instead.
| WHEN TO USE AN EXCLUSION | WHEN NOT TO USE AN EXCLUSION |
- Notifications: You can add an email address to send a notification when Account Take Over threats are detected.
- View all Open, In progress, and Closed alerts.
Click on the chevron next to any individual alert in the list to view the alert details.
Alerts can be filtered by:
- Status: Any status, Open, In progress, Closed - True positive, Closed - False positive
- Date range: All dates,
- Risk severity: Any severity, Critical (score = 9+), High (score = 7-8), Moderate (score = 4-6), Low (score = 1-3), No risk indicated (score = 0)
- Username or actor: Enter a user's email address.
Alert Feedback
This enables administrators to provide feedback on whether a user was mistakenly flagged as compromised or overlooked during the scanning process.
Navigate to Account Takeover | View Account Takeover, and click Report Undetected Account Takeover. Complete the Account Takeover Feedback fields, then select Send feedback once all the fields have been completed.
Alert Details
Once you have selected an alert, the alert details pane opens, showing a timeline of the activity and details that generated the alert, culminating in the Account Takeover detection.
In the Alert Details pane, you can:
- Change status: The status can be changed to Open, In progress, Closed - True positive, Closed - Benign (Personal or legitimate business activity) or Closed - False positive (Incorrect detection).
- Learn more about response options: This provides actions that you can take to secure your environment during an account takeover.
- Actions: Provides manual response capabilities for compromised accounts. Administrators can open the compromised user's profile in either Microsoft Entra or Okta to take additional action, depending on the third-party configuration, and can apply response actions within the Mimecast platform.
- Deep linking into Entra from ATO alerts: Direct linking from an ATO alert to the compromised user's Microsoft 365 Entra ID entry lets admins review the user's security details and secure the account.
- Human Risk Command Center: This option links directly to the user's profile in the Human Risk Command Center.
- Add note: You can add notes into the Alert notes field of up to 2000 characters.
- Investigate in Forensic Search: This will take you to the Forensic Search page.
Forensic Search
You can navigate to the Forensic Search page by clicking the Investigate in Forensic Search option within alert details or by clicking the Forensic Search tab in the toolbar.
On the Forensic Search page, you can use the following actions to search:
- Reset search, Update search, Add filter block, Remove filter block, Export results.
You can perform a search using the following filters:
- Time: Select a date range.
- Filter: Select a filter.
- Operator: Select an operator.
- Value: Select a value.
- Search term: Enter a search term.
You can search using multiple filter groups, which can be added or removed as required.
Once you have searched using the filters, you can choose to view the Event details for a specific item in the list.
Event Details
The Event details pane contains information about the event:
| Item | Description |
| Risk | This section shows the overall risk severity for the event, the PRISM score, and trusted activity. |
| Risk severity | The event's overall risk severity, based on the same scoring ranges as the alert Risk severity filter: Critical (score = 9+), High (score = 7-8), Moderate (score = 4-6), Low (score = 1-3), No risk indicated (score = 0). |
| PRISM score | The PRISM score is the sum of all risk indicators applied to an event. A higher score denotes higher risk severity. |
| Trusted activity | Trusted activity will always reflect as False for account takeover events. |
| Event | This section provides summary information about the event, including date observed, event type, and event source. |
| Date observed | When the system generated the detection. |
| Event action | |
| Event observer | The data source that captured the event: |
| User | This section provides details about the user associated with the event. |
| Username | Indicates the user associated with the event. |
| User ID | Unique identifier for the user. |
| Source | Provides details about the origin of a file. Source details vary based on the event type. For example, the Source name for an upload event indicates the hostname of the user's device, while the Source name for a download event indicates the location where the download originated (for example, "Dropbox"). |
| Email sender | The address of the entity responsible for transmitting the message. In many cases, this is the same as Email from, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. |
| Email from | The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Email sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. |
| Destination | This section provides details about where a file was sent or moved. Destination details vary based on the event type. |
| Subject | The subject of the email message. |
| Total Recipients | The total number of email recipients. |
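The Email sender / Email from distinction in the table above comes down to the difference between a message's Sender header and its From header. The Python example below is added here to make that concrete; it is not Mimecast's code and does not call any Mimecast API. It uses only the standard library's email module on two constructed sample messages and returns the header-derived fields the pane labels Email sender, Email from, Subject and Total Recipients, plus a flag that is set when the transmitting address differs from the From address (the "sent on behalf of someone else" case described in the table).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not real mail). In the first, a mail agent transmits
# the message on behalf of the From user, so the Sender and From headers differ.
SAMPLE_DELEGATED = """\
From: "Jane Doe" <jane.doe@example.com>
Sender: "Calendar Service" <noreply@mailer.example.net>
To: team@example.com, "Bob" <bob@example.com>
Cc: audit@example.com
Subject: Quarterly review

Body text.
"""

SAMPLE_DIRECT = """\
From: "Jane Doe" <jane.doe@example.com>
To: team@example.com
Subject: Hello

Body text.
"""


def summarize_email_event(raw_message: str) -> dict:
    """Return the header-derived fields shown in the Event details pane.

    'Email sender' is the address responsible for transmitting the message: the
    Sender header when present, otherwise the From address (RFC 5322 semantics).
    'Email from' is the display name and address taken from the From header.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_header = msg.get("Sender")
    if sender_header:
        _, sender_addr = parseaddr(sender_header)
    else:
        sender_addr = from_addr
    # Count distinct addresses across To and Cc (Bcc is stripped in transit)
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if addr
    }
    return {
        "email_from_name": from_name,
        "email_from_addr": from_addr.lower(),
        "email_sender_addr": sender_addr.lower(),
        # True when another agent transmitted the mail on the From user's behalf
        "sender_differs": sender_addr.lower() != from_addr.lower(),
        "subject": msg.get("Subject", ""),
        "total_recipients": len(recipients),
    }


if __name__ == "__main__":
    for label, raw in (("delegated", SAMPLE_DELEGATED), ("direct", SAMPLE_DIRECT)):
        print(label, summarize_email_event(raw))
```

A Sender that differs from From is normal for calendar services, ticketing systems and delegated mailboxes, which is why the pane shows both fields rather than treating a mismatch as a detection on its own; the flag is useful as context when reviewing an alert's timeline, not as a verdict.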