This article covers Mimecast's Account Takeover (ATO) feature, which is available to Email Security Cloud Gateway customers. It describes how to access the feature and how to use its detection, alerting, and investigation capabilities.
To access Account Takeover (ATO), customers must be on Advanced Protection Cloud Gateway, Critical Protection Cloud Gateway, or Premium Protection Cloud Gateway.
Overview
The Account Takeover (ATO) feature uses analytics to detect, and alert you to, outbound malware, outbound phishing, and anomalous authentication or login activity affecting targeted internal users. Detecting these signals early limits the damage of an account takeover attack, which can lead to identity theft, fraud, and the loss of sensitive data. Activity details are displayed as soon as a detection is made, so alerts on email and identity provider accounts can be managed and responded to efficiently within the ATO experience.
Prerequisites
To access the ATO feature, one of the following Administrator roles is required:
- Basic Administrator
- Super Administrator
- Full Administrator
Custom roles are currently not supported.
Considerations
Microsoft Entra signals are optional and enrich the information that Mimecast processes for alerts. Which Entra signals are available for a given account depends on your Entra licensing; see the related Mimecast article for the signals available under each licence tier.
To use Microsoft Entra signals, the integration must be configured in the Integrations Hub.
- External signal sources such as Microsoft Entra are subject to that platform's SLA. In the worst case, Microsoft can take 24 hours or more to make an event available.
- Mimecast checks Microsoft Entra for new events every 15 minutes.
- Once received by Mimecast, a signal is processed and visible in the UI within 15 minutes.
- Email-based ATO signals produced by Mimecast itself are visible in the UI within 30 minutes of the time Mimecast handled the email.
Taken together, an Entra-derived alert can therefore appear up to about 30 minutes after Microsoft makes the event available, on top of any delay on Microsoft's side; factor this into any detection-latency expectations or SLAs you build on these alerts.
For the Early Access release of Account Takeover, you need to enable the Early Access option in the Mimecast Administration Console.
Accessing Account Takeover
To access the Account Takeover feature:
- Log in to the Mimecast Administration Console.
- Navigate to Analysis & Response and click Overview.
- Locate the Account Takeover tile, which contains:
  - The number of active alerts (shown as "0 active alerts" when there are none).
  - A "View Account Takeover" link.
- Click View Account Takeover. The feature opens in a new tab.
Navigating to Account Takeover redirects to Mimecast Incydr, so the URL changes.
Account Takeover Alerts
The Account Takeover dashboard page contains a list of all alerts, where you can view and manage the alerts.
On this page, you can:
- Navigate back to the Analysis & Response Overview page.
- Configure an API client to export alert data for further analysis. Selecting this option redirects you to the API Clients tab, where you configure the API clients.
- Configure Alert settings to receive emails when an Account Takeover threat is detected. After clicking Alert Settings, you will see two options:
  - Rule Settings: exclude individual users from generating Account Takeover alerts.
  - Notifications: add an email address that receives a notification when Account Takeover threats are detected.
- View all Open, In progress, and Closed alerts. Click the chevron next to any alert in the list to view its details.
Alerts can be filtered by:
- Status: Any status, Open, In progress, Closed - True positive, Closed - False positive
- Date range: All dates,
- Risk severity: Any severity, Critical (score 9+), High (score 7-8), Moderate (score 4-6), Low (score 1-3), No risk indicated (score 0)
- Username or actor: enter the user's email address.
Alert Feedback
Alert feedback lets administrators report that a user was mistakenly flagged as compromised, or that a compromised account was missed by detection.
Navigate to Account Takeover | View Account Takeover and click Report Undetected Account Takeover. Complete the Account Takeover Feedback fields, then select Send feedback.
Alert Details
Once you have selected an alert, the alert details pane opens, showing a timeline of the activity and details that generated alerts, culminating in the Account Takeover detection itself.
In the Alert Details pane, you can:
- Change status: The status can be changed to Open, In progress, Closed - True positive, Closed - Benign (personal or legitimate business activity), or Closed - False positive (incorrect detection).
- Learn more about response options: Describes actions you can take to secure your environment during an account takeover.
- Actions: Provides manual response capabilities for compromised accounts. Administrators can open the compromised user's profile in Microsoft Entra or Okta to take further action, depending on which third-party integration is configured.
- Add note: Add notes of up to 2000 characters in the Alert notes field.
- Investigate in Forensic Search: Opens the Forensic Search page.
Forensic Search
You can navigate to the Forensic Search page by clicking the Investigate in Forensic Search option within alert details or by clicking the Forensic Search tab in the toolbar.
On the Forensic Search page, the following actions are available: Reset search, Update search, Add filter block, Remove filter block, and Export results.
You can perform a search using the following filters:
- Time: Select a date range.
- Filter: Select a filter.
- Operator: Select an operator.
- Value: Select a value.
- Search term: Enter a search term.
You can search using multiple filter groups, which can be added or removed as required.
Once you have searched using the filters, select an item in the results list to view its Event details.
Event Details
The Event details pane contains information about the event:
| Item | Description |
| --- | --- |
| Risk | This section shows the overall risk severity for the event, the PRISM score, and trusted activity. |
| Risk severity | The event's overall risk severity, based on the same scoring ranges used by the alert Risk severity filter: Critical (9+), High (7-8), Moderate (4-6), Low (1-3), No risk indicated (0). |
| PRISM score | The sum of all risk indicators applied to the event. A higher score denotes higher risk severity. |
| Trusted activity | Always False for account takeover events. |
| Event | This section provides summary information about the event, including date observed, event type, and event source. |
| Date observed | When the system generated the detection. |
| Event action | The event type: the action the event records. |
| Event observer | The data source that captured the event. |
| User | This section provides details about the user associated with the event. |
| Username | The user associated with the event. |
| User ID | Unique identifier for the user. |
| Source | This section provides details about the origin of the event. Source details vary by event type; for example, the Source name for an upload event is the hostname of the user's device, while for a download event it is the location the download originated from (for example, "Dropbox"). |
| Email sender | The address of the entity responsible for transmitting the message. This is usually the same as Email from, but differs when a server or other mail agent sends the message on behalf of someone else. |
| Email from | The sender as shown in the message's "From" header. This is usually the same as Email sender, but differs when a server or other mail agent sends the message on behalf of someone else. |
| Destination | This section provides details about where the message was sent. Destination details vary by event type. |
| Subject | The subject of the email message. |
| Total recipients | The total number of email recipients. |
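The alert filters described earlier (status, date range, risk severity, username), the Forensic Search filter blocks (filter, operator, value), and the PRISM score and severity bands in the table above can be exercised offline against an alert export. The script below is an added example written for this article; it is not Mimecast code and does not call the Mimecast API. The record layout, field names, operator names and per-indicator weights are assumptions. The only facts taken from the article are that the PRISM score is the sum of the risk indicators applied to an event and that the severity bands are Critical (9+), High (7-8), Moderate (4-6), Low (1-3) and No risk indicated (0).

```python
"""Offline triage of exported Account Takeover alerts (added example, not Mimecast code).

Assumptions: the record layout, field names, operator names and the
per-indicator weights in the sample data are invented for illustration.
From the article: PRISM score = sum of risk indicators; severity bands
are Critical (9+), High (7-8), Moderate (4-6), Low (1-3), No risk (0).
"""
from datetime import datetime, timezone

# (lower bound, label), checked from highest to lowest.
SEVERITY_BANDS = ((9, "Critical"), (7, "High"), (4, "Moderate"), (1, "Low"))
NO_RISK = "No risk indicated"


def prism_score(indicators):
    """Sum of the risk-indicator weights applied to one event."""
    total = sum(int(w) for w in indicators.values())
    if total < 0:
        raise ValueError("indicator weights must be non-negative")
    return total


def severity(score):
    """Map a PRISM score onto the article's severity bands."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return NO_RISK


def _ts(value):
    """Parse an ISO-8601 timestamp; a trailing Z means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Filter blocks in the shape of the Forensic Search UI: (filter, operator, value).
# Operator names are assumed, not the product's own.
OPERATORS = {
    "is": lambda actual, wanted: actual == wanted,
    "is not": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted.lower() in str(actual).lower(),
    "on or after": lambda actual, wanted: _ts(actual) >= _ts(wanted),
    "before": lambda actual, wanted: _ts(actual) < _ts(wanted),
}


def enrich(alert):
    """Return a copy of the alert with its PRISM score and severity filled in."""
    score = prism_score(alert.get("indicators", {}))
    return {**alert, "score": score, "severity": severity(score)}


def apply_filters(alerts, blocks):
    """Keep alerts that satisfy every (filter, operator, value) block (logical AND)."""
    kept = []
    for alert in map(enrich, alerts):
        ok = True
        for field, op, wanted in blocks:
            if op not in OPERATORS:
                raise ValueError(f"unknown operator: {op}")
            if field not in alert or not OPERATORS[op](alert[field], wanted):
                ok = False
                break
        if ok:
            kept.append(alert)
    return kept


# Constructed sample export (assumed layout, not real data).
SAMPLE_ALERTS = [
    {"id": "ato-1", "username": "alice@example.com", "status": "Open",
     "observed": "2024-05-02T09:15:00Z",
     "indicators": {"Anomalous sign-in location": 4, "Outbound phishing": 5}},
    {"id": "ato-2", "username": "bob@example.com", "status": "In progress",
     "observed": "2024-05-01T22:40:00Z",
     "indicators": {"Impossible travel": 3, "New inbox rule": 4}},
    {"id": "ato-3", "username": "carol@example.com", "status": "Closed - False positive",
     "observed": "2024-04-28T08:00:00Z",
     "indicators": {"Login from new device": 2}},
    {"id": "ato-4", "username": "dave@example.com", "status": "Open",
     "observed": "2024-05-03T11:05:00Z",
     "indicators": {}},
]


def open_critical_since(alerts, since):
    """The most common triage view: Open alerts, Critical severity, in a date range."""
    return apply_filters(alerts, [
        ("status", "is", "Open"),
        ("severity", "is", "Critical"),
        ("observed", "on or after", since),
    ])


if __name__ == "__main__":
    for a in open_critical_since(SAMPLE_ALERTS, "2024-05-01T00:00:00Z"):
        print(a["id"], a["username"], a["score"], a["severity"])
```

Because `severity` is derived from the score rather than stored, a filter on `severity` behaves exactly like the Risk severity filter in the alert list, and an alert with no indicators (ato-4 in the sample) correctly lands in "No risk indicated" instead of being dropped. The same `apply_filters` call also reproduces a Forensic Search filter group: add or remove tuples from the list to add or remove filter blocks.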