This article contains information on locating and reporting false positives in Mimecast, including gathering message details and submitting reports for investigation, to improve email security settings and defenses.
Overview
Reporting false positives to Mimecast enables the Mimecast Security Operations Center (MSOC) to analyze why these messages weren't blocked by your security policies. This investigation process helps identify whether adjustments are needed to your anti-spoofing, Impersonation Protection, Advanced BEC detection, spam and malware filters, or other security settings. By reporting false positives, you contribute to continuous improvement of your organization's email security defenses and help maintain the effectiveness of your Mimecast security filters.
Prerequisites
- You are a Mimecast Administrator, with permissions to view Message Tracking data, and the ability to export or copy message headers and metadata.
Locating Messages
Begin by finding the specific message deemed to be a false positive, via Message Tracking:
- Log in to the Mimecast Administration Console.
- Navigate to Message Center | Message Tracking.
- Search for the message using one or more of the following criteria:
  - Sender email address.
  - Recipient email address.
  - Date and time the email was received.
- Locate and select the specific message from the search results.
Gathering Message Information
To ensure a thorough investigation, collect the following detailed information about the message:
| Information to Collect | Details |
| Sender email address | The "From" address shown in the message. |
| Recipient email address | Who received the email within your organization. |
| Date and time received | The exact timestamp when the email arrived. |
| Originating IP address | The source IP where the email originated. |
| Full message headers | Complete header information if available. |
| Message metadata | Any additional relevant information from the message record. |
You can obtain this information from several locations in the Mimecast Administration Console: Message Tracking, Rejected and Deferred Messages, or Held Messages. Export or copy the message headers and metadata to include in your report to Mimecast Support.
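The fields in the table above can be pulled from a message's exported raw headers before they go into a report. The following is an added example, not Mimecast code: the sample headers are constructed, and the function names, the internal-range skip list and the use of the newest Received timestamp as the arrival time are assumptions.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (example domains, documentation-range IPs), not real traffic.
SAMPLE = (
    "Received: from relay.sender.example (relay.sender.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTPS id def456;\n"
    "\tTue, 04 Mar 2025 10:15:30 +0000\n"
    "Received: from [192.168.1.20] (unknown [203.0.113.45])\n"
    "\tby relay.sender.example with ESMTPSA id ghi789;\n"
    "\tTue, 04 Mar 2025 10:15:28 +0000\n"
    'From: "Accounts Payable" <billing@sender.example>\n'
    "To: finance@recipient.example\n"
    "Date: Tue, 04 Mar 2025 10:15:27 +0000\n"
    "\nbody omitted\n"
)

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def originating_ip(received):
    """Oldest hop first: return the first non-internal IP in a 'from' clause."""
    # Hops recorded before your own trusted edge are sender-supplied and can be forged.
    for hop in reversed(received):
        from_clause = re.split(r"\sby\s", str(hop), maxsplit=1)[0]
        for text in BRACKETED_IP.findall(from_clause):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def collect_report_fields(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # Newest Received header is first; its trailing timestamp is the arrival time.
    arrived = received[0].rsplit(";", 1)[1].strip() if received else msg["Date"]
    return {
        "sender": parseaddr(str(msg["From"]))[1],
        "recipient": parseaddr(str(msg["To"]))[1],
        "received_at": parsedate_to_datetime(str(arrived)).isoformat(),
        "originating_ip": originating_ip(received),
        "headers": raw.split("\n\n", 1)[0],
    }
```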
Submitting the Report
Once you've gathered all necessary information, submit the message for investigation using one of the following methods:
Option 1: Submit Through Message Tracking
- Log in to the Mimecast Administration Console.
- Navigate to Message Center | Message Tracking.
- Select the message you want to report and select the appropriate Report action, to submit the sample for investigation by MSOC.
See Spam / Phishing - Reporting Spam Malware and Phishing for further information.
Option 2: Raise a Support Case
- Raise a case with Mimecast Support, including all the collected information:
  - Sender and recipient email addresses.
  - Date and time received.
  - Originating IP address.
  - Full message headers and metadata.
Investigation and Resolution
After you submit the report, MSOC will conduct a thorough investigation that includes:
- Analysis: Security analysts will examine why the message bypassed your security policies.
- Root cause identification: They'll determine whether the false positive was due to configuration issues, policy gaps, or detection engine limitations.
- Recommendations: Mimecast Support will provide insights and work with you to identify necessary configuration changes.
- Prevention guidance: You'll receive guidance on adjusting your security settings to prevent similar incidents in the future.
The investigation will specifically assess your anti-spoofing policies, Impersonation Protection settings, Advanced BEC detection configurations, spam and malware filters, and other relevant security controls.