This article outlines how to report phishing and spam emails that bypass Mimecast filtering through the Mimecast Administration Console, what information to include, and why reporting False Negatives is critical for improving threat detection across your organization.
Overview
A False Negative occurs when a malicious or spam email bypasses Mimecast's filtering system and is delivered to users' inboxes instead of being blocked. Reporting these emails through the Mimecast Administration Console helps the Threat Detection team update threat signatures and improve protection for your organization and the broader Mimecast customer base. This process is essential for administrators and security team members who manage email security.
Considerations
- You must use the Mimecast Administration Console to report False Negatives rather than forwarding the email manually. Forwarded emails can be altered or lose critical header information needed for analysis.
- Using the Mimecast Administration Console ensures the security team receives the authentic message version exactly as Mimecast received it, prior to any local processing or delivery.
- There is no fixed timeframe for when signature updates will be deployed; however, reporting False Negatives is essential for refining your organization's phishing protection capabilities.
- If you suspect an email represents an active security threat requiring immediate action, report it to your organization's security team for incident response alongside your Mimecast report.
Prerequisites
- Administrator access to the Mimecast Administration Console.
- The ability to locate the original email through Message Tracking or Archive Search features.
- Access to full email headers from the email.
Reporting Process
- Access the Mimecast Administration Console
Log in to the Mimecast Administration Console with your administrator credentials.
- Locate the Original Email
Use one of the following features to find the email:
- Message Tracking: Search for messages by sender, recipient, date range, or subject line.
- Archive Search: Search the email archive for the specific message.
You must report the original email as Mimecast received it, not a forwarded copy.
- Report the Email
- Once you've located the email in Message Tracking or Archive Search, select it.
- Choose the option to report the email through the Mimecast Administration Console interface.
- Categorize the email as Phishing.
- In the comments section, explicitly note "False Negative" so the security team understands this email should have been blocked but was delivered.
- Include your Case Number if you have one.
- Retrieve and Include Email Headers
Obtain the complete email headers from the same sample you reported. Headers can be retrieved directly from Message Tracking or Archive Search. These headers are critical for the security team to analyze how the email bypassed detection. If you're reporting multiple related samples (such as similar phishing emails from the same sender), provide headers for each sample to give the team a complete picture of the attack pattern.
Information to Include in Your Report
To help the Mimecast Threat Detection team analyze the False Negative effectively, organize your report with the following information:
| Information Category | Details to Include |
|---|---|
| Technical Details | Complete email headers from Message Tracking or Archive Search; Sender address (the actual From address); Subject line; Domain information used in the sender address; Authentication protocol results (SPF, DKIM, DMARC) if visible; Attachments present in the email (if you can safely identify them); URLs included in the email body (if you can safely access them) |
| Contextual Information | Suspicious characteristics you've identified; Social engineering tactics employed (urgency, fee requests, impersonation of known services, etc.); Attack patterns if you've noticed multiple similar emails; Any other relevant context that might help with analysis |
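The headers you retrieve in the "Retrieve and Include Email Headers" step carry most of the Technical Details row above. The following Python example is added here and is not Mimecast's code or part of this article: it parses a constructed raw message with the standard library, extracts the From address and its domain, the envelope sender recorded by the gateway, the SPF/DKIM/DMARC outcomes from Authentication-Results, attachment names and URLs from the body (without fetching them), and renders a "False Negative" comment block. Every address, domain and IP in the sample is a placeholder, and the "observations" it lists are the kind of contextual notes the second row asks for.

```python
"""Added example (not Mimecast's code): pull the Technical Details the report asks
for out of the original sample's headers.  The raw message, addresses, domains
and IP below are constructed placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a phishing message as a gateway would have received it.
SAMPLE_RAW = b"""Received: from mail.example-sender.test (mail.example-sender.test [203.0.113.10])
\tby inbound.example-gateway.test with ESMTPS; Mon, 01 Jan 2024 09:00:00 +0000
Authentication-Results: inbound.example-gateway.test; spf=softfail smtp.mailfrom=billing@example-sender.test; dkim=none; dmarc=fail header.from=trusted-brand.example
From: "Trusted Brand Billing" <billing@trusted-brand.example>
To: user@example-customer.test
Subject: URGENT: invoice overdue - pay within 24 hours
Message-ID: <abc123@example-sender.test>
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Pay now at http://pay.trusted-brand.example.evil-example.test/login
"""


def parse_auth_results(msg) -> dict:
    """Read SPF/DKIM/DMARC outcomes from Authentication-Results; 'absent' if not recorded."""
    results = {"spf": "absent", "dkim": "absent", "dmarc": "absent"}
    for value in msg.get_all("Authentication-Results", []):
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(value), re.I):
            results[method.lower()] = outcome.lower()
    return results


def envelope_sender(msg) -> str:
    """Return the smtp.mailfrom recorded in Authentication-Results, or '' if none."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"smtp\.mailfrom=([^\s;]+)", str(value))
        if m:
            return m.group(1)
    return ""


def extract_report_fields(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect the fields the report table lists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # URLs are collected from the text only; nothing here fetches them.
    urls = sorted(set(re.findall(r"https?://[^\s<>\"']+", text)))
    return {
        "from_display_name": display_name,
        "from_address": from_addr,
        "sender_domain": sender_domain,
        "envelope_sender": envelope_sender(msg),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "received_hops": len(msg.get_all("Received", [])),
        "authentication": parse_auth_results(msg),
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
        "urls": urls,
        "url_hosts": sorted({urlparse(u).hostname or "" for u in urls}),
    }


def risk_flags(fields: dict) -> list:
    """Contextual observations worth stating in the report comments."""
    flags = []
    if fields["authentication"]["dmarc"] != "pass":
        flags.append("dmarc-not-pass")
    env_domain = fields["envelope_sender"].rsplit("@", 1)[-1].lower()
    if env_domain and env_domain != fields["sender_domain"]:
        flags.append("header-from-envelope-domain-mismatch")
    for host in fields["url_hosts"]:
        if host and host != fields["sender_domain"] and not host.endswith("." + fields["sender_domain"]):
            flags.append("url-host-outside-sender-domain:" + host)
    return flags


def render_report(fields: dict) -> str:
    """Plain-text block to paste into the report comments, marked False Negative."""
    lines = ["False Negative - delivered message that should have been blocked"]
    for key in ("from_address", "sender_domain", "envelope_sender", "subject",
                "message_id", "received_hops", "authentication", "attachments", "urls"):
        lines.append(f"{key}: {fields[key]}")
    lines.append("observations: " + ", ".join(risk_flags(fields)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(extract_report_fields(SAMPLE_RAW)))
```

Run it against the raw sample exported from Message Tracking or Archive Search rather than a forwarded copy: forwarding replaces the Received chain and Authentication-Results with those of the forwarding hop, which is exactly why the Considerations above insist on the original.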
What Happens After You Report
After you submit your report through the Mimecast Administration Console, the Mimecast Threat Detection team takes the following actions:
- Reviews the email to understand how it bypassed detection.
- Analyzes the headers and content for malicious indicators.
- If confirmed as phishing, updates threat signatures and detection rules.
- Deploys improvements to prevent similar attacks from reaching users in your organization and across the broader Mimecast customer base.
When to Contact Your Security Team
If you believe the email represents an active security threat requiring immediate action, report it to your organization's security team for incident response alongside your Mimecast report. This is especially important if:
- Users may have already clicked on malicious links or downloaded attachments.
- The email appears to target specific individuals or departments.
- The attack seems coordinated or part of a larger campaign.
- Sensitive information may have been compromised.
Recommendations
- Report Promptly: Submit False Negative reports as soon as you identify them to enable faster protection updates.
- Never Forward Manually: Always use the Mimecast Administration Console to preserve the original email integrity.
- Be Thorough: Include as much detail as possible to help the analysis process.
- Report All Instances: If you see multiple similar phishing emails, report each one with its own headers.
- Educate Users: Train your users to recognize phishing attempts and report suspicious emails to IT.
Q: Why can't I just forward the suspicious email to the security team?
A: Forwarded emails can be altered or lose critical header information needed for analysis. The Mimecast Administration Console preserves the authentic message version exactly as Mimecast received it, prior to any local processing or delivery. This is essential for the security team to understand how the email bypassed detection.
Q: How long does it take for signature updates to be deployed after I report a False Negative?
A: There is no timeframe for when signature updates will be deployed. However, reporting False Negatives is essential for continuously refining your organization's phishing protection capabilities and helping to protect the broader Mimecast customer base.
Q: What if I've received multiple similar phishing emails from the same sender?
A: Report each email individually with its own headers. Providing headers for each sample gives the security team a complete picture of the attack pattern and helps them develop more effective detection rules.