Email Security - API - Phishing Protection Policy

This article provides information on the Phishing Protection Policy configuration for Email Security - API.

Overview

The Phishing Protection policy can be configured for Email Security - API with an Action set to either 'Monitor' or 'Protect' to detect and manage credential theft, brand impersonation, and deceptive emails targeting information.

Considerations

  • Every threat family policy will have a default policy defined and accessible. It is not possible to delete the default policy; however, there will be no restrictions on its actions, e.g., it could be configured to monitor for any subsequent detections.

  • Microsoft 365 API Dependency: API-Based Protection relies on Microsoft 365 APIs for: (i) event ingestion and notifications (i.e., to trigger scanning), and (ii) enforcement actions (e.g., moving messages to Junk / Quarantine). If Microsoft APIs are unavailable, delayed, or fail to execute an action, this may impact the timeliness or effectiveness of the service.

  • Customer Responsibilities: To ensure optimal performance of API-Based Protection, customers are responsible for: (i) maintaining valid Microsoft 365 licenses with the required permissions and API access enabled; and (ii) ensuring configuration and permissions remain accurate and up to date.
  • Mimecast's Boundaries of Responsibility: Mimecast's responsibility for Customer Data begins when that data enters the Mimecast environment. Mimecast is not responsible for any delays, failures, or other outcomes attributable to Microsoft API unavailability, non-performance, or third-party service issues.

Default Phishing Protection Policy

The Phishing Protection Policies page contains a default policy at the bottom of the list, which acts as a ‘catch-all’ policy in the event that a recipient is not included in any of the policies listed above this policy.

The default policy will be created when an account is provisioned with a specific configuration, which is scoped from Everyone to Everyone and provides a default level of protection.

In the policy list view, it will not be possible for a customer to delete or re-order the default policy. It will always be pinned at the bottom of the policy list. The ‘Order’ of the policy will always be set to the (number of customer policies in the list + 1), and it will be evaluated last.

In the policy view, it will not be possible to change the Policy Details, Configuration, and Target sections. It will be possible for a customer to change the Actions or Notifications sections (if provided) of the policy.

Default Policy Configuration

The default policy will be configured as follows:

  • Policy Name and Description: Default Phishing Policy; This is the default phishing protection policy created by Mimecast.
  • Activate Policy: Enabled.
  • Target: Sender: Everyone; Recipient: Everyone.
  • Phishing Protection Sensitivity: Moderate (Recommended). This setting provides a balance between protection and the chance of false positives occurring. This is the recommended setting for most customers.
  • Banners Configuration: Disabled. Banners are used to warn users of potential threats in emails.
  • Block Custom Display Names: Disabled. Enable checks for custom display names to help prevent impersonation attacks.
  • Actions: Monitor.

Policy List and Evaluation Order Page

The Policy List page provides a view of all the Phishing Protection policies created, with columns providing key information.


Evaluation Order

Policies are listed in descending order of evaluation. The policy at the top of the list (Numbered 1) will be evaluated first (if relevant), and so on. If a policy is set to ‘No Action’, then that will allow a bypass for the defined sender/recipient.

Phishing Protection Policies can be ordered based on the priority of users to be protected, for example: 

  1. Policy 1: Executives and other high-risk individuals. 
  2. Policy 2: Additional Departments 
  3. Policy 3: Default Policy

In addition to there being a policy evaluation order configurable per threat family, there is also a Mimecast-defined hierarchy based on the risk of the family. The order for the new policies will be:

  1. Malware
  2. Phishing
  3. Spam
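
The evaluation order described above, as an added sketch (not Mimecast code): it assumes the first policy whose Target matches decides the outcome, models only the Everyone, Domain and Email Address targets, and uses made-up policy names and domains. It shows a 'None' policy placed above a Quarantine policy bypassing it, and lists such pairs for review.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    sender: str     # "Everyone", a domain, or a full email address
    recipient: str  # same forms; Address Group targets are not modelled
    action: str     # "Quarantine", "Monitor" or "None"

# Catch-all from the page: Everyone to Everyone, action Monitor, pinned last.
DEFAULT = Policy("Default Phishing Policy", "Everyone", "Everyone", "Monitor")

def overlaps(a: str, b: str) -> bool:
    """True if two targets (or a target and an address) can cover the same mail."""
    a, b = a.lower(), b.lower()
    if "everyone" in (a, b) or a == b:
        return True
    # Otherwise only an address and its own domain overlap.
    return ("@" in a) != ("@" in b) and a.rsplit("@", 1)[-1] == b.rsplit("@", 1)[-1]

def evaluate(custom, sender, recipient):
    """Return (order, name, action) of the first policy whose Target matches."""
    for order, p in enumerate([*custom, DEFAULT], start=1):  # default is n + 1
        if overlaps(p.sender, sender) and overlaps(p.recipient, recipient):
            return order, p.name, p.action

def bypass_shadows(custom):
    """List (bypass, shadowed) pairs: a 'None' policy above an overlapping one."""
    return [(hi.name, lo.name)
            for i, hi in enumerate(custom) if hi.action == "None"
            for lo in custom[i + 1:]
            if lo.action != "None"
            and overlaps(hi.sender, lo.sender)
            and overlaps(hi.recipient, lo.recipient)]

# Constructed policy list, in evaluation order (names and domains are made up).
POLICIES = [
    Policy("Partner bypass", "partner.example", "Everyone", "None"),
    Policy("Executives", "Everyone", "ceo@corp.example", "Quarantine"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "billing@partner.example", "ceo@corp.example"))
    print(evaluate(POLICIES, "someone@other.example", "ceo@corp.example"))
    print(evaluate(POLICIES, "someone@other.example", "staff@corp.example"))
    print(bypass_shadows(POLICIES))
```

Swapping the two constructed policies so that Executives is evaluated first removes the finding, which is the ordering the priority list above recommends.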

Policy Creation, Update, and Deletion

Creating a Policy

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Phishing Protection Policies.
  3. Select Create New Policy.
  4. Complete the fields as follows:

     • Policy Details: Enter a Policy Name and Description (Optional) that will help to easily identify the policy.
     • Activate Policy: Toggle this to activate or deactivate the policy.
     • Target: The policy is applied based on either the sender From (Header) and/or Return (Envelope) Address. Select from:
         • Everyone
         • Domain
         • Address Group
         • Email Address
     • Phishing Protection Sensitivity: Adjust the sensitivity level to control how strictly phishing attempts are detected:
         • Relaxed: This setting reduces false positives by being less strict when identifying phishing attempts, helping to minimize disruption while still providing basic protection.
         • Moderate (Recommended): This setting provides a balance between protection and the chance of false positives occurring. This is the recommended setting for most customers.
         • Aggressive: This setting offers the highest level of protection from phishing but may result in more false positives.
     • Banners Configuration: Option to enable banners. Banners are used to warn users of potential threats in emails.
     • Block Custom Display Names: Option to enable checks for custom display names to help prevent impersonation attacks.
     • Actions: Select an action to be applied:
         • Quarantine: Action will be taken upon discovery of a threat.
         • Monitor: Evaluate the policy and record the result for Analysis & Response. Take no action.
         • None: Bypass the policy. Don't record results or take an action. Default value.
     • Notifications (Optional): Choose who will be notified when this policy is applied. You can choose from:
         • Groups
         • Internal Recipient

  5. Click Create Policy.

You will see a confirmation that the policy has been successfully created.

Editing a Policy 

To edit an existing Policy:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Phishing Protection Policies.
  3. Click the appropriate three-dot icon next to the policy and select Edit.

You can edit the policy order by selecting Edit.


Note

  • If policies are not configured with a Quarantine or Monitor action, a banner will appear indicating that a policy must be created or that Actions must be updated to ensure protection.
  • The Duplicate option can be selected to create a duplicate version of the selected policy.

  4. Make any required changes and click Save.

Edit Order can be used to reorder the Policy List.


Deleting a Policy

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | Phishing Protection Policies.

  3. Click the appropriate three-dot icon next to the policy and select Delete.

  4. Confirm by clicking Delete.

You will see a confirmation that the policy has been successfully deleted.
