Email Security - API - URL Scanning Configuration for Malware and Phishing Protection Policies

This article provides information on URL Scanning Configuration for API-Based Email Security's Malware and Phishing Protection Policies. 

Overview 

The URL Scanning Configuration can be configured for Email Security - API to enable real-time URL and QR code scanning to identify malware, phishing, and other threats.

Considerations 

  • A higher URL Scanning Sensitivity setting will identify more threats but may block legitimate sites, while a lower URL Scanning Sensitivity setting reduces disruption but may increase risk. Moderate sensitivity is the recommended setting for most organizations.

  • Consider creating a 'Do Not Scan' configuration for phishing simulation emails to prevent false positives and avoid triggering alerts on controlled security testing.  

  • The URL scanning level cannot be configured for individual threat policies. 

  • The URL configuration will apply to all URLs scanned for the defined user/groups, whether that is for malware or phishing detection.

  • When a URL with either a malware or phishing payload is detected, then the relevant policy, e.g., malware or phishing, for that user will be triggered and the associated action applied.

  • The configuration does not currently allow for URL rewriting.

  • Microsoft 365 API Dependency: API-Based Protection relies on Microsoft 365 APIs for: (i) event ingestion and notifications (i.e., to trigger scanning), and (ii) enforcement actions (e.g., moving messages to Junk / Quarantine). If Microsoft APIs are unavailable, delayed, or fail to execute an action, this may impact the timeliness or effectiveness of the service.

  • Customer Responsibilities: To ensure optimal performance of API-Based Protection, customers are responsible for: (i) maintaining valid Microsoft 365 licenses with the required permissions and API access enabled; and (ii) ensuring configuration and permissions remain accurate and up to date.
  • Mimecast's Boundaries of Responsibility: Mimecast's responsibility for Customer Data begins when that data enters the Mimecast environment. Mimecast is not responsible for any delays, failures, or other outcomes attributable to Microsoft API unavailability, non-performance, or third-party service issues.

Overview

A URL scanning configuration is required for the threat detection of Malware and Phishing. The URL Scanning Configuration allows you to control how aggressively emails are scanned for Malicious URLs, so that they can be identified and blocked from reaching your organization. 

The Mimecast URL scanning engine is capable of detecting URL payloads that are Malware and Phishing. The centralised URL Scanning Configuration page allows the URL scanning level to be set for individual users or groups of users. 

Default URL Scanning Configuration

The URL Scanning Configuration page contains a default configuration at the bottom of the list, which acts as a ‘catch-all’ in the event that a recipient is not included in any of the configurations listed above it.

This default configuration is created when an account is provisioned. The configuration will be scoped from Everyone to Everyone and provide a default level of protection. For more information, see the individual policies articles listed below.

In the configuration list view, it is not possible to delete or re-order the default configuration. It will always be pinned at the bottom of the configuration list. The ‘Order’ of the configuration will always be set to the (number of customer configurations in the list + 1), and it will be evaluated last.

  • In the configuration view, it is not possible to change the Configuration Details and Target sections. However, you are able to change the URL Scanning Sensitivity setting.

Default Configuration

The default URL Scanning Configuration will be configured as follows:

  • Policy Name and Description: Default URL Scanning Configuration; This is the default URL scanning configuration created by Mimecast.
  • Activate Configuration: Enabled.
  • Target: Sender: Everyone; Recipient: Everyone
  • Configuration: Determine the sensitivity level for the URL categorization when the engine handles potentially dangerous categories.
  • URL Scanning Sensitivity: Moderate (Recommended): This setting provides a balance between protection and the chance of false positives occurring. This is the recommended setting for most customers.

Policy List and Evaluation Order Page

The configuration list page provides a view of all the URL Scanning Configurations created, with columns providing key information.

Evaluation Order

Policies are listed in descending order of evaluation. The policy at the top of the list (Numbered 1) will be evaluated first (if relevant), and so on. If a policy is set to ‘Do Not Scan’, that will allow a bypass for the defined sender/recipient.

URL Scanning Configuration can be ordered based on the priority of users to be protected, for example: 

  1. Policy 1: Executives and other high-risk individuals. 
  2. Policy 2: Additional Departments 
  3. Policy 3: Default Policy

In addition to a policy evaluation order configurable per threat family, there is a Mimecast-defined hierarchy based on the family's risk. The order for the new policies is:

  1. Malware
  2. Phishing
  3. Spam
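
The ordered evaluation of URL Scanning Configurations described in this section, as an added example that is not Mimecast code. It assumes the first active configuration matching both sender and recipient wins; the UrlScanConfig model, its field names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class UrlScanConfig:  # hypothetical row model; field names are assumptions
    order: int
    name: str
    sender: tuple      # ("everyone",) | ("domain", d) | ("group", {..}) | ("address", a)
    recipient: tuple   # same shapes as sender
    sensitivity: str   # Relaxed | Moderate | Aggressive | Do Not Scan
    active: bool = True

def target_matches(target, address):
    """True if the address falls inside one of the page's four target types."""
    kind, address = target[0], address.lower()
    if kind == "everyone":
        return True
    if kind == "domain":
        return address.rsplit("@", 1)[-1] == target[1].lower()
    if kind == "group":
        return address in {a.lower() for a in target[1]}
    if kind == "address":
        return address == target[1].lower()
    raise ValueError(f"unknown target type: {kind}")

def effective_config(configs, sender, recipient):
    """First active row, lowest order first, that matches sender and recipient."""
    for cfg in sorted(configs, key=lambda c: c.order):
        if (cfg.active and target_matches(cfg.sender, sender)
                and target_matches(cfg.recipient, recipient)):
            return cfg
    raise LookupError("no row matched: the Everyone-to-Everyone default is missing")

def broad_bypasses(configs):
    """Names of active Do Not Scan rows whose sender scope is Everyone or a whole Domain."""
    return [c.name for c in configs if c.active
            and c.sensitivity == "Do Not Scan"
            and c.sender[0] in ("everyone", "domain")]

# Constructed sample list; the default sits last at (customer rows + 1).
CONFIGS = [
    UrlScanConfig(1, "Phishing simulation", ("address", "sim@phishtest.example"),
                  ("everyone",), "Do Not Scan"),
    UrlScanConfig(2, "Executives", ("everyone",),
                  ("group", {"ceo@corp.example", "cfo@corp.example"}), "Aggressive"),
    UrlScanConfig(3, "Vendor bypass", ("domain", "vendor.example"),
                  ("everyone",), "Do Not Scan"),
    UrlScanConfig(4, "Default URL Scanning Configuration", ("everyone",),
                  ("everyone",), "Moderate"),
]
```

In this sample the simulation bypass at order 1 also covers mail addressed to the Executives group, so a 'Do Not Scan' row is best scoped to a single sender address and reviewed whenever the list is reordered.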

URL Scanning Configuration Creation, Update, and Deletion

Creating a Configuration 

To create a new URL Scanning Configuration:

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | URL Scanning Configuration.

  3. Select the Create New Configuration button.

  4. Complete the fields as follows:

  • Configuration Details: Enter a Configuration Name and Description (Optional) that will help to easily identify the policy.
  • Activate Policy: Toggle this to activate or deactivate the Configuration Policy.
  • Target: The policy is applied based on either the sender From (Header) and/or Return (Envelope) Address. Select from:
      • Everyone
      • Domain
      • Address Group
      • Email Address
  • URL Scanning Sensitivity: Determine the sensitivity level for URL categorization when the engine handles potentially dangerous categories, by selecting one of the following four levels:
      • Relaxed: This setting is for organizations with a higher risk tolerance and may reduce the occurrence of false positives for malicious URLs.
      • Moderate (Recommended): This setting provides a balance between protection and the chance of false positives occurring. This is the recommended setting for most customers.
      • Aggressive: This setting offers the highest level of protection from malicious URLs in emails but may result in more false positives.
      • Do Not Scan: This setting disables URL scanning for emails matching this configuration.

  5. Click Create Configuration.

You will see a confirmation that the policy has been successfully created.

Editing a Configuration Policy 

To edit an existing configuration policy: 

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | URL Scanning Configuration.

  3. Click the appropriate three-dot icon next to the policy and select Edit.

  4. Make any required changes and click Save.

The Duplicate option can be selected to create a duplicate version of the selected policy.

The Edit Order option can be used to reorder the Policy List.

Deleting a Policy 

To delete an existing URL Scanning Configuration policy:

  1. Log in to the Mimecast Administration Console.

  2. Navigate to Policies | URL Scanning Configuration.

  3. Click the appropriate three-dot icon next to the policy and select Delete.

  4. Confirm by clicking Delete.

You will see a confirmation that the policy has been successfully deleted.
