This page outlines Block Rules that can be configured for Email Security - API-Based Protection.
Overview
Block Rules provide proactive, organization-wide threat prevention by enforcing a deny-first approach and taking action when a phishing campaign or emerging threat is detected. These rules allow you to specify and filter who or what is allowed into your environment, and can be applied to:
- Sender Email Addresses.
- Sender Email Domains.
- URLs.
Considerations
Block Rules apply to emails only (Teams, OneDrive, and SharePoint files are not included).
When integrating Mimecast with your third-party tools for threat sharing, additional blocked sender rules will be created.
Single block rules are applied to all policies.
Individual policy block lists are not supported.
Block Rules will override your Policy detection actions, as well as any allowlists.
Supported Blocking Categories
The API-based Email Security deployment option supports blocking actions across two categories:
By URL (domain-level or explicit URL blocking).
By sender (domain-level or explicit sender blocking).
Blocking by Sender can be done by configuring a single Blocked Senders policy, with the addresses added to a local group.
The API endpoints that support this capability use public API 2.0.
URL Exception Types
There are two ways to add URL exceptions: by domain or by exact URL.
Domain-Level Exceptions
Domain-level exceptions support wildcard notation to control whether subdomains are included. The following formats are supported:
| Format | Scope |
| --- | --- |
| https://domain.com | Exact domain only. |
| https://*.domain.com | All subdomains of the specified domain. |
When using wildcards, a single asterisk (*) is permitted, but only at the start of a domain and must be followed by a period (.). For example, http://*.domain.com and https://*.subdomain.com are valid. The following formats are not supported: domain.*, *.domain.com*, subdomain.*, www.*.com.
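The wildcard rules above can be checked before entries are submitted in bulk. The following is an added example, not Mimecast code: the function names are hypothetical, requiring an http:// or https:// prefix follows the formats in the table and is an assumption, as is treating `*.domain.com` as covering subdomains but not the bare domain.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def split_pattern(pattern):
    """Return (scheme, host) for an entry such as 'https://*.domain.com'."""
    scheme, sep, rest = pattern.strip().lower().partition("://")
    if not sep:                       # entry was written without a scheme
        scheme, rest = "", scheme
    return scheme, rest.split("/", 1)[0]

def check_domain_pattern(pattern):
    """Return (ok, reason) for a domain-level entry, per the rules above."""
    scheme, host = split_pattern(pattern)
    if host.count("*") > 1:
        return False, "only a single asterisk is permitted"
    if "*" in host and not host.startswith("*."):
        return False, "asterisk must start the domain and be followed by a period"
    labels = (host[2:] if host.startswith("*.") else host).split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(lab) for lab in labels):
        return False, "not a well-formed domain"
    if scheme not in ("http", "https"):   # assumption: scheme is required
        return False, "missing http:// or https://"
    return True, "ok"

def pattern_covers(pattern, url):
    """True if the host of `url` is inside the scope of a valid `pattern`."""
    if not check_domain_pattern(pattern)[0]:
        return False
    _, host = split_pattern(pattern)
    target = (urlsplit(url).hostname or "").lower()
    if host.startswith("*."):
        # Compare against ".domain.com" so "evildomain.com" is not a match.
        # Assumption: the wildcard covers subdomains only, not the bare domain.
        return target.endswith(host[1:])
    return target == host                 # exact domain only

if __name__ == "__main__":
    for entry in ("https://*.domain.com", "domain.*", "*.domain.com*", "www.*.com"):
        print(entry, "->", check_domain_pattern(entry))
```
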
Exact URL Exceptions
Exact URL exceptions require the full URL, including the protocol, for example, https://app.vendor.com/login/callback. The rule applies only to that specific URL.
Microsoft Teams URLs: Entering a Teams URL such as https://teams.microsoft.com/l/meetup-join/ will allow that URL and anything appended after the specified path, providing broader support for Teams collaboration links.
URL Allowlists are useful for the following scenarios:
- Legitimate business applications and services.
- Third-party vendor portals and tools.
- Internal company resources and applications.
- Known safe marketing and communication platforms.
- Microsoft Teams meeting URLs and collaboration tools.
Block Rules Application Workflow
When a Block Rule is triggered, the following will happen:
- The message is scanned. All scan engines evaluate the email completely.
- The Block Rule is applied if there is a match. Scan results are available in Analysis & Response (A&R).
- The email is quarantined, and the end user cannot access it. Block rules are applied afterwards and override any policy actions.
- The Action and the detection (Spam, Malware, or Phishing) are logged in Analysis & Response (A&R).
Block rules are organized in a single ordered list, evaluated top-down with the first matching rule taking effect. This list applies universally across all policies — per-policy block lists are not supported.
Multi-Threat Email Handling
Example Scenario: An email contains two URLs:
- blocked.com (shared from CrowdStrike) has a block rule.
- domain.com (benign) does not have a block rule.
The Processing Result is as follows:
- The message will be quarantined as it has two URLs.
- Whilst domain.com is benign, and no policies apply, the Block Rule for the other domain will apply.
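A small model of the evaluation described above: one ordered list, the first matching rule taking effect, and a single matching URL quarantining the whole message. This is an added example, not Mimecast code; the rule tuples, function names and the phish.example / partner.example addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample rule list, in evaluation order (top first).
# Each rule: (kind, value, source); kinds mirror what Block Rules can target.
RULES = [
    ("sender", "billing@phish.example", "manual"),
    ("sender_domain", "phish.example", "manual"),
    ("url_domain", "blocked.com", "CrowdStrike"),
    ("url_domain", "*.blocked.com", "manual"),
]

def rule_matches(rule, sender, host):
    kind, value, _ = rule
    if kind == "sender":
        return sender == value
    if kind == "sender_domain":
        return sender.rpartition("@")[2] == value
    if value.startswith("*."):            # wildcard: subdomains only (assumed)
        return host.endswith(value[1:])
    return host == value

def evaluate(sender, urls, rules=RULES):
    """Return (verdict, hits); hits holds the first matching rule per item."""
    sender = sender.lower()
    hits = []
    # The sender is one item to check; every URL in the body is another.
    items = [("sender", None)] + [("url", u) for u in urls]
    for label, url in items:
        host = (urlsplit(url).hostname or "").lower() if url else ""
        for index, rule in enumerate(rules):          # top-down
            if (rule[0] == "url_domain") != (label == "url"):
                continue                              # rule kind does not apply
            if rule_matches(rule, sender, host):
                hits.append((url or sender, index, rule[2]))
                break                                 # first match takes effect
    # One hit is enough: the benign URL does not rescue the message.
    return ("quarantine" if hits else "no block rule", hits)

if __name__ == "__main__":
    print(evaluate("alice@partner.example",
                   ["https://blocked.com/login", "https://domain.com/news"]))
```
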
Viewing, Editing & Deleting Rules
Viewing Rules
You can view your current list of Block/Allow rules in the Mimecast Administration Console by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Policies | Allow & Block Rules.
From here, you can view a list of rules with the following heading criteria.
- Action
- Source
- Reason
- Comments
- Created
- Last Modified: You can sort the list by oldest-newest or newest-oldest
Editing Rules
To Edit an existing rule entry, select the specific rule (Sender or URL Rule) from the Allow & Block Rules list by clicking on the entry itself and then making any necessary changes on the Edit Sender/Edit URL rule screen.
Alternatively, click the three-dot options button on the far right-hand side of the column list and select Edit.
Deleting Rules
To Delete an existing rule entry, select the specific rule (Sender or URL Rule) from the Allow & Block Rules list by clicking the entry itself and selecting the Delete button at the top of the View/Edit screen.
Alternatively, click the three-dot options button on the far right-hand side of the column list and select Delete.
Deleting a rule will trigger a confirmation pop-up box, asking you to confirm the action, as deleted rules cannot be recovered.
Creating a Sender-Based Rule
You can create an Allow/Block list based on a sender's email address or domain by using the following steps:
- Log in to Mimecast Administration Console.
- Navigate to Policies | Allow & Block Rules.
- Select the Sender tab. (This tab is selected by default when you land on this page.)
- Click Create New Rule.
- Complete the Sender Rule Details page as follows:
Use the Comments section to document the rule's purpose, ticket references, and other relevant details.
- Select the Block Action.
- In the Criteria field, use the Select Group button to choose one or more local Groups to which the Allow Rule should be applied.
- Click Select Group in the bottom-right corner of the popout to confirm your choice.
You can create a new Group by navigating to Users & Groups | Profile Groups.
- Click Create Rule.
Creating a URL-Based Rule
You can create a URL-based Rule for the Allow/Block list by using the following steps:
- Log in to Mimecast Administration Console.
- Navigate to Policies | Allow & Block Rules.
- Select the URLs tab.
- Click Create New Rule.
- Complete the Sender Rule Details page as follows:
Use the Comments section to document the rule's purpose, ticket references, or other relevant details.
- Select the Block action.
- In the Criteria field, select Domain or Explicit, then enter the domain(s) or URL(s) to which the Block Rule should be applied.
- Click Create Rule.