This article contains information on Mimecast's Analysis and Response for Email Security - API, including its features for threat detection, analysis, and response, prerequisites for access, detection categories, Message Actions, and tools such as Malware Analysis. It is intended for Administrators.
Prerequisites
You are logged in as an Administrator of the Mimecast Administration Console, with a custom role that has the Application Permission for Analysis & Response Menu | Analysis & Response configured as required:
- Read: to view data in Mimecast Analysis & Response (not including message contents).
- Edit: to view data in Mimecast Analysis & Response and take actions, e.g., Message Actions.
- Content View: to view message content. This is a protected permission, which only a Super Administrator is able to assign to a custom role. Content View is not available yet and will be part of a future enhancement.
If the correct permissions are not assigned or are insufficient, your detection categories will display an Error fetching data status, as shown below:
To perform a Secure User action, you must have a role with Edit permission for Mimecast Analysis and Response, or one of the following roles:
- Super Administrator.
- Full Administrator.
- Basic Administrator.
- Partner Administrator.
Overview
The Overview provides a quick insight into detections in your environment.
You can view data over a period ranging from 24 hours to the last 90 days, by selecting from the Date range drop-down, or by selecting a custom range of up to 90 days via the Start Date - End Date date selector field.
The data displayed covers inbound detections made by Email Security - API-Based Protection, over a maximum period of 90 days, and includes the following events:
- Malware detections.
- Phishing detections.
- Spam detections.
Detection Categories
The threat statistic cards display counts of detections for the following threat categories:
- Malware
- Phishing
- Spam
Total Detections & Timeline
Analysis Tab
The threat categories are reflected in the Total Detections donut chart and the timeline view. See Detection Subcategories for further information on threat subcategories.
The volumes for all threat categories are displayed on the cards and timeline. When a threat is addressed to multiple recipients, the associated card on the Overview page is increased by the number of recipients it was sent to. However, on the Detections page, the same threat appears in a single row.
You can click on each threat statistic card to see a filtered list of Detections. Within the list of Detections, you can Search for detections over a period ranging from 24 hours to the last 90 days by selecting from the Date range drop-down, or by selecting a custom range of up to 90 days via the Start Date - End Date date selector field.
Analysis Tab showing Malware, Spam, and Volume of emails selected.
Details Tab
The Details tab in the Total Detections & Timeline chart indicates the trend of the Detection subcategories to provide insight into the types of attacks that are taking place in your organization. In this tab, you are also able to click on each statistic to see a filtered view.
Details tab showing BEC selected.
Top Attacks by Threat Details
The Top Attacks by Threat Details chart shows the top 10 detection subcategories, displaying the count and the percentage for each attack method/detection subcategory. Clicking one of the bars in this chart will take you to the Detections Page, filtered by the specific subcategory.
Impersonation Insights
The Impersonation Insights section shows the most impersonated brands targeting Your Organization (left) and Your Industry (right).
Top Insights Overview
Top Targeted Recipients
This table shows the counts of detections by user to help identify the most at-risk users. Click View All Targeted Users to see the full list of users over up to 90 days, depending on the dashboard time frame selected. You can also search by a specific user email address and export the results to a CSV file.
Top Malicious Senders
The Top Malicious Senders table shows counts of detections by sender to highlight those that pose a risk to your organization. Click View All Malicious Senders / Uploaders to see the full list of senders over up to 90 days, depending on the selected dashboard time frame. You can also search by a specific sender email address and export the results to a CSV file.
Top Unsafe Domains
The Top Unsafe Domains table lists the top 5 domains hosting unsafe URLs.
You can also navigate to the Detections page from any of these charts by clicking View All Detections.
You can drill down to Detections from Top Targeted Users, Top Malicious Senders, or Top Unsafe Domains by selecting an individual user or domain.
Recent Detections
Detections
| Column Name | Description |
| --- | --- |
| Content | Displays the subject line of the email and any malicious files or URLs detected. If there is more than one item, you will see how many more there are, e.g. "+3". You will need to click on the row to see details for all items. |
| Service | The source of the detection. Currently, the source will always be email, but will include other communication and collaboration tools in the future. |
| Policy/Rule | Indicates the specific Policy that was triggered and the Action that has taken place. For example: Default Phishing Protection Policy, Action: Monitor. |
| Analysis | The high-level detection category. |
| Details | Lower-level detection categories and information. |
| Status | The current status of the Action and whether this is complete. |
| Recipient | The recipients of the threat. If there is more than one recipient, you will see how many more there are, e.g. "+3". You will need to click on the row to see details for all recipients. |
| Sender | The Sender of the threat. |
| Date/Time | Date and time of the event. |
- The details filter is dynamic based on the detections shown on the screen.
- You can still search for data if the corresponding column is hidden.
Click on Filter to filter the detections by specific fields/values. Filters can be removed by clicking on Clear All Filters.
Message Actions
From the Detections page and the Analysis Details page, you can take the following actions directly on individual messages without navigating to another product area. Actions are logged in the Audit Log with administrator details, timestamp, and message identifiers.
| Action | Description |
| --- | --- |
| Release | Releases a quarantined message to the recipient's mailbox, and you can optionally add comments. |
| Remove | Removes a delivered message from the recipient's inbox. |
| Delete | Deletes a message from the quarantine queue without delivering it to the mailbox. This action is not reversible. |
| Restore | Restores a previously removed message to its original location. Status updates to Manually Restored. |
| Report | Reports a message to Mimecast. You must select a category (Safe, Malware, Phishing, or Spam) and you can optionally add comments. |
Bulk Actions
You can perform actions on multiple messages simultaneously from the Detections page. Select the messages you want to action using the checkboxes, then choose an action from the Bulk Action menu.
Before any bulk action is applied, a confirmation dialog summarises the messages that will be affected. Only messages meeting the status criteria for the selected action are included.
Analysis Details
When drilling down from a specific event, the Analysis Details page provides more information to aid understanding of the threat and what actions have been taken, and allows you to take actions on the individual item. The following information is visible on the Analysis Details page:
- The Analysis panel displays an overview of the Analysis (Threat Classification), Status, and Recipients.
- The Policy panel indicates the Policy Name and the corresponding Action that has been taken.
- The Analysis Overview panel displays the Email Authentication check results (Graymail, SPF, DKIM, and DMARC).
- The Message panel contains the following:
  - Toggles to enable or disable the Display content and Show extractions options.
  - Subject, Sender, Recipient, Direction, Date/Time, Message ID, and Message Size.
  - Options to View Original Email Headers or Download .EML.
  - Body: disabled by default; enable it using the Display Content button.
A single message corresponds with a single user.
Emails are classified at the time of delivery based on scans of their content, URLs, and attachments. Mimecast will include more detection details, particularly for URL and file detections, and also highlight the hierarchy of attachments and URLs, e.g., to illustrate whether a URL was in the body of an email vs an attachment.
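The Analysis Overview panel summarises the SPF, DKIM and DMARC results, and the Message panel lets you download the original .EML. The following added example (not Mimecast code) shows how those verdicts are read from the message's own Authentication-Results header, and adds the one check an analyst usually wants next: whether the authenticated identifiers align with the domain shown in the From header. The sample .EML, the authserv-id, domains, IP address and DKIM selector are all constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample .EML (not a real Mimecast download). The authserv-id,
# domains, IP address and DKIM selector are made-up placeholders.
SAMPLE_EML = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=bounce.example.org;
 dkim=pass header.d=example.org header.s=sel1;
 dmarc=fail (p=reject) header.from=example.com
From: "Finance" <cfo@example.com>
To: user@example.net
Subject: Urgent wire transfer
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <constructed-001@example.org>

Please process the attached invoice today.
"""

METHODS = ("spf", "dkim", "dmarc")


def parse_authentication_results(raw_eml):
    """Return {method: (result, {property: value})} for spf/dkim/dmarc, read
    from every Authentication-Results header. RFC 8601 layout is
    'authserv-id; method=result prop=value ...; method=result ...'."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split into the authserv-id and result clauses.
        unfolded = " ".join(str(header).split())
        clauses = [c.strip() for c in unfolded.split(";")]
        for clause in clauses[1:]:
            pairs = re.findall(r"([\w.]+)=([^\s()]+)", clause)
            if not pairs:
                continue
            method, result = pairs[0][0].lower(), pairs[0][1].lower()
            if method in METHODS:
                # Remaining key=value tokens (header.d, smtp.mailfrom, and the
                # informational p= policy tag inside the comment) are kept as
                # properties of that method's result.
                results[method] = (result, dict(pairs[1:]))
    return results


def from_domain(raw_eml):
    """Domain of the RFC 5322 From header, which is what DMARC aligns against."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    addresses = msg["From"].addresses
    return addresses[0].domain.lower() if addresses else ""


def summarize(raw_eml):
    """Reproduce the SPF/DKIM/DMARC verdicts shown in the Analysis Overview
    panel and report whether either authenticated domain matches the visible
    From domain (the alignment DMARC requires)."""
    results = parse_authentication_results(raw_eml)
    visible = from_domain(raw_eml)
    verdicts = {m: results.get(m, ("none", {}))[0] for m in METHODS}
    failed = [m for m in METHODS if verdicts[m] != "pass"]
    spf_props = results.get("spf", ("none", {}))[1]
    dkim_props = results.get("dkim", ("none", {}))[1]
    spf_domain = spf_props.get("smtp.mailfrom", "").split("@")[-1].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    aligned = visible != "" and visible in (spf_domain, dkim_domain)
    return {
        "from_domain": visible,
        "verdicts": verdicts,
        "failed": failed,
        "aligned": aligned,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

In the constructed message DKIM passes but for a different domain than the one in the From header, and SPF fails, so DMARC fails under the sender's published reject policy; the aligned flag makes that mismatch explicit rather than leaving the analyst to compare header.d and header.from by eye.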
Malware Analysis
Malware Analysis provides forensic reports for malicious file detections that have undergone dynamic analysis in the sandbox. The Download Report option is only visible when a report is available, which, on average, takes less than one minute after a sandbox detection has been made.
API Endpoints for Detection Statistics
To retrieve Mimecast Analysis and Response data over API, see the Mimecast Developer Portal.
Detection Subcategories
The table below shows the detection subcategories for Mimecast Analysis and Response.
| Analysis Category | Details Subcategory | Description |
| --- | --- | --- |
| Malware | ADWARE | A type of malicious software that displays unwanted advertisements. It is often disguised as legitimate software or installed silently alongside legitimate software. |
| Malware | CVE | A detection associated with a publicly known security vulnerability. The full CVE identifier is provided. |
| Malware | DOWNLOADER | Malware that is designed to download other malicious files. |
| Malware | DROPPER | A file that is designed to install malware. |
| Malware | EXPLOIT | An attack that takes advantage of known vulnerabilities. |
| Malware | MALICIOUS FILE | A malicious attachment or file detection. |
| Malware | MALSPAM | An email that delivers malware and was detected by the anti-spam engine. |
| Malware | RANSOMWARE | A type of malware that prevents access to data, usually through encryption, until a ransom is paid. Additionally, attackers will often exfiltrate the data and threaten to release or sell it. |
| Malware | TROJAN | Malware that is hidden inside a legitimate application and installed without the user's knowledge. |
| Malware | WORM | Malware that can replicate or propagate to infect other systems. |
| Phishing | ADVANCED FEE FRAUD | A form of fraud and one of the most common types of confidence tricks. The scam typically involves promising the victim a significant share of a large sum of money in return for a small up-front payment, which the fraudster requires in order to obtain the large sum. Examples include 419 and loan scams. |
| Phishing | BANKING FRAUD | Phishing attempts using bank-themed mail with the aim of getting the target to reveal the login information for their bank account. |
| Phishing | BEC - WHALING | A highly targeted type of business email compromise (BEC) attack aimed at senior leaders or executives to trick them into transferring a significant sum of money or sharing valuable data. |
| Phishing | CREDENTIAL HARVESTING | An attack designed to steal login data, usually usernames and passwords. |
| Phishing | CRYPTOCURRENCY EXTORTION | Attacks that threaten to release sensitive or personal information about users or organizations unless a payment is made in cryptocurrency. |
| Phishing | FAKE LOGIN | Web pages that impersonate genuine login portals to steal credentials. |
| Phishing | FRAUD | Attacks designed to trick a victim into performing an action, such as transferring money or sharing sensitive data. |
| Phishing | IMPERSONATION | A threat where the sender is impersonating another entity or organization. |
| Phishing | PHISHING URL | The detected phishing attack was delivered via a link. |
| Phishing | ROMANCE FRAUD | Occurs when strangers feign romantic intentions, gain the affection of victims, and then use that goodwill to gain access to the victims' money, bank accounts, credit cards, passports, and/or national identification numbers, or get the victims to commit financial fraud on their behalf. |
| Phishing | SCAM | Attacks designed to obtain money through fraud. |
| Spam | BACKSCATTER | Backscatter occurs when malicious emails are sent with a spoofed sender address and bounced by the receiving mail server. This generates an automated non-delivery report to the spoofed sender address. In high volumes, this can lead to denial of service. |
| Spam | SNOWSHOE | Snowshoe is a spam detection evasion technique that uses a large number of IP addresses to spread out the spam load, making it harder to identify and block the malicious emails. |
| Spam | GRAYMAIL | Graymail is typically defined as "mail I want, but just not in my inbox right now". Examples include newsletters and marketing emails that you have subscribed to, but which are not person-to-person email communication. |
| Spam | UNSOLICITED BULK MAIL | The formal name for spam emails that users have not subscribed to and do not want in their inbox. |
| Spam | ADULT SPAM | Spam emails that may include pornographic content or links to pornographic sites. |
| Spam | PHARMACY SPAM | Spam emails that advertise the sale of medications or medical products. |
| Spam | RECRUITMENT SPAM | Unsolicited messages that advertise job opportunities. |
| Spam | RELIGION | Spam messages associated with religious organizations or beliefs. |
| Spam | RETIREMENT SPAM | Unsolicited messages related to pensions, retirement planning, or investments. |
| Spam | DDOS | The aim of a Distributed Denial of Service (DDOS) attack is to take down a system by overwhelming it with requests. Huge volumes of emails are sent to a victim's email address or service, utilizing a network of attacker-controlled devices (botnet) to spread the volume and reduce the chance of detection. |
| Spam | EMAIL VALIDATION | Validation spam is sent to confirm that email addresses exist. It is usually sent from freemail addresses with very little body content to avoid getting blocked. |
| Spam | LOW REPUTATION | An element of the message has previously been identified as malicious. |
| Spam | SENDING MTA DETECTION | An MTA that handled the message in the transmission chain considers it likely to be spam (e.g., Microsoft has marked the message as spam in the headers). |
| Suspicious | ABUSED LEGITIMATE SERVICES | Legitimate services that can be used in everyday business mail but which are often used in malicious campaigns or to hide the attacker's intent, e.g., Dropbox-hosted PDFs, Office forms asking for passwords, etc. |
| Suspicious | BEC - COMPROMISED ACCOUNT | The message is suspicious and may have been sent from a legitimate business account that has been compromised. |
| Suspicious | FORGED HEADERS | Headers fraudulently added to a message to make it appear to have been sent or received from a system that it did not pass through. |
| Suspicious | LOW REPUTATION | An element of the message has previously been identified as malicious. |
| Suspicious | SUSPICIOUS BODY CONTENT | The message body contains suspicious content. |
| Suspicious | SUSPICIOUS HEADER CONTENT | The message headers exhibit a suspicious pattern not usually seen in legitimate mail. |
| Suspicious | SUSPICIOUS HEADER STRUCTURE | Bad structure in the message headers, which is often caused by a mailing script or a poorly configured message transfer agent. |
| Suspicious | SUSPICIOUS MESSAGE CONTENT | The message has suspicious characteristics. |
| Suspicious | SUSPECTED SPAM | The message is likely to be spam. |
| Unwanted | BLOCKED URL | The detection was triggered by a managed URL. |
The following data improvements are now available:
URL Detections
URL detection details are shown in the following format:
- Summary
- Verdict
- Original URL
- Detected URL
- Action on click
- User
- User IP
- User Agent
File Detections
File detections have summary details, as shown in the image below: