The examples below are not necessarily specific to integrations, and many require manual initial setup within Mimecast. They are meant to show how external intelligence can help Mimecast better protect customers.
For information on group management API endpoints, you can visit the Directory Endpoints documentation.
Assumptions
This document uses terms and phrases that may be specific to Mimecast. To learn more about Mimecast terminology and capabilities (policies, groups, etc.), please refer to Mimecaster Central.
Mail Flow
Mail flow actions are organized in proactive and reactive groups:
- Proactive groups are commonly professional service organizations and financial institutions, where protecting intellectual property, finances and reputation are key factors.
- Reactive groups are commonly healthcare organizations, where a failure to communicate in a timely manner could affect the well-being of a person.
Outbound and internal
Proactive actions:
| Proactive Action | Example | Prevention Type | More Information |
| --- | --- | --- | --- |
| Block a user from sending to the customer's top-10 client or vendor group | High-risk user is not able to represent the company | Supply-chain attack, Insider threat | Using a group that contains a high-risk user and another group that contains the "Top-10" list, a Blocked Sender Policy can be created to prevent the first group from communicating with the second group |
| Block a user from sending any email outbound | User is not able to use email as a point of data exfiltration to their personal account | Insider threat, Potential leaver | A Blocked Sender Policy can be applied using the group |
| Stricter scanning is applied to URLs (e.g., questionable, but not outright malicious) in all outbound email from a user, to identify an attempted supply-chain attack or insider threat | High-risk user is not able to send a link to a domain similar to their own or a client's domain | Supply-chain attack, Insider threat | An alternate URL Protection policy can be applied |
| Prevent a user from sending specific attachment types, regardless of their scan results | High-risk user is not allowed to send out zipped or password-protected zip files | Supply-chain attack, Insider threat, Potential leaver | An alternate Attachment Management policy can be applied |
| Hold all outbound emails for a user | High-risk user is not able to represent the company at all, and messages must be reviewed before going out | Supply-chain attack, Insider threat | A Content Examination policy can be applied, using the Hold action |
| Flag or hold a user's outbound messages which contain lower-confidence phrases indicating a supply-chain attack or insider threat | High-risk user is not able to send outbound emails containing phrases or words of urgency, and an alert is generated if the message is internal | Supply-chain attack, Insider threat | A Content Examination policy can be applied, using the Hold or Stationery actions |
| Throttle a user's ability to send outbound emails altogether, or based on specific patterns in the message | High-risk user is not allowed to send emails at a pace that could resemble a spray-and-pray attack | Supply-chain attack, Insider threat, Potential leaver | A Recipient Limitation policy can be applied |
Reactive actions:
| Action | Example | More Information |
| --- | --- | --- |
| Outbound messages can be sent as Secure Messages, where we retain chain of custody and can revoke access to those messages after the fact | High-risk user's outbound emails can effectively be "recalled" regardless of the recipient's mail platform | A Secure Messaging policy can be applied |
| All of a user's outbound and internal messages are copied to a security team for manual review | High-risk user's messages are BCC'd to a mailbox for review | A Group Carbon Copy policy can be applied |
| A user's outbound and internal messages matching specific words or phrases alert a security team for review | High-risk user's messages containing words or phrases of urgency are BCC'd to a security mailbox for review | A Content Examination policy can be applied, with the Group Carbon Copy action |
| Alerts are generated for any lower-confidence scan result on outbound emails | High-risk user sending PDF, Office or zip files outbound alerts the security team | An alternate Attachment Management policy can be applied |
| Outbound emails have a banner applied indicating that the sender's communication should be confirmed via a known alternative communication method | High-risk user's outbound emails have a "Does this communication seem out of the ordinary? Please call our main office and ask to be transferred to this user for verification." banner applied | A Stationery policy can be applied |
Inbound
Proactive actions:
| Action | Example | More Information |
| --- | --- | --- |
| Low-confidence phishing emails are administratively held for high-risk users, where they would otherwise have been held at a user level or had a banner applied | High-risk user cannot receive emails with only one or two suspicious indicators | An Impersonation Protection policy can be applied, using the Hold action at an administrative level |
| Remove some or all attachments from emails, regardless of their scan result | High-risk user is not allowed to receive password-protected zip files that cannot be brute-forced for scanning by Mimecast | An alternate Attachment Management policy can be applied |
| Apply stricter URL scanning | High-risk user is not allowed to click on links in a message that are similar to the top-10 vendor/client domains | An alternate URL Protection policy can be applied |
Reactive actions:
| Action | Example | More Information |
| --- | --- | --- |
| Smart tags can be applied where the recipient is a high-risk user and the message contains low-confidence indicators | Messages to a high-risk user with words or phrases of urgency are flagged for review out-of-band | A Smart Tag Assignment policy can be applied |
| Low-confidence phishing emails to high-risk users generate an alert | Security team is alerted when a high-risk user receives an email that matched only a single phrase | An Impersonation Protection policy can be applied, with the notification option configured |
Interaction
Access to Mimecast
Users added to a group can have a reduced experience, removing access to features like:
| Feature | Information | More Information |
| --- | --- | --- |
| Searching the archive | We retain up to 99 years of customers' emails outside of M365 and Google Workspace, which may contain company-confidential or proprietary information | An alternate Application Setting can be applied, with search options restricted or disabled |
| Sending or receiving emails through Mimecast (as an alternative to M365 or Google Workspace) | Mimecast has a continuity product, where a customer can continue to send/receive through Mimecast in the event of an issue accessing M365 or Google Workspace | An alternate Application Setting can be applied, with the option to send emails disabled |
Access restrictions can be applied, such as:
| Restriction | Example | More Information |
| --- | --- | --- |
| Restrict access based on IP ranges | Access to Mimecast's archive, continuity, and hold queues can be restricted to physical office locations for potentially compromised users | An alternate Application Setting can be applied, which uses an alternate Authentication Profile |
| Restrict access to web, mobile apps, and the Outlook plugin altogether or individually | High-risk users are unable to use Mimecast's mobile app to send/receive email | An alternate Application Setting can be applied, which has specific or all methods of accessing Mimecast disabled |
| Remove the ability to manage held queue items | High-risk user cannot be trusted to release messages held by Mimecast as spam or graymail (also known as bulk mail) | An alternate Application Setting can be applied, which has queue management options disabled |
| Remove access to Large File Send (LFS), which can be used to send large files or directories outbound | High-risk user cannot try to use LFS as a point of data exfiltration | An alternate Application Setting can be applied, which has LFS options disabled |
Awareness Training
Users classified as high risk can be scheduled for additional targeted training, either generally or based on specific risk types, such as:
- Phishing
- BYOD
- Social Media
- Passwords
- Inadvertent Disclosure
- Insider Threat
- Shadow IT
- Storage Devices
- Reporting Threats
- Tailgating
In each case, a Scheduled Campaign will be applied to a group of users. The group membership can be modified via API.
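Every control above hangs off group membership, so the integration work is really a reconciliation job: read the external risk intelligence, decide which Mimecast groups each user belongs in (the high-risk group that the mail flow and Application Setting policies target, plus the per-topic awareness-training groups), diff that against current membership, and push only the changes through the Directory endpoints. The following is an added example, not code from Mimecast or this page. The risk feed, group ids, threshold and current memberships are constructed sample data; the endpoint paths and request body shape are my assumptions about the API 1.0 Directory endpoints and should be checked against the Directory Endpoints documentation before use.

```python
"""Reconcile Mimecast group membership from an external risk feed (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# ASSUMED endpoint paths and body shape; verify against the Directory Endpoints docs.
ADD_MEMBER = "/api/directory/add-group-member"
REMOVE_MEMBER = "/api/directory/remove-group-member"

HIGH_RISK_THRESHOLD = 70  # constructed: feed scores >= 70 are treated as high risk

# Constructed group ids. HIGH_RISK_GROUP is the group the mail-flow and
# Application Setting policies target; TRAINING_GROUPS map feed risk types to
# the awareness-training topics listed on the page.
HIGH_RISK_GROUP = "grp-high-risk-users"
TRAINING_GROUPS = {
    "phishing": "grp-training-phishing",
    "insider_threat": "grp-training-insider-threat",
    "passwords": "grp-training-passwords",
    "inadvertent_disclosure": "grp-training-inadvertent-disclosure",
}


@dataclass
class RiskRecord:
    """One row of the external intelligence feed."""
    email: str
    score: int
    risk_types: Tuple[str, ...] = ()


def desired_memberships(feed: List[RiskRecord]) -> Dict[str, Set[str]]:
    """Translate the feed into the full member set each managed group should have.

    The feed is treated as authoritative: a user absent from it, or below the
    threshold, belongs in none of the managed groups.
    """
    desired: Dict[str, Set[str]] = {HIGH_RISK_GROUP: set()}
    desired.update({g: set() for g in TRAINING_GROUPS.values()})
    for rec in feed:
        email = rec.email.strip().lower()  # membership is keyed on the address
        if rec.score < HIGH_RISK_THRESHOLD:
            continue
        desired[HIGH_RISK_GROUP].add(email)
        for rt in rec.risk_types:
            group = TRAINING_GROUPS.get(rt)  # unknown risk types are ignored
            if group:
                desired[group].add(email)
    return desired


def plan_changes(current: Dict[str, Set[str]], desired: Dict[str, Set[str]]):
    """Diff current vs desired; returns (adds, removes) as sorted (group, email) pairs."""
    adds: List[Tuple[str, str]] = []
    removes: List[Tuple[str, str]] = []
    for group, want in desired.items():
        have = {e.lower() for e in current.get(group, set())}
        adds.extend((group, e) for e in sorted(want - have))
        removes.extend((group, e) for e in sorted(have - want))
    return adds, removes


@dataclass
class DirectoryClient:
    """Minimal wrapper. `send(path, body)` is the caller's authenticated HTTP POST;
    with no transport the client just records the calls, so it runs offline."""
    send: Optional[Callable[[str, dict], dict]] = None
    calls: List[Tuple[str, dict]] = field(default_factory=list)

    def _post(self, path: str, body: dict) -> dict:
        self.calls.append((path, body))
        return self.send(path, body) if self.send else {"meta": {"status": 200}}

    def add_member(self, group_id: str, email: str) -> dict:
        return self._post(ADD_MEMBER, {"data": [{"id": group_id, "emailAddress": email}]})

    def remove_member(self, group_id: str, email: str) -> dict:
        return self._post(REMOVE_MEMBER, {"data": [{"id": group_id, "emailAddress": email}]})


def apply_plan(client: DirectoryClient, adds, removes) -> int:
    """Adds go first so a partial failure leaves newly high-risk users covered
    by the policies rather than uncovered. Returns the number of calls made."""
    for group, email in adds:
        client.add_member(group, email)
    for group, email in removes:
        client.remove_member(group, email)
    return len(adds) + len(removes)


# Constructed sample data: one user escalates, one drops below threshold.
SAMPLE_FEED = [
    RiskRecord("Alice@example.com", 85, ("phishing", "insider_threat")),
    RiskRecord("bob@example.com", 40, ("phishing",)),
    RiskRecord("carol@example.com", 72, ("passwords", "shadow_it")),
]
SAMPLE_CURRENT = {
    HIGH_RISK_GROUP: {"bob@example.com", "alice@example.com"},
    TRAINING_GROUPS["phishing"]: {"bob@example.com"},
}


def run_sample():
    """Plan and apply the sample reconciliation offline; returns (adds, removes, client)."""
    adds, removes = plan_changes(SAMPLE_CURRENT, desired_memberships(SAMPLE_FEED))
    client = DirectoryClient()
    apply_plan(client, adds, removes)
    return adds, removes, client


if __name__ == "__main__":
    a, r, c = run_sample()
    print(f"{len(a)} adds, {len(r)} removes, {len(c.calls)} API calls planned")
```

Running the reconciliation twice against the same feed produces no calls the second time, which is what makes it safe to schedule; the removal path is the part to watch, since an empty or truncated feed would otherwise strip every user out of the high-risk group and silently lift the controls, so a production job should refuse to run on a feed that is empty or shrinks by more than an agreed bound.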