Mimecast Impersonation Protection not working

Recently a email came in from a third party which wasn’t blocked by the Impersonation Protection

Administration > Gateway > Policies > Impersonation Protection Definitions  

Default Impersonation Protection for Mimecast 

  • Similar Internal Domain (Similarity Distance 2 ) 
  • Newly Observed Domain ( Checked ) 
  • Internal User Name ( Checked ) 
  • Reply-to Address Mismatch ( Uncheck ) 
  • Targeted Threat Dictionary ( Checked ) 
  • Mimecast Threat Dictionary ( Checked ) 
  • Number of Hits : 2
  • Ignore Signed Messages ( Unchecked ) 

For executives, particularly those who are disclosed on the company website I recommend implementing a hit score of 1 on emails with their name as a display name. 

Exec Impersonation Protection

  • Similar Internal Domain  ( Checked ) 
  • Newly Observed Domain  ( Checked ) 
  • Internal User name  ( Checked ) 
  • Number of Hits: 1 

Administration > Gateway > Policies > Impersonation Protection > New Policy 

Selection Option: Choose the new definition that was just created 
Addresses based on: Both 
Applies from: Header Display Name 
Specifically: INSERT NAME 
Applies To: Internal Addresses 
Save and Exit 

I would advise that display name checks are in place all high profile targets, particularly those disclosed on the company website or other public sources. You also may want to consider alternative spellings. An individual policy is required for each display name. 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Tags: Impersonation Protection, mimecast, policy

Trackback from your site.