Allowlisting in Mimecast

Mimecast has multiple security tools to help protect your organization from outside threats. While a valuable service, it will require several updates to your settings to make sure Infosec IQ emails are being delivered to your learner’s inbox and not get blocked or mark your learner as phished in the process. The sections below will cover each of the policies that will need to be created to run successful campaigns with minimal interference from this security tool.

Table of Contents

• Permitted Senders Policy
• URL Protection Bypass Policy
• Anti-Spoofing Policy
• Impersonation Protection Bypass Policy
• Attachment Protection Bypass Policy
• Targeted Threat Protection - Managed URLs
• Auto-Allow Policy
• Block sender policy

Permitted Senders Policy

For our Infosec IQ emails to be delivered successfully, the Permitted Senders Policy needs to be configured. DO NOT EDIT YOUR DEFAULT POLICY. A new policy should be created specifically for Infosec IQ. Please follow the steps below:

1. Log on to your Mimecast Administration Console.
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select Permitted Senders from the list of policies displayed.

5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ Permitted Senders Policy
• Select Notifications Set: Permit Sender

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Specifically: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

7. Save your changes

Return to Table of Contents

URL Protection Bypass Policy

Mimecast’s URL Protection service scans and checks links in emails upon delivery. This can sometimes result in false positives for your phishing security tests. Follow the steps below to create a URL Protection Bypass Policy for accurate phishing security test results.

1. Log in to your Mimecast Administration Console
2. Click on the Administration toolbar button.
3. Click the Gateway | Policies menu item.
4. Select URL Protection Bypass from the list of policies displayed.
5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ URL Protection Bypass
• Select Notifications Set: Disable URL Protection

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Specifically: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

7. Save your changes

Return to Table of Contents

Anti-Spoofing Policy

To allow phishing simulations where the sender’s domain is spoofed an Anti-Spoofing Policy must be created. Spoofing is a common methodology to hide the sender’s true identity and using these examples as a teachable moment in your phishing campaigns as valuable experiences for your learners and reveals opportunities for training. Follow the steps below to allow spoofing from Infosec IQ PhishSim messages.

1. Log on to your Mimecast Administration Console.
2. Click the Administration toolbar button.
3. Click the Gateway | Policies menu item.
4. Select Anti-Spoofing from the list of policies displayed.
5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ Anti-Spoofing Bypass
• Select Option: Take no action

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Everyone
• Specifically: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

7. Save your changes

Return to Table of Contents

Impersonation Protection Bypass Policy

Impersonation Protection Bypass Policy - Part 1

** To send out phishing simulations where you are impersonating a member of your own organization, such as your CEO, known as whaling attacks an additional Impersonation Protection Bypass Policy must be made. Follow the steps below to create this policy.**

1. Log on to your Mimecast Administration Console.
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select the Impersonation Protection option from the list of definitions displayed.
5. Select the New Definition button.
6. Name your Name the definition something easy to identify such as “InfosecIQ Impersonation Protection Bypass Definition.”
7. configure the policy settings with the following options:

Identifier Settings

• Description: InfosecIQ Impersonation Protection Bypass Definition
• Similar Internal Domain: Checked
• Similar Monitored External Domains: Checked
  • Check Mimecast Monitored External Domains: Checked
  • Check Custom Monitored External Domains: Unchecked
• Newly Observed Domain: Unchecked
• Display Name: Unchecked
• Reply-to Address Mismatch: Checked
• Targeted Threat Dictionary: Checked
  • Mimecast Threat Dictionary: Checked
  • Custom Threat Dictionary: Select Custom Threat Dictionary
• Number of Hits: 2
• Enable Advanced Similar Domain Checks: Unchecked
• Ignore Signed Messages: Unchecked
• Bypass Managed & Permitted Senders Unchecked

Identifier Actions

• Action: None
• Tag Message Body: Unchecked
• Tag Subject: Unchecked
• Tag Header: Unchecked

General Actions

• Mark All Inbound Items as “External”: Unchecked’

Notifications

• User preference

8. Save this definition so you can use it in part 2

Impersonation Protection Bypass Policy - Part 2

1. Log on to your Mimecast Administration Console.
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select the Impersonation Protection Bypass from the list of policies displayed.
5. Select the New Policy button.
6. Select the policy settings under the Options, Emails From, Emails To, and Validity sections as defined below.

Options

• Policy Narrative: Infosec IQ Impersonations
• Select Option: Infosec IQ Impersonation Protection Bypass Definition

Emails From

• Addresses Based On: Both
• Applies From: External Senders
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Specifically: Applies to all internal Recipients

Validity

• Enable/Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All time
• Policy Override: Checked
• Bi-Directional: Unchecked
  Source IP Ranges: Enter in the Infosec IQ IP addresses found in the account settings

7. Save your changes.

For more information on these settings, see Mimecast’s Configuring an Impersonation Protection Bypass Policy article.

Return to Table of Contents

Attachment Protection Bypass Policy

By configuring a Attachment Protection Bypass Policy it will increase the chance of attachment emails being delivered. Mimecast will evaluate the risk of an attachment and may still stop the delivery. Our Infosec IQ’s attachments contain a script that will allow for the reporting of who opened the attachments and enabled macros which are often deemed as suspicious. For this reason, testing to make sure the delivery of these is successful before sending out a campaign to your entire organization is required.

1. Log on to your Mimecast Administration Console
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select Attachment Protection Bypass from the list of policies displayed.

5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ Attachment Protection Policy
• Select Notifications Set: Disable Attachment Protection

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Profile Group: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

7. Save your changes.

Return to Table of Contents

Targeted Threat Protection - Managed URLs

Mimecast can re-write the links in emails including our phishing simulation messages. Doing it will present the learner a different link than what was set in the Phishing email template. By adding Infosec IQs domains as permitted URLs in Mimecast the emails delivered will not have any changes made to the URLs being used. Your learners may or may not be accustomed to seeing URLs that are not re-written so making this change is considered optional. Check out Mimecast’s article on Targeted Threat Protection: Managed URLs for more information.

Return to Table of Contents

Auto-Allow Policy

Auto Allow policies allow inbound mail to be processed more efficiently and effectively by circumventing spam checks. External email addresses that internal end users have previously sent emails to are stored in an ‘Auto Allow database’. When the external address sends a message to the internal user, Mimecast checks the database to see if the address is present. If so, the message bypasses the usual spam checks applied to inbound mail.

1. Log on to your Mimecast Administration Console
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select Auto-Allow Policy from the list of policies displayed.
5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ Auto Allow Policy
• Select Notifications Set: Apply Auto Allow

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Profile Group: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

Return to Table of Contents

Block sender policy

A Blocked Senders policy restricts messages to or from specific email addresses or domains. It can apply to inbound or outbound messages, although is typically used to block inbound messages. This policy is used by Infosec IQ to create an exception to this rule.

1. Log on to your Mimecast Administration Console
2. Click the Administration toolbar button.
3. Select the Gateway | Policies menu item.
4. Select Blocked Senders Policy from the list of policies displayed.

5. Click the New Policy button.
6. configure the policy settings with the following options:

Options

• Policy Narrative: Infosec IQ Blocked Senders Policy
• Select Notifications Set: Take no action

Emails From

• Addresses Based On: Both
• Applies From: Everyone
• Specifically: Applies to all Senders

Emails To

• Applies To: Internal Addresses
• Profile Group: Applies to all Internal Recipients

Validity

• Enable / Disable: Enable
• Set policy as perpetual: Always On
• Date Range: All Time
• Policy Override: Checked
• Bi-Directional: Unchecked
• Source IP Ranges (n.n.n.n/32): see your account settings for the list of IPs to include

Return to Table of Contents