I am a big fan of Mimecast’s email security product; when configured correctly it does a fantastic job. However, from time to time I have found the need to hold emails from a domain or a specific address.
The most common reason I have found to do this is when a known supplier or contact has had a security issue, and emails are potentially being sent from their account or domain without their knowledge.
In these situations it is good to have the option prepared in advance to hold their emails for manual review and release.
Below I will detail a method for holding emails for review from either an entire domain or a specific sender.
- Creating a Content Definition
- Creating a Content Examination Policy
- How to Find, Review and Release Emails
First, we will create a Content Definition that matches every email and holds it for review. Then we will create a Content Examination policy that defines the scope the definition applies to, so that only email from the affected domain or address is held.
Creating a Content Definition
- Logon to your Mimecast Admin Console
- Navigate to Administration => Gateway => Policies
- Hover over the Definitions drop-down and select Content Definitions
- Open an existing folder or create a new one using the plus on the root folder icon.
- Click New Content Definition
- Create a definition with the following settings
- Description: Hold All Emails
- Activation Score: 1
- Word/Phrase Match List: * (this is intended to match every message, so with an Activation Score of 1 any email in scope will trigger the hold)
- Scan Subject Line: Selected
- Scan Message Body: Selected
- Enable Inbound and Outbound Check: Selected
- Policy Action: Hold for Review
- Hold Type: if this is in response to a security issue, I like to set this to Administrator, but you could set it to User if you are happy with your user awareness training
- Notification Groups: set as required. I like to notify only the intended internal recipient; if they were expecting the message, they can contact a Mimecast administrator to review and release it.
- Save and Exit
Creating a Content Examination Policy
Now we need to create a policy to define the scope of our new definition.
In this example I will hold for review all emails from the domain test.com to any internal address. You could instead change the “Applies From” option to an Individual Email Address rather than a whole domain, or change “Applies To” so that only emails to a specific person are held.
- Navigate to Gateway => Policies => Content Examination
- Click New Policy and create a policy with the following settings.
- Policy Narrative: provide a name; I like to include a ticket/change reference number
- Select Content Definition: Select the new Definition created “Hold All Emails”
- Addresses Based On: Both (the envelope sender and the header From address are both checked, so a message that matches on only one of them is still held)
- Applies From: Email Domain
- Specifically: test.com (change as required)
- Applies To: Internal Addresses
- Policy Override: Selected (this forces the hold policy to be applied ahead of other Content Examination policies, so a broader policy cannot let the message through)
- Save and Exit
How to Find, Review and Release Emails
With the above policy in place, all emails matching its scope will be held for review. If you set the Hold Type to Administrator, as in this example, a Mimecast administrator will need to review and release them manually.
Below is how to find and release them after review.
- Navigate to Message Center => Held Messages
- Click Held Queue
- Search for the message using the from, to or subject
- Tick the required message(s) and click Release
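When a compromised supplier fills the queue, the same find, review and release step is quicker to script than to click through. The script below is an added example written for this post, not Mimecast’s own code. It assumes the Mimecast API 1.0 request-signing scheme (access key, secret key, application id and application key, with an HMAC-SHA1 signature over date:requestId:uri:appKey), the endpoints /api/gateway/get-hold-message-list and /api/gateway/hold-release, the held-message field names id, from.emailAddress, to[].emailAddress and subject, and a regional base URL such as https://eu-api.mimecast.com; the environment-variable names are also my own choice. Check all of these against the current Mimecast API documentation for your account before relying on it.

```python
"""Review and release Mimecast held messages (added example, not Mimecast code).

Assumed and to be verified against the current Mimecast API documentation:
the API 1.0 signing scheme (HMAC-SHA1 over "date:requestId:uri:appKey"),
the two endpoints below, the field names id, from.emailAddress,
to[].emailAddress and subject, and the regional base URL.
"""
import base64
import hashlib
import hmac
import json
import os
import uuid
from datetime import datetime, timezone
from urllib import request

HOLD_LIST_URI = "/api/gateway/get-hold-message-list"  # assumed endpoint
HOLD_RELEASE_URI = "/api/gateway/hold-release"        # assumed endpoint


def mc_headers(uri, access_key, secret_key, app_id, app_key,
               hdr_date=None, req_id=None):
    """Signed headers for one API 1.0 request. hdr_date/req_id can be set
    only so a test can reproduce the signature; real callers leave them unset."""
    hdr_date = hdr_date or datetime.now(timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S UTC")
    req_id = req_id or str(uuid.uuid4())
    data_to_sign = f"{hdr_date}:{req_id}:{uri}:{app_key}".encode("utf-8")
    # The secret key is issued base64-encoded; its raw bytes are the HMAC key.
    digest = hmac.new(base64.b64decode(secret_key), data_to_sign,
                      hashlib.sha1).digest()
    return {
        "Authorization": f"MC {access_key}:{base64.b64encode(digest).decode()}",
        "x-mc-date": hdr_date,
        "x-mc-req-id": req_id,
        "x-mc-app-id": app_id,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def http_transport(base_url, creds):
    """Return post(uri, body) -> parsed JSON against the live API."""
    def post(uri, body):
        req = request.Request(base_url + uri, method="POST",
                              data=json.dumps(body).encode("utf-8"),
                              headers=mc_headers(uri, **creds))
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def sender_matches(message, scope):
    """Mirror the policy's Applies From: a bare domain matches any address at
    exactly that domain, a full address matches that address only."""
    sender = message.get("from", {}).get("emailAddress", "").lower()
    scope = scope.lower()
    return sender == scope if "@" in scope else sender.endswith("@" + scope)


def list_held(post, scope, page_size=100):
    """Fetch the Administrator hold queue and keep only the messages in scope."""
    body = {"meta": {"pagination": {"pageSize": page_size}},
            "data": [{"admin": True}]}
    resp = post(HOLD_LIST_URI, body)
    if resp.get("fail"):  # a non-empty 'fail' list signals an API error
        raise RuntimeError(f"hold list failed: {resp['fail']}")
    return [m for m in resp.get("data", []) if sender_matches(m, scope)]


def release(post, message_ids):
    """Release each reviewed message by id; returns the ids released."""
    released = []
    for mid in message_ids:
        resp = post(HOLD_RELEASE_URI, {"data": [{"id": mid}]})
        if resp.get("fail"):
            raise RuntimeError(f"release of {mid} failed: {resp['fail']}")
        released.append(mid)
    return released


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="Review or release held mail")
    ap.add_argument("scope", help="sender domain (test.com) or full address")
    ap.add_argument("--release", nargs="*", metavar="ID", default=[],
                    help="message ids to release after review")
    args = ap.parse_args()
    # Credentials and region come from the environment (names assumed here):
    # MC_BASE_URL, MC_ACCESS_KEY, MC_SECRET_KEY, MC_APP_ID, MC_APP_KEY.
    creds = {k: os.environ["MC_" + k.upper()]
             for k in ("access_key", "secret_key", "app_id", "app_key")}
    post = http_transport(os.environ.get("MC_BASE_URL",
                                         "https://eu-api.mimecast.com"), creds)
    if args.release:
        print("released:", release(post, args.release))
    for m in list_held(post, args.scope):
        to = ", ".join(r.get("emailAddress", "") for r in m.get("to", []))
        print(f"{m['id']}  {m['from']['emailAddress']} -> {to}  {m.get('subject', '')!r}")
```

Run it once with just the domain to list what is held, read the output, then pass only the ids you have reviewed to --release; nothing is released that you did not name. An API key that can release held mail can undo the hold, so treat it as a privileged credential and keep it out of shell history and tickets.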
Thanks! Needed to hold vendor emails quickly due to them sending phishing emails.
I’m glad it helped! Been in that situation a few times myself. Never fun!
Phil
Hi, thank you for this, it works well.
Is there a way that I can have this check against a list of safe senders and have those bypass the hold? Would I just uncheck the “Policy Override” option?
Cheers
Glad it helped.
You should be able to leave “Policy Override” enabled, this will protect you from something other than the content examination policy bypassing your hold.
You could add another “Content Examination” policy with a definition that permits by not matching any content, again enabling “Policy Override”.
As you then have two policies of the same type, both of which have Override enabled, the more specific rule will win. Not sure if it will work with a content examination bypass rule.
As per the Mimecast info on Policy Override “This option will override the order in which policies are applied, and forces it to be applied first if there are multiple policies unless more specific policies of the same type have been configured with an override as well”
Thanks Phil, I will have a play around with this and see how it goes.
Cheers