Mimecast Impersonation Protection


What’s happening: We are adding checks to incoming email to reduce the number of impersonation emails that get through, with particular attention paid to Senior Management and other people with financial delegation.
What will I notice? Depending on the level of risk, messages will either be held or delivered with the tag [SUSPICIOUS] added to the subject line.
What if I have questions? Please contact the Service Desk in the normal way.
Tell me more
Mimecast’s Impersonation Protection is an additional layer of security that scans email for a number of criteria commonly used by phishers to impersonate users within an organisation. The following criteria are used to determine how risky the email is:
Similar domain: e.g. lincoln.org.nz, lincolnuni.org.nz, lincolnuni.nz ……
New or recently created domain: e.g. sharepoint-lincoln.com registered 24 hours ago.
Internal username: first and last name is the same as an internal display name. e.g. royston.boot@lincoln-uni.weebly.com (would flag my genuine royston.boot@gmail.com)
Reply-to mismatch: e.g. from: royston.boot@lincoln.ac.nz (reply to: sjeree443@hotmail.com)
Target Threat Dictionary: header/subject/message body scans for suspicious words like: invoice, urgent payment etc.
Messages are either passed through, marked up or placed on administrative hold, depending on how many of the criteria are met and whether the user has financial delegation.


For recipients with financial delegation: a message that meets two or more criteria will be marked [SUSPICIOUS] and delivered to the Inbox. For everyone else, a message that meets three or more criteria will be placed on administrative hold and will appear in the held message digest report. Administratively held messages must be released by the IT Service Desk.
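
To show how the criteria count drives the outcome, here is an added illustration in Python. It is not Mimecast's code or part of the original notice: the function names, the similarity and domain-age cut-offs, and the sample message are assumptions made for the example, and the domain age is passed in rather than looked up.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed settings; only the addresses and keywords come from the notice.
ORG_DOMAIN = "lincoln.ac.nz"
INTERNAL_NAMES = {"royston boot"}
THREAT_WORDS = ("invoice", "urgent payment")
SIMILARITY, NEW_DOMAIN_DAYS = 0.7, 30   # assumed cut-offs, not Mimecast's

SAMPLE = (  # constructed message
    "From: Royston Boot <royston.boot@lincoln-uni.weebly.com>\n"
    "Reply-To: sjeree443@hotmail.com\n"
    "Subject: Urgent payment needed\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

def criteria_met(raw, domain_age_days=None):
    """Return the set of criteria from the notice that a raw message meets."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    external = domain != ORG_DOMAIN
    hits = set()
    # Similar domain: close to, but not the same as, the real domain.
    if external and SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= SIMILARITY:
        hits.add("similar domain")
    # New domain: the age would come from registration data (assumed input).
    if domain_age_days is not None and domain_age_days < NEW_DOMAIN_DAYS:
        hits.add("new domain")
    # Internal username: an external sender using an internal person's name.
    if external and {name.lower().strip(), local.replace(".", " ")} & INTERNAL_NAMES:
        hits.add("internal username")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        hits.add("reply-to mismatch")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(word in text for word in THREAT_WORDS):
        hits.add("threat dictionary")
    return hits

def action(hits, financial_delegation):
    """Apply the thresholds exactly as the notice states them."""
    if financial_delegation:
        return "tag [SUSPICIOUS]" if len(hits) >= 2 else "deliver"
    return "administrative hold" if len(hits) >= 3 else "deliver"
```

A genuine message from a personal address that shares an internal name meets only one criterion here, so it is delivered unchanged under either threshold.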