Under the Hood: Our New Email Attachment Sandbox

Malicious email attachments are a critical threat to businesses as they can easily bypass existing defences as part of sophisticated spear-phishing attacks. For example, a macro in a Word document could run when the file is opened and deploy malware onto targeted systems or attempt to download content from a malicious website. Attackers are using this weakness to infiltrate organizations in order to achieve their goals, that may include stealing data, staging ransomware demands or even a springboard attack on another company.

To counter this threat, sandboxing has become a vital technical defense. Attachment Protect offers this critical protection - incoming mail is held by the Mimecast gateway while we establish if there is any hidden code in the attachment by security checking the file in our sandbox. The sandbox spins up a virtual environment, opens the file and performs a deep security analysis on the contents. If the file is deemed safe, we deliver the mail to the recipient.

But sandboxing does have its limitations. It delays external emails and this can frustrate employees and impact their productivity. It can also be expensive. So organizations often limit who they protect to keep costs under control. That is clearly not ideal as it gives attackers a potential back door into an organization.

Mimecast Targeted Threat Protection - Attachment Protect makes it cost effective and easier to protect the whole organization.

It does this by replacing inbound email attachments that could contain malicious code (e.g. PDF or Microsoft Office files) with safe, transcribed versions – neutralizing any malicious code. Mails passing inbound through our gateway that contain potentially vulnerable attachments are processed by our Message Transfer Agent where they are transcribed to a different file format. For instance, a Word document is converted to a PDF file. The PDF file format visually renders the content in the same way to the reader. The difference is that the execution environment has changed and so any malicious macros or code are rendered inactive as part of this process.

Most employees only need to view attachments, so no further action is needed. In fact, our research shows that approximately 51% of attachments are read-only PDF files, followed by 17% Word, 9% Excel and 3% PowerPoint.* However, if employees need to edit a file, a link in the email can be used to request the original file on-demand via our sandboxing service.

It’s a fresh approach to attachment sandboxing. Administrators can choose the best mix of safety, performance and functionality for their organiziation. In addition, granular reporting allows for end-to-end, real-time threat analysis.

For comprehensive zero-hour threat protection, customers can combine Mimecast Targeted Threat Protection – Attachment Protect, with our URL Protect service. Now, in addition to link rewriting, URL Protect includes innovative user awareness capabilities so IT teams can raise the security awareness of employees.

Want to learn more?  Check out this Cyber Resilience for Email Deep Dive.

*Source: Analysis of 1 terabyte of Mimecast platform data, 2015