Insider Impersonation Protection (IIP) was released in Q4 2019 for Exchange and O365 journaling customers. This feature allows you to view internal and outbound messages, in addition to the inbound messages you are already receiving. Because internal and outbound messages cannot be domain spoofs, and do not fit most of the other default attack classifications, they do not warrant normal message scoring. Currently, only messages with malicious URIs and attachments are scored.
There are a number of benefits to this feature, such as:
- Detecting malicious URLs and attachments sent from one internal employee to another.
- Monitoring (but not taking action on) internal users sending malicious attachments and URLs to external users (outbound).
- Being able to search all messages globally in your environment.
- Being able to take action on all messages in your environment globally.
Without IIP, if you received a malicious email and then sent it around internally, you would be able to take action only on the first message, and on none of the copies sent internally.
To enable this feature, first ensure your journal rule is configured to send all messages to Agari, and then contact your account rep or support team to enable the feature.
Note: By default, there are no out-of-the-box policies for internal or outbound messages. Once the feature is enabled, you will need to create new policies for the new types of messages being ingested.
Here is a screenshot of an O365 journal rule configured to send all messages. Other versions of Exchange will vary.
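
The journal rule scope can also be checked from Exchange Online PowerShell. The following is an added example, not part of the original article or the vendor's documentation; it assumes an existing session (`Connect-ExchangeOnline`), and the journaling address is a placeholder for the one supplied for your account.

```powershell
# Added example: audit the journal rules that deliver to your journaling address.
# Assumption: an Exchange Online PowerShell session is already connected.
# The address below is a placeholder, not a real journaling address.
$JournalAddress = 'journal-placeholder@example.invalid'

# Find every journal rule that sends its reports to that address.
$rules = Get-JournalRule |
    Where-Object { "$($_.JournalEmailAddress)" -eq $JournalAddress }

if (-not $rules) {
    Write-Warning "No journal rule delivers to $JournalAddress."
    return
}

$report = foreach ($rule in $rules) {
    $problems = @()

    if (-not $rule.Enabled) {
        $problems += 'rule is disabled'
    }

    # Scope Global journals all messages. Internal or External alone
    # covers only part of the traffic, so internal and outbound mail
    # would not all reach the journaling address.
    if ("$($rule.Scope)" -ne 'Global') {
        $problems += "scope is $($rule.Scope), not Global"
    }

    # A Recipient filter limits journaling to one mailbox or group.
    if ($rule.Recipient) {
        $problems += "limited to recipient $($rule.Recipient)"
    }

    [pscustomobject]@{
        Name          = $rule.Name
        Scope         = "$($rule.Scope)"
        Enabled       = $rule.Enabled
        CoversAllMail = ($problems.Count -eq 0)
        Problems      = $problems -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
```

A rule reported with `CoversAllMail` set to `False` should be corrected before asking for the feature to be enabled, since internal or outbound messages would otherwise be missing from what is ingested.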