For some of our enterprise customers we monitor all adverse endpoint activity, and whilst investigating malicious software detection on a windows 10 machine we found a file had been downloaded from a third party website and this had in turn attempted to infect the endpoint. Further investigations and an interview with the EU identified that they had received an email with a link from a known sender and despite the training the EU was not suspicious and followed the link, used a password that was also sent by email and downloaded a file, thus circumventing email protection and presenting a clear threat to the PC and wider infrastructure.

We immediately added this URL to the Global TrendMicro Blacklist, and blocked it on our mail routers and customer's site gateways as well as adding a spam filter rule to strip the URL from any email's that come through.

blacklisting via your own SpamAssassin

In the local.cf configuration file (usually in /etc/mail/spamassassin) simply add the following lines

uri LOCAL_MIMECAST_CIRCUMVENTION /protect-eu\.mimecast\.com/
score LOCAL_MIMECAST_CIRCUMVENTION 10

We STRONGLY suggest you do the same, protecting your infrastructure from this deliberate attempt to circumvent email scanning and protection should be considered a priority. In the case above TrendMicro caught the infection attempt and blocked it, but no matter how good it is, its not infallible.