Configure Secure Email for Message Content

mxHERO Secure Email can be configured to automatically protect sensitive attachments leaving your network through email. Automatic protection relieves users from the burden of constant vigilance and protects the organization from inadvertent or malicious security and compliance breaches.

mxHERO can be very nuanced and prescriptive in applying security to email content. Organizations can protect all content moving in a certain direction, e.g., outside the company, or only certain content  based on sender, recipient, content of files or message, etc.

In this article we will configure mxHERO to search for social security numbers in attachments sent outside the organization. If found, the attachment will be delivered through a 3 day, self-expiring password protected link. This type of protection meets the requirements of a number of regulations, e.g., HIPAA, etc. as well as the general benefits of moving sensitive content away from unprotected email.

Here is a diagram of the end result of this configuration:


The user sends a file with a social security number through email to an external recipient. In transit mxHERO detects the social security number, uploads it to the user's clouds storage. The original attachment is replaced with a self-expiring, password protected link. mxHERO sends the randomly generated password to the recipient in a separate communication.


Configuration steps

In summary, we will create an outbound Fusion rule and add a security policy informing mxHERO to scan for a social security number in email attachments. If found, secure them with an expiring password protected link.

Step 1: Create a Fusion Rule

Secure email is a feature of mxHERO's Fusion application. You should create a Fusion rule acting on emails leaving your organization. For more on creating a Fusion rule see this article.

Step 2: Create a Security Definition

An mxHERO Security Definition is a configuration instruction that tells mxHERO "how" it should apply security.

From the mxHERO dashboard go to "Auto Filing > Security Policies



In Security Policies click on "Security Definitions"



Click on "Create a Definition"



Configure your Security Definition


Set all fields the way you would like to secure content. Make sure that you create a name for your definition. This configuration sets the following:

  1. Box cloud storage (unlocks the widest range of options)
  2. Public links (these links will require passwords, but don't require users to have a Box account)
  3. Enable auto-expiration of the link
  4. Set expiration to 3 days
  5. Allow file download (if "prevent file downloads" is enabled, recipients will only be able to view the contents in their browser, i.e., not have the actual file)
  6. Password protect (mxHERO will automatically generate a random password per recipient and send it in another communication to the receiver)
  7. Confirm and save your configuration!

Note you may need to refresh the Security Definition page to list your newly created security definition.

Navigate to Security Policies either through Auto Filing > Security Policies or directly to the Policies List in the following screen ...


Step 3: Create a Security Policy

An mxHERO security policy is a configuration instruction that tells mxHERO when to trigger a security action (security definition). An mxHERO security policy is the "when" of a security configuration. In this case, the "when" is when a social security pattern is detected in the contents of an attachment.

If you are not already at the Security Policies screen, go there from the mxHERO dashboard, "Auto Filing > Security Policies"



Then "Create A Policy"



Configure your policy ...


The following creates a pattern match to detect social security numbers:

  1. Give your policy a name
  2. Select your cloud storage
  3. Select the type of matching algorithm, "regex"
  4. Enter the regular expression:
  5. Click in the next field to indicate to mxHERO where it should look for social security numbers
    1. In this case we would like to trigger our security definition if the pattern is found in body of the email or in any attached files.
  6. Select "apply Security Definition"
  7. Select the name of the Security Definition we created above.
  8. Confirm and Save Policy!

Note, you might have to refresh the following page to list your newly created policy.

If you want a default security to be applied if the pattern does not match you can set in below. Here we are indicating that there is no default. In other words, don't apply default security.

IMPORTANT: if your security policy does not match and you have no default definition, then Fusion will not upload the attachment to cloud storage. This allows you to "turn off" Fusion when it is not desired. In other words, "No default" is synonymous with "no Fusion linking". If you are applying a security policy and want to always move attachments into your cloud storage regardless, even if only as unprotected, open links, then set the default for this.

Step 4: Apply your security policy to your Fusion rule

In your Fusion rule for outbound messages, enter the "Security Options"



Go to the "Moved Attachments" section of Security Options.


Turn on "Use a security policy" and in the drop down, select your newly created security policy. In this case, our security policy triggers its security definition (password protection) when a social security pattern is found in the attachments or the body of the email.

IMPORTANT: if the security policy does not match the content, and there is no default security action configured, the attachment will not be moved and linked to your cloud storage. This allow you to effectively turn off mxHERO attachment linking if conditions are not met.

To ensure that the message itself if protected in the event that a social security number is found in either the body or attachments do the same for "Secure Email".

Save your Fusion rule and test!



Note, you could have configured the above in many different ways. You might have created two security policies. One that only checks for social security numbers in the attachments and applied that only to moved attachments. Then adding another security policy that only checks for social security numbers in the body of the email and applying it to Secure Email. In this way, your configuration would only protect attachments or the body of the email when needed.

If you need any assistance in created a desired outcome, please don't hesitate to contact us!





Have more questions? Submit a request


Powered by Zendesk