Open
Labels: category:feature-request (Issue is related to a feature request)
Description
Feature description
Mimecast is a company that provides email security as a service. Several of their features can be usefully used in response to phish messages:
- Their URL Protect feature can rewrite URLs in email messages received through Mimecast. When users click the link, various checks can take place before redirection to the original URL. But threat responders need to know what the original URL was. Mimecast provides an API service to do this decoding.
- When a phish is received by a user from some address, and the user reports it, threat responders need to know who else inside the organization also received the phish. Mimecast provides an API service to find messages sent by a given email address within given time bounds.
- Mimecast provides an API service that will place a URL or domain on a block list, such that when a user clicks on a link in an email that points to that URL or domain and has been rewritten by Mimecast's URL Protect feature, the user will not be redirected to the blocked page; instead, warnings will issue, to the user and to IT staff.
A mimecast_api module has been released that makes these actions easy from Python, given appropriate Mimecast credentials, which can be generated if one is a Mimecast customer.
Describe the solution you'd like
- An analyzer that decodes an observed URL which has been rewritten by URL Protect, and provides the original URL as an artifact.
- An analyzer that finds who has received messages from an observed email, and provides recipient email addresses as artifacts.
- A responder that allows blocking URLs or domains using Mimecast's Managed URL feature - but avoids creating duplicate blocklist entries.
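
One way the duplicate check asked for in the responder item could work, as an added example that is not part of the original issue and is not code from the mimecast_api module. The entry dictionaries (`url`, `match`, `action`) are a hypothetical shape, not Mimecast's API schema, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def normalise(target):
    """Return (host, path) for a URL or bare domain; host is lower-cased."""
    parts = urlsplit(target if _SCHEME.match(target) else "//" + target)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path.rstrip("/")
    if parts.query:
        path += "?" + parts.query
    return host, path

def already_blocked(target, entries):
    """True if a block entry covers target: same host and either a
    domain-wide match or the same path."""
    host, path = normalise(target)
    for entry in entries:
        if entry["action"] != "block":
            continue  # permit entries never count as an existing block
        e_host, e_path = normalise(entry["url"])
        if e_host == host and (entry["match"] == "domain" or e_path == path):
            return True
    return False

def plan_blocks(targets, existing):
    """Return the new entries a responder would need to create, skipping
    targets covered by the current list or by an earlier target in the batch."""
    planned = []
    for target in targets:
        if already_blocked(target, existing + planned):
            continue
        _, path = normalise(target)
        match = "explicit" if path else "domain"  # bare domain blocks the whole host
        planned.append({"url": target, "match": match, "action": "block"})
    return planned
```
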