Overview

Ocean reads mail from Microsoft 365 or Google Workspace after delivery. If your organization routes inbound mail through Mimecast first, the messages that land in mailboxes — and that Ocean ingests — have already been modified by Mimecast: links are rewritten and awareness banners are injected. Enabling this integration lets Ocean analyze the original message content, not the Mimecast-modified version. End-user inboxes are unchanged.

What Mimecast does to your inbound mail

  • Targeted Threat Protection (TTP) URL rewriting — Mimecast rewrites links to a *.mimecastprotect.com or protect-*.mimecast.com wrapper so it can re-check destinations at click time.
  • CyberGraph banners — Mimecast’s CyberGraph user-awareness feature injects HTML banners, “Report” links, and tracking pixels into the body of inbound messages.

What Ocean does about it

What Ocean does | When
Strips CyberGraph banners, report links, and tracking pixels | During parsing
Unwraps TTP URLs to the original destination | During analysis

When to enable this

Enable the Mimecast integration if all three apply:
  • You run Mimecast as the inbound gateway in front of Microsoft 365 or Google Workspace.
  • You have already configured the matching Ocean integration (Microsoft 365 or Google Workspace).
  • You see Mimecast-wrapped URLs or CyberGraph banners in Ocean’s incident views and want analysis to run on the original message.

Prerequisites

  • An active Microsoft 365 or Google Workspace integration in Ocean.
  • Admin access to the Mimecast Administration Console to create API 2.0 credentials.

Enable

Contact your Ocean Security representative and provide:
  1. Your Mimecast region (US, EU, DE, ZA, AU, JP, or CA).
  2. A Mimecast API 2.0 Client ID and Client Secret scoped to Mimecast’s URL Decode endpoint. Generate these in the Mimecast Administration Console under Services → API and Platform Integrations. Refer to the Mimecast API 2.0 documentation for the exact path and the current endpoint reference.
Ocean stores the credentials in encrypted secret storage. Banner stripping activates as soon as the integration is enabled on your tenant; URL unwrapping activates within a few minutes of the credentials being loaded.
Only mail processed after activation is affected. Emails ingested before activation are not reprocessed.

What changes after enabling

  • Incident details show the decoded destination URL instead of the Mimecast wrapper. Verdicts, IOC matches, and link analytics run against the real target.
  • Body previews in incident review no longer include CyberGraph banners, report links, or tracking pixels.
  • End-user inboxes are unchanged.

Notes

  • Decoded URLs are cached for 24 hours to avoid repeat calls to Mimecast’s API.
  • If Mimecast is briefly unreachable when Ocean tries to decode a URL, Ocean falls back to the wrapped URL and continues analysis — no emails are blocked or delayed.
  • Only the wrapped URLs themselves are sent to Mimecast’s API as part of the decode call. Message content, headers, and recipient data are not shared.
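
The unwrapping behavior described above (wrapper-host detection, the 24-hour cache, and the fallback to the wrapped URL), sketched as an added example that is not Ocean's code. The host patterns come from this page; `decode_fn` is a hypothetical stand-in for the call to Mimecast's URL Decode endpoint, and skipping the cache on a failed decode is an assumption.

```python
import re
import time
from urllib.parse import urlsplit

# Wrapper hosts as given on this page: *.mimecastprotect.com, protect-*.mimecast.com
_WRAPPER_HOSTS = (
    re.compile(r"(?:[a-z0-9-]+\.)+mimecastprotect\.com"),
    re.compile(r"protect-[a-z0-9-]+\.mimecast\.com"),
)
CACHE_TTL_SECONDS = 24 * 60 * 60  # decoded URLs are cached for 24 hours


def is_mimecast_wrapped(url):
    """True only when the URL's host (not its path or query) is a wrapper host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(p.fullmatch(host) for p in _WRAPPER_HOSTS)


class UrlUnwrapper:
    """Decode wrapped URLs through an injected decoder, cache results, fail open."""

    def __init__(self, decode_fn, clock=time.time):
        self._decode = decode_fn  # hypothetical: wrapped URL -> original URL
        self._clock = clock
        self._cache = {}          # wrapped URL -> (decoded URL, expiry time)

    def unwrap(self, url):
        if not is_mimecast_wrapped(url):
            return url            # not a wrapper, nothing is sent to the decoder
        hit = self._cache.get(url)
        if hit and hit[1] > self._clock():
            return hit[0]         # fresh cache entry, no repeat decode call
        try:
            decoded = self._decode(url)
        except Exception:
            return url            # decoder unreachable: analyze the wrapped URL
        self._cache[url] = (decoded, self._clock() + CACHE_TTL_SECONDS)
        return decoded


if __name__ == "__main__":
    # Constructed sample URLs; the second only looks like a wrapper host.
    samples = ["https://url.us.m.mimecastprotect.com/s/AbC123",
               "https://mimecastprotect.com.evil.example/s/AbC123"]
    unwrapper = UrlUnwrapper(lambda u: "https://example.org/login")
    for s in samples:
        print(is_mimecast_wrapped(s), unwrapper.unwrap(s))
```

Matching on the parsed hostname rather than on a substring keeps lookalike hosts and wrapper strings embedded in a query parameter from being treated as Mimecast wrappers.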

Need Help?

For questions about enabling the Mimecast integration or interpreting how it affects incident review, contact your Ocean account executive.