
Account Takeover

mateormz
Level 1

Good Afternoon,

 

I set up an outgoing filter for Account Takeover based on best practices, but now emails reported as phishing get quarantined due to the content filter. Any suggestions?

 

This is how I configured the Content Filter

ACCOUNT_TAKEOVER

Condition: Other Header; header("X-AMP-Result") == "(?i)malicious"

Condition: URL Reputation; url-reputation(-10.00, -6.00 , "", 1, 1)

*Set Apply Rule: If one or more conditions match

Action: Notify;notify ("myit@mycompany.com", "POSSIBLE ACCOUNT TAKEOVER", "", "ACCOUNT_TAKEOVER_WARNING")

Action: duplicate-quarantine("ACCOUNT_TAKEOVER")

Accepted Solutions

UdupiKrishna
Cisco Employee

Which engine is reporting these emails as phishing? Outbreak? If it's Outbreak, it may be looking into the URL's reputation to provide a threat level/category.

Given the content filter condition is set to match either the header or the reputation, some of these phishing emails may have URL(s) falling under the score of -10 to -6 resulting in quarantine action.
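
The matching logic described in the answer above, as an added example that is not part of the original thread and is not Cisco code: a small Python model of the ACCOUNT_TAKEOVER filter run over constructed messages. It assumes the header condition is an unanchored regex search and the score range is inclusive; the `Message` class, function names, header values and scores are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Values taken from the filter in the question; the model itself is an assumption.
AMP_HEADER = "X-AMP-Result"
AMP_PATTERN = re.compile(r"(?i)malicious")
URL_SCORE_RANGE = (-10.0, -6.0)

@dataclass
class Message:
    label: str
    headers: dict = field(default_factory=dict)
    url_scores: list = field(default_factory=list)  # one reputation score per URL

def condition_results(msg):
    """Evaluate each filter condition separately so the trigger is visible."""
    amp_hit = bool(AMP_PATTERN.search(msg.headers.get(AMP_HEADER, "")))
    low, high = URL_SCORE_RANGE
    url_hit = any(low <= score <= high for score in msg.url_scores)
    return {"amp_header": amp_hit, "url_reputation": url_hit}

def filter_matches(msg, apply_rule="any"):
    """apply_rule 'any' models 'If one or more conditions match'; 'all' models
    requiring every condition."""
    results = condition_results(msg).values()
    return any(results) if apply_rule == "any" else all(results)

def explain(msg, apply_rule="any"):
    """Return a one-line verdict naming the conditions that fired."""
    hits = [name for name, hit in condition_results(msg).items() if hit]
    matched = filter_matches(msg, apply_rule)
    action = "notify + duplicate-quarantine" if matched else "deliver"
    return f"{msg.label}: {action} (matched: {', '.join(hits) or 'none'})"

# Constructed sample messages, not taken from the thread.
SAMPLES = [
    Message("normal outgoing mail", {AMP_HEADER: "clean"}, [4.2]),
    Message("user forwarding a phish to report it", {AMP_HEADER: "clean"}, [-8.5]),
    Message("outgoing mail flagged by AMP", {AMP_HEADER: "Malicious"}, []),
]

if __name__ == "__main__":
    for rule in ("any", "all"):
        print(f"--- apply rule: {rule} ---")
        for sample in SAMPLES:
            print(explain(sample, rule))
```

Under the "any" rule the forwarded phishing report is quarantined on the URL reputation condition alone, which is the behaviour the answer describes. Under "all" it is delivered, but so is the AMP-flagged message, because it trips only one condition.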
