Cisco best practice to tackle phishing email that contain clickable URL

amahmud01 · ‎02-19-2017

Hi All,

I wonder if you can help me tackle the phishing emails contain clickable URLs what will be the best possibility in cisco email security best practice second thing how I can defang the URL so it can't be clickable and if user want to access the URL by copying it and putting it on the browser manually.

I look forward to hear from you.

Thanks.

Libin Varghese · ‎02-20-2017

Hi,

URL filtering enablement and best practices are mentioned in the below article.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html

Apart from URL filtering, anti-spam engine and outbreak filters too take into account any bad URL's present in the emails.

Thanks!

Libin Varghese

amahmud01 · ‎02-20-2017

Thnaks Libin, for the above URL, "take into account any bad URL's present in the emails." what do you mean by this statement.

and what about defanging mechanism for any Hypertext URL that comes with email planning to consider this also.

Libin Varghese · ‎02-20-2017

Hi,

The anti-spam and outbreak filter rules also prevent phishing emails based on suspicious URLs present in the emails. However, based on your requirement you would need to add content filters to defang URLs.

When an administrator configures a URL to be rewritten using the defang method the following is inserted into the URL rendering it inoperable, this can be done by using actions available in content filters based on URL reputation/URL category.

http://www.playboy.com becomes x-msg://1676/BLOCKEDwww.playboy.comBLOCKED

The end users email program may chose to hide the x-msg://1676 notations and simply display BLOCKEDwww.playboy.comBLOCKED

The user still sees the URL that was sent and can chose to copy and paste just the URL section into his/her browser but it is not a clickable link inside the email message.

Thanks!

Libin V

amahmud01 · ‎02-20-2017

Ok perfect this is what I meant do you have the step by step configuration guide for the defang method, I will be thankful.

Thanks.

Libin Varghese · ‎02-20-2017

Unfortunately, I do not have a complete guide as configuration varies depending on the end customer's requirement. Below are some steps that you may review.

Step 1: To enable URL filtering :

Go to web Interface - Security Services - URL filtering - Enable - Commit the changes.

Step2 :Now, create a filter to action on the results of URL filtering :

To create filter to use:

Hover over the "Mail Policies" tab and select "Incoming Content Filters"

Click on the "Add Filter..." button

Label, describe, and order accordingly

Click on the "Add Condition..." button

Select either the "URL Category" or "URL Reputation" conditions, or use both

Click on the "OK" button

Click on the "Add Action..." button
Select either the "URL Category" or "URL Reputation" actions, or use both, configure

Either:
-Defang URL (The URL will be modified to make it unclickable, but the message recipient will still be able to read the intended URL. Extra characters are inserted into the original URL.)

-Redirect to Cisco Security Proxy (The URL will be rewritten to pass through Cisco's Security Proxy for additional verification when clicked.

Based on Security Proxy's verdict, the user may not be able to access the site.)

-Replace URL with text message Click on the "OK" button "Submit/Commit Changes"

Once the filter is added you would need to enable that on one or all of your incoming mail policies.

Thanks!

Libin V

amahmud01 · ‎02-20-2017

Thanks Heaps I got the step by step configuration guide below is the URL.

https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/guide-c07-738015.pdf

Libin Varghese · ‎02-20-2017

Yes, that looks perfect.

Thank you for sharing the link.