ESA Contents Filter: Defang Rule not working

a.zahid
Level 1

Hi,

I have a defang rule for incoming email in Cisco cESA (as per the screenshot, just an example). There are times when incoming email hits the default policy and the defang rule takes action and defangs the URL inside the email, even though the domain of the sender is set to bypass (@hd.onmicrosoft.com).

I still think my configuration is correct but, just in case, can anyone give their insight on this, or any suggestion to make the rule not intermittent?

Thanks.

1 Reply

ppreenja
Cisco Employee
Hi,

For your requirement, I would suggest that instead of creating the filter, you can create a new policy for the particular domain (hd.onmicrosoft.com).

From the example filter shared, I can see that you are using a mail-from header "not equal to" check, which allows emails with different "mail-from" and "from" headers, and hence it might bypass. For example, any email with a mail-from header value of "abc@imposter.com" and a from header of "xyz@hd.onmicrosoft.com" will match this filter.

When you define a domain incoming mail policy, it will match the below three headers:

1) Mail-From
2) From
3) Reply-To

User matches are evaluated in a top-down fashion; first match wins.

Please check the article below for more details:
https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/212808-configure-flexible-mail-policy-match-fea.html

I hope the above information helps.

Cheers,
Pratham
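
The difference between the two checks described in the reply above, as an added Python sketch that is not part of the original thread and is not AsyncOS code: it models the content filter condition on the envelope sender only, next to a domain policy that looks at Mail-From, From and Reply-To. The policy name `HD-No-Defang`, the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

BYPASS_DOMAIN = "hd.onmicrosoft.com"              # domain from the thread
POLICIES = [("HD-No-Defang", BYPASS_DOMAIN)]      # hypothetical policy name, top-down order

# Constructed sample: envelope sender and From header disagree, as in the reply's example.
ENVELOPE_FROM = "abc@imposter.com"
SAMPLE = (
    "From: XYZ <xyz@hd.onmicrosoft.com>\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "See https://example.com/report\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none (e.g. a null sender)."""
    return addr.rsplit("@", 1)[1].strip("<> ").lower() if "@" in addr else ""

def header_domains(msg, name):
    """Domains of every address found in all occurrences of one header."""
    return [domain_of(a) for _, a in getaddresses(msg.get_all(name, []))]

def filter_defangs(envelope_from):
    """Content filter as described in the thread: mail-from != bypass domain -> defang."""
    return domain_of(envelope_from) != BYPASS_DOMAIN

def policy_match(envelope_from, raw_message, policies=POLICIES):
    """Simplified model of the reply: a policy's sender domain is compared with Mail-From,
    From and Reply-To; policies are walked top-down and the first match wins."""
    msg = message_from_string(raw_message)
    seen = [("Mail-From", [domain_of(envelope_from)]),
            ("From", header_domains(msg, "From")),
            ("Reply-To", header_domains(msg, "Reply-To"))]
    for policy_name, domain in policies:
        for source, domains in seen:
            if domain in domains:
                return policy_name, source
    return "Default Policy", None

if __name__ == "__main__":
    print("filter defangs:", filter_defangs(ENVELOPE_FROM))
    print("policy match:  ", policy_match(ENVELOPE_FROM, SAMPLE))
```

From and Reply-To values are supplied by the sending side, so a policy that exempts a domain from defanging on those headers is usually paired with SPF, DKIM and DMARC verification for that domain.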