cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3777
Views
10
Helpful
4
Replies

ESA URL filtering

sfk
Level 1
Level 1

Hi,

 

I received an email containing a phishing attack. 

When I examined the url in the mail, my e-mail address was also written in the url. This is often used in phishing attacks. When you go to the page, you will see that your e-mail address is written.

Despite this, ESA detected it as "noscore". If there is an e-mail address in the URL, I want to block the e-mail. can i do this?

 

 

Message 17896787 URL: hxxps://bostonsurveyors.co.uk/wp-inlcudes/ouhphils/cutidvedous/tremeodinos/refulusscox/attentionakls/XwErYxWqKxEwX.htm?ert=xxx@xxxx.xxx, URL reputation: noscore, Action: URL redirected to Cisco Security proxy.

1 Accepted Solution

Accepted Solutions

UdupiKrishna
Cisco Employee
Cisco Employee

You can use a message or content filter with body or attachment contains statement with a regex 

E.g. if the URL is - hxxps://bostonsurveyors.co.uk/wp-inlcudes/ouhphils/cutidvedous/tremeodinos/refulusscox/attentionakls/XwErYxWqKxEwX.htm?ert=xyz.efg@gmail.com

The following regex can be use to scan for the email pattern and block it - ^https:\/\/.*gmail.com

 

If would like to monitor/scan for multiple email domains, a regex like this can be used - ^https:\/\/.*@(gmail|cisco).com

Refer to the attached results from regex test which matches different email domains too.

View solution in original post

4 Replies 4

sfk
Level 1
Level 1

UdupiKrishna
Cisco Employee
Cisco Employee

You can use a message or content filter with body or attachment contains statement with a regex 

E.g. if the URL is - hxxps://bostonsurveyors.co.uk/wp-inlcudes/ouhphils/cutidvedous/tremeodinos/refulusscox/attentionakls/XwErYxWqKxEwX.htm?ert=xyz.efg@gmail.com

The following regex can be use to scan for the email pattern and block it - ^https:\/\/.*gmail.com

 

If would like to monitor/scan for multiple email domains, a regex like this can be used - ^https:\/\/.*@(gmail|cisco).com

Refer to the attached results from regex test which matches different email domains too.

Hi,

 

If the regex query checks the entire content, my legitimate emails are also blocked. I just have to run the regex query in URL filtering. How can I do it?

Depending on which condition was used, regex may scan entire content of the email. E.g. if you used message body and attachments, this regex will look to the entire email body attempting to match pattern/line that starts https. 

Without looking into the email content or the configuration, its hard to say the cause. However if i am to assume, it may also catch patterns like the attached screenshot

Screenshot 2022-03-31 at 10.30.35 AM.png

 

Which means any emails that contains https and an email ID later (not necessarily part of the URL) would get caught. The regex was just an example, but had to be tweaked according to your requirement.

 

However if you are to specifically match it against URL(s) and provided they don't generally contain spaces, a different regex can be used - https:\/\/\S*@gmail.com

As you can see in the image below, the content with spaces no longer match.

Screenshot 2022-03-31 at 10.34.41 AM.png

 

I would generally recommend the action to quarantine over drop, this way you can always release emails if there are any false positives.