03-24-2022 08:08 AM
Hi,
I received an email containing a phishing attack.
When I examined the url in the mail, my e-mail address was also written in the url. This is often used in phishing attacks. When you go to the page, you will see that your e-mail address is written.
Despite this, ESA detected it as "noscore". If there is an e-mail address in the URL, I want to block the e-mail. Can I do this?
Message 17896787 URL: hxxps://bostonsurveyors.co.uk/wp-inlcudes/ouhphils/cutidvedous/tremeodinos/refulusscox/attentionakls/XwErYxWqKxEwX.htm?ert=xxx@xxxx.xxx, URL reputation: noscore, Action: URL redirected to Cisco Security proxy.
03-27-2022 06:07 PM
You can use a message or content filter with body or attachment contains statement with a regex
E.g. if the URL is - hxxps://bostonsurveyors.co.uk/wp-inlcudes/ouhphils/cutidvedous/tremeodinos/refulusscox/attentionakls/XwErYxWqKxEwX.htm?ert=xyz.efg@gmail.com
The following regex can be used to scan for the email pattern and block it - ^https:\/\/.*gmail.com
If you would like to monitor/scan for multiple email domains, a regex like this can be used - ^https:\/\/.*@(gmail|cisco).com
Refer to the attached results from regex test which matches different email domains too.
03-26-2022 03:08 AM
03-30-2022 09:01 AM
Hi,
If the regex query checks the entire content, my legitimate emails are also blocked. I just have to run the regex query in URL filtering. How can I do it?
03-30-2022 10:08 PM
Depending on which condition was used, regex may scan the entire content of the email. E.g. if you used message body and attachments, this regex will look at the entire email body attempting to match a pattern/line that starts with https.
Without looking into the email content or the configuration, it's hard to say the cause. However, if I am to assume, it may also catch patterns like the attached screenshot.
Which means any email that contains https and an email ID later (not necessarily part of the URL) would get caught. The regex was just an example, but has to be tweaked according to your requirement.
However if you are to specifically match it against URL(s) and provided they don't generally contain spaces, a different regex can be used - https:\/\/\S*@gmail.com
As you can see in the image below, the content with spaces no longer matches.
I would generally recommend the action to quarantine over drop, this way you can always release emails if there are any false positives.
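The two regexes discussed in this thread, run side by side over constructed sample messages, as an added example that is not part of the original thread or of Cisco's ESA product. It shows why the first answer's `^https:\/\/.*gmail.com` also fires on a legitimate mail that merely mentions a Gmail address after a URL, and why the tightened `https:\/\/\S*@gmail.com` only fires when the address is inside the URL itself. A third pattern, `ANY_EMAIL_IN_URL`, is an assumed generalisation (not from the thread) that matches any e-mail-shaped value in a URL query string regardless of domain; the `re.MULTILINE` flag is likewise an assumption used so that `^` behaves per line, approximating a line-based content-filter scan. The sample texts and the `example.invalid` hostnames are constructed.

```python
import re

# Pattern from the first answer: anchored to the start of a line, ".*" spans
# anything (including spaces), so "https" at line start + "gmail.com" anywhere
# later on that line is enough to match.
BROAD = re.compile(r"^https:\/\/.*gmail.com", re.MULTILINE)

# Tightened pattern from the second answer: "\S*" cannot cross whitespace, so
# "@gmail.com" must sit inside the same non-space run as the URL.
URL_ONLY = re.compile(r"https:\/\/\S*@gmail.com")

# Assumed generalisation (not from the thread): any "key=user@host.tld" value in
# a URL query string, whatever the mail domain. The dot before the TLD is
# escaped so it only matches a literal ".".
ANY_EMAIL_IN_URL = re.compile(r"https?://\S*[?&]\w+=[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample message bodies (not real mail).
SAMPLES = {
    # Phishing-style link carrying the recipient's address in the query string.
    "phish": (
        "Please verify your account:\n"
        "https://example.invalid/page.htm?ert=xyz.efg@gmail.com\n"
    ),
    # Legitimate mail: a URL at line start, then a Gmail address in plain text.
    "unrelated_mention": (
        "https://shop.example.invalid/order/123 was shipped. "
        "Contact me at alice@gmail.com if needed.\n"
    ),
    # Legitimate mail with a URL and no e-mail address at all.
    "legit": "Hi team, the report is at https://docs.example.invalid/q1.pdf, thanks.\n",
    # Same phishing shape but with a non-Gmail address in the URL.
    "other_domain": "https://example.invalid/x.htm?ert=bob@cisco.com\n",
}


def classify(text: str) -> dict:
    """Return which of the three patterns fires on the given message text."""
    return {
        "broad": BROAD.search(text) is not None,
        "url_only": URL_ONLY.search(text) is not None,
        "any_email_in_url": ANY_EMAIL_IN_URL.search(text) is not None,
    }


def run_samples() -> dict:
    """Classify every constructed sample; keys are the sample names."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18s} {result}")
```

The `unrelated_mention` row is the false positive the original poster hit: `BROAD` fires on it, `URL_ONLY` does not. Note that the thread's patterns leave the dot in `gmail.com` unescaped, so it matches any single character there; escaping it (`gmail\.com`) is the usual tightening before deploying such a rule, and quarantining rather than dropping keeps recovery possible if the pattern still over-matches.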