
Filter From Header

rab ngl
Level 1

Hello,

 

Some of my users received a phishing email; the email looks like the one below.

 

From: my-domain.com <admin@bad-domain.com>

 

Is there a way that we can filter the "From: my-domain.com" in the Content Filter?

 

Thanks.

2 Replies

Libin Varghese
Cisco Employee

You can certainly use the "Other Header" condition available under content filter.

 

Header Name: From

Condition: Contains

Value: my-domain.com

 

If you would like to look at only the start of the header, the value can be preceded with "^", which signifies "begins with" in regex terms.

 

^my-domain.com = begins with my-domain.com

Using just my-domain.com essentially looks for this value anywhere in the From header value.

 

Regards,

Libin Varghese

Hi,

 

- make a new Dictionary with your company-domains inside (match whole words).

- make a new Incoming Content Filter like "detect from spoof"

- Condition: Other Header, Header Name: From, Header value contains term in content dictionary -> your new Dictionary (with domains)

- second condition: Envelope Recipient: Contains term in content dictionary -> your new Dictionary (with domains)

- IMPORTANT: Conditions -> Apply rules "Only if ALL conditions match"

- make a new Action: to suit your needs... I would mark them as spam in the first step to test the rules for false positives.

 

I suggest making a second Content Filter for mails spoofed in both the "From" and SMTP-Sender fields, like:

From: my-domain.com <admin@my-domain.com>

You will get these nasty spoofs too.

 

Same actions as above, but additionally:

- make a third condition: Envelope Sender: Contains term in content dictionary -> your new Dictionary (with domains)

- don't forget: Conditions -> Apply rules "Only if ALL conditions match"

 

Regards.

Andreas Schreiber
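
The conditions from both replies, modelled offline as an added example (not part of the thread, and not appliance filter syntax). It uses Python's `re` semantics; the `COMPANY_DOMAINS` list, the function names, the whole-word rule and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: stand-in for the content dictionary of company domains.
COMPANY_DOMAINS = ["my-domain.com"]

def contains_company_domain(value):
    """'Contains term in content dictionary' as a whole-word, case-insensitive match."""
    return any(
        re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", value, re.IGNORECASE)
        for d in COMPANY_DOMAINS
    )

def begins_with_company_domain(value):
    """The '^my-domain.com' variant: match only at the start of the header value."""
    return any(re.match(re.escape(d), value, re.IGNORECASE) for d in COMPANY_DOMAINS)

def detect_from_spoof(from_header, envelope_recipient):
    """First filter: From header AND envelope recipient both hit the dictionary."""
    return (contains_company_domain(from_header)
            and contains_company_domain(envelope_recipient))

def detect_from_and_sender_spoof(from_header, envelope_sender, envelope_recipient):
    """Second filter: as above, plus the envelope sender hits the dictionary."""
    return (detect_from_spoof(from_header, envelope_recipient)
            and contains_company_domain(envelope_sender))

# Constructed sample messages: (From header, envelope sender, envelope recipient)
SAMPLES = [
    ("my-domain.com <admin@bad-domain.com>", "admin@bad-domain.com", "user@my-domain.com"),
    ('"my-domain.com" <admin@bad-domain.com>', "admin@bad-domain.com", "user@my-domain.com"),
    ("my-domain.com <admin@my-domain.com>", "admin@my-domain.com", "user@my-domain.com"),
    ("Alice <alice@example.org>", "alice@example.org", "user@my-domain.com"),
]

if __name__ == "__main__":
    for from_header, sender, rcpt in SAMPLES:
        print(f"{from_header!r}: "
              f"begins_with={begins_with_company_domain(from_header)} "
              f"filter1={detect_from_spoof(from_header, rcpt)} "
              f"filter2={detect_from_and_sender_spoof(from_header, sender, rcpt)}")
```

In the second sample the display name is quoted, so the start-anchored match misses it while the "contains" match still fires; an anchored value is worth testing against both forms before relying on it.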

 
