Cisco Secure Email Support Community

stadlmeierroland
Beginner

Links to malicious URLs inside PDF attachments

Hello,

we see an increasing count of PDF attachments which contain links to malicious URLs. All security measures fail.

AMP doesn't scan/upload the PDF because of non-existing active/dynamic contents.

Is there any way to detect such URLs inside of PDF attachments?

 

Thank you!

Roland

3 REPLIES
Ramanjaneya Devi Madem
Cisco Employee

Could you please share such a PDF for us to analyze?

 

Configuring the URL filtering feature with Content Filter can help here.  

 

Thanks & Regards,

Rama 

 

 

 

ppreenja
Cisco Employee

Hello,

Advanced Malware Protection is an anti-malware tool. It is not designed to catch phishing documents. AMP is only concerned with files that have active/dynamic content that could contain a virus. A flat PDF with a link in it is not going to be uploaded for File Analysis. Even if it is uploaded to ThreatGrid for File Analysis sandboxing, the sandbox is not designed for phishing documents; it is designed for active malware content. AMP does provide some limited protection against phishing documents. There are other data sources that AMP pulls from other than File Analysis for making convictions. AMP may be able to get a conviction on a phishing file through one of those other sources or from manual intervention.

The ESA did add a feature in 11.1.x to address phishing links in documents. This would allow the existing URL filtering engine to scan for malicious URLs inside of documents. You can see the addition of this new feature in the release notes below.
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa11-1/ESA_11-1_Release_Notes.pdf

I hope the above information is helpful!

Cheers,
Pratham
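
As an added illustration (not part of the thread and not Cisco's implementation), the sketch below shows why a "flat" PDF can still carry a link: the target sits in a `/URI` action, either in the clear or inside a Flate-compressed stream, and it can be extracted and checked against a host list. The function names, the host list and the sample PDF bytes are assumptions constructed for this example.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI (literal) or /URI <hex>: the target of a PDF link-annotation action.
# Simplification: literal strings with unescaped nested parentheses are missed.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)


def extract_pdf_uris(data: bytes) -> list[str]:
    """Return URI action targets from raw PDF bytes and Flate-compressed streams."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # Link annotations are often packed into compressed object streams
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter, encrypted): skip
    found: list[str] = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            if m.group("lit") is not None:
                # Drop the backslash from escapes such as \( \) \\
                raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"), flags=re.S)
            else:
                digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
                raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
            uri = raw.decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def flag_urls(data: bytes, bad_hosts: set[str]) -> list[str]:
    """URIs whose host is in bad_hosts (stand-in for a URL reputation lookup)."""
    return [u for u in extract_pdf_uris(data)
            if (urlsplit(u).hostname or "") in bad_hosts]


def sample_pdf() -> bytes:
    """Constructed sample: one plain link, one hex link inside a Flate stream."""
    plain = (b"4 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (http://phish.example/login\\(1\\)) >> >>\nendobj\n")
    packed = zlib.compress(b"<< /S /URI /URI <687474703A2F2F6F6B2E6578616D706C652F> >>")
    stream = (b"5 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
              + packed + b"\nendstream\nendobj\n")
    return b"%PDF-1.5\n" + plain + stream + b"%%EOF\n"
```

Streams that use other filters or encryption are skipped by this sketch, so an empty result does not prove a PDF is free of links.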

Hello stadlmeierroland,

The following information is not widely known yet, as the ESA is still going through the phases of beta testing for the new changes. Look for the 13.5.1 release in about 2 months.
ESA and TALOS have performed a major redesign of multiple functions within the ESA, with phishing detection as a central focus, in addition to overall improvement to TALOS services.

Telemetry has transitioned to Service Logs and is heavily leveraged to make TALOS services more dynamic and allow more rapid responses to capture new malicious content.


Service Logs redesigned and more efficient.
SBRS improvements.
URL Filtering improvements.
Outbreak Filters has a new enhanced cloud process, completely offbox cloud sourced, of which the focus is phishing.

########### there are a few comments about phishing enhancements/improvements
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa13-5/ESA_13-5_Release_Notes.pdf
###########
The LD release is a closed release at this time and may not be available for everyone.
The next 13.5.1 release will be a General Release Version within a couple months and will include this functionality.

Thx,
Chris
