Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1664
Views
5
Helpful
3
Replies

Links to malicious URLs inside PDF attachments

stadlmeierroland
Level 1
Level 1

‎03-20-2020 12:34 AM

Hello,

we see an increasing count of PDF attachments which contain links to malicious URLs. All security measures fail.

AMP doesn't scan/upload the PDF because of non-existing active/dynamic contents.

Is there any way to detect such URLs inside of PDF attachments?

 

Thank you!

Roland

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Ramanjaneya Devi Madem
Cisco Employee
Cisco Employee

‎03-20-2020 07:59 AM

Could you please share such a PDF for us to analyze. 

 

Configuring the URL filtering feature with Content Filter can help here.  

 

Thanks & Regards,

Rama 

 

 

 

0 Helpful

ppreenja
Cisco Employee
Cisco Employee

‎03-22-2020 12:42 AM

Hello,

Advanced Malware Protection is an anti-malware tool. It is not designed to catch phishing documents. AMP is only concerned with files that have active/dynamic content that could contain a virus. A flat pdf with a link in it is not going to be uploaded for File Analysis. Even if it is uploaded to ThreatGrid for File Analysis sandboxing, the sandbox is not designed for Phishing documents it is designed for active malware content. AMP does provide some limited protection against phishing documents. There are other data sources that AMP pulls from other than File Analysis for making convictions. AMP may be able to get a conviction on a phishing file through one of those other sources or from manual intervention.

The ESA did add a feature in 11.1.x to address phishing links in documents. This would allow the existing URL filtering engine to scan for malicious URLs inside of documents. You can see the addition of this new feature in the release notes below.
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa11-1/ESA_11-1_Release_Notes.pdf

I hope the above information is helpful!

Cheers,
Pratham
0 Helpful

charella
Cisco Employee
Cisco Employee
In response to ppreenja

‎03-24-2020 09:57 AM

Hello stadlmeierroland,

The following information is not widely known yet, as the ESA is still going through the phases of beta testing for the new changes. Look for 13.5.1 release in about 2 months.
ESA and TALOS have performed major redesign of how multiple functions within the ESA, with phishing detection as a central focus in additional to overall improvement to TALOS services.

Telemetry has transitioned to Service Logs and is heavily leveraged to make TALOS services more dynamic and allows a more rapid responses to capture new malicious content.


Service Logs redesigned and more efficient.
SBRS improvements.
URL Filtering improvements.
Outbreak Filters has a new enhanced cloud process, completely offbox cloud sourced, of which the focus is phishing.

########### there are a few comments about phishing enhancements/improvements
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa13-5/ESA_13-5_Release_Notes.pdf
###########
The LD release is a closed release at this time and may not be available for everyone.
The next 13.5.1 release will be a General Release Version within a couple months and will include this functionality.

Thx,
Chris

Customers Also Viewed These Support Documents