3296 Views, 0 Helpful, 7 Replies

Phishing e-mails coming in, going out...

Jason Meyer
Level 1

For the past twelve months I have seen an increase in phishing e-mails that are coming into our environment from external senders; yes, they are being scanned for SPAM by our C670s and are consistently getting missed. We also have internal accounts that are getting compromised (probably due in some part to all these phishing e-mails that are getting through the Cisco appliances) and then begin to send phishing e-mails OUT of our environment; yes, these are also being scanned.

I've reported this to Cisco and the answer was: are your appliances scanning them? Answer: yes. Are you reporting the missed ones to spam@access.ironport.com? Answer: yes.

I have so many custom filters built to block these phishing e-mails that it's starting to consume too much of my time, and quite honestly, this is what we paid Cisco to block automatically.

Anyone else seeing an upward trend in phishing e-mails getting through the appliances?

I'm getting tired of blocking them with manually created content filters.

My question: if I report e-mails that came from within my environment but were blocked by my custom filters, will this negatively impact my own reputation score? I need these e-mails blocked automatically by the SPAM definitions.

OK, sorry. Anyone have any advice? Any input would be appreciated.

Jason

7 Replies

Starla Rivers
Level 1

Ditto.

And our manually created content filters only work for one campaign; the next week there is a minor modification and the filters don't work. So the work never ends.

We sent out an education piece to our staff again to remind them to NEVER give up their credentials, and the very next work day 4 did, so we have the same reputation score concern. We have instituted alerts so that we can block and flush the outbound queue as a response strategy, but we would like to see a better prevention strategy.

Star

Valter Da Costa
Cisco Employee

Jason,

It seems you are seeing an important issue, so I wanted to advise you to:

Submit a support ticket;

Attach the backup (in xml) of the current configuration of your inbound appliance;

Submit recent samples and note in the ticket that you did so, giving the Engineer the list of Subjects for the missed spam you just submitted;

Provide Message Tracking, showing the message was indeed scanned by the device;

Attach the week/month Overview report. This will allow both you and the Engineer to understand the volume of mail being processed;

Ask the engineer to review the configuration and recommend changes in order to improve catch rate;

I would say do the above for recurrent missed spam first. I would say, start reporting/working with the top 10 most recent missed spams.

If you are interested, and I highly recommend it, you can ask for assistance to set up Spam Traps. This will allow your environment to automatically report real spam to our systems, which will be beneficial for both you and all our other customers.

Hope this helps.

-Valter

Jason Meyer
Level 1

Valter, first, thanks for the response.

I have had a Cisco Engineer look at the configuration file and at a list of missed SPAM that I have submitted; it was verified that it is being scanned for SPAM by the appliance, and after many hours of verifying that all is correct, the suggestion was to create custom filters.

We also already have a honeypot domain set up that isn't used for any legitimate e-mail and routes all e-mails received to Cisco for review.

My post was more to other IronPort customers to see if they are also seeing a trend in phishing attempts being missed by the IronPort appliances. My opinion is that Cisco needs to up their game in looking at these phishing e-mails and blocking them automatically.

I'll work on getting the SPAM Quarantine feature rolled out to all of my users; then I can lower the thresholds on the SPAM filtering policies, and if something legitimate gets blocked, the user can still retrieve it on their own.

Do the Outbreak filters do anything for phishing e-mails or is that just virus filtering?

Again, thank you for the thoughts; if I have a few hours to run through the steps you provided, I will.

Also, if you can, check for missed PHISH submissions from my e-mail address; I've done 195 submissions (mostly phishing e-mails) in the past 2 months, reported with Cisco's 7.2 Outlook plugin.

Don't forget: you can also submit missed/suspected phishing emails directly to:

phish@access.ironport.com

This will help classify the reports appropriately.

To answer your questions in the last posting:

> Do the Outbreak filters do anything for phishing e-mails or is that just virus filtering?

The VOF filters do add another layer of scanning and rulesets that will help with spam/phish.

One key thing to remember is that Sophos and McAfee do not recognize phishing/URL threats. IPAS (IronPort Anti-Spam) does scan, but its rulesets are not always phishing-aware. To fully combat phishing, we recommend having VOF purchased and enabled. VOF can also be used and integrated with sender rate limiting, which will help reduce the collateral damage caused by compromised accounts.

General overview of what VOF brings to the table:

Phishing and URL based threat detection
• In addition to existing viral attachment protection
• Uses IPAS (CASE) for scanning

Dynamic quarantine retention time
• CASE returns a recommended retention time
• Max retention settings can override recommended
• Retention overrides for Viral and Other threats

Outbreak Quarantine Rescans
• Viral threats rescanned after TOC/AV rule updates
• Other threats rescanned after a CASE recommended interval
• CASE rescans catch short-lived phishing attacks

URL modification
• Re-write URLs to use a web security proxy
• ScanSafe and SecApps working together
• Signed messages can be preserved
• Domain bypass list
• Supports IPv4 & IPv6 literal/CIDR, hostnames, partial domains

Disclaimers
• Warn that message is a potential threat
• System generated disclaimer or custom text resource
• Threat level, category, type, description available for substitution
• Disclaimer added to the top of the message

Subject Modification
• Warn that the message has been modified
• Prepend/Append just like AS and AV

> can check for submitted missed PHISH from my e-mail address, I've done 195 submissions (mostly phishing e-mails) in the past 2 months.

I did a review of submissions from your email address, and see the following:

Sept: 30 messages submitted to NewOutlookPhish.
Oct: 47 messages submitted to NewOutlookPhish.

Hope that helps!

-Robert
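The URL-rewriting, domain-bypass-list and subject-modification behaviour listed in the reply above, as an added illustration in Python. This is example code written for this thread, not Cisco's VOF/CASE implementation; the proxy URL, the bypass entries, the warning tag and the sample message body are constructed assumptions. It shows the matching rules a bypass list has to get right: a CIDR entry matches an address literal in the URL (IPv4 or IPv6), a leading-dot partial domain matches subdomains but neither the bare domain nor a look-alike suffix, and a hostname entry matches only itself.

```python
"""Illustrative URL rewriting with a bypass list and subject tagging.

Example code for this thread; not Cisco's implementation. PROXY, the bypass
entries, the subject tag and the sample body are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import quote, urlsplit

# Constructed proxy endpoint (assumption; not a real Cisco/ScanSafe URL).
PROXY = "https://secure-web.example-proxy.test/click?u="

# Matches http(s) URLs in a text body; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host_of(url: str) -> str:
    """Lower-cased host of a URL; IPv6 literals come back without brackets."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def in_bypass_list(url: str, bypass: list) -> bool:
    """True if the URL's host matches a bypass entry.

    Entry forms (the same kinds the reply lists):
      IPv4/IPv6 literal   10.1.2.3, 2001:db8::1
      IPv4/IPv6 CIDR      10.0.0.0/8, 2001:db8::/32
      exact hostname      intranet.example.com
      partial domain      .corp.example (any subdomain; not corp.example itself
                          and not notcorp.example)
    """
    host = _host_of(url)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an address literal
    for entry in bypass:
        entry = entry.strip().lower()
        if not entry:
            continue
        # An address literal parses as a /32 or /128 network, so one path covers both.
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None:
            if ip is not None and ip in net:  # version mismatch simply yields False
                return True
            continue
        if entry.startswith("."):
            if host.endswith(entry):  # label boundary enforced by the leading dot
                return True
        elif host == entry:
            return True
    return False


def rewrite_urls(body: str, bypass: list) -> str:
    """Send every http(s) URL not on the bypass list through the proxy."""
    def _sub(m):
        url = m.group(0)
        if in_bypass_list(url, bypass):
            return url
        return PROXY + quote(url, safe="")
    return URL_RE.sub(_sub, body)


def prepend_subject(subject: str, tag: str = "[POSSIBLE PHISHING]") -> str:
    """Prepend a warning tag once; re-scanning the same message must not stack tags."""
    return subject if subject.startswith(tag) else f"{tag} {subject}"


if __name__ == "__main__":
    # Constructed bypass list and body for the demonstration.
    BYPASS = ["10.0.0.0/8", "2001:db8::/32", ".corp.example", "intranet.example.com"]
    body = ("Policy: https://intranet.example.com/policy and http://[2001:db8::10]/ok "
            "then click http://ow.ly/lrzJ30gaYS5")
    print(rewrite_urls(body, BYPASS))
    print(prepend_subject("Your account has been disabled"))
```

The partial-domain rule is the one most often got wrong: matching on a plain suffix string would let notcorp.example slip through a ".corp.example" entry, so the leading dot is kept in the comparison.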

Iggy
Level 1

One of our users received an email from messenger@webex.com/64.68.x.x (don't want to expose the full IP... I can see webex messages coming from that range of IPs) advising that the user's online bank account has been disabled, with a phishing link "ow.ly/lrzJ30gaYS5". We do allow webex.com, and thankfully the user was vigilant enough to report it to us.

Iggy, from the /16 you revealed I can see five blocks in the SPF for WebEx that might match, suggesting that the mail was genuine. I presume this means that WebEx accounts can be exploited if the credentials are swiped. Would you say your sample was bulk or spear?

To answer Jason's original question: yes, we're seeing more phish here too, mostly very low-grade banking scams that really aren't going to get any traction. Hacked (SFA?) O365 accounts are much more of a danger, though the attackers mostly get their lines wrong...

Thank you. Since it came from Webex it was delivered. Looks like spear phishing. The filter is supposed to check URLs, but does not seem to work all the time. We monitor the email filters often and have internal alerts on mass mail delivery. It was the contents inside the email that caught my attention: I don't think Bank of America ("https://www.bankofamerica.com/closed.ID/banking.go?channel=locked", with the embedded link being ow.ly/lrzJ30gaYS5) uses Webex Messenger. Happy for the user who did the right thing.