Phishing emails integration between ESA and Exchange ?

pvinay2004

I would like to understand what solutions/integrations are available with ESA for the questions below.

1. Retrospective email response from an Exchange mailbox, if a false negative email is delivered through ESA?

2. Suspicious email reporting by end-users?

Accepted Solutions

Hello there,

Indeed, MAR allows the ESA to take action on emails whose attachment was previously determined benign and retrospectively classified as malicious. Integration can be done with both Office 365 and on-premises Exchange. Here is a good article explaining how the integration is done and going into deeper detail about the process: cisco.com/c/en/us/support/docs/security/email-security-appliance/211404-How-to-configure-Azure-AD-and-Office-365.html.

About the message tracking remediation, you may take a look at Search and Remediate, which allows you to take action on emails displayed in message tracking without waiting for a retrospective verdict from AMP. Here is more information about this: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_010101.html#con_1096601

Hope it helps.

Cheers. 

José L. Dávila

8 Replies

So... "retrospective phishing" as a determination to pull a mail back from a mailbox doesn't exist in currently released ESAs. It's in version 15, currently in beta.
And mail reported by users isn't automatically pulled back either.
You can search and remediate that mail yourself, or use SecureX and Orchestration to build a workflow to do that... you would probably want an approval process to do that remediation. You know you'll have users misreport something that shouldn't be remediated.

Thanks Ken for taking time to answer my question.

However, I need clarification on MAR (Mailbox Auto Remediation) under the AMP module in ESA. My understanding is that "ESA can integrate with on-prem Exchange and O365 Exchange to pull the AMP false negative emails".

Also, from Message Tracking in the new ESA portal on port 4431, we can manually pull/quarantine the emails from on-prem Exchange and O365 Exchange.

Response on these will be highly appreciated. Many thanks.

Thanks Jose for the clarification. One last question: can an "on-prem virtual ESA" be integrated with Exchange to pull the malicious emails, or only Cloud ESA?

Hello,

Yes, you can integrate a virtual ESA based on-prem with MAR.

Cheers.

José L. Dávila

MAR: As mail flows through, AMP on the ESA scans the attachments. If an attachment that scanned clean is later marked bad by AMP, the ESA can go remove it from the destination mailbox.

Search and Remediate: you can search in tracking for mail that passed through the ESA and tell the ESA to remove it from the mailbox.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214976-esa-13-0-new-mailbox-auto-remediation-fe.html

Hi Ken - Can an "on-prem virtual ESA" be integrated with Exchange to pull the malicious emails, or is it only possible with Cloud ESA?

Yes. On-prem VMs can do it.