problem with shortening services in phishing mails

Hi,

we are experiencing an increase in phishing mails containing shortened links from services like bit.ly, tinyurl.com or any other self-hosted solution.

The ESA does a lookup only with the shortening service website which is mostly neutral and therefore delivers the message.

I found the bug to this issue here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva56442/?reffering_site=dumpcr

Is there any way to filter those shortening services?

thank you

Accepted Solution

Participant

Have you tried setting up a filter just to log* the key details of mails featuring suspect URL domains?

It's arguable that URL shortening is for use in dead-tree (print) and SMS, and has no place in e-mail. If you see very little legitimate traffic being detected then you may be in a position to de-fang anything that matches. Of course, the numbers may show otherwise.

* logging the URL itself may not be good advice - I have a recollection of a bug that triggered when something complex hit the logging action. I personally keep samples to defend my rules, so am typically quarantining instead.

Cisco Employee

Hello,

The defect you listed doesn't mention a workaround, however, I would probably suspect that you could try setting up a Content Filter to either search for a condition of the shortened URL in the message body, or if you're seeing those URLs attached to a certain category then add a condition of that category. Then from there you can take action based on your needs.

Thanks!

-Dennis M.
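An offline illustration of the filter condition both replies describe, added here as example code that is not part of this thread and not ESA configuration: it extracts URLs from a message body, matches their hosts against a list of shortening-service domains, and records only the key details (sender, subject, matched hosts, link count) rather than the full URL, as the accepted answer suggests. The domain list and the sample message are constructed; a self-hosted shortener can only be caught by adding its domain to the list by hand.

```python
import re
from email import message_from_string
from typing import List, Optional

from urllib.parse import urlparse

# Constructed list of public shortening services (assumption: extend it with
# any self-hosted shortener you see, since those cannot be recognised generically).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com"}

# Crude but serviceable URL extractor for plain-text bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def shortener_hosts(body: str) -> List[str]:
    """Return the hostname of every link whose host is a listed shortener
    domain or a subdomain of one (e.g. www.bit.ly)."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS):
            hits.append(host)
    return hits


def key_details(raw_message: str) -> Optional[dict]:
    """Build the log record: sender, subject and matched shortener hosts,
    deliberately without the full URLs. Returns None when nothing matched."""
    msg = message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    # Only text/plain parts are scanned; HTML bodies would need unescaping first.
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )
    hosts = shortener_hosts(body)
    if not hosts:
        return None
    return {
        "from": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "shortener_hosts": sorted(set(hosts)),
        "link_count": len(hosts),
    }


# Constructed sample message using the reserved .invalid TLD and a placeholder path.
SAMPLE_MESSAGE = """\
From: accounts@example.invalid
To: user@example.invalid
Subject: Your invoice is ready

Please review your invoice at https://bit.ly/EXAMPLEID before Friday.
Questions? See http://support.example.invalid/help
"""
```

Running `key_details(SAMPLE_MESSAGE)` yields a record with `shortener_hosts == ["bit.ly"]`, which is the kind of entry to count before deciding whether to move from logging to quarantining.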