
Special treatment for new sender incoming

sysresuem
Level 1

Hi,

More and more often I have legitimate domains which are compromised.
These domains have never been used to send email to my company before.

Now attackers send email from these domains with a phishing link to me.
Cisco security proxy did not detect that it was a phishing email, but that is another problem.

Is there a way to apply a special treatment on Cisco ESA to these "new incoming senders", like putting a special header message for users?

The obvious solution is to create a content filter with a list of exclusions for top known domains, but it seems hard to keep up to date and dirty.

3 Replies

So these are "new to you" domains... I think Email Threat Defense (used to be Cloud Mailbox Defense, cloud native, O365 only, based on journaling mail to Cisco) has a detection for this.
I think they're planning on making some of those cloud detections available to CES/ESA somehow in the future, but I haven't seen an actual roadmap.

Antonius
Level 1

You could take a look at the SenderBase reputation score (https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117919-technote-cdc-00.html) and make a content filter for a certain range of scores, so you could add a disclaimer text to the emails.

sysresuem
Level 1

Thanks for your answers.
Yes, it could be smart to add a disclaimer for "poor" reputation.
Unfortunately, I still have users who opened clearly bad attachments with a disclaimer message...

For the SBRS, is there a view to see the distribution of this score? There is for the domain reputation score but not for SBRS.
I need to know what percentage of my incoming mails will be affected by the disclaimer.

Guillaume
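
An added example, not part of the thread and not Cisco tooling: one way to estimate how much traffic an SBRS-based disclaimer filter would touch is to tally the scores recorded in exported ESA mail logs. The log line shape, the sample lines and the -3.0 to -1.0 "poor" range are assumptions to adapt to your own appliance.

```python
import math
import re
from collections import Counter

# Assumed mail_logs shape for connection lines (verify against your own logs):
#   ... ICID <id> <ACTION> SG <sender group> match <rule> SBRS <score>
ICID_RE = re.compile(r"ICID (\d+) (ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+) match .*? SBRS (\S+)")

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = """\
Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 198.51.100.7
Info: ICID 1001 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.5
Info: ICID 1002 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Info: ICID 1003 REJECT SG BLOCKED_LIST match sbrs[-10.0:-3.0] SBRS -7.4
Info: ICID 1004 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Info: ICID 1005 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -1.5
Info: ICID 1006 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 0.7
Info: ICID 1007 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.2
Info: ICID 1008 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.8
Info: ICID 1009 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.0
"""

def accepted_scores(lines):
    """Scores of accepted connections; None when the log shows no numeric score."""
    scores = []
    for line in lines:
        m = ICID_RE.search(line)
        if m and m.group(2) == "ACCEPT":
            try:
                scores.append(float(m.group(4)))
            except ValueError:
                scores.append(None)
    return scores

def distribution(lines, bucket=1.0):
    """Histogram of accepted connections keyed by the lower edge of each bucket."""
    counts = Counter()
    for s in accepted_scores(lines):
        counts["none" if s is None else math.floor(s / bucket) * bucket] += 1
    return counts

def share_in_range(lines, low, high):
    """Percentage of accepted connections whose SBRS lies in [low, high].
    SBRS is scored per connection (ICID), so this approximates the share of mail."""
    scores = accepted_scores(lines)
    hits = sum(1 for s in scores if s is not None and low <= s <= high)
    return 100.0 * hits / len(scores) if scores else 0.0

if __name__ == "__main__":
    print(sorted(distribution(SAMPLE_LOG.splitlines()).items(), key=str))
    print(share_in_range(SAMPLE_LOG.splitlines(), -3.0, -1.0))
```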