URL phishing test

Lemat
Level 1

In ESA I would like to have the following filter: scan for URLs in the message body. If the URL contains a specific word (or matches a regular expression), e.g. for the word "company" it would match https?://example.company.test, https?://example-company.test. Then exclude URLs from a "trusted" list, e.g. *.company.com, *.company.net. So:

if (URL match regular expression) AND (URL does not match trusted list) then ...

I would prefer to avoid constructing negative lookahead (?!pattern) on message body.

Any hints?


That feels like you're trying to use a URL whitelist? For content filters that's built into the ESA.

Under Mail Policies/URL List create your list.

Then in the content filters any of the URL-based filter conditions and actions allow you to pick a URL list as a whitelist, so the filter actions only apply to URLs that aren't in the trusted list...

Message filters also support the URL list feature...


Also it sounds like you think you need to test your excluded URLs against the mail body??? but you don't...

You wrote this:

if (URL match regular expression) AND (URL does not match trusted list) then ...


I'm reading it as

Find a URL that matches. Check the URL against the trusted list... (MUCH SMALLER than the mail body...)

???

It also sort of depends upon what you're trying to do with the mail next...

It may be that you're trying something more complex... so you might need to put your trusted list in a dictionary instead... but th

Find a URL, check $matchedcontent against a dictionary instead of checking to make sure the dictionary terms aren't in the email.
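Added example, not from this thread or from Cisco's ESA: the "find a URL, then check the matched URL against the trusted list" logic from the reply above, written out in Python. The pattern is applied only to the extracted host, and the trusted list is a domain-suffix check, so no negative lookahead over the whole body is needed. The trusted list, the lookalike pattern and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the ESA URL list ("trusted" domains from the question).
TRUSTED_DOMAINS = ("company.com", "company.net")

# Constructed lookalike pattern: the company name anywhere in the host.
LOOKALIKE = re.compile(r"company", re.IGNORECASE)

# Finds http/https URLs in a body; stops at whitespace, angle brackets, quotes, ')'.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Suffix match: *.company.com is trusted, company.com.evil.test is not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def extract_urls(body):
    """Step 1 of the reply: pull the URLs out of the message body."""
    return URL_RE.findall(body)


def suspicious_urls(body):
    """Step 2: keep only matched URLs whose host is NOT on the trusted list."""
    hits = []
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        if LOOKALIKE.search(host) and not is_trusted(host):
            hits.append(url)
    return hits


# Constructed sample message: two legitimate links, two lookalike links.
SAMPLE_BODY = (
    "Hello,\n"
    "Verify your account: https://login.company.com/reset\n"
    "Mirror 1: https://example.company.test/verify\n"
    "Mirror 2: http://secure.company.com.evil.test/\n"
    "Support: https://www.company.net/help\n"
)

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_BODY):
        print("suspicious:", url)
```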

In Mail Policies->Incoming Content Filters I can add a filter with the condition either "URL category" or "URL reputation". That is not what I want. I want to match the domain name from the URL against some patterns. If I could create patterns that would match domains phishing my "company name", then of course I would want to exclude all known trusted "company name" sites.