04-22-2022 02:57 AM - edited 04-22-2022 03:00 AM
We have url filtering in place for several scores. Works fine
But we use a phishing tool ( external ) to test our users if they click on a 'phishing' url in an email they receive from the attacking tool
We noticed recently that Cisco seems to open the url in the background ( or in Talos or whatever ) that triggers it , just like a user would click on it. This gives false positives
We thought 1st O365 is doing it due to their safelinks etc, but even if we quarantine the mail ( so not deliver it to O365 ) the link is being triggered ( the phising application is reporting a cisco ip that triggered the click : not one of our ip's , but a strange one : 146.112.163.35
If we look that one op via Talos its Cisco OpenDns or something.... and it is even listed on a blacklist....
We also tried disabling VOF ( outbreak filter ) in the mailpolicy for he sending ip's of the phishing app, so that VOF does not trigger it somehow. But even without VOF interfering,a click occurs..
And we cannot whitelist the specific urls , since we rewrite them for example to https://rewrite/originalUrl .
We want to test if users take the hassle to remove the rewrite part from an url and then open it
Any ideas what might trigger the click on the url ? And the strange cisco originated ip ?
And the tool is reporting the client whom clicks as Chrome 98.0.4758 on Windows.
04-22-2022 04:17 AM
04-22-2022 04:42 AM
What do you mean which product ? The anti phishing tool ? That's cymulate
Cisco esa version is : 14.0.0 for Cisco C390 build 698
04-22-2022 05:36 AM
04-22-2022 04:53 AM
Strangly it is, that it is not always triggered ( cache ? )
And before the 19th of April we didn't had this behaviour
SO if cisco sandboxes it in te background we should have seen this behaviour before
04-22-2022 05:37 AM
04-22-2022 06:23 AM
No not recently. No changes on ESA
04-25-2022 12:31 AM
We even tested with a mailpolicy, were NO CF were triggered, and every service off ( no antispam, VOF etc ) . And still from time to time the phishing mail gets triggered. Seems by ip 146.112.163.35 ( Cisco OpenDns ) according to the logs in the phishing tools. ANd always from the same browser version ( a browser we don't have at our company ) ; Chrome 98.0.4758 on Windows
Very strange
04-25-2022 11:31 AM
I've heard similar stories recently and this is most likely our Cloud URL Analysis (CUA) feature scanning them. Effectively sandboxing them and crawling the page, and hence you see a 'clicked on link' type of behavior.
https://docs.ces.cisco.com/docs/url-rewriting-and-analysis#cloud-url-analysis
I was informed that disabling Service Logs may be a potential workaround, but, this would also decrease overall efficacy and is not recommended.
You can read more about Service Logs here: https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_13-5/b_ESA_Admin_Guide_ces_13-5/m_service_logs.pdf
If you want, feel free to open a TAC case and we can help take a closer look.
Thanks!
-Dennis M.
04-25-2022 11:52 PM
Hello dmccabej;
I checked and we even have it with VOF disabled etc
In the docu it states :
We truned off everything on our 'prod' environment, and still have the issue from time to time ( not on every similar email )
in our 'TDA' environment, everything is on, and we don't have an issue ..Exactly the same version etc. Very strange
Service logs is indeed enabled, but so it is on our TDA
04-26-2022 08:53 AM
Thanks for confirming. You can test the workaround I suggested and see if that helps. Else, I'd recommend a TAC case and we can assist.
04-26-2022 11:22 PM
Workaround does not help. They will first discuss this with the phishing tool to see if they can whitelist cisco's ip range for clicks ( its a specific range )
04-25-2022 11:46 AM
04-25-2022 05:08 PM
I have the same issue lately as well. Will be good to know what the solution is to prevent a possible false positive.
05-19-2022 01:08 AM
I found the possible culprit
There is a setting : Enable sharing limited data with the Service Logs Information Service (Recommended)
I disabled that one, and found that there were no more ' click actions ' reported for urls ( sent in via pishing campaign )
Hope anyone else can test it also and give feedback
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide