WSA web filtering WBRS
06-12-2017 02:08 PM
I'm seeing more and more phishing emails with links that incorporate a google redirect to allow the web connection to pass because Google has a good WBRS. The URL being redirected to has a poor web reputation score, so the phisher is bypassing the WSA with the Google redirect.
How can we verify the WSA interrogates the whole URL and not just the first domain name in the URL link? Is there a way to set up a custom filter to ignore the redirect domain and just see the malicious URL?
Example:
https://www[.]google[.]com/url?hl=ru&q=https://guardmailboxprotection.com/view/user/secure_account/PDF/secure_account.pdf&source=gmail&ust=1497379074170000&usg=AFQjCNGeaFXemYbB6pZQwL0zkO4yTvlSaw#ztibfdse
Labels: Web Security
06-12-2017 05:39 PM
Hi,
Since google.com traffic will automatically be using an HTTPS connection, in order to see the full link for this connection the request will need to be decrypted; otherwise the WSA will only see the parent domain (www.google.com).
To decrypt the HTTPS traffic, the HTTPS proxy will need to be enabled in the WSA and a decryption policy used to decrypt traffic for google.com.
Once it is decrypted, it will then go to Access Policy.
You can create a custom URL category using regular expression for this then include that new custom URL category to your access policy and set the action such as block or allow.
To identify redirect-domain behaviour from Google, you can use the regular expression below in the custom URL category (the `?` is escaped so it matches the literal `url?` in the path, and the pattern ends at the `q=` parameter that carries the redirect target):
url\?.*q=
Hope this helps.
Regards
Handy Putra
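As an added illustration (not code from the post or from Cisco), the following Python shows what the decrypted-traffic check above has to do: recognise the google.com `/url?...q=` redirect pattern with the regex from the reply, pull the embedded destination out of the `q=` parameter, and report the host that a reputation score should actually be applied to. The sample URL is the one quoted in the question with the defanging brackets removed; the function names are my own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Regex from the reply above, compiled so the '?' in "url?" is literal and the
# match ends at the q= parameter that carries the redirect destination.
REDIRECT_RE = re.compile(r"url\?.*q=", re.IGNORECASE)

# Constructed sample: the Google redirect quoted in the question, brackets removed.
SAMPLE = (
    "https://www.google.com/url?hl=ru"
    "&q=https://guardmailboxprotection.com/view/user/secure_account/PDF/secure_account.pdf"
    "&source=gmail&ust=1497379074170000&usg=AFQjCNGeaFXemYbB6pZQwL0zkO4yTvlSaw#ztibfdse"
)


def looks_like_google_redirect(url):
    """True when the host is google.com (or a subdomain) and path+query match the pattern.

    Without decryption only the host is visible, so the regex can never fire;
    this mirrors what the WSA sees once the decryption policy is in place."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "google.com" and not host.endswith(".google.com"):
        return False
    return bool(REDIRECT_RE.search(p.path + "?" + p.query))


def embedded_target(url):
    """Return the URL carried in the q= parameter, or None if there is none."""
    values = parse_qs(urlparse(url).query).get("q")
    return values[0] if values else None


def effective_host(url):
    """Host a reputation (WBRS) lookup should be applied to.

    For a Google redirect that is the q= destination; otherwise the URL's own
    host. This is the value the phisher is hiding behind the google.com score."""
    target = embedded_target(url) if looks_like_google_redirect(url) else None
    return urlparse(target or url).hostname
```

A plain Google search URL such as `https://www.google.com/search?q=wsa` does not contain `url?`, so it is left alone and its own host is returned.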
