2025 Views | 0 Helpful | 4 Replies

Scanning for Phishing in an Attachment

techtone
Level 1

Hi,

We are seeing emails with attachments coming through our IronPort ESA that are being used for phishing. It was a PDF (or appears to be a PDF) attachment named Dropbox.PDF. When the user clicked on it, it brought up a bogus link to a Dropbox that was asking to log in with credentials.

How can we configure the ESA to scan attachments for Phishing and if we do will it catch something like this? Thanks

4 Replies

Libin Varghese
Cisco Employee

Hi,

The Sophos scanning engine and AMP File reputation File Analysis features should scan for these phishing attachments.

If there are attachments missed by these it is recommended to open a TAC case to get the rules updated for newer threats.

Apart from that if you would like to block attachments with specific filenames you can certainly use content/message filters for the same.

Thank You!

Libin Varghese

Robert Sherwin
Cisco Employee

Depending on the PDF --- if the PDF only contains a URL that requires the end user to interact and click on the URL to take them off-PDF and TO the malicious/phish site, the ESA currently is not capable of scanning that from AMP on ESA. These PDF files are usually flagged by AV rules or VOF rules. AMP will take into account these rules and readjust the scoring --- and will send out retrospective scoring adjustments based on the SHA reported from the ESA.

Any missed phish emails, or emails with attachments, can be submitted directly to Cisco:

phish@access.ironport.com

  • spam@access.ironport.com - Subject is prepended with [SUSPECTED SPAM] and is actual spam.  Forwarding this will assist the product efficacy team confirm the content and possibly score it lower.
  • ham@access.ironport.com - Subject is prepended with [SUSPECTED SPAM], but it is not spam, or Subject is prepended with [SUSPICIOUS], and may also contain other tags.
  • ads@access.ironport.com - Untagged subject, but you consider it to be or contain marketing content.
  • not_ads@access.ironport.com - Subject is prepended with [MARKETING], but you do not consider it marketing.
  • phish@access.ironport.com - Untagged subject, but it appears to be phishing (designed to acquire usernames, passwords, credit card info, or other personally identifiable information), or contains malware attachments.

For full info:

ESA FAQ: How to submit email messages to Cisco

-Robert
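
Since the thread turns on a PDF whose only payload is a link the user has to click, here is an added example (not from this thread, and not Cisco or ESA code) of the triage an analyst can run on a quarantined attachment before deciding whether to submit it to phish@access.ironport.com: it checks that a file named *.pdf really starts with the PDF header, pulls every `/URI` link action out of the raw object stream so the hosts can be looked up, and flags filenames that use a cloud-storage or e-signature brand. The brand list, the trusted-host set and the sample PDF bytes are all constructed assumptions for the example; tune them to what your own ESA logs show.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

PDF_MAGIC = b"%PDF-"

# Assumptions for this example: brand words that show up in lure filenames,
# and the hosts your own documents legitimately link to.
LURE_NAME_RE = re.compile(r"(?i)dropbox|onedrive|sharepoint|docusign")
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# A PDF link action is a dictionary like << /S /URI /URI (http://...) >>.
# The URL sits in a literal string delimited by ( ); inside it a backslash
# escapes ) ( and \ so the regex must step over "\x" pairs.  Hex-string
# form (/URI <...>) is rare in lures and is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(raw: bytes) -> str:
    # Drop the backslash of \) \( \\ sequences; other escapes are left alone.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


@dataclass
class Verdict:
    filename: str
    magic_ok: bool
    urls: List[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_pdf(filename: str, data: bytes) -> Verdict:
    """Return the link URLs in a PDF plus the reasons (if any) it looks like a lure."""
    magic_ok = data.startswith(PDF_MAGIC)
    urls = [_unescape(m) for m in URI_RE.findall(data)]
    reasons = []
    if filename.lower().endswith(".pdf") and not magic_ok:
        reasons.append("extension says PDF but the file lacks the %PDF- header")
    if LURE_NAME_RE.search(filename):
        reasons.append("filename uses a cloud-storage/e-signature brand")
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            reasons.append(f"link action to untrusted host: {host or url}")
    return Verdict(filename, magic_ok, urls, reasons)


# Constructed sample: a one-page PDF whose only content is a clickable link
# (the shape of the Dropbox.PDF lure in the question).  Not a real sample.
SAMPLE_LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50]\n"
    b"   /A << /S /URI /URI (http://example.invalid/dropbox-login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: something that is not a PDF at all but was named like one.
SAMPLE_FAKE_PDF = b"MZ\x90\x00 not really a pdf"


if __name__ == "__main__":
    for name, blob in (("Dropbox.PDF", SAMPLE_LURE_PDF), ("Dropbox.PDF", SAMPLE_FAKE_PDF)):
        v = triage_pdf(name, blob)
        print(name, "suspicious" if v.suspicious else "clean", v.urls, v.reasons)
```

The URL list is the useful output even when nothing is flagged: a PDF that is nothing but a link action to a host you do not recognise is exactly the case Robert describes as not being caught by AMP's file reputation, so those hosts are what you want to feed into URL reputation or block on the ESA, and the `reasons` list gives you the wording for the submission to Cisco.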

Venkatesh Attuluri
Cisco Employee

Make sure you have enabled AMP File Analysis and selected all file types for file analysis.

Sriram Subramanian
Cisco Employee

In Incoming Mail Policy, we recommend enabling Antivirus, AMP and Outbreak Filtering. In Outbreak filtering policy make sure to have Message Modification feature enabled with URL Rewrite so suspicious emails are tagged to warn end users about these emails. As long as the threat level is about 3 (default) it should trigger the tagging to warn users.