problem with shortening services in phishing mails

daro (Level 1)

Hi,

we are experiencing an increase in phishing emails containing shortened links from services like bit.ly, tinyurl.com or any other self-hosted solution.

The ESA only does a lookup on the shortening service's website, which is mostly neutral, and therefore delivers the message.

I found the bug for this issue here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva56442/?reffering_site=dumpcr

Is there any way to filter those shortening services?

Thank you

2 Replies

exMSW4319 (Level 3), accepted solution

Have you tried setting up a filter just to log* the key details of mails featuring suspect URL domains?

It's arguable that URL shortening is for use in dead-tree (print) and SMS, and has no place in e-mail. If you see very little legitimate traffic being detected, then you may be in a position to de-fang anything that matches. Of course, the numbers may show otherwise.

* Logging the URL itself may not be good advice; I have a recollection of a bug that triggered when something complex hit the logging action. I personally keep samples to defend my rules, so I am typically quarantining instead.

dmccabej (Cisco Employee)

Hello,

The defect you listed doesn't mention a workaround; however, I would suspect that you could try setting up a Content Filter to either search for a condition of the shortened URL in the message body or, if you're seeing those URLs attached to a certain category, add a condition of that category. From there you can take action based on your needs.

Thanks!

-Dennis M.
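Both replies describe the same check: match shortener domains in the message body and then log, quarantine or de-fang the message. The following is an added example, not Cisco ESA code and not either poster's own. It shows what such a body condition has to match (the registered shortener domain and its subdomains, with sentence punctuation stripped) and adds the step the appliance does not perform according to the question: expanding the redirect chain one hop at a time to learn the destination host, which is the host a reputation lookup should actually be run against. The shortener list, the sample message and the redirect table are constructed for the example; `http_head_location` is the real-network equivalent of the fake fetcher and is only meant for an isolated analysis host, since the shortener still sees the request.

```python
"""Flag URL-shortener links in an email and expand them hop by hop.

Added example, not Cisco ESA code and not the forum posters' own. The
shortener list, sample message and redirect table are constructed here.
"""
import email
import http.client
import re
from email import policy
from urllib.parse import urljoin, urlsplit

# Constructed list of public shorteners. Self-hosted ones cannot be
# enumerated in advance; add the domains seen in your own mail flow.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"'()\]]+", re.IGNORECASE)


def extract_urls(raw_message: bytes) -> list:
    """Return every http(s) URL in the text/plain and text/html parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.append(url.rstrip(".,;:!?"))  # drop trailing sentence punctuation
    return urls


def is_shortener(url: str, domains=SHORTENER_DOMAINS) -> bool:
    """True if the URL's host is a listed shortener or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def expand(url: str, fetch_location, max_hops: int = 5):
    """Follow Location headers one hop at a time without fetching any page.

    fetch_location(url) returns the Location header of a 3xx response or None
    for a non-redirect. Returns (final_url, chain, truncated); truncated is
    True on a redirect loop or when max_hops is reached, i.e. final_url is
    not a confirmed landing page.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        location = fetch_location(current)
        if location is None:
            return current, chain, False
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            return nxt, chain, True       # redirect loop
        chain.append(nxt)
        current = nxt
    return current, chain, True           # hop limit reached


def http_head_location(url: str, timeout: float = 5.0):
    """Real fetcher: one HEAD request, redirect not followed by the client.

    The shortener still sees the request and the scanner's IP, so use this
    from an isolated analysis host only.
    """
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def scan(raw_message: bytes, fetch_location, domains=SHORTENER_DOMAINS) -> list:
    """One finding per shortener link, with the expanded destination host."""
    findings = []
    for url in extract_urls(raw_message):
        if not is_shortener(url, domains):
            continue
        final, chain, truncated = expand(url, fetch_location)
        findings.append({"url": url, "final_url": final,
                         "final_host": (urlsplit(final).hostname or "").lower(),
                         "hops": len(chain) - 1, "truncated": truncated})
    return findings


# Constructed sample message and redirect table so the example runs offline.
SAMPLE_EMAIL = b"""From: billing@example.com
To: user@example.org
Subject: Invoice overdue
Content-Type: text/plain; charset=us-ascii

Please review the invoice at https://bit.ly/3abc123.
Our public site is https://www.example.com/ as usual.
"""

FAKE_REDIRECTS = {  # shortener chained to a second shortener, then the landing host
    "https://bit.ly/3abc123": "https://tinyurl.com/y2x",
    "https://tinyurl.com/y2x": "http://login.example.net/secure",
}


def fake_fetch_location(url: str):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL, fake_fetch_location):
        print(f"{f['url']} -> {f['final_url']} ({f['hops']} hops, truncated={f['truncated']})")
```

The `truncated` flag is the caveat worth keeping: a chain that loops or exceeds the hop limit has no confirmed landing host, so a rule keyed on the final domain should treat such a message the same way it treats a shortener hit with no expansion at all (log or quarantine, never deliver on the strength of a neutral first hop). On the appliance itself the detection half of this corresponds to the body-regex content filter condition the replies describe; the expansion half has no equivalent there and belongs in an external analysis step.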
