Phishing campaign results are altered by the WildFire profile because email links are clicked by the WildFire sandbox
Objective
When WildFire receives an email link (ELINK), its analysis visits the link, and that visit changes the results of whatever the link drives. For example, every link in a phishing campaign gets clicked, so the campaign results are no longer accurate. Another example is an approval link that ends up approved automatically. There are two ways to stop WildFire from visiting the ELINKs in the mail:
(a) Stop WildFire from clicking those links.
(b) Stop the traffic at the firewall by matching the phishing campaign traffic with an App-ID in a security rule that has no WildFire profile.
Environment
- All PAN-OS versions
- Phishing campaign email traffic
Procedure
Option (a): Stop WildFire from clicking those links.
- Open a support case through the support portal.
- List your company name, the phishing campaign vendor's name, and the domains/URLs a user reaches by clicking the links.
- We will add those domains to the WildFire whitelist. Even when the firewall submits the ELINK to WildFire, WildFire will not visit the whitelisted links.
Option (b): Filter the phishing campaign traffic at the firewall. This is a simple three-step process.
1. Create a custom application signature that matches the phishing campaign emails by using email header fields.
2. Create a security rule that matches this custom application and has no WildFire profile attached.
3. Finally, move this security rule so that it precedes the SMTP rule the traffic currently matches.
The following example uses the KnowBe4 phishing campaign. You can create a custom application signature for any application once you have a unique indicator; for email, that indicator can be a field in the message header. Here is a link that describes how to create a custom application.
Step 1:
1. Create a new custom application.
2. Give the signature a name, select Category -> general-internet and Parent App -> smtp, and fill in the other fields as needed.
3. Move to the next tab, "Advanced", and select scanning as needed for File Type, Virus, and Data Patterns.
4. Click "Add" and give the signature a name.
5. Click "Add Or Condition" and make the following selections:
   - Operator -> Pattern Match
   - Context -> email-header
   - Pattern -> X-PHISHTEST (note that this header can change; you can see the header currently in use by selecting "Show original" on one of the campaign emails)
6. You can add more conditions to the custom app based on other email header fields. When adding a second condition, you can combine it with the first using "or" or "and".
Step 2:
- Create a security rule that allows this custom application and has no WildFire profile attached.
Step 3:
- Move this policy before any other policy that could match the same traffic, so that this policy is hit first.
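To make the two mechanisms above concrete, here is an added Python model (not PAN-OS code, and not from this article) of the header pattern match in Step 1 and the top-down, first-match security policy evaluation that makes Step 3 necessary. The X-PHISHTEST header is the one named in the procedure; the custom application name, the rule names, the sample messages, the X-Example-Campaign header used to show or/and conditions, and the simplification that a rule for the parent application (smtp) also matches the custom child application are all constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages. X-PHISHTEST is the header named in the article;
# the addresses, subjects and campaign id are made up for this example.
PHISH_MSG = (
    "From: training@example.test\r\n"
    "To: user@example.test\r\n"
    "Subject: Action required\r\n"
    "X-PHISHTEST: campaign-0001\r\n"
    "\r\n"
    "Please sign in at http://training.example.test/\r\n"
)
NORMAL_MSG = (
    "From: alice@example.test\r\n"
    "To: user@example.test\r\n"
    "Subject: Lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
)

CUSTOM_APP = "knowbe4-phish-campaign"   # assumed name of the custom application
PARENT = {CUSTOM_APP: "smtp"}            # the Parent App chosen in Step 1


def header_block(msg: Message) -> str:
    """The 'email-header' context: the raw header lines, one per line."""
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def pattern_condition(pattern: str):
    """One condition with Operator = Pattern Match and Context = email-header:
    a regular expression searched over the header block."""
    rx = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
    return lambda msg: rx.search(header_block(msg)) is not None


def signature_matches(msg: Message, signature) -> bool:
    """A signature is a list of AND groups, each a list of OR conditions
    (modelling the 'and' / 'or' combination of conditions from Step 1)."""
    return all(any(cond(msg) for cond in group) for group in signature)


# The signature from the article: a single condition on the X-PHISHTEST header.
SIGNATURE = [[pattern_condition(r"^X-PHISHTEST:")]]


def classify(raw: str) -> str:
    """App-ID for the session: the custom app if the signature fires, else smtp."""
    msg = message_from_string(raw)
    return CUSTOM_APP if signature_matches(msg, SIGNATURE) else "smtp"


# Security rules in top-down order. Names are assumed. The generic SMTP rule
# carries a WildFire profile; the campaign rule deliberately has none.
RULE_SMTP = {"name": "allow-smtp", "apps": {"smtp"}, "wildfire": "default"}
RULE_CAMPAIGN = {"name": "allow-phish-campaign", "apps": {CUSTOM_APP}, "wildfire": None}


def first_match(rules, app):
    """Top-down, first-match policy evaluation. Simplifying assumption of this
    model: a rule for the parent application also matches the custom child app,
    which is why the rule order decides which WildFire profile applies."""
    for rule in rules:
        if app in rule["apps"] or PARENT.get(app) in rule["apps"]:
            return rule
    return None


def wildfire_profile_for(raw: str, rules):
    """The WildFire profile the campaign mail would be submitted under."""
    rule = first_match(rules, classify(raw))
    return None if rule is None else rule["wildfire"]


if __name__ == "__main__":
    for order in ([RULE_SMTP, RULE_CAMPAIGN], [RULE_CAMPAIGN, RULE_SMTP]):
        names = " > ".join(r["name"] for r in order)
        print(f"{names}: campaign mail gets WildFire profile "
              f"{wildfire_profile_for(PHISH_MSG, order)!r}")
```

With the generic SMTP rule on top, the campaign mail still lands on the rule that carries the WildFire profile and the ELINK is submitted; only once the campaign rule is moved above it does the same message evaluate to no WildFire profile, which is the whole point of Step 3.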