Testing the popular DNS filters without setting up a trial

We had a security incident this morning and I have a phishing URL that I would like to run through some of the popular DNS filters to see who can win our business. Quad9 is the only one that has an easily accessible textbox that you can just dump a URL into and check their filter. (It was not on their blocklist)

Any ideas or recommendations on how to do this?

Do you mind sharing the URL? Not sure how specific it might be to your organization, but if generic enough, let’s take a look.

I would prefer not to share it publicly as it does display a legit user's email address. It basically loads a fake Office 365 login page with the recipient's email prepopulated.

The flaw with that test is that you need MANY MANY over time to do any real testing. One link may get caught by one product and not another, and the opposite may be true for the next 10. It's about overall stats, not one-time finds.

Paid DNS services may be more up to date than the free services they may provide.

With all security, security breaks down with the end user - maybe some training is required not to click on links that you are not expecting.

So are there any DNS filters or email scanners that are effective at this kind of thing? From a technological point of view, an email scanner would need to resolve the URL embedded in the email, look at the resulting web page and say “aha, it looks like an Office 365 login page that is NOT hosted on Microsoft’s website. BAD!”.

Can anyone do this? Bueller? Bueller?

Our third-party email scanning offers URL scanning; if you click on the link within an email, the company will check the URL in a sandbox system to see if it is genuine and blocks access.

It rewrites the URL to go to the sandbox solution.

I am sure other third-party email spam / AV companies offer the same sort of service.

We use Mimecast at CNWR for us and our clients. It does the scanning and sandboxing of emails.

Since I use Google Apps for my LawrenceSystems company and we use Office 365 for CNWR.com along with Mimecast, I am even more impressed with how well Google does at spam filtering.


In theory Microsoft does link scanning if you paid for that option (or part of your enterprise account), but it isn’t great.

I was just wondering if Crowdsec, Suricata, or Zenarmor might grab it before it crosses back out of the firewall.

I might be able to run it across my firewall and see what happens; you can send a private message with the link. Our AV might grab it too, as known bad URLs are often blocked by our AV.

Is this a DNS or URL filter? If it is a DNS filter then just give us the domain name only. URL filters are kind of pointless in my opinion.

Or just run the test yourself with dig (dig somedomain.com @1.1.1.1). I have spamhaus setup (among others) so I can run that if it is not available to you.
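The dig approach above, done without dig: this added script (not from the thread) sends an A query straight to each public filtering resolver and classifies the answer, since Quad9 answers NXDOMAIN for a blocked name while Cloudflare's 1.1.1.2/1.1.1.3 filters answer 0.0.0.0. The resolver addresses are assumed from the providers' public documentation, and the domain you pass in is yours to supply.

```python
import socket
import struct

# Public filtering resolvers to compare (assumed endpoints: 9.9.9.9 is Quad9,
# 1.1.1.2 / 1.1.1.3 are Cloudflare's malware and family filters).
RESOLVERS = {"Quad9": "9.9.9.9", "Cloudflare malware": "1.1.1.2",
             "Cloudflare family": "1.1.1.3"}

def build_query(domain, txid=0x1234):
    """Build a standard recursive A query for `domain` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(data, off):
    """Offset just past a name: walk the labels, or jump a 2-byte 0xC0 pointer."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)

def parse_response(data):
    """Return (rcode, list of A-record IPs) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def verdict(rcode, ips):
    """NXDOMAIN (Quad9 style) or an all-0.0.0.0 answer (Cloudflare style) = blocked."""
    if rcode == 3 or (ips and all(ip == "0.0.0.0" for ip in ips)):
        return "BLOCKED"
    if ips:
        return "RESOLVED " + ",".join(ips)
    return "NO ANSWER (rcode %d)" % rcode

def check(server, domain, timeout=3.0):
    """Send one UDP query straight to `server`, bypassing the local resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (server, 53))
        data, _ = s.recvfrom(4096)
    return verdict(*parse_response(data))
```

Loop `check(ip, domain)` over `RESOLVERS.items()` with the domain from the incident (not the full URL) to get one verdict per filter; a `socket.timeout` means the resolver did not answer at all.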

Those are only likely to stop the more well-known threats via their block lists IF the block lists are up to date, but they all get quickly out of date due to threat actors moving quickly to new IPs as they get on those lists. Threat actors get the same feeds.

I looked at this yesterday; it seems to be a three-part link where it needs to do something at each of the three URLs to get the "login" page working.

The first link may just be a tracker, m.exactag[dot]com; the second part may be a legitimate site that has something compromised, doganjeotermal[dot]com.tr.

And then you end up at this base URL with the account info filled in, so it just asks for a password: fiyece.erefincr[dot]com

There are strings of info that pass to each of these that are specific to this user that I won’t pass along. Without those strings and cookies set, the last link does not work. It appears that Chrome/Brave may be blocking this, but Edge lets you right through.

And all that said, Zenarmor is blocking m.exactag as an ad/tracker, but the second two links can pass. If I have time today I’m going to continue taking this apart. If anyone else is willing to give this a try, they should probably contact the OP and see if he’ll share the original link. It would be nice to have someone smarter than me take this apart and figure out what is happening. Really needs a packet capture of the session.

Interesting, thanks for the domains. But why do you need the full URL? If your DNS filter doesn't catch it, then it is extremely unlikely your URL list will.

Spamhaus got a big fat zero on those. Same with Cloudflare malware & family DNS.

My static filter caught the exactag.com domain and the doganjeotermal.com.tr top-level domain. The tr top-level domain was only caught b/c I do country-wide blocking - so my *.tr filter caught it. Anybody else doing that?

The third one resolved successfully, unfortunately. If I still had a VLAN that I really wanted to lock down, I'd do a whitelist DNS filter again. Anybody play that game?

Yes, I have run a "walled garden" with a whitelist; it traps a lot of junk from getting out. I also forced DNS names and rejected IP addresses. That was with e2guardian on pfSense.