https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518159#M107499 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/228820">@BrianMacha</a>&nbsp;,</P> <P>&nbsp;</P> <P>Can you verify the category of your in-house website? I would go to&nbsp;Monitor -&gt; Logs -&gt; URL Filtering and find the traffic with the destination being the in-house website. Verify that the "credential theft detected" is set to yes and the category that is associated with it. Once the category is verified, you can go into the url filtering profile applied to your policy and set credential theft detection to not block the category associated with your in-house website.&nbsp;</P> <P>If that doesn't work,&nbsp; you can enter the domain into a whitelist. Whitelisting the site will bypass URL-filtering thus not being checked for credentials.&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> Mon, 17 Oct 2022 20:14:08 GMT JayGolf 2022-10-17T20:14:08Z https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518138#M107496 <P>Hi!</P> <P>&nbsp;</P> <P>Users connecting to our network via VPN receive "Suspected Credential Phishing Detected" when attempting to log into our in-house equipment reservation webpage. The URL filtering log indicates a blocked URL action on category "government".&nbsp; &nbsp;I've tried to adjust the group profile item in the associated rule for the "government" category from "block" to "continue" or "allow" but it doesn't seem to matter.</P> <P>&nbsp;</P> <P>Any insight is welcome!</P> <P>&nbsp;</P> <P>Thanks!&nbsp;</P> <H1>&nbsp;</H1> Mon, 17 Oct 2022 18:51:05 GMT https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518138#M107496 BrianMacha 2022-10-17T18:51:05Z https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518159#M107499 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/228820">@BrianMacha</a>&nbsp;,</P> <P>&nbsp;</P> <P>Can you verify the category of your in-house website? I would go to&nbsp;Monitor -&gt; Logs -&gt; URL Filtering and find the traffic with the destination being the in-house website. Verify that the "credential theft detected" is set to yes and the category that is associated with it. Once the category is verified, you can go into the url filtering profile applied to your policy and set credential theft detection to not block the category associated with your in-house website.&nbsp;</P> <P>If that doesn't work,&nbsp; you can enter the domain into a whitelist. Whitelisting the site will bypass URL-filtering thus not being checked for credentials.&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> Mon, 17 Oct 2022 20:14:08 GMT https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518159#M107499 JayGolf 2022-10-17T20:14:08Z https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518170#M107502 <P>Thanks for the reply, Jay.</P> <P>&nbsp;</P> <P>I'd like to add that users in-house/local are able to access the website without issue.&nbsp; The rule associated with in-house user access utilizes the same URL filtering profile as the rule that is utilized for the VPN users (except the VPN users are given the Suspected Credential... message).&nbsp; It is as if there's something beyond the the Actions|Profile Setting in the VPN rule that's overriding everything.</P> <P>&nbsp;</P> <P>Another thing I noticed in the URL Filtering log is that "credential detected" is "no" and source user is blank for entries in which there is successful interaction with the website by in-house/local users.&nbsp; For VPN users, "credential detected" is "yes" and "source user" is occupied by the full username.</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 17 Oct 2022 21:07:33 GMT https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518170#M107502 BrianMacha 2022-10-17T21:07:33Z https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518259#M107531 <P>Hello,</P> <P>If the website is internal to your company, eg inside your network. Do Not perform URL filtering.</P> <P>Regards,</P> Tue, 18 Oct 2022 20:54:11 GMT https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518259#M107531 OtakarKlier 2022-10-18T20:54:11Z https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518359#M107547 <P>I ended up whitelisting the site in the URL filtering profile.</P> <P>&nbsp;</P> <P>Thanks for the help!</P> <P>&nbsp;</P> <P>-Brian M.</P> Wed, 19 Oct 2022 13:33:57 GMT https://live.paloaltonetworks.com/t5/general-topics/suspected-credential-phishing-detected/m-p/518359#M107547 BrianMacha 2022-10-19T13:33:57Z