topic Re: WildFire phishing emails allowed instead of blocked? in General Topics

WildFire phishing emails allowed instead of blocked?

Steve-Phillips — Wed, 20 Mar 2019 16:24:31 GMT

Hello Everyone,

I note that when I view the Monitor -> Wildfire Submissions activity on my Palo Alto PA-3020 8.1.6, all the detections with a verdict of "phishing" with a Severity of "high" are allowed.

However, the other verdict I can see, which is "malicious" with a severity of "Informational" is successfully blocked.

Is this the behaviour that others see, or have I not configured WildFire correctly?

Is there anything I can do to set the "phishing" emails to be blocked?

Thanks,

Steve

Re: WildFire phishing emails allowed instead of blocked?

Remo — Wed, 20 Mar 2019 18:48:47 GMT

Hi @Steve-Phillips

From your description it sounds like already configured it correctly. These events that are allowed are normal because these links were not known as phishing links by wildfire. With that email the url was forwarded to wildfire and the verdict was received by the firewall afterwards. The firewall allows the url/attachment if it is unknown at that time and the reason is that the firewall only does flow-based checks and does not operate in store-and-forward mode like a mailgateway.

Hope this helps,

Remo

Re: WildFire phishing emails allowed instead of blocked?

Steve-Phillips — Wed, 20 Mar 2019 19:31:48 GMT

Hi @Remo,

Many thanks for your reply.

Following on from what you have said, and so I and perhaps others can understand this a bit better, an example phishing email I have received is as follows:

Receive Time

2019/03/18 14:44:58

WildFire Analysis Summary

Link Information

URL hxxps://remove_me_walimusacco.com//dhlserver/DHL/portal/?email=enquiries@my_domain.co.uk

SHA-256 691ec4a0d6d24af2fe6f0e2715c11c8bcef7ad72f2d43c859f19a9ac93ecb8dc

SHA1 4516f515484f4ae98d09de7b1ce309024abf6fe0

MD5 31aff8cb2eed386d168d700aa0b0bba2

First Seen Timestamp 2019-03-18 14:45:46 UTC

Verdict phishing

Receive Time

2019/03/18 14:48:21

Details:

Threat/Content Type

wildfire

ID	1238713750

Severity

high

Repeat Count

File Type

email-link

File Name

hxxps://remove_me_walimusacco.com//dhlserver/DHL/portal/?email=enquiries

Would this sequence of events demonstrate the following was true:

- Our Palo Alto firewall recieved the phishing email at 14:44:58 and sent the email to WildFire. As the email phishing URL was not currently known, the email was allowed.

- From the WildFire Analysis Summary, WildFire accepted the email for processing at 14:45:46, and our Palo Alto firewall was the first WildFire Palo Alto to see this particular phishing URL.

- After several minutes of processing, at 14:48:21, the email was determined to be a phishing email and set as such in WildFire.

- Any other Palo Alto firewall using WildFire would block that phishing email from that point in time onwards.

Is the above a reasonable summary of the events as detailed above?

Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?

Thanks,

Steve

Reason for editing: Obsfucation of malicious URL's

Re: WildFire phishing emails allowed instead of blocked?

Remo — Wed, 20 Mar 2019 20:11:12 GMT

@Steve-Phillips wrote:
Is the above a reasonable summary of the events as detailed above?

Yes, it is. Only one point: the might be a little delay between wildfire setting the verdict until every paloalto firewall receives the update

@Steve-Phillips wrote:
Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?

Exactly (or if another firewall already uploaded the url but wildfire was still processing it when your firewall received the email)

Re: WildFire phishing emails allowed instead of blocked?

Steve-Phillips — Wed, 20 Mar 2019 20:27:52 GMT

@Remo,

Great, many thanks for that explanation, most useful in increasing my knowledge of the Palo Alto firewall.

Cheers,

Steve