WildFire phishing emails allowed instead of blocked?

Reply
Highlighted
L1 Bithead

WildFire phishing emails allowed instead of blocked?

Hello Everyone,

 

I note that when I view the Monitor -> Wildfire Submissions activity on my Palo Alto PA-3020 8.1.6, all the detections with a verdict of "phishing" with a Severity of "high" are allowed. 

 

However, the other verdict I can see, which is "malicious" with a severity of "Informational" is successfully blocked.

 

Is this the behaviour that others see, or have I not configured WildFire correctly?

 

Is there anything I can do to set the "phishing" emails to be blocked?

 

Thanks,

Steve

 

 

L7 Applicator

Re: WildFire phishing emails allowed instead of blocked?

Hi @Steve-Phillips 

 

From your description it sounds like already configured it correctly. These events that are allowed are normal because these links were not known as phishing links by wildfire. With that email the url was forwarded to wildfire and the verdict was received by the firewall afterwards. The firewall allows the url/attachment if it is unknown at that time and the reason is that the firewall only does flow-based checks and does not operate in store-and-forward mode like a mailgateway.

 

Hope this helps,

Remo

L1 Bithead

Re: WildFire phishing emails allowed instead of blocked?

Hi @vsys_remo,

 

Many thanks for your reply.

 

Following on from what you have said, and so I and perhaps others can understand this a bit better, an example phishing email I have received is as follows:

 

Receive Time
2019/03/18 14:44:58

 

WildFire Analysis Summary

 
Link Information
URL hxxps://remove_me_walimusacco.com//dhlserver/DHL/portal/?email=enquiries@my_domain.co.uk
 
SHA-256 691ec4a0d6d24af2fe6f0e2715c11c8bcef7ad72f2d43c859f19a9ac93ecb8dc
 
SHA1 4516f515484f4ae98d09de7b1ce309024abf6fe0
 
MD5 31aff8cb2eed386d168d700aa0b0bba2
 
First Seen Timestamp 2019-03-18 14:45:46 UTC
 
Verdict phishing

 

 

Receive Time
2019/03/18 14:48:21

Details:

Threat/Content Type
wildfire
ID
1238713750
Severity
high
Repeat Count
1
File Type
email-link

 

 

Would this sequence of events demonstrate the following was true:

 

- Our Palo Alto firewall recieved the phishing email at 14:44:58 and sent the email to WildFire.  As the email phishing URL was not currently known, the email was allowed.

 

- From the WildFire Analysis Summary, WildFire accepted the email for processing at 14:45:46, and our Palo Alto firewall was the first WildFire Palo Alto to see this particular phishing URL.

 

- After several minutes of processing, at 14:48:21, the email was determined to be a phishing email and set as such in WildFire.

 

- Any other Palo Alto firewall using WildFire would block that phishing email from that point in time onwards.

 

Is the above a reasonable summary of the events as detailed above?

 

Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?

 

Thanks,

Steve

 

Reason for editing: Obsfucation of malicious URL's

L7 Applicator

Re: WildFire phishing emails allowed instead of blocked?


@Steve-Phillips wrote:

Is the above a reasonable summary of the events as detailed above?


Yes, it is. Only one point: the might be a little delay between wildfire setting the verdict until every paloalto firewall receives the update

 


@Steve-Phillips wrote:

Can I further conclude that if I have only seen WildFire phishing verdict as "allow", that all of our detected phishing emails are "first seen" phishing emails, otherwise I would have seen a blocked phishing email?


Exactly (or if another firewall already uploaded the url but wildfire was still processing it when your firewall received the email)

L1 Bithead

Re: WildFire phishing emails allowed instead of blocked?

@vsys_remo,

 

Great, many thanks for that explanation, most useful in increasing my knowledge of the Palo Alto firewall.

 

Cheers,

Steve

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!