Email Link Analysis - does it look at all emails?

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L1 Bithead

Email Link Analysis - does it look at all emails?

I am curious to know if the organization I work at gets a blast email to 500 employee's from an external B2B marketer does the wildfire analysis get performed on all 500 identical emails or does it simply do it once knowing the email and links are identical.

Highlighted
Cyber Elite

@joecbrown 

 

As per my knowledge WF maintains trusted domain list and it will examine the external email address only once.

 

Regards

MP
Highlighted
Cyber Elite

Actually yes, the firewall is doing the analysis for every email. It does not really care about the url, it simply forwards it to wildfire - in batches of 200 URLs per upload or all 2 minutes - depending on which limit is hit first. About the list of trusted sites I am not sure, as theoretically there is nothing like trusted site. On every website there is the potential risk that it gets hacked and will be used to host malware or exploit kits. But at least I think, there is a timer that a website is not ddos'ed by wildfire and only scanned for example max. once per hour or day. About a local check if the urls are identical, @jdelio could you say something about this? But often the links in such mass-emails aren't identical, every link is different to track which recepient clicks on the url.

Highlighted
Community Team Member

@vsys_remo  and others.. 

From the official documentation on WildFire email analysis.. 

https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts/em...

 

It states:

"WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:

 

  • Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information—email sender, recipient, and subject—so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
  • Added to PAN-DB and the URL is categorized as malware.

The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall 
Firewall Forwarding Capacity by Model
 (PAN-OS 8.1, 9.0, 9.1). If a link included in an email corresponds to a file download instead of a URL, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis."
 
I hope this helps a little.. 
 
Stay Secure,
Joe
End of line
Highlighted
Cyber Elite

@jdelio My question was more about if the firewall already does a local check for the urls? Or does it - in the case like in this topic - upload 500 times exactly the same URL to wildfire if there are 500 incoming emails with this one URL?

Highlighted
L1 Bithead

@vsys_remo That is what I am trying to understand as well.  If 500 people in my organzition all receive the same email with the same url http://www.website.com/page123.  Is that URL submitted 500 times and scanned 500 times or does it scan that URL once?

Highlighted
Community Team Member

@joecbrown and @vsys_remo 

When there are 500 of the exact same link.. I  would like to think that it would count them as one, but I will ask the experts about this and see what they are able to tell me. 

I will respond as soon as I have an answer.

Stay Secure,
Joe
End of line
Highlighted
Community Team Member

OK, @joecbrown , @vsys_remo  and everyone else.. found the info.. 

Actually I was able to get the details from people who looked at the code, and other detailed info.. and it looks like there will be 500, because each one comes from a different email header and we produce separate reports with the specific session information associated with the SMTP, IMAP or POP3 session. So, all links are sent to the cloud at this time, duplicate or not.

 

Stay Secure,
Joe
End of line
Highlighted
Cyber Elite

Thanks @jdelio

This makes sense, as the URL is only one of the different attributes contained in wildfire report.

Highlighted
Cyber Elite

@jdelio 

 

Many thanks for this great info!

 

Regards

MP
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!