URL and Page Content Pattern Matching for Un-categorised Websites

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

URL and Page Content Pattern Matching for Un-categorised Websites

L2 Linker


Unless I've missed something I don't believe this is yet possible. I'd love to be proven wrong however so by all means let me know.

We are seeing an increased number of highly personalised phishing attacks i.e. the individuals behind the attempts are setting up identical login pages to our sites with our graphics etc in an attempt to fool our users. Which unfortunately it does on too many occasions. These sites are most often hidden behind a link in an email which comes from an already hacked trusted source user and when visited gives the illusion that the user has been logged out of OWA for example and they therefore need to login again. We have 2FA authentication in most places where possible but this doesn't prevent those less aware users from giving away their login information. As the site is often personalised and setup on random addresses it's rarely if ever caught by the phishing category on the firewalls. These sites always follow the same pattern, the html page will most often contain our company name, logo and links to our real sites etc. A really nice feature in the future would be able to run a pattern match on just the unknown category sites for specific keywords within the page content, title and filename of the page being visited and have the option to display a "Potential Phishing Warning Page" with the continue option. This wouldn't of course be 100% and will produce the occasional false match but if the user can simply hit the continue button this wouldn't be a big deal but it would alert the user that if the next page asks for login details it's not in anyway associated with the company and should be reported to Support etc as it's most likely a phishing attempt. We can then block the page in a more timely manner to protect our user base.

Just and idea anyway.

Thanks for listening.



L6 Presenter

Cant you do this today?

I mean create a security rule last that will match if none of the known good categories has been hit - this will use a continue page to inform your client that the page they are visiting is not yet indexed by your url-category engine and the user should be careful with which files are being downloaded or what info is being written in any input boxes and so on?

Not the pattern matching part. Unless I've missed something here.


L5 Sessionator

Hello Andy,

If my understanding is correct for your situation don't you think certificates getting signed by CA is the solution?


Hari Yadavalli

L2 Linker

Hi Hari,

We of course have certificates on our sites, it does not help in this instance.

Let me explain...

When the user clicks on the link within the dodgy email (webmail) they are taken to a webmail login page which is identical to ours or as near as they can get it. It's only catches the user out if they are using webmail generally. The user rarely notices that they have been taken to another site in the meantime. These are not tech users remember they just want to get on and take no notice! They get caught into thinking they have been kicked out of the webmail so re-enter their auth info again. This gets sent off to the phisher. The fake login webpage then takes them on to the site in the original link, the user is unaware they have given away their info. It's not sophisticated at all but for many users it catches them out every time. It's hard to block with email security because it's highly targeted so none of the various email engines out there know anything about it so let it through. The phisher now has the users credentials and can login in as them and go through their email, assuming you don't have two factor of course! Regardless the user has still given away part of their details. Unfortunately users swap passwords between themselves in their emails as well, it's banned but they still do it so it's a gold mine for the phisher not to mention all the company confidential data they may have in their mailbox. These sites are rarely known to the Palo so a rule based system that could look at the unknown sites webpage content on first access for keywords such as the company name, text boxes with the titles username and password on the page and warn on it would be a god send to stop this instantly. Something like "This webpage contains elements similar to your companies sites but is not on your companies domain, proceed with caution. Do not enter any user information on this site blah blah blah".

There is one particular group out there that are doing this constantly. Unfortunately it's caught out a large number of very well know companies. I cannot divulge any more info than that I'm afraid but having this feature would help mitigate against it. I'm 99% sure this cannot be done at the mo so hopefully someone at Palo will pick this up and think it's a good idea for a new enhancement perhaps.

All the best, over and out...


  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!