PANCast Episode 25: Phishing Emails and Relevant Threat Prevention Features in PAN-OS



Episode Transcript:



Hello, and welcome back to PANCast. In today's episode, we will discuss Phishing Emails and relevant Threat Prevention features in PAN-OS. We have a special guest today to talk about this, Jithu.

Before we start Jithu, could you tell us about yourself?



Hey John, I’m a Principal Cybersecurity Specialist in the Threat team and have been with Palo Alto Networks for about 7 years now. Our team mainly deals with issues associated with the Threat prevention features of the Palo Alto Networks firewall.

Jithu is a Principal Cybersecurity Specialist in the GCS threat team, he is passionate about Cybersecurity and has a special interest in handling Cyber Incidents and breaches. He has been with Palo Alto Networks for around 7 years.



Thanks Jithu, so to start with, what is Phishing?


What is Phishing?



Phishing is a form of social engineering where a threat actor sends one or more fraudulent communications to a user in an attempt to trick them into downloading malware onto a device or forfeiting sensitive information such as login credentials, personally identifiable information (PII) or financial data. In most cases, phishing usually occurs through communication channels such as email, SMS messages, social media or phone calls (also called vishing). Today we'll be talking about phishing emails and coverages we have in PAN-OS.



Great, so what coverage do we have and what are typical scenarios?


What Coverage Do We Have in PAN-OS?



Phishing is a very popular initial attack vector and we'll be discussing 2 scenarios today. Before I start, I want to stress the point that SSL Inbound inspection has to be configured in the firewall for it to be able to inspect inbound SMTP traffic running over TLS.


Scenario No 1 - Email with Phishing link passing through the firewall


This is a common scenario where an attacker sends out phishing emails with a link, with the goal of convincing the user to click on the link and provide login credentials, download and execute malware etc.


If the WildFire Profile is attached to the security policy matching the traffic and it's configured to forward email-links, the firewall extracts the HTTP/HTTPS links and forwards them to WildFire for Analysis. WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:


  1. Recorded on the firewall as a WildFire Submissions log entry. Please note that the Email-Links are only detected by WildFire and the email itself will not be blocked by the firewall.
    The log entry also includes the email header information like email sender, recipient, and subject so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
  2. Added to PAN-DB and the URL will be categorized as malware/phishing.


Now, let's move on to what happens when the user clicks the link, assuming that this is a phishing attempt focusing on credential theft. The scenario where the link downloads malware is similar to Scenario No 2, which I'll be talking about next:


  • DNS Resolution happens first, which could be blocked by DNS Signatures (or DNS Security) if the domain or FQDN is classified as Malware.
  • URL Filtering can block the HTTP request; SSL Decryption is required if the connection is over HTTPS. We also have real-time detection, Local and Cloud inline detection to detect web-based attacks that use advanced evasion techniques.
  • URL Filtering User Credential Detection can be used to block credential submission to sites in untrusted categories; this needs the User-ID feature to be configured in the firewall.


Scenario No 2 - Phishing Email with malicious Attachment passing through the firewall


This is also a common scenario where an attacker sends out phishing emails with a malicious attachment with the goal of tricking the user into executing the malware.


This malicious attachment can be blocked by WildFire Signatures, Antivirus Signatures or WildFire Inline ML. All these are configured as part of the Antivirus profile. WildFire and Antivirus Signatures are signatures released as part of the WildFire and Antivirus bundles, respectively. The WildFire inline ML option present in the Antivirus profile enables the firewall dataplane to apply machine learning on PE (portable executable), ELF (executable and linked format), MS Office files, PowerShell scripts and shell scripts in real-time. This protection extends to currently unknown as well as future variants of threats that match characteristics that Palo Alto Networks has identified as malicious. To keep up with the latest changes in the threat landscape, inline ML models are added or updated via content releases.


Apart from this, a WildFire profile can be attached to the security policies and WildFire supported file types will be forwarded to WildFire for Analysis. WildFire will analyze the sample in the sandbox and a WildFire Submissions log will be written in the firewall with verdict 'malware'. WildFire Submissions logs will be written irrespective of whether the sample was blocked by the above mentioned features or not; the main difference is the priority of the logs:


  • High Priority indicates that the file was NOT blocked.
  • Informational Priority indicates that the file was blocked.


So, if a file has passed through the firewall 5 times and was allowed 1 time and blocked 4 times, there will be 1 High priority log and 4 Informational priority logs under WildFire Submissions. As a customer you should always review the High Priority WildFire Submissions logs as these samples were not blocked by the firewall and have potentially reached the endpoint.


Once WildFire classifies a sample as Malware, a signature is released and sent to the firewall as part of the WildFire bundle or in real time, based on the configuration. This signature will eventually be released as part of the Antivirus bundle in 24-48 hours.


You can also leverage File Blocking profiles to block unwanted files being allowed over the security policy matching SMTP traffic. You should have a custom file blocking profile that's mapped to the security policy allowing SMTP traffic and should ask yourself questions like "Do I really need to allow encrypted-rar, encrypted-zip or even exe file type over SMTP?".



Looks like we have strategies to counter phishing emails. 

Jithu, what would be the key takeaways for today?


Key Takeaways



The key takeaways would be to be diligent with hardening the security profiles and making sure that the profiles are applied to the relevant security policies so that all the protections that I mentioned are applied.


I would like to reiterate the importance of having a process in place to handle High Priority WildFire Submissions Logs.



Thanks, Jithu, great info on some of our threat prevention features. You can find the transcript and some valuable links on under PANCast. Thanks again Jithu.



Thank you for having me, looking forward to being a part of more episodes.



Hope you have learnt something today PANCasters and remember to subscribe on all popular podcast platforms. Bye for now.


Related Content:

Threat Prevention WildFire NGFW 


Good concepts shared. Explains how to apply them for specific use cases for our environment. Relevant and applicable to keeping us secure from phishing threats. Thank you @jithu 

Last Updated: 08-30-2023 12:04 PM