All things Palo Alto Networks

    vijaya.vasan
    Apr 27, 2021

    Want to know whether this specific URL is phishing or not

    in General discussion

    The screenshot below shows that the base URL firebasestorage.googleapis.com is categorized as content delivery network, while the sub-URL is categorized as phishing; the customer wants to know why it was not blocked by the firewall. Also, when I check with VirusTotal, the URLs below are flagged as phishing. I just wanted to know how to take this forward: by creating a deny rule on the URL category, or I kindly need your assistance here.


    [Attachment: urlcategory1.png]

    [Attachment: urlcategory.png]

    Thanks in advance



    6 comments
    Reaper
    Apr 27, 2021

    Hi Vijaya


    firebasestorage.googleapis.com is not a phishing site; it is an application development platform owned and operated by Google, but users have been abusing the app-development capabilities by creating nefarious apps and storing credentials gathered from phishing campaigns. The main FQDN itself is safe. The lengthy URL you provided in the screenshot is a subsection (user space) where this 'abuse' has taken place, and that seems to be getting categorized properly.


    As such, the main site should not necessarily be blocked, as it hosts countless 'good' applications.



    Hope this helps

    Tom


    vijaya.vasan
    Apr 27, 2021

    Hi Tom,


    Thanks for the inputs. So how shall I proceed to block that specific lengthy URL on the firewall?

    I need some inputs on that as well.

    So shall I use a URL category for the lengthy one without decryption, or do we need decryption for it to be blocked? Kindly provide me with other possible means to rectify this issue.


    Thanks and regards,

    Vijay

    Reaper
    Apr 28, 2021

    You will need SSL decryption to detect it; without decryption you will only be able to see the FQDN. The lengthy one you posted is already identified as phishing, so it will be blocked as long as you have decrypted the session. Any 'new' instances should hopefully be picked up by also applying WildFire and dynamic URL lookups. You could subscribe to external services like Spamhaus and Cofense and ingest their lists as well, for extra coverage.

    vijaya.vasan
    Apr 28, 2021

    Hi Team, I just want to know whether these specific URLs are phishing or not, and how to take it forward. Like blocking the URL using a URL category with decryption enabled? Could that be a solution for all types of email phishing as well?

    I mean, if we enable decryption the sub-URL would be visible and the verdict for the URLs can be checked against WildFire signatures. So could this be a solution for preventing further links from entering the organization?

    Regards

    Reaper
    Apr 28, 2021

    For best coverage and the fewest false positives/negatives you should enable SSL decryption. On top of URL filtering you should also leverage WildFire and DNS Security; combining those 3 will give you far greater coverage. You can also ingest external threat feeds through MineMeld, and you could look into credential detection (sub-tab in URL filtering) to prevent credentials from being shared.
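The point Reaper makes in both Apr 28 replies (without decryption the firewall sees only the FQDN, so a phishing verdict on the full URL cannot fire) can be shown end to end in code. The script below is an added example, not code from the thread or from Palo Alto Networks: it builds a TLS ClientHello, extracts the SNI the way an undecrypted firewall would, then categorizes the same request once by FQDN and once by full URL after decryption. The category table is a hypothetical stand-in for the vendor's URL database, and the bucket path is a made-up placeholder, not the URL from the screenshot.

```python
# Added example (not from the PANgurus thread or Palo Alto Networks): why a
# URL-category block on the *path* of a shared-hosting URL needs SSL decryption.
import struct
from urllib.parse import urlsplit

# Hypothetical category database standing in for the vendor's URL database.
# The path entry is a made-up placeholder, not the URL from the screenshot.
CATEGORY_DB = {
    "firebasestorage.googleapis.com": "content-delivery-network",
    "firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com/": "phishing",
}
BLOCKED_CATEGORIES = {"phishing", "malware"}


def _prefix_matches(url, prefix):
    """True if `prefix` covers `url` on a host or path boundary."""
    if not url.startswith(prefix):
        return False
    # A host-only entry must match the whole host, not a longer host such as
    # "firebasestorage.googleapis.com.attacker.example".
    return len(url) == len(prefix) or prefix.endswith("/") or url[len(prefix)] == "/"


def categorize(url):
    """Longest matching entry wins, so a host/path entry overrides the host entry."""
    hits = [p for p in CATEGORY_DB if _prefix_matches(url, p)]
    return CATEGORY_DB[max(hits, key=len)] if hits else "unknown"


def parse_sni(data):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):                       # no extensions at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0x0000:                       # 0 = server_name extension
            continue
        p, list_end = 2, 2 + struct.unpack("!H", edata[0:2])[0]
        while p + 3 <= list_end:
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            name, p = edata[p + 3:p + 3 + nlen], p + 3 + nlen
            if ntype == 0:                        # host_name
                return name.decode("ascii")
    return None


def build_client_hello(server_name):
    """Minimal TLS 1.3-style ClientHello carrying supported_versions and SNI."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    versions = b"\x02\x03\x04"
    exts = (struct.pack("!HH", 0x002B, len(versions)) + versions
            + struct.pack("!HH", 0x0000, len(sni_data)) + sni_data)
    body = (b"\x03\x03" + bytes(32)                # version + (zeroed) random
            + b"\x00"                              # empty session_id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def _verdict(visible):
    cat = categorize(visible)
    return visible, cat, "block" if cat in BLOCKED_CATEGORIES else "allow"


def inspect_undecrypted(client_hello):
    """Without decryption the firewall sees only the SNI, i.e. the FQDN."""
    return _verdict(parse_sni(client_hello) or "")


def inspect_decrypted(host, request_line):
    """After decryption the HTTP request line exposes the full path."""
    _method, target, _version = request_line.split(" ", 2)
    return _verdict(host + (urlsplit(target).path or "/"))


# Constructed sample traffic: the same request seen both ways.
HOST = "firebasestorage.googleapis.com"
CLIENT_HELLO = build_client_hello(HOST)
REQUEST_LINE = "GET /v0/b/example-bucket.appspot.com/o/login.html?alt=media HTTP/1.1"

if __name__ == "__main__":
    for label, res in (("undecrypted", inspect_undecrypted(CLIENT_HELLO)),
                       ("decrypted", inspect_decrypted(HOST, REQUEST_LINE))):
        print(f"{label:12s} sees {res[0]} -> {res[1]} -> {res[2]}")
```

Run stand-alone it prints one line per view: the undecrypted view resolves to the host's content-delivery-network category and is allowed, the decrypted view resolves to the more specific phishing entry and is blocked. The host-boundary check in `_prefix_matches` is the caveat worth keeping when building your own lists: a naive prefix match on the bare FQDN would also cover look-alike hosts such as `firebasestorage.googleapis.com.attacker.example`.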

    vijaya.vasan
    Apr 28, 2021

    @Reaper thanks for the inputs, buddy, much appreciated.


    ©2020 by PANgurus.