URL Rewriting and Analysis (using Outbreak Filters)

URL Defense Guide using Cisco Secure Email

Outbreak Filters

Outbreak Filters protects your network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur.

0NoneThere is no risk that the message is a threat.
1LowThe risk that the message is a threat is low.
2Low/MediumThe risk that the message is a threat is low to medium. It is a “suspected” threat.
3MediumEither the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
4HighEither the message is confirmed to be part of a large scale outbreak or its content is very dangerous.
5ExtremeThe message’s content is confirmed to part of an outbreak that is either extremely large scale or large scale and extremely dangerous.

Cisco Secure Email provides URL defense using Outbreak Filters in the following ways:

  • URL Rewriting
  • Cloud URL Analysis
  • Web Interaction Tracking

URL Rewriting

Outbreak Filters can rewrite URLs to redirect traffic to potentially harmful websites through a web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely.

Cloud URL Analysis

What is Cloud URL Analysis (CUA)?
Starting with AsyncOS 13.5, CUA is Cisco Talos' URL intelligence generating service. CUA integrates existing WBRS information with a variety of different analysis techniques. By actively analyzing many facets of a URL, from the structure of the URL itself to information about the domain and even page contents, CUA provides the ability for Talos to detect and deliver intelligence on a variety of URL-based attacks.

Items to keep in mind about CUA:

  • CUA is transparent to the email administrator and the end user
  • No updates or upgrades are required
  • No configuration is needed to enable CUA
  • CUA is a process used by Outbreak Filters


Cloud URL Analysis Prerequisites

  1. Outbreak Filters must be enabled and configured
  2. Web Interaction Tracking must be enabled in Outbreak Filters
  3. Service Logs must be enabled
  4. Depending on the version of AsyncOS deployed, a Message Filter may be needed for URLs included in attachments
    • Message Filter dependency is removed as of AsyncOS 14.0

How CUA is triggered

  1. An email with URL(s) looks suspicious
  2. With Outbreak Filters enabled, CUA is triggered by Threat Level 1 to 5
    • Even if the email gateway is configured to NOT quarantine

Not all URLs are crawled by CUA

  • Limited crawling capacity compared to ALL URLs received
  • Decisions are made to what to crawl and what not to
  • URL redirects are consumed, up to 19 redirects

What happens to URLs received by CUA?

  • Machine Learning analyzation
  • Heuristics (discover, learn, and report)
  • WBRS feeds (analyzed by and contribute to) (:point-left: this is also known as URL Filtering!)
    --- All of these determine which URLs requiring crawling

My Gateway/Cloud Gateway is running AsyncOS 13.5/13.7, what is the Message Filter needed?

  • Initially, CUA runs against URLs within the email body alone. In order to consume URLs in attachments, a Message Filter is needed to expose those for analysis. Message Filters are administrable only from the command line on Cisco Secure Email. The following is our best practice Message Filter for CUA:
expose_attachment_urls: if (url-reputation(-10.00, 10.00 , "", 1, 1)) OR (url-no-reputation("" , 1, 1)) {
                            log-entry("<<<=== THIS MESSAGE CONTAINED A URL, EXPOSING URL FOR CUA ===>>>");

Note: Cloud Gateway customers that do not have command line access may request this to be enabled for their instance: Command Line Interface (CLI) Access


AsyncOS 14.5

Starting in AsyncOS 14.5, Cisco Secure Email is working to expand the usage, reporting, and visibility of Cloud URL Analysis. AsyncOS 14.5 is tentative for late-Fall 2021.

Web Interaction Tracking

The web interaction tracking feature provides information about the end users who clicked on rewritten URLs and the action (allowed, blocked, or unknown) associated with each user click. Once you enable this feature, you can use the Web Interaction Tracking report to view information such as top malicious URLs clicked, top users who clicked on malicious URLs, and so on.

Did this page help you?