
Phishing simulations are blocked, no allowlisting possible?


Collin
Go to solution Solved by Marcos,


We have several customers' 365 tenants in ECOS at the moment. One of our customers has just migrated to ECOS/365 and they have phishing awareness tests 3 times a year. Last week they did another phishing test, which we first tested out with some test users and they came in the inbox, using the domain whitelist policy feature of the antispam filter in ECOS. So after the test the phishing test was conducted to all employees and we noticed that pretty much all these phishing mails were filtered using the Phishing filter, for which we can't find some sort of allowlist functionality.

After contacting Eset tech support we got the answer that there are no options for bypassing the phishing filter, so they were not able to provide me with a solution. It's hard to believe that a security focused company like Eset is not providing this functionality, since phishing tests are a very effective tool of improving information security within a company, so I really hope this will be added to the platform.

As an alternative, I could remove the tenant from ECOS temporarily or unprotect the users manually. Will that have any effect, apart from not being protected for a short period of time?


  • Administrators

Please provide an example of such an email in the eml or msg format so that we can find out the reason for evaluating it as phishing and possibly fix it.


Thanks Marcos, to be clear, this IS a phishing email that is supposed to be filtered out, but because this is a test, the only solution should be to allow the URLs, sender addresses and/or IPs of sending mailservers via an allowlist.

When you click the link, you get a 365 login portal and when you enter credentials, you get a message saying you fell for it and you get some explanations about phishing mails.

Jan Willem Förch heeft een map met u gedeeld.msg.txt


  • Administrators

The phishing for simulation of a phishing attack is not detected, which is correct, i.e. it's not an actual phishing attack.


Hi Marcos, this email WAS being blocked by the phishing filter, which is the exact problem. We need to whitelist based on some criteria like sender address, subject, source IP, whatever. Any one of those should solve our issue (but which most likely is not possible).

The other solution could be to unprotect all users in COS, send the Phishing test, REprotect all users. I guess this may be the only solution, which is a shame. Microsoft does provide whitelisting for Phishing simulations, but when the email is passed to COS, it will be blocked by the phishing filter.

Microsoft has support for this exact scenario:

https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation

 


  • Administrators

I see now, it was not evaluated as spam by the ESET antispam which also checks for phishing and malicious links in messages. secure-login.nl has been whitelisted, please re-check it in ~30 minutes or later.


Thanks Marcos, but the new simulation will use a new URL (m365.company-login.nl). (the last one failed due to the ECOS phishing filter)

Can I whitelist URLs myself in ECOS or somewhere else?


  • Administrators
  • Solution

Antiphishing protection in the mail server protection setup doesn't have any kind of whitelist in ESET Mail Security.

I will mark the domain as trusted to prevent it from being blocked in the future.


Thanks Marcos, maybe it's a useful feature request to be able to manage these URLs via an ECOS policy. For now, I'm happy, we will test if the mails get through this time. Thanks for your assistance!


  • 1 month later...

Hi Marcos, a related issue, one of our customers keeps getting their own emails (sent from Sendgrid) marked as spam by Cloud Office Security because of a blocked URL:

URL (duovraagt.nl/Respondent/Home/Login) found on cloud blacklist, URL system set mail as SPAM

The domain duovraagt.nl is owned by our customer. It is a research company which is sending out questionnaires to their customers. So the domain is not malicious in any way or form. We also can't find a blacklist online which is mentioning this domain, except for ESET. Is there a way to get this domain duovraagt.nl removed from the ESET blacklist?

Thanks again :)
