Hi Checkmates,
We're using a 3rd party (Proofpoint) for phishing simulations. These work by sending in emails from Proofpoint-owned domains that include links to those domains to track click-through (and present a notice to the user about phishing).
We're having a lot of trouble trying to allow the emails in and the HTTP traffic out. We tried whitelisting the URLs via dynamic objects and static ones, but we're not getting consistent results, and this is only for the sending domains and URL clicks; we can't seem to prevent Check Point from defanging some of the URLs contained in the emails.
Ideally the Proofpoint domains would be re-categorised, but as we don't own them and can't vouch for them beyond our usage, I'm not sure if we'd be better off getting Proofpoint to request this with Check Point? And if so, how likely is it that this will be actioned outside of opening a TAC call (our experience with other vendors on URL re-categorisation has not been great)?
Is there a way to whitelist these consistently and across both HTTP and SMTP protections?
We're using R81.20 with URL Filtering, Threat Emulation, IPS, Anti-Bot, Anti-Virus and HTTPS Inspection.
An example defang from an inbound email is below:
Time: 2024-02-15T14:08:01Z
Triggered By: MTA
Original Queue ID: 4TbH2n5W89z4y9vC
Log ID: 0
Severity: High
Confidence Level: High
Malware Action: Malicious file/exploit download
Protection Type: Signature
Verdict: Malicious
Risk: 100
IP Protocol: 6
Destination Port: 25
Sender: updates@emailquarantine.net
Email Subject: Security Update
Email Recipients Number: 1
Scan Result: Malicious
Protection Name: Infecting URL
Last Hit Time: 2024-02-15T14:08:01Z
Action: Prevent
And below is the HTTPS behaviour, the policy was not changed during the 2 logs below:
Example HTTPS traffic outbound that matches the whitelist fine:
Time: 2024-02-08T17:22:59Z
Interface Direction: outbound
Service ID: https
Destination: 52.213.205.224
Destination Port: 443
IP Protocol: 6
Protection Name: Infecting URL.RS.TC.93c3wTZS
Confidence Level: High
Severity: Critical
Malware Action: Access to site known to contain malware
Protection Type: URL Reputation
Threat Prevention Rule Name: Phishing Simulator
Vendor List: Check Point ThreatCloud
Action Details: exception
Method: GET
HTTP Host: updates.emailquarantine.net
Action: Detect
Type: Log
Blade: Anti-Virus
Product Family: Threat
Action: Inspect
Resource: http://updates.emailquarantine.net/
A request 10 minutes before that was blocked even though it has the same domain and IP:
Time: 2024-02-08T17:08:18Z
Interface Direction: outbound
Service ID: https
Destination: 52.213.205.224
Destination Port: 443
Protection Name: Infecting URL.RS.TC.93c3wTZS
Confidence Level: High
Severity: High
Malware Action: Access to site known to contain malware
Protection Type: URL Reputation
Threat Prevention Rule Name: TE HTTP Rule Hold
Protection ID: 004CCA60C
Vendor List: Check Point ThreatCloud
Method: GET
HTTP Host: updates.emailquarantine.net
Confirmation Scope: Application
Action: Block
Type: Log
Blade: Anti-Virus
Product Family: Threat
Action: Inspect
Resource: http://updates.emailquarantine.net/
UserCheck Message to User: The site you are trying to access is classified as malicious and has been blocked. For more information, please contact your help desk. Click here to report an incorrect classification. Activity: Access to site known to contain malware URL: https://updates.emailquarantine.net/ Reference: 493203FD
UserCheck Interaction Name: Anti-Virus Blocked
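One way to triage this from the log export itself, as an added example for this thread (not Check Point tooling, and not a reply from the thread): a small Python script that parses the "Key: Value" records, groups outbound hits by HTTP Host and reports any host whose requests matched different Threat Prevention rules or received different verdicts, which is exactly the pattern in the two outbound logs above (one hit "Phishing Simulator" with an exception, the other hit "TE HTTP Rule Hold" and was blocked). The blank line between records, the sample records (abridged from the post, plus the inbound MTA record) and the handling of the repeated "Action:" key are constructed assumptions of this script.

```python
"""
Group Check Point Threat Prevention log records by HTTP Host and flag hosts
that were handled inconsistently (different rule name or verdict).

Added example for this thread; it is not Check Point code. Assumptions:
records are "Key: Value" lines separated by a blank line, and a key that
repeats inside one record (the post's records carry two "Action:" lines)
is kept as a list in order of appearance.
"""
from collections import defaultdict

# Constructed sample: the inbound MTA record and the two outbound HTTPS
# records from the post, abridged, with a blank line between records.
SAMPLE_LOGS = """\
Time: 2024-02-15T14:08:01Z
Triggered By: MTA
Destination Port: 25
Sender: updates@emailquarantine.net
Protection Name: Infecting URL
Action: Prevent

Time: 2024-02-08T17:22:59Z
Interface Direction: outbound
Destination: 52.213.205.224
Destination Port: 443
Protection Name: Infecting URL.RS.TC.93c3wTZS
Protection Type: URL Reputation
Threat Prevention Rule Name: Phishing Simulator
Action Details: exception
HTTP Host: updates.emailquarantine.net
Action: Detect
Blade: Anti-Virus
Action: Inspect

Time: 2024-02-08T17:08:18Z
Interface Direction: outbound
Destination: 52.213.205.224
Destination Port: 443
Protection Name: Infecting URL.RS.TC.93c3wTZS
Protection Type: URL Reputation
Threat Prevention Rule Name: TE HTTP Rule Hold
HTTP Host: updates.emailquarantine.net
Action: Block
Blade: Anti-Virus
Action: Inspect
"""


def parse_records(text):
    """Parse blank-line-separated 'Key: Value' records into a list of dicts.

    Each value is a list so repeated keys (e.g. 'Action') are not lost.
    Splitting on the first ':' keeps timestamps and URLs intact.
    """
    records = []
    current = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key-value line; ignore it
        current[key.strip()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def first(rec, key, default=""):
    """First value recorded for a key, or a default if the key is absent."""
    return rec.get(key, [default])[0]


def inconsistent_hosts(records):
    """Map host -> sorted [(time, rule, first Action, Action Details)] for
    hosts whose records do not all share one (rule, verdict) pair.

    Records without an HTTP Host (e.g. the MTA/SMTP record) are skipped.
    """
    by_host = defaultdict(list)
    for rec in records:
        host = first(rec, "HTTP Host")
        if not host:
            continue
        by_host[host].append((
            first(rec, "Time"),
            first(rec, "Threat Prevention Rule Name"),
            first(rec, "Action"),
            first(rec, "Action Details", "-"),
        ))
    return {
        host: sorted(rows)
        for host, rows in by_host.items()
        if len({(rule, action) for _, rule, action, _ in rows}) > 1
    }


if __name__ == "__main__":
    for host, rows in inconsistent_hosts(parse_records(SAMPLE_LOGS)).items():
        print(f"{host}: inconsistent handling")
        for time, rule, action, details in rows:
            print(f"  {time}  rule={rule!r}  action={action}  details={details}")
```

Run against a fuller export, the per-host listing shows which rule each request actually matched, which is the first thing to compare when an exception seems to apply only some of the time.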