This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

App Rule to Identify Phishing Email

NeilHaskins
Beginner
Beginner

‎2016-04-29 10:56 AM

We have download and deploy the “phishing_lua” parser, “mismatched href header” rule, and “Phishing Profile” report

 

0 Likes
2 REPLIES 2

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2016-04-29 11:18 AM

phishing_lua will register risk.warning "href host doesn't match displayed host"

 

Specifically, if an email contains an href for which displayed text is a url and the host portion of the displayed url doesn't match the host portion of the href then the above meta will be registered.  For hostnames, only the domain is compared;  for addresses, the entire address is compared.

NeilHaskins
Beginner
Beginner
In response to WilliamMotley1

‎2016-05-01 01:49 AM

Thank you for response

 

We are getting 1000s of events under the risk.warning "href host doesn't match displayed host", Can you please suggest how we can grill down to find the exact event eliminating the genuine's 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.