User27605043
Reliable Contributor
Message 1 of 3

How do we deal with tinyurl.com obfuscation?

Just that. Emails sent in with a tinyurl.com link are not flagged as malicious. We should not have to click the link to find if the location it takes you to is malicious. What is the way to deal with this?

Stewart
2 Replies
fw_mon
Reliable Contributor
Message 2 of 3

Re: How do we deal with tinyurl.com obfuscation?

Hello @User27605043 

I have such requests very often. Sadly, the McAfee/SkyHigh URL database doesn't have a separate URL category for URL shorteners that can be blocked or put behind a coaching page.

When a user clicks on a tinyurl.com link, the browser sends the request to the proxy, the proxy will request the page and check the answer:

 

GET /bddsavr4 HTTP/1.1
Host: tinyurl.com
Accept: */*

HTTP/1.1 301 Moved Permanently
Location: hxxp:/x/proxy-test.com
Cache-Control: max-age=0, public, s-max-age=900, stale-if-error: 86400
Referrer-Policy: unsafe-url

 

As you can see, the proxy gets a 301 redirect with an indication of which URL is behind the shortened link in the Location header.

The proxy doesn't check the Location header by default and sends the answer to the client. The client's browser follows the 301 redirect and requests the URL from the Location header. The proxy receives this request and now blocks it based on the URL reputation.

The proxy protects the client in realtime when a user clicks the link to see the real url behind the tinyurl. 

You can configure the proxy to block malicious redirects before they reach the browser by placing this rule after the HTTPS Scanner:

Name: Block malicious redirects

Rule Criteria:
URL.ReputationForURL (Header.Response.Get ("Location")) greater than or equals 30

Action: Block

 

 

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo (click on the thumb up symbol) to help other community members. MWG+Splunk=❤
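
Added example, not part of the post above and not Web Gateway code: a Python sketch of the decision the "Block malicious redirects" rule makes on the response side, including relative Location values and responses that are not redirects. The function reputation_for_url, the SAMPLE_REPUTATION table and all host names are constructed stand-ins; only the threshold of 30 comes from the rule criteria in the post.

```python
from urllib.parse import urljoin, urlsplit

BLOCK_THRESHOLD = 30  # from the rule criteria quoted in the post

# Constructed scores; a real gateway would query its reputation service instead.
SAMPLE_REPUTATION = {"malicious.example": 90, "intranet.example": 0}

def reputation_for_url(url):
    """Hypothetical reputation lookup keyed on host; unknown hosts score 0."""
    host = (urlsplit(url).hostname or "").lower()
    return SAMPLE_REPUTATION.get(host, 0)

def redirect_target(request_url, raw_response):
    """Return the absolute redirect target of a 3xx response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    if not 300 <= int(parts[1]) < 400:
        return None  # a Location header on a non-redirect is not followed
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    location = headers.get("location")
    if not location:
        return None
    # Location may be relative; resolve it against the URL that was requested.
    return urljoin(request_url, location)

def decide(request_url, raw_response):
    """Return ("block" | "allow", resolved_target_or_None)."""
    target = redirect_target(request_url, raw_response)
    if target is not None and reputation_for_url(target) >= BLOCK_THRESHOLD:
        return "block", target
    return "allow", target

# Constructed shortener response, shaped like the exchange shown in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "location: http://malicious.example/x\r\n"
    "Cache-Control: max-age=0\r\n\r\n"
)

if __name__ == "__main__":
    print(decide("https://short.example/abc", SAMPLE_RESPONSE))
```
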
User27605043
Reliable Contributor
Message 3 of 3

Re: How do we deal with tinyurl.com obfuscation?

Thanks for the response. It is too bad that GTI does not automatically check obfuscated URLs like tinyurl, that would make that tool and the ENS Web Control much more useful.

I always find it weird and concerning that no Trellix Engineer reviewed a post these days. I wonder if they are still monitoring the forums? I always used to see an employee response.

Stewart