You may notice that Agari Phishing Defense (APD) did not detect a link in a message that you consider malicious. This can be caused by a few common scenarios: the URI may be newly crafted and not yet reported and verified as malicious, the link may have been benign when it was originally delivered and weaponized afterward, or the site may already have been taken down. It is not uncommon for an attacker to include a link that goes to a clean site, then change the content after the campaign has been completed and the messages delivered. It is also not uncommon for the malicious site to be taken down within minutes or hours of it first being detected, after which no vendor finds it malicious because the scan returns a 404 with no content.
The APD Sensor scans the HTML body of the message for any URIs that appear inside an HTML `href` attribute (an `<a href="...">` anchor). If the URL is not in an `href` attribute, or the message is not in HTML format, the URL will not be detected and thus not scanned. The sensor will also scan links inside Word documents and other file types. This scan happens at the time of delivery, and the URIs are checked against multiple third-party databases for known malicious content.
The Agari Sensor can "re-fang" URIs that were previously "de-fanged" by the most common de-fangers. This includes Microsoft Safelinks, Cisco, Symantec, and Proofpoint.
You may also notice that the same URI is classified differently in other messages delivered at a different time. This is due to the status of the URI changing over time as new reports and verifications come in.
Most vendors do not update the level of maliciousness after the site has been taken down, as there is nothing left to mark as malicious. This means that if a third-party analysis tool scans the URI and receives, for example, a 404 error, it will typically not mark it as malicious, and the verdict will come back clean or unknown. There are many third-party analysis and sandboxing tools for verifying the site's status without having to go directly to the suspected malicious site, including Agari's own APR solution.
VirusTotal is a popular third-party URL reporting service. At the time of writing, VT displays the verdicts of over 90 different URL engines. It typically uses each engine's free or lowest-tier service, which may not be as up to date as the paid service. While APD does use some of the vendors in VT's list (and others), APD does not use all of them, as many do not uphold the level of accuracy Agari commits to provide to its customers. In addition, Agari uses the paid (not free) version of these services, which is updated more frequently and has better overall results. So while VirusTotal is a great tool, its accuracy can vary depending on which vendors return the verdict.
At this time we are unable to share the vendors we utilize.
In the message details section you are able to make an "adjustment", allowing you to quickly change the status of a URL. Scoring adjustments that you make take approximately five minutes to take effect. See the admin guide for more information about scoring adjustments.
APD offers three different "modes" that set the level of "aggressiveness" used in URI scanning. These modes determine how many vendors must agree that a URL is malicious. Out of the box, every organization is set to "moderate", but if you find that you want more or fewer URLs marked as malicious, this can be adjusted.
Note: Being more aggressive with URL detection can result in a higher false-positive rate. Moderate was chosen because it has the best FP/FN ratio across our entire customer base; however, we understand that every organization is different.
To change this setting please contact support.
- Fewer vendors must agree
- A moderate amount of vendors must agree
- More vendors must agree
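The following is an added example, not Agari's code, illustrating the behaviour described above: it collects only URLs found in `href` attributes (a bare URL in the text is ignored), unwraps Microsoft Safe Links rewrites by reading their `url` query parameter, and applies a vendor-agreement threshold per mode. The message body and the per-mode vendor counts are constructed for illustration; Agari does not publish the real thresholds.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body (not a real message): one plain anchor, one anchor
# wrapped by Microsoft Safe Links, and one bare URL outside any href.
SAMPLE_HTML = """
<html><body>
<p>Invoice: <a href="https://billing.example.test/inv/42">view</a></p>
<p><a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpay.example.test%2Freset%3Fid%3D7&amp;data=abc">reset</a></p>
<p>Plain-text mention (not scanned): https://bare.example.test/not-in-href</p>
</body></html>
"""


class HrefCollector(HTMLParser):
    """Collect every href attribute value; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def extract_hrefs(html):
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def refang(url):
    """Unwrap a Microsoft Safe Links URL (the original sits in its 'url' parameter).
    Other wrappers are returned unchanged in this example."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host.endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url


# Assumed, illustrative thresholds only: the article says the modes differ in how
# many vendors must agree, but does not give the actual counts.
MODE_MIN_VENDORS = {"less": 1, "moderate": 2, "more": 4}


def verdict(malicious_votes, mode="moderate"):
    """Return the aggregate verdict for the number of vendors flagging the URL."""
    return "malicious" if malicious_votes >= MODE_MIN_VENDORS[mode] else "clean_or_unknown"
```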
Agari offers a SOC tool for triaging user-reported phish, Agari Phishing Response (APR), which includes paid licenses for VirusTotal and Hybrid Analysis for URL and attachment scanning. If you are interested in more information about APR, please contact email@example.com.