It's no secret that e-mail and its attachments are one of the main attack vectors. The body of a message may carry phishing links that lead to malicious sites where an unwary user leaves personal data or downloads malware (spyware, ransomware, trojans and so on).


A new type of attack


Recently, “delayed attacks” (from the English “Delayed Poisoning Attacks”) have become quite popular. The idea is simple: the attacker sends an e-mail containing an ordinary link that is not malicious at the moment the message is inspected; soon afterwards the attacker changes what the link points to. When the user later clicks the supposedly “normal” link, they land on a phishing page, or on a malicious site that downloads malware in the background and infects the workstation. The trick is that at the moment the NGFW modules inspect the message it is legitimate, so it passes every layer of protection. In this article we look at how Check Point counters this threat and which settings have to be made.

Email protection from “Check Point”


The Check Point Security Gateway NGFW provides mail protection and sandbox emulation of mail attachments through its mail relay component, the Mail Transfer Agent (MTA).
This is shown schematically in the figure below:


MTA functionality comes down to the following options:

  • Sending file attachments for sandbox emulation (Threat Emulation blade);
  • Handling of SMTP sessions encrypted with SSL/TLS (the MTA terminates the TLS session with its own certificate; this covers SMTPS only, not other protocols);
  • Checking the links in the message for phishing or redirection to malicious resources;
  • Stripping malicious attachments and delivering the cleaned message.

Solving the Delayed Attacks problem


The countermeasure is called Click-Time URL Protection. With it enabled, the Check Point Security Gateway rewrites the links in the message so that every click is first sent through Check Point's cloud URL-reputation service, which checks the website for phishing, malware and other suspicious content before the user reaches it.
If the website or the file behind the link is malicious, access to the resource is blocked. Otherwise the user is taken to the website.

Benefits of Click-Time URL Protection:


  • A constantly updated URL database: Check Point Threat Intelligence (the cloud analytics service) is continuously fed new indicators of compromise, patterns and other metrics, so newly created malicious resources are detected quickly.
  • Prevention of “delayed attacks”: this relatively new MTA bypass no longer works, because a link is checked at the moment it is clicked, not only when the message is delivered.
  • Inspection of all links: links whose URL is hidden behind anchor text or a button (for example a “reset password” or “unsubscribe” button) are normally not checked by the MTA. Click-Time URL Protection rewrites every link in the message body and in attachments.
This function is not yet available as a built-in MTA setting; it is provided as EA (Early Availability). It can, however, be enabled from the command line.

Enabling Click-Time URL Protection:


1. Ensure that the Anti-Virus and Threat Emulation blades are enabled on the MTA gateway.


2. Install the latest MTA Engine update on the gateway. At the time of writing, the latest MTA version for R80.30 is Take 37. Information and instructions for installing MTA updates are available at the link.

3. Open SSH access to the gateway and switch to expert mode.

4. Open the configuration file in the editor: vi $FWDIR/conf/mail_security_config

5. At the bottom of the file, add a new section header: [click_time_url]

6. Below this header, add the line (see screenshot below): enabled=1


7. Save the changes and exit the editor: :wq
Note: if you have a cluster, perform the steps above on both nodes.

8. In SmartConsole, install the Threat Prevention policy on the Security Gateway/Cluster.

Note: to disable the option, change the line enabled=1 to enabled=0 in $FWDIR/conf/mail_security_config, then install the Threat Prevention policy on the Security Gateway/Cluster again.

Click-Time URL Protection can be further customised:

  • Exclude specific recipients by e-mail address
  • Enable only for specific recipients by e-mail address
  • Exclude specific domains from link checking
  • Rewrite plain-text links in the message body
  • Embed the original URL in the rewritten links
  • Customise the block page
  • Show the original URL on the block page

Exclusion of specific recipients by email



1. Connect to the MTA Security Gateway.

2. Create the file: touch $FWDIR/conf/mta_click_time_exclude_recipient_list

3. Enter into this file the e-mail addresses of the employees to exclude from the setting, one address per line, with no spaces. For example:
recipient1@mydomain.com
recipient2@mydomain.com

4. Open the configuration file in the editor: vi $FWDIR/conf/mail_security_config

5. In the [click_time_url] section, add the line: mode=exclude

6. If you have a cluster, follow the steps on both nodes.

7. Install the Threat Prevention policy on the gateway or cluster.

Enabling the Click-Time URL Protection option for specific recipients only


1. Connect to the MTA Security Gateway.

2. Create the file: touch $FWDIR/conf/mta_click_time_allowed_recipient_list

3. Enter into this file the e-mail addresses of the employees for whom the MTA option should be enabled, one address per line, with no spaces. For example:
recipient1@mydomain.com
recipient2@mydomain.com

4. Open the configuration file in the editor: vi $FWDIR/conf/mail_security_config

5. In the [click_time_url] section, add the line: mode=allowed

6. If you have a cluster, follow the steps on both nodes.

7. Install the Threat Prevention policy on the gateway or cluster.

Exclusion of certain domains from the Click-Time URL Protection function


1. Connect to the MTA Security Gateway.

2. Create the file: touch $FWDIR/conf/mta_click_time_url_white_list

3. Enter into this file the domains to exclude from the setting, one domain per line, with no spaces. From R80.20 the entries may be regular expressions. For example:
.*domain1.com.*
.*domain2.com.*
Keep in mind that an unanchored pattern with unescaped dots, such as .*domain1.com.*, also matches hosts like evildomain1.com, domain1.com.attacker.example or domain1xcom.example. If you only want to exclude a domain and its subdomains, escape the dots and anchor the expression.

4. If you have a cluster, then follow the steps on both nodes.

5. Install the Threat Prevention policy on the gateway or cluster.
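To see what the regular expressions in the white list actually match, here is an added shell example (not Check Point's code): it takes the article's loose pattern and a tightened one, applies each to the host name of a few constructed URLs and counts how many would be excluded from click-time checking. The assumption that the MTA applies the entry to the link's host name, the file names loose and strict, and the sample URLs are all mine; the regex semantics are standard POSIX ERE.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: entries in
# $FWDIR/conf/mta_click_time_url_white_list are POSIX extended regular
# expressions tested against the link's host name. Sample URLs and list
# files below are constructed for the demonstration only.

# url_host URL -> prints the lower-cased host part of an http(s) URL
# (userinfo, port, path and query are stripped)
url_host() {
    printf '%s\n' "$1" \
        | sed -E 's#^[a-zA-Z]+://([^/?:@]*@)?([^/?:]+).*$#\2#' \
        | tr 'A-Z' 'a-z'
}

# host_in_whitelist HOST LISTFILE -> exit 0 if any pattern in LISTFILE matches HOST
# (an empty line in LISTFILE would match every host, so the file must not contain one)
host_in_whitelist() {
    printf '%s\n' "$1" | grep -Eqf "$2"
}

# count_whitelisted LISTFILE URL... -> prints how many of the URLs would be excluded
count_whitelisted() {
    list=$1; shift
    n=0
    for u in "$@"; do
        if host_in_whitelist "$(url_host "$u")" "$list"; then n=$((n + 1)); fi
    done
    echo "$n"
}

demo_whitelist() {
    dir=$(mktemp -d) || return 1
    # loose entry, as in the article's example: unescaped dots, no anchors
    printf '%s\n' '.*domain1.com.*' > "$dir/loose"
    # tightened entry: escaped dots, anchored, optional subdomain labels only
    printf '%s\n' '^([a-z0-9-]+\.)*domain1\.com$' > "$dir/strict"
    set -- 'https://www.domain1.com/reset-password' \
           'https://evildomain1.com/login' \
           'https://domain1.com.attacker.example/' \
           'https://domain1xcom.example/'
    echo "loose entry excludes $(count_whitelisted "$dir/loose" "$@") of 4 constructed URLs"
    echo "strict entry excludes $(count_whitelisted "$dir/strict" "$@") of 4 constructed URLs"
    rm -rf "$dir"
}

demo_whitelist
```

Only the first URL belongs to the domain the administrator meant to exclude; the loose entry also lets the other three bypass the click-time check, the strict entry excludes only the first.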

Changing (re-writing) explicit links in the body of emails


Links that appear as HTML hyperlinks (for example a clickable “wonderful document” whose target is hidden in the anchor) are rewritten by the MTA, so the click goes through the reputation check and the link is safe. Links written as plain text, such as www.mydocument.com/download, are not rewritten by default. To make the configuration stricter, do the following:

1. Connect to the MTA Security Gateway.

2. Open the configuration file in the editor: vi $FWDIR/conf/mail_security_config

3. In the [click_time_url] section, add the line: enforce_text_links=1

4. If you have a cluster, follow the steps on both nodes.

5. Install the Threat Prevention policy on the gateway or cluster.
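The file edits in the procedures above (the [click_time_url] section with enabled=1, mode=exclude or mode=allowed, enforce_text_links=1, and the recipient list files) are easy to get wrong by hand, and they have to be repeated identically on every cluster member. The shell functions below are an added example and not Check Point's code: they edit an INI-style file idempotently (creating the section if needed, replacing a key that is already present instead of appending a duplicate, and leaving a same-named key in another section alone) and write a recipient list. The file layout is assumed from the article, and the demo at the end works on a temporary copy, never on $FWDIR itself. Installing the Threat Prevention policy afterwards is still done in SmartConsole.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: mail_security_config is
# INI-style ("[section]" headers, "key=value" lines). On a gateway you would
# call these in expert mode with CONF="$FWDIR/conf/mail_security_config" on
# every cluster member, then install the Threat Prevention policy.

# set_ini_option FILE SECTION KEY VALUE
# Ensures "[SECTION]" exists (appended if missing) and that exactly one
# "KEY=VALUE" line sits inside it. The file is rewritten in place so its
# permissions are preserved.
set_ini_option() {
    local file=$1 section=$2 key=$3 value=$4 tmp rc
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v section="$section" -v key="$key" -v value="$value" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            # leaving the target section without having written the key: write it now
            if (in_section && !done) { print key "=" value; done = 1 }
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_section = (hdr == "[" section "]")
            if (in_section) seen_section = 1
            print; next
        }
        in_section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            # first occurrence is replaced, any duplicate is dropped
            if (!done) { print key "=" value; done = 1 }
            next
        }
        { print }
        END {
            if (!seen_section) print "[" section "]"
            if (!done) print key "=" value
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_ini_option FILE SECTION KEY -> prints the value; exit 1 if the key is absent
get_ini_option() {
    local file=$1 section=$2 key=$3
    awk -v section="$section" -v key="$key" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_section = (hdr == "[" section "]"); next
        }
        in_section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            print; found = 1; exit
        }
        END { exit !found }
    ' "$file"
}

# write_recipient_list FILE ADDR... -> one address per line, spaces and blank lines removed
write_recipient_list() {
    local file=$1; shift
    printf '%s\n' "$@" | tr -d ' ' | grep -v '^$' > "$file"
}

# Demonstration on a constructed temporary copy, never on the live gateway file.
demo_click_time_config() {
    local dir conf
    dir=$(mktemp -d) || return 1
    conf="$dir/mail_security_config"
    printf '%s\n' '[general]' 'enabled=1' '[other]' 'x=1' > "$conf"   # constructed stand-in
    set_ini_option "$conf" click_time_url enabled 1                     # steps 5 and 6
    set_ini_option "$conf" click_time_url mode exclude                  # exclude-list mode
    set_ini_option "$conf" click_time_url mode allowed                  # switching mode replaces the line
    set_ini_option "$conf" click_time_url enforce_text_links 1          # rewrite plain-text links
    write_recipient_list "$dir/mta_click_time_allowed_recipient_list" \
        'recipient1@mydomain.com' ' recipient2@mydomain.com'
    echo "--- $conf ---"; cat "$conf"
    echo "--- allowed recipients ---"; cat "$dir/mta_click_time_allowed_recipient_list"
    rm -rf "$dir"
}

demo_click_time_config
```

Running set_ini_option twice with the same key leaves a single line, which matters when a colleague has already added the section on one cluster member and you re-run the steps on both; the [general] section's own enabled=1 is untouched because the key is matched only inside the target section.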

The remaining options are configured as described in sk162618.

Recently, colleagues from Check Point's Moscow office published an excellent webinar on the new Threat Emulation (sandbox) and MTA features.

Instead of a conclusion


In the near future we plan several more technical publications on various information security products. If you are interested in this topic, follow our channels (Telegram, Facebook, VK, TS Solution Blog)!
