: Configure Phishing Analysis
Focus
Focus

Configure Phishing Analysis

Table of Contents

Configure Phishing Analysis

Learn how to configure Phishing analysis.
Similar to DLP and Wildfire detections, Data Security supports Phishing Analysis and detects malicious and phishing URLs and proactively removes them.
This feature is currently available only for Microsoft Teams. Data Security scans chat messages, channel messages and URLs embedded within them.
Phishing Analysis is enabled by default (Data SecuritySettingsScan SettingsPhishing Analysis). You can add URLs to the Whitelisted URLs (exact URL or domain based) list so that Data Security does not perform Phishing Analysis on those URLs.

Configure Policies for Phishing Analysis

Data Security uses a predefined Phishing policy to proactively scan and remediate malicious and phishing URLs. You can also modify it as per your requirement or create a custom phishing policy using the following steps.
  1. Select Data SecurityPoliciesAdd Policy.
  2. Enter the basic information such as policy name, description (optional), severity and enable Phishing Analysis.
  3. Select the Cloud Applications (currently only instances of Microsoft Teams) you want to analyze for phishing.
  4. Select: URL for Data Pattern or Phishing for Data Profile as match criteria.
  5. Select the currently available options for Auto Remediation: Modify URLDelete URL.
  6. Select Other Actions as required. For example, you can choose to create an incident, assign it to a user, and send an administrator email alert.
  7. Save Policy.

Monitor Phishing Analysis

You can view the details of assets scanned for phishing.
  1. To monitor phishing scanning, select Data SecurityData Assets and apply the appropriate filters.
    In the following example, you can see that the Phishing data profile filter has been applied to display assets related to phishing analysis.
  2. Select the data asset you want to monitor to view additional details, specifically Phishing Report.
  3. Data Security uses Auto Remediation to delete malicious and phishing URLs automatically. To delete the URLs manually, select Data Asset NameActionsDelete URL.
    • If there are two URLs in a chat message, one whitelisted and the other phishing, Data Security performs remediation on the chat message and deletes both the URLs.
    • When a phishing URL is detected, only one remediation action can be performed on the asset—User Quarantine OR Delete URL. Both remediation actions cannot be performed on the same asset.