Exam SY0-601
Question 724

A security team has been alerted to a flood of incoming emails that have various subject lines and are addressed to multiple email inboxes. Each email contains a URL shortener link that is redirecting to a dead domain. Which of the following is the best step for the security team to take?

    Correct Answer: D

    Blocking the URL shortener domain in the web proxy is the best step because it directly prevents users from accessing the malicious URLs. This action immediately stops the redirection mechanism employed by the attackers, thereby protecting users from any potential harm. Because it targets a specific and immediate threat, blocking the URL shortener domain minimizes disruption to other business activities and reduces the risk of inadvertently allowing access to the malicious domain.

Discussion
Paula77 (Option: D)

This action stops any further redirection to the malicious or non-existent site. It’s a targeted approach that directly addresses the issue without affecting other email traffic. B. Send the dead domain to a DNS sinkhole can be effective but it doesn’t prevent users from clicking the link initially. It’s more of a reactive measure.

LayinCable

Thank you for saying this, I don't understand how people think sending the domain to a proxy server will stop the problem overall. People will still click the link, which will still head to the dead domain. If you block the specific URL, it WILL NOT block any other shortened URLs. That literally makes no sense. Again, thank you.

Hellome123

Blocking the URL shortener domain in the web proxy (option D) could be an effective measure to prevent access to the malicious URLs. However, it's important to consider the possibility that the attackers could use different URL shortener services or domains in the future. Therefore, while blocking the specific URL shortener domain may provide temporary relief, it might not address the root cause of the issue comprehensively. On the other hand, sending the dead domain to a DNS sinkhole (option B) effectively prevents any traffic attempting to reach the malicious domain, regardless of the method used to access it. This approach is more proactive and robust, as it targets the destination domain itself rather than relying on blocking specific intermediaries. It provides a broader defense against potential future threats involving similar tactics.

qwes333 (Option: B)

Agree on B. DNS sinkhole prevents any eventual misclick from the end users also.

Tikalosh (Option: B)

I considered D, however blocking the shortener domain would potentially block other legitimate shortened URLs. B results in mitigating the issue while not impacting other uses.

Paula77

When users attempt to access a shortened link, the proxy intercepts the request and checks whether the domain matches the blocked list. This measure does not imply blocking all shortener domains.

agfencer (Option: D)

Sending one dead domain to DNS sinkhole does not stop the attack. The attacker could easily shift to 100 other dead domains they hold, but they would need to devise an entirely new attack strategy if all URL shorteners are blocked by default. Also, this would not really impact business as usual since businesses don't often require URL shorteners internally, they can send the full link.

Malkhofash (Option: B)

B. Send the dead domain to a DNS sinkhole.

DChilds (Option: B)

Send the dead domain to a DNS sinkhole is the most logical on the list.

buckthesystem (Option: B)

DNS Sink as per qwes333

CG22 (Option: D)

Sinkholing is the most suitable, blocking the URL shortener can block legitimate addresses too

Marleigh

then when did u select d... lol

rickirikci11 (Option: D)

D absolutely: Block the URL shortener domain in the web proxy.
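
The trade-off argued in this thread (a proxy block on the shortener host versus a DNS sinkhole on the destination domain) can be modeled hop by hop. This is an added example, not part of the original discussion; every hostname and the redirect table are constructed, and exact-host matching is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed sample data (reserved .example names, not real indicators).
# Maps each shortened link to the destination the shortener redirects to.
REDIRECTS = {
    "https://sho.rt.example/a1": "http://dead-campaign.example/login",
    "https://sho.rt.example/b2": "http://dead-campaign.example/invoice",
    "https://sho.rt.example/hr": "https://intranet.corp.example/benefits",  # legitimate link
    "https://tiny.example/zz": "http://dead-campaign.example/reset",  # different shortener
    "https://sho.rt.example/c3": "http://other-dead.example/x",  # different destination
}


def trace_click(url, proxy_block=frozenset(), sinkhole=frozenset(), max_hops=5):
    """Follow one click hop by hop and report which control, if any, stops it.

    Returns (outcome, host, hop). Hop 0 is the shortener itself, hop 1 the
    destination. Matching is exact-host only, a simplification of real
    proxy and sinkhole rules.
    """
    host = None
    for hop in range(max_hops):
        host = urlsplit(url).hostname
        if host in sinkhole:        # resolver answers with the sinkhole address
            return ("sinkholed", host, hop)
        if host in proxy_block:     # proxy denies the HTTP request
            return ("proxy_blocked", host, hop)
        nxt = REDIRECTS.get(url)
        if nxt is None:             # no further redirect: nothing filtered it
            return ("unfiltered", host, hop)
        url = nxt
    return ("too_many_redirects", host, max_hops)


def compare(proxy_block=frozenset(), sinkhole=frozenset()):
    """Outcome for every sample link under one set of controls."""
    return {u: trace_click(u, proxy_block, sinkhole)[0] for u in REDIRECTS}


if __name__ == "__main__":
    option_d = compare(proxy_block={"sho.rt.example"})
    option_b = compare(sinkhole={"dead-campaign.example"})
    for link in REDIRECTS:
        print(f"{link:28} D: {option_d[link]:14} B: {option_b[link]}")
```

Under option D the click stops at hop 0 but the legitimate `/hr` link is blocked too and the `tiny.example` link passes; under option B the shortener is still contacted and the link pointing at a second destination passes.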