Email Security - Outbreak Filters Tidbit

Outbreak Filters aim to protect end users and organizations from malicious attachments, phishing attempts, & malicious URLs sent via emails. The function of Outbreak Filters is to delay suspect/malicious emails from being delivered to the targeted recipients.


Messages become quarantined when they contain malicious content that do the following:

  • Meet or Exceed Outbreak rules

  • Meet or Exceed thresholds configured

Note that Outbreak Filters "quarantine" feature is legit a holding area where messages are stored/held until confirmation of whether or not the email is safe. The Outbreak Filters does not take any final action on emails. The actions are either:

  • Quarantine a message for further processing

  • Move message to next step in pipeline

It is important to understand how Outbreak Filter rules are written. All rules get published via Cisco's Security Intelligence Operations (SIO). This SIO aims at providing fast, strong protection. It is essentially an all encompassing bucket that contains global threat info, reputation-based services, and sophisticated analysis.


Futhermore, SIO has 3 main components:

  • SenderBase: vulnerability database

  • Talos: Cisco's team of security analysts and automated systems

  • Dynamic updates

Outbreak rules have a threat level. Threat levels essentially indicate the potential risk of a viral outbreak. These threat levels are based on the following actors:

  • Suspicious file activity

  • Input from anti-virus vendors

  • Analysis via SIO

Outbreak filters will allow you to increase/decrease the impact of threat levels. The overview of threat levels consist of:

  • Level 0 = Risk: None

  • Level 1 = Risk: Low

  • Level 2 = Risk: Low/Medium - The risk that the message is a threat is low to medium. It is a “suspected” threat.

  • Level 3 = Risk: Medium - Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.

  • Level 4 = Risk: High - Either the message is confirmed to be part of a large scale outbreak or its content is very dangerous.

  • Level 5 = Risk: Extreme - The message’s content is confirmed to part of an outbreak that is either extremely large scale or large scale and extremely dangerous.


Synopsis: Any message deemed as part of an outbreak are always quarantined until they are determined safe. This determination is based on updated outbreak information from Cisco and/or new anti-virus definitions that are published by Sophos or McAfee.


To further understand how/when Outbreak Filtering occurs during ESA message processing it is important to know that this occurs in the workqueue phase. The occurrence is near the end of the workqueue processing. Note that quarantining via Outbreak Filters is dynamic and contains a retention period. Emails can be destined for release automatically based on configured global rules and rescan of email rules. The purpose of the retention period is so that legit emails are not prevented/delayed.


For more on Email Pipeline & Email Security see the <esa> tag! Cheers!

0 comments

Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

In this tidbit I will cover some ESA nice-to-know CLI commands & their purposes: > status = view counters/gauges; counters are a total of various events in the system; gauges show current utilization