SandBlast and links inside email

Checkmates Post Link :

Query by Shahar_Grober (Checkmates memeber) :

I have an ongoing case with TAC about emulation of links inside emails 

R80.10 with MTA take_25 

Issue: TE doesn’t block Links with PDF inside emails 

Scenario: I took a malicious PDF from the  Threat Emulation POC (

Test #1:  download the malicious file through a web browser – AV found it as malicious and blocked the connection (see the first log) 

Test #2: I took the same link that I downloaded and copy it to an email and forward it via the MTA – TE emulates the link and finds the email is benign (second log)

I also tried it with other files which are not part of the TE POC. As you can see the file is emulated in the link and is forwarded to the recipient

SK’s that I already tried 

sk109573 and sk115313

I am not sure if it is a configuration issue as TAC managed to reproduce it and cannot find any issue with the TE configuration 

can anyone approve if this feature is working on his environment or can try to reproduce it?

Answer By Thomas_Werner (Checkmates Memeber) :

We finally tracked it down.

If you enable full debug of MTA (ATRG: Mail Transfer Agent (MTA)  you will see this log for your testing URL:

[mtad 3200 3780316048]@R8020SA[30 Jan 17:43:56]  [TE_IS (TD::All)] te_is::CurlSender::Send: <response> http error code: 200, url:…, data:

{“response”:[{“status”:{“code”:2001,”label”:”SUCCESS”,”message”:”Succeeded to generate reputation”},”resource”:”″,”reputation”:{“classification”:”Volatile Website”,”severity”:”Medium”,”confidence”:”High”},”risk”:50,”context”:{“protection_name”:”Phishing_website.bebwd”}}]}

So in general URL reputation works fine in MTA.

But we decided to only handle URLs in prevent mode if the risk level of a URL is 80 or greater.

In this case, it is 50 – that´s why the URL is not blocked.

This decision was taken due to less false positive rate in the first stage when enabling AV in MTA.

Currently, the level is not adjustable.

Summarize by Chinmaya (Admin, :-

In MTA, Threat Emulation work only if that URL end with any file extension, like also leads to the PDF file to download (xyz.pdf) 

It did not scan if it’s not to leads any PDF or any known extension like simple 

When enabling AV in MTA then URL reputation is checked over MTA base on the risk level. So if the risk level is  80 or below 80 then that malicious URL is not blocked even that the malicious URL have severity”: “Medium”, “confidence”: “High”. 

As on the above scenario, URL is bypass but If the customer is using Checkpoint URL Filtering then when the user is open that malicious link its BLOCK by Checkpoint URL Filtering. Because CP URL filtering is working base on severity and confidence level, not by Risk level.


  • Leave a Comment