Like everyone else, we’ve been seeing a significant number of phishing campaigns utilizing new domain registration to try and avoid detection. We have Zscaler’s “Enable Newly Registered Domain Lookup” turned on and the “Newly Registered Domains” URL category set to “block”. Unfortunately, we’re repeatedly seeing in logs that the first user that visits a “Newly Registered Domain” is initially allowed access before eventually being blocked. Obviously this isn’t ideal. We opened a ticket and were told this was a bug at first, but now we’ve been instructed we’d have to make a “feature request” to get this fixed. We never had this issue with our previous solution which also had “newly registered domain” block functionality. Are we missing something?
Hi @itsec, we do have an enhancement request filed to improve the design around Newly Registered Domain blocking. Please feel free to email me directly at jkrakora (at) zscaler (.) com and I can share more details. Thank you.
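To measure the gap described in the first post, the following added example (not part of the original thread and not Zscaler code) finds requests that were allowed to a host before that host's first "Newly Registered Domains" block. The log columns and sample rows are constructed, not a real Zscaler log schema, and the script assumes the early allowed hits may carry a different category than the later block.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names and values are hypothetical,
# not a real Zscaler log schema. Map them to your own log fields.
SAMPLE_LOG = """\
time,user,host,category,action
2024-05-01T09:00:02,alice,login-portal.example,Miscellaneous,Allowed
2024-05-01T09:00:05,alice,login-portal.example,Miscellaneous,Allowed
2024-05-01T09:03:40,bob,login-portal.example,Newly Registered Domains,Blocked
2024-05-01T09:10:00,carol,intranet.example,Corporate,Allowed
2024-05-01T10:15:00,dave,fresh-site.example,Newly Registered Domains,Blocked
2024-05-01T10:20:00,erin,fresh-site.example,Newly Registered Domains,Blocked
"""

NRD_CATEGORY = "Newly Registered Domains"


def allowed_before_block(log_text, category=NRD_CATEGORY):
    """Return allowed requests to hosts that were later blocked as `category`."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    rows.sort(key=lambda r: r["time"])

    # First time each host was blocked under the NRD category.
    first_block = {}
    for r in rows:
        if r["action"] == "Blocked" and r["category"] == category:
            first_block.setdefault(r["host"], r["time"])

    # Allowed requests before that first block are the exposure window.
    # Assumption: the category on those early hits may differ, so match on host.
    findings = []
    for r in rows:
        blocked_at = first_block.get(r["host"])
        if r["action"] == "Allowed" and blocked_at and r["time"] < blocked_at:
            findings.append({
                "host": r["host"],
                "user": r["user"],
                "allowed_at": r["time"],
                "gap_seconds": int((blocked_at - r["time"]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in allowed_before_block(SAMPLE_LOG):
        print(f"{f['host']} user={f['user']} allowed {f['gap_seconds']}s before first block")
```

Each finding is a user who reached the domain before the block took effect, which makes it a candidate for credential-reset or endpoint triage.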