
Can you block attachments based on regex matches like you do with keywords?

We have recently received a bunch of emails that have attachments that are not in themselves malicious, but contain links to malicious sites with downloads. The files don't have the same names and/or links, but they all have filenames that match one of the regex rules that I was using to block them when they had the filename as subject lines.

Blocking each by name would take forever and be a game of whack-a-mole, and all are PDFs, so the amount of false positives from blocking the entire attachment type is unsustainable.

Is there any way to match extension name by regex?


  • Hi Enviable,

    There are a couple of things to consider with this request.

    #1 Workstations should always have updated EP/AV clients, as malware/attachments may often be encrypted or unknown at the split second they hit your gateway. So multiple levels of AV are always recommended.

    #2 There is a feature called "time of click" you may wish to have a look at. In short, it will scan email for RFC links in the email; it will then re-write the address so that the link is proxied through the appliance. This allows the labs team to block domains in addition to AV/AS rules.

    #3 The appliance actually doesn't care what you call a file. It will use true-type scanning to scan the file, so there's no way you could scan for a file name; you would simply block the file type, i.e. *.ole2, *.zip or similar. Just be careful, because the appliance will match that against every file type that is contained within the file. For example you may have test.pdf, but the file itself would contain .txt, .jpg, .pdf and other elements.

    That being said, you can make rules based on subject. Just enable the advanced tick box on the first page of a data control or additional policy; there is a tab for regular expressions. The format MUST be fully qualified, and uses email globs and Perl regex, for example \btest\b. Have a look at something like this: https://www.regular-expressions.info/numericranges.html

    NOTE: never set a rule to discard until it's proven; there is no recycle bin, so if your rule isn't working exactly as you would like, you may get FP/FN.

    #4 The very best option you have is to install the 'submit spam' button in Outlook and submit the samples as spam to is-spam@labs.sophos.com. Emails will be tabulated, and anything that is malicious or contains malicious links would be dropped by AS rules. (If you don't have the plug-in, create a new message and drag and drop all of the spam as .eml attachments, and fire that off; just make sure you're excluded from outbound spam checking if you have it enabled.)

    In addition, make sure the appliance has fast DNS, check your firewall rules and ensure any SXL lookups are not being blocked, and double check your AS rules via my KB here: community.sophos.com/.../120802

    Cheers

  • Hi Red_warrior,

    Not sure I made my question clear enough. The issue we have is that emails from a specific campaign are using the following method:

    From <random Address>

    Subject <something about payment>

    Text something like:

    Dear Customer,

    Please see attached

    We look forward to working with you.

    Attachment: /([Dd]oc|DOC)-\d{3,9}\.pdf/

    That attachment contains a "to view your document click this link" that downloads a macro dropper for EMOTET.

    The issues are:

    We can't block by subject, as finance get these all the time.

    Can't block/quarantine *.pdf, as there are too many legitimate ones.

    Time of click won't re-write the link inside the attachment.

    It's a case of whack-a-mole to ID the domains being set up, and web filtering doesn't flag them as quickly as they make new ones.

    Intercept X / Endpoint catches the final-stage download, but IMHO this is too late in the delivery chain.

    We have a spam mailbox, but if you get hit by one of these campaigns, it's a deluge of reports to manually assess over the next couple of weeks (as people actually log in).

    And once you know what and how, reports are not really helping.

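Since the appliance, as described above, matches on true file type rather than on attachment name, a filename-pattern check like the one the poster wants has to run somewhere else in the mail path. The script below is an added example, not anything posted in the thread and not a Sophos feature: it assumes a mail pipeline (a milter, a transport hook, or a mailbox sweep) that can hand the raw RFC 5322 message to Python. It walks the MIME parts, applies the poster's regex from the thread anchored to the whole attachment name, records whether the bytes actually start with the PDF magic (a stand-in for the appliance's true-type check, so name and content can be compared), and returns a quarantine verdict. The sample message, addresses and payload bytes are constructed here for the example.

```python
from __future__ import annotations

import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The filename pattern posted in the thread, anchored to the whole attachment
# name so that "Doc-1234.pdf.exe" or "myDoc-1234.pdf" are not over-matched.
# Apart from the anchors it is the poster's regex unchanged.
ATTACHMENT_NAME_RE = re.compile(r"\A([Dd]oc|DOC)-\d{3,9}\.pdf\Z")

# A real PDF starts with this magic. Used here as a cheap stand-in for the
# appliance's true-type scan, so the finding records whether name and
# content agree; it is not a substitute for real content scanning.
PDF_MAGIC = b"%PDF-"


def build_sample_message(filename: str, payload: bytes) -> bytes:
    """Construct a sample message shaped like the one described in the thread.

    Everything here is constructed for the example: the addresses use the
    reserved .invalid TLD and the payload is whatever the caller passes in.
    """
    msg = EmailMessage()
    msg["From"] = "random-sender@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Payment remittance"
    msg.set_content(
        "Dear Customer,\n\nPlease see attached\n\n"
        "We look forward to working with you.\n"
    )
    msg.add_attachment(payload, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()


def attachment_findings(raw: bytes) -> list[dict]:
    """Walk the MIME parts and report, per attachment, whether the filename
    matches the campaign pattern and whether the bytes really are a PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # get_filename() handles RFC 2231 parameter encoding for us; an
        # absent name is treated as the empty string and never matches.
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "name_matches": ATTACHMENT_NAME_RE.match(name) is not None,
            "is_pdf": data.startswith(PDF_MAGIC),
        })
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Quarantine (never discard, per the advice in the thread) when any
    attachment name matches the campaign pattern."""
    return any(f["name_matches"] for f in attachment_findings(raw))


if __name__ == "__main__":
    # Constructed samples: one shaped like the campaign, one legitimate.
    pdf_bytes = b"%PDF-1.4\n% constructed sample, not a real document\n"
    campaign = build_sample_message("Doc-48213.pdf", pdf_bytes)
    legit = build_sample_message("invoice-2023-09.pdf", pdf_bytes)
    for label, raw in (("campaign", campaign), ("legit", legit)):
        print(label, should_quarantine(raw), attachment_findings(raw))
```

The verdict is deliberately "quarantine" rather than "discard", following the note earlier in the thread that there is no recycle bin; a name-based rule like this is a stopgap for one campaign and should be reviewed for false positives before it does anything irreversible. Pairing the name match with the `is_pdf` field also lets a reviewer spot attachments whose extension and content disagree, which is the kind of mismatch the appliance's true-type scanning is designed to catch.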