Blocking ingress emails with a certain URL via transport rules.


Hello All,

My first post on the forum so forgive me if this has been discussed before. 

I am working on an Exchange transport rule that would quarantine any email that includes the URL "https://www.google.com/url?hl=en-GB&q=https://exampledomain.com/exablesubfolder/xys". Ideally the rule would block any email that includes just the Google redirect URL, but I seem to be struggling a bit with this. My current PowerShell script is as follows:
New-TransportRule -Name "Quarantine if Known Good Redirect URLv2" -SubjectOrBodyContainsWords '^https://www.google.com/url?hl=en-GB&q=' -Quarantine $True

I've included the caret per the instructions found in this doc. Any guidance would be appreciated!

You're mixing things a bit. ^ is used as part of regular expressions, but if that's your intention you should be using the -SubjectOrBodyMatchesPatterns condition instead. And you should be escaping some of the characters in the string (/ and ? and .), as those have special meaning in regex syntax.
Use a regex builder site, it will help you get the correct syntax.
As Vasil says, use the patterns predicate rather than words but beware that the Microsoft definition of "patterns" should not be equated with generally accepted standards for regular expressions even though there are Microsoft articles suggesting that the .Net standards apply. They don't, at least as far as Exchange Online is concerned. We instead have an undocumented subset of regular expressions, and if anything has been published in the last 6 months to clarify that then by all means please post the link.

I am going with 'http\S*\.google\.com/url\?hl=' and will post if it does not work.
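The following is an added example (not from any poster in this thread) that puts the advice above together: it uses the patterns predicate instead of ContainsWords, escapes the regex metacharacters, exempts the known-good sender mentioned later in the thread, and checks the pattern locally against a few constructed sample bodies before the rule is created. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to create transport rules; the rule name, the sample bodies and the decoded exempt address are assumptions. The local check uses the .NET regex engine, which, as the thread notes, is not the same engine Exchange applies, so keep the pattern simple and confirm what was stored afterwards.

```powershell
# Added example, not code from the thread. Assumes Connect-ExchangeOnline has
# already been run with permission to manage transport rules.

# 1. Pattern for the patterns predicate. '.' and '?' are escaped because they
#    are regex metacharacters; '&', '-', '=' and '/' are literal in .NET regex.
#    Exchange's matcher is an undocumented subset of .NET regex, so avoid
#    lookarounds, named groups and other advanced syntax.
$pattern = 'https?://www\.google\.com/url\?hl=en-GB&q='

# 2. Local sanity check against constructed sample bodies. This catches
#    escaping mistakes; it does not prove Exchange will accept the pattern.
$samples = [ordered]@{
    'redirect-https' = 'Please review: https://www.google.com/url?hl=en-GB&q=https://exampledomain.com/x'
    'redirect-http'  = 'http://www.google.com/url?hl=en-GB&q=https://exampledomain.com/x'
    'benign-google'  = 'Search for it at https://www.google.com/search?q=transport+rules'
    'no-url'         = 'Quarterly report attached.'
}
foreach ($s in $samples.GetEnumerator()) {
    $hit = $s.Value -match $pattern
    '{0,-15} {1}' -f $s.Key, $(if ($hit) { 'WOULD QUARANTINE' } else { 'pass' })
}

# 3. Create the rule. ExceptIfFrom exempts the legitimate sender; the address
#    is decoded from the obfuscated one posted in the thread (assumption).
$exemptSender = 'googlealerts-noreply@google.com'
New-TransportRule -Name 'Quarantine Google redirect URLs' `
    -SubjectOrBodyMatchesPatterns $pattern `
    -ExceptIfFrom $exemptSender `
    -Quarantine $true `
    -Comments 'Added example: quarantine mail carrying a google.com/url redirect'

# 4. Read the rule back; Exchange may normalise or reject the stored pattern.
Get-TransportRule -Identity 'Quarantine Google redirect URLs' |
    Select-Object Name, SubjectOrBodyMatchesPatterns, ExceptIfFrom, Quarantine
```

Expected result of step 2: the two redirect samples report WOULD QUARANTINE, the benign Google search URL and the body with no URL report pass. If the rule is later edited in the admin centre, re-run step 4, since the stored pattern is what actually counts against the tenant-wide pattern length limit mentioned below.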

Before you go hog-wild with patterns, do remember that there is a limit to the total length of patterns a tenancy is allowed. It's in the product limits statement.

Now here is a general question: when we discuss a specific attacking technique in TechCommunity, we are presumably exposing our knowledge to the black hat community who will then think one of two things:

1) that is a good idea - I will try it on some of my Microsoft targets
2) time to devise a new technique

What is the correct balance between concealing countermeasures and warning the community?

For the pattern, for starters the exempted sender's address [Community auto-redact] is probably a good idea.

Update: hoping no-one will have problems decoding this:

googlealerts<hyphen>noreply<at>google<period>com

Hi @Cole_ALbury

You can use Microsoft Defender to do the same.

Navigate to https://security.microsoft.com

From Policies and rules / Threat policies / Tenant allow/block list, click Block to add the URL.

This will quarantine any mail that contains the link you entered.


If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! :)
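As an added example (not the poster's own code), the portal steps above have an Exchange Online PowerShell equivalent via the tenant allow/block list cmdlets. It assumes Connect-ExchangeOnline has been run with rights to manage the allow/block list; the URL entry is a constructed placeholder, and the exact entry syntax (no scheme, wildcard placement) should be checked against the tenant allow/block list documentation before use. One practical difference from the transport-rule approach: a URL block entry here has no per-sender exception, so a legitimate sender such as Google Alerts cannot be exempted the way ExceptIfFrom allows in a rule.

```powershell
# Added example, not code from the thread. Assumes Connect-ExchangeOnline has
# already been run with permission to manage the tenant allow/block list.

# Placeholder entry: host plus path prefix, wildcard for the rest of the URL.
# Verify the entry syntax against the tenant allow/block list docs first.
$entry = 'www.google.com/url*'

# Create a block entry that does not expire. Notes are free text for auditing.
New-TenantAllowBlockListItems -ListType Url -Block -Entries $entry `
    -NoExpiration -Notes 'Added example: block google.com/url redirect links'

# Read the URL block list back to confirm the entry was accepted as written.
Get-TenantAllowBlockListItems -ListType Url -Block |
    Where-Object { $_.Value -like '*google.com/url*' } |
    Select-Object Value, Action, ExpirationDate, Notes
```

Use Remove-TenantAllowBlockListItems with the same -ListType and -Entries value to back the change out if it turns out to catch legitimate mail.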