O365 RegEx transport rules


Hello,

I'm trying to configure a regular expression transport rule in O365 and I have been successful in getting a large part of it to work but there is one part that has eluded me.

NOTE: All of the regular expressions that I have used have been tested, and work, on the .NET Regex tester http://regexstorm.net/tester but the portion that I am having a problem with does not work when I copy it over to O365 (I can paste it in and it is accepted as valid but O365 does not catch my tests).

Here is an example of one of the regex that I used

((?i-m)mycompany?(.com|.com<\/a>\s?)?(?i-m)(\s+?\w+\s+?center|\s?\w+\s+?Team)|mycompany?\s+?\w+\s?Desk)

Here are the test input phrases, all of which match the regex tests but none of the ones that have mycompany.com in them are caught by the O365 transport rule. All of the other phrases are caught.

MyCompany HelpDesk
MyCompany ServiceDesk
MyCompany Verification Center
MyCompany Help Desk
MyCompany Service Desk
MyCompany.com Security Team

MyCompany Security Team
MyCompany.com Verification Center
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a> Verification Center<br></div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a>Security Team<br></div>

The goal here is to create a regex that catches multiple common phishing phrases and quarantines them.

Has anyone ever successfully done something like this?

Any / all suggestions are greatly appreciated.


Thx!

1 Reply
While some articles mention 'regex' is supported for particular predicates with transport rules, it is not regex - the term 'pattern' used in documentation is more appropriate. You can only do some basic matching; supported tokens are mentioned here - note the absence of the 'zero or one' (?) for example:
https://technet.microsoft.com/en-us/library/aa997187%28v=exchg.141%29.aspx?f=255&MSPPError=-21472173...
The article is about Ex2010; AFAIK this isn't different in later versions. Also note that in its defense, allowing too complex expressions could - at scale - impact resources on the server side.
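
Added example, not part of the thread and not Microsoft's code: a small Python lint that lists every construct in the posted expression that falls outside the basic pattern tokens the reply refers to. The token set (`\S \s \D \d \w | * ( ) ^ $` with `\` as escape) is an assumption taken from the Exchange 2010 pattern list, and the names `unsupported_tokens` and `summarize` are hypothetical.

```python
from collections import Counter

# Assumption: the pattern tokens listed for Exchange 2010 transport rules
# (\S \s \D \d \w | * ( ) ^ $ and \ as escape). Not verified for Exchange Online.
SUPPORTED_CLASSES = set("SsDdw")
REGEX_ONLY_META = set("?+.{}[]")  # regex metacharacters outside that list

# The expression from the question, copied verbatim.
POSTED = (r"((?i-m)mycompany?(.com|.com<\/a>\s?)?(?i-m)"
          r"(\s+?\w+\s+?center|\s?\w+\s+?Team)|mycompany?\s+?\w+\s?Desk)")


def unsupported_tokens(pattern):
    """Return (offset, token) for every construct outside the assumed token set."""
    found, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            nxt = pattern[i + 1:i + 2]
            # \ + letter/digit is a class, anchor or backreference;
            # \ + punctuation (such as \/) is just an escaped literal.
            if nxt.isalnum() and nxt not in SUPPORTED_CLASSES:
                found.append((i, ch + nxt))
            i += 2
        elif pattern.startswith("(?", i):
            # Inline options, non-capturing groups, lookarounds: (?i-m) (?: (?=
            end = i + 2
            while end < len(pattern) and pattern[end] not in "):":
                end += 1
            found.append((i, pattern[i:end + 1]))
            i = end + 1
        else:
            if ch in REGEX_ONLY_META:
                found.append((i, ch))
            i += 1
    return found


def summarize(pattern):
    """Count the flagged tokens by kind."""
    return Counter(tok for _, tok in unsupported_tokens(pattern))


if __name__ == "__main__":
    for offset, tok in unsupported_tokens(POSTED):
        print(f"offset {offset:3d}: {tok}")
    print(dict(summarize(POSTED)))
```

A pattern that the lint reports as clean still needs to be tested against real messages in the tenant, since the lint only checks tokens against the assumed list.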