O365 RegEx transport rules

Robert Strom
Occasional Visitor

Hello,

 

I'm trying to configure a regular expression transport rule in O365 and I have been successful in getting a large part of it to work but there is one part that has eluded me.

 

NOTE: All of the regular expressions that I have used have been tested, and work, on the .Net Regex tester http://regexstorm.net/tester but the portion that I am having a problem with does not work when I copy it over to O365 (I can paste it in and it is accepted as valid but O365 does not catch my tests).

 

Here is an example of one of the regex that I used

 

((?i-m)mycompany?(.com|.com<\/a>\s?)?(?i-m)(\s+?\w+\s+?center|\s?\w+\s+?Team)|mycompany?\s+?\w+\s?Desk)

 

Here are the test input phrases, all of which match the regex tests but none of the ones that have mycompany.com in them are caught by the O365 transport rule. All of the other phrases are caught.

 

MyCompany HelpDesk
MyCompany ServiceDesk
MyCompany Verification Center
MyCompany Help Desk
MyCompany Service Desk
MyCompany.com Security Team

MyCompany Security Team
MyCompany.com Verification Center
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a> Verification Center<br></div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a>Security Team<br></div>

 

The goal here is to create a regex that catches multiple common phishing phrases and quarantines them.

 

Has anyone ever successfully done something like this?

 

Any / all suggestions are greatly appreciated.


Thx!

1 Reply
While some articles mention 'regex' is supported for particular predicates with transport rules, it is not regex - the term 'pattern' used in documentation is more appropriate. You can only do some basic matching; supported tokens are mentioned here - note the absence of the 'zero or one' (?) for example:
https://technet.microsoft.com/en-us/library/aa997187%28v=exchg.141%29.aspx?f=255&MSPPError=-21472173...
The article is about Ex2010; AFAIK this isn't different in later versions. Also note that in its defense, allowing too complex expressions could - at scale - impact resources on the server side.
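
Following the reply's point, the sketch below is an added example (not code from the thread or from Microsoft): it lints a pattern for tokens outside a basic set and checks a rewrite that uses only `\s`, `\w`, `*`, `|`, grouping and escaped literals against the test phrases from the question. The basic token set and the case-insensitive, match-anywhere behaviour are assumptions to verify against the linked article; `unsupported_tokens`, `caught` and `REWRITTEN` are hypothetical names.

```python
import re

# Assumption: basic token set per the reply's linked article
# (\S \s \D \d \w \W | * ( ) ^ $ and backslash-escaped literals).
ALLOWED_ESCAPES = set("sSdDwW")
UNSUPPORTED_BARE = set("?+.{}[]")

def unsupported_tokens(pattern):
    """Return (offset, token) pairs for tokens outside the assumed basic set."""
    found, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \s, \w ... are fine; so is an escaped literal such as \. or \/
            if nxt.isalnum() and nxt not in ALLOWED_ESCAPES:
                found.append((i, ch + nxt))
            i += 2
            continue
        if ch in UNSUPPORTED_BARE:
            found.append((i, ch))
        i += 1
    return found

# Pattern exactly as posted in the question (linted only, never compiled here).
ORIGINAL = r"((?i-m)mycompany?(.com|.com<\/a>\s?)?(?i-m)(\s+?\w+\s+?center|\s?\w+\s+?Team)|mycompany?\s+?\w+\s?Desk)"

# Rewrite without ?, + or bare dots: x+ becomes xx*, optional groups become (...)*.
# Note: (...)* also admits repeats, and the optional trailing "y" is dropped.
REWRITTEN = [
    r"mycompany\s\s*\w\w*\s*desk",
    r"mycompany(\.com)*(</a>)*\s\s*\w\w*\s\s*center",
    r"mycompany(\.com)*(</a>)*\s*\w\w*\s\s*team",
]

# Test phrases taken from the question.
SAMPLES = [
    "MyCompany HelpDesk", "MyCompany ServiceDesk", "MyCompany Verification Center",
    "MyCompany Help Desk", "MyCompany Service Desk", "MyCompany.com Security Team",
    "MyCompany Security Team", "MyCompany.com Verification Center",
    '<div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a> Verification Center<br></div>',
    '<div dir="ltr"><a href="http://MyCompany.com">MyCompany.com</a>Security Team<br></div>',
]

def caught(text, patterns=REWRITTEN):
    # Assumption: rule patterns match case-insensitively anywhere in the text.
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)

if __name__ == "__main__":
    print(sorted({tok for _, tok in unsupported_tokens(ORIGINAL)}))
    print([caught(s) for s in SAMPLES])
```
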