Comments on: Better Spam Filtering with Exchange Online Mail Flow Rules
https://practical365.com/better-spam-filtering-mail-flow-rules/
Practical Office 365 News, Tips, and Tutorials
Mon, 05 Dec 2022 19:57:50 +0000

By: TheRey (Mon, 05 Dec 2022 19:57:50 +0000)
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-247930

Thank you.
I try to filter the content of htm & html attachments when they contain
* document.write(unescape( …..
* or http{://e ……..
but the filter does not seem to work.
Any idea on how to accomplish this?
How to force O365 to analyse in brute mode, not in reader mode?
Best regards

By: rajeev (Fri, 23 Aug 2019 20:33:39 +0000)
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-223386

Hi Paul, if a message is found positive in malware scanning and the attachment was scanned and cleaned, will the message bypass other filtering policies once it has been cleaned up by the malware filters?

By: Hugh (Fri, 09 Nov 2018 12:18:49 +0000)
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-169210

Is there any way to make our rules run after the native EOP and ATP filters? I’d like to let those Microsoft-supplied rules do the heavy lifting and to use our custom rules only for the small percentage of items that slip through.

By: Kevin (Thu, 28 Jun 2018 14:00:05 +0000), in reply to Paul Cunningham
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-159942

Thanks Paul – yeah, that’s exactly what I was thinking about doing too (maybe 5-10 regex lines per rule) to narrow down the false-positive offender more quickly… but I figured I’d ask the above question before I go and create 5 new test rules 🙂

Thanks for your help!

By: Paul Cunningham (Thu, 28 Jun 2018 01:35:50 +0000), in reply to Kevin
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-159923

If you’ve thrown them all into a single rule you won’t be able to identify specific hits. What you can do is add them in small batches to a test rule. Once that test rule proves that it won’t create excessive false positives, move those values into a rule that is actively enforced, and test another small batch in the test rule. If you wanted to speed things up you could run multiple test rules at the same time. If a test rule is causing false positives you can just break it down into individual values to test further.

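The batching approach Paul describes, written out as an added script (mine, not code from the article or from the comment thread). Each small batch of patterns becomes its own mail flow rule whose only action is to stamp a header, so a hit is visible in the delivered message without anything being done to it. The pattern file path, the batch size and the header name are assumptions; the script expects an open Exchange Online PowerShell session (ExchangeOnlineManagement module, Connect-ExchangeOnline).

```powershell
# Added example, not from the article or the comments above.
# Splits a pattern list into batches and creates one header-stamping test rule per batch.
# Assumes Connect-ExchangeOnline has already been run in this session.

$patternFile = '.\suspicious-patterns.txt'   # assumed: one regex per line; '#' starts a comment
$batchSize   = 5                              # small batches keep a false positive easy to localise
$headerName  = 'X-Regex-Test-Batch'           # assumed header name; pick one nothing else in the tenant sets

$patterns = @(Get-Content -Path $patternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

if ($patterns.Count -eq 0) { throw "No patterns read from $patternFile" }

# Compile every pattern with the .NET regex engine first, so a malformed expression
# fails here with a readable error instead of inside New-TransportRule.
foreach ($p in $patterns) {
    try   { [void][regex]::new($p) }
    catch { throw "Invalid regex '$p': $($_.Exception.Message)" }
}

$batchNo = 0
for ($i = 0; $i -lt $patterns.Count; $i += $batchSize) {
    $batchNo++
    $last  = [Math]::Min($i + $batchSize, $patterns.Count) - 1
    $batch = @($patterns[$i..$last])
    $name  = 'Regex test batch {0:D2}' -f $batchNo
    $value = 'batch-{0:D2}' -f $batchNo

    # Enforce mode with a header-stamping action is the "notify, don't act" setup:
    # the message is delivered unchanged apart from the extra header.
    New-TransportRule -Name $name `
        -FromScope NotInOrganization `
        -SubjectOrBodyMatchesPatterns $batch `
        -SetHeaderName $headerName `
        -SetHeaderValue $value `
        -Mode Enforce `
        -Comments ("Test batch $batchNo. Patterns:`n" + ($batch -join "`n"))

    Write-Host ("Created '{0}' with {1} pattern(s); stamps {2}: {3}" -f $name, $batch.Count, $headerName, $value)
}
```

When a legitimate message turns up with the header, its value names the rule, and `Get-TransportRule -Identity 'Regex test batch 03' | Select-Object -ExpandProperty SubjectOrBodyMatchesPatterns` lists the handful of candidate patterns. Once a batch has run clean for a while, move its patterns into the enforced rule and remove the test rule with Remove-TransportRule.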
By: Kevin (Wed, 27 Jun 2018 20:09:15 +0000)
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-159912

Does anyone have a good method to deduce which of the regex strings in that list was the one that flagged an email? I’m currently just being notified on email hits (vs. taking action) against SwiftOnSecurity’s regex “Suspicious Patterns” list: a large number of the emails being flagged are legitimate ones.

Unfortunately, I am a regex n00b, so editing this list is a bit daunting to me if I don’t know which lines are the ones that flagged an email… especially when the message body is fairly extensive. I tried using a site like https://regexr.com/ or https://regex101.com/ to paste in the email body to be parsed by the regex strings above, but didn’t have much success.

Got any shortcuts for new blood like myself, or is learning regex the only real thing one can do?

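An added example (mine, not from the article or from this thread) for the problem Kevin describes: given the body of a flagged message and the patterns of the rule that flagged it, report which individual pattern matched and on what text. It uses the .NET regex engine with IgnoreCase, which approximates how Exchange Online evaluates "matches these text patterns" conditions but is not a bit-for-bit copy of EOP. The patterns and the message body are constructed for the example and are not taken from any published list.

```powershell
# Added example, not from the article or the comments above.
# Tests a message body against each pattern separately and reports the hits.

function Find-MatchingPattern {
    param(
        [Parameter(Mandatory)][string]   $Body,
        [Parameter(Mandatory)][string[]] $Patterns,
        [int] $TimeoutSeconds = 2        # guard against catastrophic backtracking on long bodies
    )

    $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $lineNo  = 0

    foreach ($p in $Patterns) {
        $lineNo++
        try {
            $rx = [regex]::new($p, $options, $timeout)
            $m  = $rx.Match($Body)
        }
        catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
            [pscustomobject]@{ Line = $lineNo; Pattern = $p; Status = 'timeout'; Matched = ''; Context = '' }
            continue
        }
        catch {
            [pscustomobject]@{ Line = $lineNo; Pattern = $p; Status = 'invalid'; Matched = $_.Exception.Message; Context = '' }
            continue
        }
        if ($m.Success) {
            # Show the hit with some surrounding text so a false positive is easy to judge.
            $start = [Math]::Max(0, $m.Index - 30)
            $len   = [Math]::Min($Body.Length - $start, $m.Length + 60)
            [pscustomobject]@{
                Line    = $lineNo
                Pattern = $p
                Status  = 'hit'
                Matched = $m.Value
                Context = $Body.Substring($start, $len)
            }
        }
    }
}

# Constructed sample: patterns of the kind such lists contain (not SwiftOnSecurity's)
# and a legitimate-looking internal notice that happens to trip one of them.
$samplePatterns = @(
    'verify your account'
    'password.{0,20}expire'
    'https?://[^\s]+\.(zip|exe|scr)\b'
    'wire transfer'
)
$sampleBody = @"
Hi team,

A reminder that your VPN password will expire in 7 days. Please change it
via the internal portal before then. Release notes are attached as usual.

Thanks,
IT Helpdesk
"@

Find-MatchingPattern -Body $sampleBody -Patterns $samplePatterns | Format-Table -AutoSize
```

On the sample, only line 2 (`password.{0,20}expire`) reports a hit, matching "password will expire". For a real case, replace the sample body with the flagged message's body (for instance via Get-Content on a saved .eml) and the sample patterns with those of the rule that fired.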
By: Paul Cunningham (Thu, 21 Jun 2018 23:47:38 +0000), in reply to Tony Corsen
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-159710

Good question. No, it will bypass content filtering but not malware filtering. Malware filtering is mandatory.

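A way to confirm Paul's point on a delivered message, as an added example (mine, not from the article or the thread): EOP stamps an X-Forefront-Antispam-Report header on every message, and its IPV and SFV fields say whether spam filtering was skipped and why. The field values used here (CIP, SCL, IPV:CAL, SFV:SKA/SKN/SKI) are Microsoft's documented ones; the header block below is constructed for the example, and the combination of values in it is illustrative rather than copied from a real message.

```powershell
# Added example, not from the article or the comments above.
# Parses X-Forefront-Antispam-Report and reports whether spam filtering was bypassed.

function Get-EopFilterVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # RFC 5322 folding: a continuation line starts with whitespace. Unfold first.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $report = ($unfolded -split "`r?`n") |
        Where-Object { $_ -match '^X-Forefront-Antispam-Report:' } |
        Select-Object -First 1
    if (-not $report) { return $null }

    # The value is a ';'-separated list of KEY:VALUE pairs.
    $fields = @{}
    foreach ($pair in (($report -replace '^X-Forefront-Antispam-Report:\s*', '') -split ';')) {
        if ($pair -match '^\s*([A-Za-z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }

    $reason = $null
    if     ($fields['IPV'] -eq 'CAL') { $reason = 'source IP is on the connection filter IP Allow List' }
    elseif ($fields['SFV'] -eq 'SKA') { $reason = 'sender or domain is on an anti-spam policy allow list' }
    elseif ($fields['SFV'] -eq 'SKN') { $reason = 'a mail flow rule set SCL -1 (bypass spam filtering)' }
    elseif ($fields['SFV'] -eq 'SKI') { $reason = 'intra-organization message' }

    [pscustomobject]@{
        ConnectingIP         = $fields['CIP']
        SCL                  = $fields['SCL']
        IPV                  = $fields['IPV']
        SFV                  = $fields['SFV']
        SkippedSpamFiltering = [bool]$reason
        Reason               = if ($reason) { $reason } else { 'spam filtering was applied' }
    }
}

# Constructed header block (hostnames and IP are documentation examples, not real).
$sampleHeaders = @"
Received: from mail.example.invalid (203.0.113.10) by
 exchange.example.invalid with Microsoft SMTP Server
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;
 SFV:SKN;H:mail.example.invalid;PTR:mail.example.invalid;CAT:NONE;DIR:INB;
Subject: Invoice 4471
"@

Get-EopFilterVerdict -RawHeaders $sampleHeaders
```

On the sample this reports SkippedSpamFiltering True with the IP Allow List as the reason and SCL -1. The header says nothing about malware scanning, which, as Paul notes, still runs regardless of the allow list; it only tells you that the content (spam) filter was bypassed, which is exactly why IP Allow List entries deserve a periodic review.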
By: Tony Corsen (Thu, 21 Jun 2018 16:28:04 +0000)
https://practical365.com/better-spam-filtering-mail-flow-rules/#comment-159697

Great article. A quick question: if an IP address is in the IP allow list, will it bypass all other layered defences shown in the first picture? For example, if the mail has malware attached, will it pass through and be delivered to the recipient’s inbox?
