Can we detect presence of specific MetaData in PDF's using CES ESA

Tony Kilbarger · ‎10-18-2022

Our security team has noticed many BEC Email incidents where there is an attached PDF document with specific information in the MetaData. Can we in some fashion filter on the ESA looking for email containing this Metadata in a PDF?

Udupi Krishna. · ‎10-19-2022

The message or content filter indeed has the capability to examine meta data within attachments.

From - https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_01000.html

Section "Attachment scanning" - When you scan attachments for content, the Content Scanner extracts data from attachment files to search for the regular expression. It examines both data and metadata in the attachment file.

Ran a quick test looking for the author name within a PDF file which was present as a METADATA (nowhere else with in the doc) and it was indeed caught by the filter. However it's important to use the correct keywords.

E.g. when i created the filter as attachment contains with the name of the author (e.g. "krishna") it worked, but when I set the filter to something like "Author krishna" it did not match proving that the keywords don't actually line up together though in a pdf reader application it may show them to be next to each other.

Tony Kilbarger · ‎10-21-2022

Thanks Krishna. Follow up question. Let's say you were looking to find something in the Metadata of a PDF like:

<pdf:Producer>DocFly</pdf:Producer>

Would you need to basically create a RegEx to match that with the special characters or ??

Thanks.

Could you use a content filter or would it require a message filter?

Would you need to use a RegExp because of the special characters?

Thanks.