Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1264
Views
5
Helpful
1
Replies

ESA Content filter

jackey.fung1
Level 1
Level 1

‎07-13-2020 12:16 AM

Hi I'm new to regex.

How to add a condition in a filter to block emails with similar text in the subject:

Nancy Reardon sent you "PO-09507.pdf"

Andrew Beverley sent you "PO-124.pdf"

larry noble sent you "PO-110.pdf"

Tony Flinn sent you "PO-09522.pdf"

 

Labels:
0 Helpful
1 Reply 1

marc.luescherFRE
Spotlight
Spotlight

‎07-13-2020 07:52 AM

Hi there,

 

to answer your question I would point you to one of the best regex sites to help you defining querys.

Check out : https://regex101.com/r/7C7YsR/1 to get some ideas.

 

I personally would create a content filter checking for two components :

textblock in subject : "sent you"

pdf as file attachment

 

The filter would be like:

 

CheckforBadPDFv1: if (body-contains("sent you", 1)) AND (attachment-filetype == "pdf")

                               { quarantine("Policy"); }

 

I hope that helps, be aware that this might also catch valid messages shared from O365 with a PDF

 

-Marc

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents