How do I wildcard match partial email addresses?

nathan_dias · ‎04-13-2021

We frequently receive Phishing emails with sender email address of the form: principalmail196@gmail.com

Question: is there a way I can enter wildcards to match partial email address in a Cisco Email Security policy?

For example, I would like to block all sender email addresses of the form: principal*@gmail.com

marc.luescherFRE · ‎04-20-2021

A message and a content filter will allow you to use REGEX expressions to allow or block messages by sender and recipient.

Emma Corry · ‎04-26-2021

I have the same phishing problem, but from pl***@gmail.com
But with REGEX expressions I blocked it.

svgeorgi · ‎05-03-2021

You may want to create a new incoming mail policy which would be matched only if the sender should be blocked - in it you're defining only the senders for blocking. To this policy you can bind a content filter with no conditions, but with just a single action - drop (final action).

Later on, you can add more sender email addresses to the same policy, and they will also get blocked.

EDIT: Actually the mail policies RegEx is not that smart for that kind of wildcards, so the only way would be to use the proposed solutions above in a content filter with condition.
if mail-from == ^principal.*@gmail\\.com$