Possible Message Filter to block most recent Apple iOS vulnerability IOCs

marc.luescherFRE

hi there,

I was just asked to create a possible block for email in regard to the most recent Apple iOS IOCs.

It has been running now for 2 hours and has already caught one "bad" email addressed to an iPhone user.


AppleIOSTextDetectv2: if recv-listener == "DefaultListener" {
    ## Pattern 1
    if (only-body-contains("AAAAATEy") AND only-body-contains("EA\r\nAABI")) {
        log-entry("--AppleIOSDetectPattern1--");
        quarantine("Policy");
    }
    ## Pattern 2
    if (only-body-contains("T8hlGOo9") AND only-body-contains("AAAAAAAA")) {
        log-entry("--AppleIOSDetectPattern2--");
        quarantine("Policy");
    }
    ## Pattern 3
    if (only-body-contains("3r0TRZfh") AND only-body-contains("AAAAAAAA")) {
        log-entry("--AppleIOSDetectPattern3--");
        quarantine("Policy");
    }
    ## Pattern 4
    if (only-body-contains("\n/s1Caa6") AND only-body-contains("J1Ls9RWH")) {
        log-entry("--AppleIOSDetectPattern4--");
        quarantine("Policy");
    }
    ## Pattern 5
    if (only-body-contains("://44449")) {
        log-entry("--AppleIOSDetectPattern5--");
        quarantine("Policy");
    }
    ## Pattern 6
    if (only-body-contains("://84371")) {
        log-entry("--AppleIOSDetectPattern6--");
        quarantine("Policy");
    }
    ## Pattern 7
    if (only-body-contains("://87756")) {
        log-entry("--AppleIOSDetectPattern7--");
        quarantine("Policy");
    }
    ## Pattern 8
    if (only-body-contains("://94654")) {
        log-entry("--AppleIOSDetectPattern8--");
        quarantine("Policy");
    }
}

## filter created by Marc Luescher to block Apple IOC
## 4/24/2020 v3

I hope this helps some users until Apple comes up with an OS fix.

-Marc
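An offline harness for the filter logic in the post above, added here as an example and not part of the original post or of Cisco's product: it re-implements the eight pattern rules as AND-ed substring checks over the undecoded message body (the assumption being that, like only-body-contains(), the match runs on the transport-level text, since several needles are fragments of CRLF-separated base64 lines), so samples can be checked before the filter is deployed. The messages below are constructed, not real captures.

```python
import re

# Rule set transcribed from the forum post's ESA message filter: each pattern
# fires only if ALL of its substrings occur in the body, mirroring the AND of
# the only-body-contains() calls in the original filter.
RULES = {
    "AppleIOSDetectPattern1": ["AAAAATEy", "EA\r\nAABI"],
    "AppleIOSDetectPattern2": ["T8hlGOo9", "AAAAAAAA"],
    "AppleIOSDetectPattern3": ["3r0TRZfh", "AAAAAAAA"],
    "AppleIOSDetectPattern4": ["\n/s1Caa6", "J1Ls9RWH"],
    "AppleIOSDetectPattern5": ["://44449"],
    "AppleIOSDetectPattern6": ["://84371"],
    "AppleIOSDetectPattern7": ["://87756"],
    "AppleIOSDetectPattern8": ["://94654"],
}


def message_body(raw_message: str) -> str:
    """Return everything after the first blank line: the transport-level body
    with its CRLF line breaks and base64 encoding left intact (assumption:
    the needles are meant to hit the undecoded text, as the filter does)."""
    header_end = re.search(r"\r?\n\r?\n", raw_message)
    return raw_message[header_end.end():] if header_end else ""


def matching_patterns(raw_message: str) -> list[str]:
    """Names of the rules whose substrings all appear in the body."""
    body = message_body(raw_message)
    return [name for name, needles in RULES.items()
            if all(needle in body for needle in needles)]


# Constructed sample: a base64 body carrying both of Pattern 1's fragments.
SUSPECT = (
    "From: a@example.test\r\nTo: b@example.test\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "QUFBQUFBQUFBQUFBQUFBAAAAATEyAAAAAAEA\r\nAABIAAAA\r\n"
)

# Constructed benign sample: a run of "AAAAAAAA" (base64 for zero bytes) is
# common in ordinary attachments, so Patterns 2 and 3 require a second needle
# and this body must not fire.
BENIGN_BASE64 = (
    "From: a@example.test\r\n\r\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\r\n"
)

if __name__ == "__main__":
    print(matching_patterns(SUSPECT))        # ['AppleIOSDetectPattern1']
    print(matching_patterns(BENIGN_BASE64))  # []
```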
