hi there,
I was just asked to create a possible email block for the most recent Apple iOS IOCs.
It has been running now for 2 hours and has already caught one "bad" email addressed to an iPhone user.
## Quarantine inbound mail carrying any of the recent Apple iOS IOC strings.
## Each pattern ANDs several only-body-contains() rules; the argument is a
## regular expression, so the \r\n in Pattern 1 and the \n in Pattern 4 match
## a line break in the raw body text. quarantine() is a final action, so the
## first pattern that fires ends processing of that message.
AppleIOSTextDetectv2: if (recv-listener == "DefaultListener") {
    ## Pattern 1
    if (only-body-contains("AAAAATEy") AND only-body-contains("EA\r\nAABI")) {
        log-entry("--AppleIOSDetectPattern1--");
        quarantine("Policy");
    }
    ## Pattern 2
    if (only-body-contains("T8hlGOo9") AND only-body-contains("AAAAAAAA")) {
        log-entry("--AppleIOSDetectPattern2--");
        quarantine("Policy");
    }
    ## Pattern 3
    if (only-body-contains("3r0TRZfh") AND only-body-contains("AAAAAAAA")) {
        log-entry("--AppleIOSDetectPattern3--");
        quarantine("Policy");
    }
    ## Pattern 4
    if (only-body-contains("\n/s1Caa6") AND only-body-contains("J1Ls9RWH")) {
        log-entry("--AppleIOSDetectPattern4--");
        quarantine("Policy");
    }
    ## Patterns 5-8: the IOC URLs, matched on the scheme separator plus the
    ## leading digits of the host
    ## Pattern 5
    if (only-body-contains("://44449")) {
        log-entry("--AppleIOSDetectPattern5--");
        quarantine("Policy");
    }
    ## Pattern 6
    if (only-body-contains("://84371")) {
        log-entry("--AppleIOSDetectPattern6--");
        quarantine("Policy");
    }
    ## Pattern 7
    if (only-body-contains("://87756")) {
        log-entry("--AppleIOSDetectPattern7--");
        quarantine("Policy");
    }
    ## Pattern 8
    if (only-body-contains("://94654")) {
        log-entry("--AppleIOSDetectPattern8--");
        quarantine("Policy");
    }
}
## filter created by Marc Luescher to block Apple IOC
## 4/24/2020 v3
I hope this helps some users until Apple comes up with an OS fix.
-Marc
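The filter logic from the post, re-implemented offline so the eight patterns can be tried against sample mail before the filter goes onto a production listener. This is an added example, not Marc's filter and not Cisco ESA code. It assumes that only-body-contains() is a regular-expression match over the raw, still transfer-encoded body of the non-attachment MIME parts as they sit on the wire (CRLF line endings), and that quarantine() is a final action so the first pattern that fires decides the outcome; the four sample messages are constructed for the test and the base64 lines in them are synthetic.

```python
"""Offline model of the AppleIOSTextDetectv2 filter (added example, not
Cisco ESA code): the same eight patterns, applied to sample MIME messages."""
import email
import re
from email import policy

# One entry per pattern: every regex must match, mirroring the AND-ed
# only-body-contains() rules. Assumption: the ESA scans the still
# transfer-encoded body as it sits on the wire (CRLF line endings), which is
# why pattern 1 carries a CRLF and pattern 4 a LF in the middle of a token.
PATTERNS = {
    "AppleIOSDetectPattern1": [r"AAAAATEy", "EA\r\nAABI"],
    "AppleIOSDetectPattern2": [r"T8hlGOo9", r"AAAAAAAA"],
    "AppleIOSDetectPattern3": [r"3r0TRZfh", r"AAAAAAAA"],
    "AppleIOSDetectPattern4": ["\n/s1Caa6", r"J1Ls9RWH"],
    "AppleIOSDetectPattern5": [r"://44449"],
    "AppleIOSDetectPattern6": [r"://84371"],
    "AppleIOSDetectPattern7": [r"://87756"],
    "AppleIOSDetectPattern8": [r"://94654"],
}


def body_text(raw: bytes) -> str:
    """Raw (not base64-decoded) payload of every non-attachment leaf part.
    Modelled on only-body-contains(), which skips attachments (assumption);
    line endings are normalised to CRLF as they would be on the wire."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        chunks.append(part.get_payload(decode=False))
    return re.sub(r"\r?\n", "\r\n", "\n".join(chunks))


def matching_patterns(raw: bytes, listener: str = "DefaultListener") -> list:
    """Names of all patterns that fire, in filter order; empty when the mail
    did not arrive on DefaultListener, like the filter's outer if."""
    if listener != "DefaultListener":
        return []
    body = body_text(raw)
    return [name for name, regexes in PATTERNS.items()
            if all(re.search(rx, body) for rx in regexes)]


def filter_action(raw: bytes, listener: str = "DefaultListener"):
    """quarantine() is a final action on the ESA (assumption), so the first
    pattern that fires decides: ('quarantine', log entry) or ('deliver', None)."""
    hits = matching_patterns(raw, listener)
    return ("quarantine", f"--{hits[0]}--") if hits else ("deliver", None)


# Constructed samples, not real captured mail. The base64 lines are synthetic
# and only need to look like a wrapped base64 body: pattern 1's "EA\r\nAABI"
# sits across the line break, as it would in a 76-column-wrapped body.
SUSPICIOUS = (
    b"From: sender@example.net\r\nTo: user@example.org\r\nSubject: hi\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"AAAAATEyQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbUEA\r\n"
    b"AABIaGVsbG8gd29ybGQ=\r\n"
)
PORT_LINK = (
    b"From: sender@example.net\r\nTo: user@example.org\r\nSubject: doc\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\n"
    b"Please review http://44449.example.invalid/report\r\n"
)
# The IOC string only appears inside an attachment, which only-body-contains()
# does not scan, so this one is delivered (body-contains() would be needed).
ATTACHMENT_ONLY = (
    b"From: sender@example.net\r\nTo: user@example.org\r\nSubject: att\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"x.bin\"\r\n\r\n"
    b"ftp://84371.example.invalid/x\r\n--b1--\r\n"
)
CLEAN = (
    b"From: sender@example.net\r\nTo: user@example.org\r\nSubject: lunch\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nNoon works for me.\r\n"
)

if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS), ("port-link", PORT_LINK),
                          ("attachment-only", ATTACHMENT_ONLY), ("clean", CLEAN)]:
        print(label, filter_action(sample), matching_patterns(sample))
```

Running the script prints one line per sample with the action and every pattern that fired; the attachment-only sample is the case to keep in mind, since an IOC string inside an attachment slips past only-body-contains() and would need body-contains() on the ESA if that coverage is wanted.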