10-23-2019 07:05 AM
Hi,
I have a customer ask to block messages containing links to (.windows.net|.azurewebsites.net|.web.core.windows.net|.blob.core.windows.net) due to the recent escalation in phishing attacks originating from compromised business sites. I built a content filter that looks for this regex: only-body-contains("(?i)(\\.windows\\.net|\\.azurewebsites\\.net|\\.web\\.core\\.windows\\.net|\\.blob\\.core\\.windows\\.net)", 1)
This filter is catching legitimate business email because some of the messages have embedded images hosted on these sites. So I came up with this regex to ignore the <img> tag containing the above sites but match on everything else.
(?i)<img[^>]*>(*SKIP)(*FAIL)|https?:\/\/.*(\.windows\.net|\.azurewebsites\.net|\.web\.core\.windows\.net|\.blob\.core\.windows\.net)\/
This works great in regex101.com, but Ironport complains with "Illegal regular expression: nothing to repeat".
Can anyone think up another way to go about this?
Thanks in advance!
10-23-2019 06:44 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide