Block Sender in Office 365 based on Regex Pattern

We have seen products like Proofpoint & Ironport use Pattern blocks quite effectively, Today we will go ahead & test the same functionality in office 365.

Below rule is demonstrated as an example, there can be other regex expressions that can also be utilized.

Scenario: Lot of spam was being received from Envelope sender, numbers are always getting changed, only Name is unique.

Name+bncBCAJ75O6TMERBLWFWK2AKGQE3SRMX7I@googlegroups.com

We can’t block googlegroups so we arrived at a conclusion to use regex pattern:

Name.*@googlegroups.com

You can test this pattern before implementation at https://regex101.com/

Capture

Now lets create a pattern block in Office 365

Launch O365 admin console –>Admin –> Exchange –> Mailflow

Capture

Click on Plus to create a New Rule

Capture

Click on More Options, Provide Name to the rule

Capture

Apply this rule if Sender –> Sender Address Matches any of the Text Pattern

Capture1

 

Do the following –> Deliver the message to the Hosted Quarantine

Capture

Scroll down & Match Sender address in Message–> Select Envelope –> Save

Also, Please check Stop processing more rules.

Capture

Note:- If you use grouping, which is allowed in Cisco Ironport  & not in o365, you will receive an error as shown below so you have to avoid it.

Example:-

Name(.*)@googlegroups.com

Capture

Now let’s test by sending a message based on pattern, I had created one test pattern which matches my personal id so that I can test the above approach..

Message was successfully quarantined 🙂

Capture

Regards

Sukhija Vikas

http://msexchange.me

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s