Exclude (Whitelist) specific email senders/domains from being tagged and quarantined

Answered

Comments

2 comments

  • Matthew Bates

    You might want to create a rule, and automatic action to return the message to the user, and mark it as resolved (or delete) in PhishER. That's what we are doing:

    rule OFFICE365_EXCHANGE_QUARANTINE
    {
        meta:
            author = "matthew.bates@octoconsulting.com"
            description = "Commonly reported as phishing, but are real SPAM quarantine notifications"
            date = "2019-06-18"
        strings:
            // From header naming the Office 365 quarantine sender
            $from = /(\n|\r)From:.{0,200}quarantine\@messaging\.microsoft\.com.{0,200}/ nocase
            // Subject header containing "Spam Notification"
            $subject = /(\n|\r)Subject:.{0,200}Spam\sNotification.{0,200}/ nocase

        condition:
            // Both header patterns must match
            all of them
    }

  • Chris E. Johnson

    Matthew Bates,

    Thank you so much for the suggestion.  I have taken your solution and applied it in my environment.  I tested it with one of my own spam notification emails and it works wonderfully!  Thank you so much; this is an excellent solution to build a white list: just create a custom rule for each white list item and assign them all the same tag, something really smart like "WhiteList".  Create an action (first in the action order) to mark these as Clean, Low Priority, and Resolved and they are instantly zero touch 100% automated!  Good stuff!

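One way to check the rule from the first comment before attaching an auto-resolve action to its tag, as an added Python example (not code from either commenter or from PhishER): `rule_matches` mirrors the rule's two patterns, and `strict_matches` additionally requires the parsed From address to be exact and a `dmarc=pass` result for its domain. The sample messages are constructed, and the example assumes the `Authentication-Results` header is the one written by your own receiving gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The two patterns from the rule above ("nocase" becomes re.I).
FROM_RE = re.compile(r"(\n|\r)From:.{0,200}quarantine\@messaging\.microsoft\.com.{0,200}", re.I)
SUBJECT_RE = re.compile(r"(\n|\r)Subject:.{0,200}Spam\sNotification.{0,200}", re.I)
ALLOWED_SENDER = "quarantine@messaging.microsoft.com"

def rule_matches(raw):
    """Text-only match, equivalent to the rule's 'all of them' condition."""
    return bool(FROM_RE.search(raw) and SUBJECT_RE.search(raw))

def strict_matches(raw):
    """Rule match, plus exact parsed From address and DMARC pass for its domain."""
    if not rule_matches(raw):
        return False
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: these headers were added by your own gateway, not the sender.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    domain = re.escape(ALLOWED_SENDER.split("@")[1])
    dmarc_ok = re.search(r"dmarc=pass\b[^;]*header\.from=" + domain + r"\b", auth)
    return addr == ALLOWED_SENDER and bool(dmarc_ok)

# Constructed sample messages (not real mail).
BODY = "Subject: Spam Notification: 3 new messages\n\nYou have new quarantined messages.\n"
GENUINE = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=messaging.microsoft.com; "
    "dmarc=pass action=none header.from=messaging.microsoft.com\n"
    "From: Microsoft Quarantine <quarantine@messaging.microsoft.com>\n" + BODY
)
UNAUTHENTICATED = (
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=messaging.microsoft.com; "
    "dmarc=fail action=quarantine header.from=messaging.microsoft.com\n"
    "From: Microsoft Quarantine <quarantine@messaging.microsoft.com>\n" + BODY
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("unauthenticated", UNAUTHENTICATED)):
        print(f"{name}: rule={rule_matches(raw)} strict={strict_matches(raw)}")
```

Messages where the two results differ are the ones to review by hand rather than resolve automatically.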
