Exclude (Whitelist) specific email senders/domains from being tagged and quarantined

Answered

Comments

2 comments

  • Matthew Bates

    You might want to create a rule, and automatic action to return the message to the user, and mark it as resolved (or delete) in PhishER. That's what we are doing:

    rule OFFICE365_EXCHANGE_QUARANTINE
    {
        meta:
            author = "matthew.bates@octoconsulting.com"
            description = "Commonly reported as phishing, but are real SPAM quarantine notifications"
            date = "2019-06-18"
        strings:
            // From: header line that contains the quarantine sender address
            $from = /(\n|\r)From:.{0,200}quarantine\@messaging\.microsoft\.com.{0,200}/ nocase
            // Subject: header line that contains "Spam Notification"
            $subject = /(\n|\r)Subject:.{0,200}Spam\sNotification.{0,200}/ nocase

        condition:
            // Both header patterns must be present
            all of them
    }

    1
  • Chris E . Johnson

    Matthew Bates,

    Thank you so much for the suggestion.  I have taken your solution and applied it in my environment.  I tested it with one of my own spam notification emails and it works wonderfully!  Thank you so much; this is an excellent solution to build a white list: just create a custom rule for each white list item and assign them all the same tag, something really smart like "WhiteList".  Create an action (first in the action order) to mark these as Clean, Low Priority, and Resolved and they are instantly zero touch 100% automated!  Good stuff!

    0
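Before a rule like the one above is tied to an automatic "Resolved" action, it helps to check exactly which messages it matches. The following is an added example, not code from either commenter or from PhishER: it approximates the rule's two patterns with Python's `re` module (an assumption; the real rule runs under YARA) and evaluates them against constructed sample messages, including two edge cases where a notification would not match.

```python
import re

# Python approximations of the rule's two strings: "nocase" becomes re.IGNORECASE,
# and "." stops at "\n" in both engines. Use the real rule in production.
FROM_RE = re.compile(
    rb"(\n|\r)From:.{0,200}quarantine\@messaging\.microsoft\.com.{0,200}", re.IGNORECASE)
SUBJECT_RE = re.compile(
    rb"(\n|\r)Subject:.{0,200}Spam\sNotification.{0,200}", re.IGNORECASE)

QUARANTINE = b"Quarantine <quarantine@messaging.microsoft.com>"


def rule_matches(raw: bytes) -> bool:
    """Mirror the condition 'all of them': both strings must be present."""
    return bool(FROM_RE.search(raw)) and bool(SUBJECT_RE.search(raw))


def build(*headers: bytes) -> bytes:
    """Join header lines with CRLF and append a short body."""
    return b"\r\n".join(headers) + b"\r\n\r\nSee your quarantined messages.\r\n"


# Constructed sample messages (not real traffic); example.test is a placeholder.
RECEIVED = b"Received: from mail.example.test"
SAMPLES = {
    "notification": build(RECEIVED, b"From: " + QUARANTINE,
                          b"Subject: Spam Notification: 3 new messages"),
    "lowercase_headers": build(RECEIVED, b"from: " + QUARANTINE.lower(),
                               b"subject: spam notification"),
    "other_subject": build(RECEIVED, b"From: " + QUARANTINE,
                           b"Subject: Password expiry notice"),
    "other_sender": build(RECEIVED, b"From: alerts@example.test",
                          b"Subject: Spam Notification"),
    # The patterns need a line break before the header name, so a buffer that
    # starts with "From:" is not matched.
    "from_on_first_line": build(b"From: " + QUARANTINE,
                                b"Subject: Spam Notification"),
    # A folded (wrapped) Subject puts a newline inside the span "." must cross.
    "folded_subject": build(RECEIVED, b"From: " + QUARANTINE,
                            b"Subject: Office 365\r\n Spam Notification"),
}


def evaluate() -> dict:
    """Return {sample name: True if both patterns matched}."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20} {'MATCH' if hit else 'no match'}")
```
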