Regex matching to fight Display Name spoofing

  • Question

  • Hello,

    ITsec engineer here looking for some sysadmin Outlook/Exchange wisdom.

    I would like to know if there's any way to run regexes on the display name field of incoming emails to decide whether to drop the email or not, in the context of spam fighting.

    Let me illustrate: lots of display name spoofing attacks happen with company employees receiving emails with a display name such as:

    John Smith - Employee, Title <John.smith@company.domain> <attacker@hackedcompany.tld>

    A title that is a bit too long and a lack of attention, and quickly you've got yourself an employee opening a phishing email and interacting with it.

    These emails are pretty easy to identify: there's a <name@domain.tld> in the display name which has nothing to do there. Nobody has '<', '>', '@' in their name on this planet, and I don't see any legitimate reason why you would put an email address in your display name in a business context.

    So, to manage these attacks, we can just drop any email whose display name field contains '<*@*.*>', easy as 1, 2, 3.

    Technically though, I have no idea how to do this. I don't think Outlook rules allow regex matching in a "matches -> drop, doesn't match -> pass" fashion, and I am about 0% familiar with Exchange internals.

    During my research I came across topics like "combating-display-name-spoofing" by Andrew Stobart, but it simply focuses on dropping inbound emails displaying the name of someone from within the company, which is pretty weak and poses a big problem if legitimate outside people want to do business with you and have the misfortune of sharing the same name as one of your employees.

    So, I hope this is clear enough. Anybody got an idea?

    Cheers

    Tuesday, December 3, 2019 9:05 AM

Answers

  • Hi Perry,

    The rule is actually to match '>"[double quote]' in the headers. It doesn't seem to be possible to match within the display name of the sender outside of headers.

    Sample:

    [...]

    Date: Thu, 1 Nov 2019 12:00:00 +0000
    From: "Impersonated Anon - (Hacked person) <ano@nymous.com>" <attacker@hacked.company>
    To: "Target Victim (Victim)" <Target@victim.com>
    MIME-Version: 1.0

    [...]

    You want to match this specific >" as it's the only place it will appear in the header in this specific use case.

    Cheers,

    • Proposed as answer by Perry-Pan Thursday, December 12, 2019 2:32 AM
    • Marked as answer by Cdudez Wednesday, December 18, 2019 2:41 AM
    Tuesday, December 10, 2019 4:18 AM
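The two checks discussed in this thread, the OP's "drop anything with <*@*.*> in the display name" idea and the accepted workaround of matching the literal string >" in the headers, side by side as an added example (not code from the thread or from Microsoft). It uses only the Python standard library (email.message_from_string and email.utils.parseaddr are assumed to parse the From header as shown); the sample headers are constructed, one of them mirroring the From line quoted in the answer above, and the function and variable names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only, minimal body). The first From
# line mirrors the pattern shown in the thread: a quoted display name that
# itself contains an angle-bracketed address, followed by the real sender.
SAMPLES = {
    "spoofed": (
        'From: "Impersonated Anon - (Hacked person) <ano@nymous.com>" <attacker@hacked.company>\n'
        'To: "Target Victim (Victim)" <Target@victim.com>\n'
        "\nbody\n"
    ),
    "legit": 'From: "Target Victim (Victim)" <Target@victim.com>\n\nbody\n',
    "legit_comma": 'From: "O\'Brien, Pat" <pat@example.org>\n\nbody\n',
    # A display name that legitimately ends with '>' but embeds no address:
    # the '>"' substring check flags it, the regex check does not.
    "angle_no_addr": 'From: "Sales team <Enterprise>" <sales@example.org>\n\nbody\n',
}

# Regex form of the OP's '<*@*.*>' glob: an angle-bracketed address
# (something@something.tld) appearing inside the display name.
EMBEDDED_ADDR = re.compile(r"<[^<>@\s]+@[^<>@\s]+\.[^<>@\s]+>")


def sender_parts(raw_message: str) -> tuple:
    """Return (display_name, address) parsed from the From header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))


def display_name_has_embedded_address(raw_message: str) -> bool:
    """Precise check: does the parsed display name contain <addr@domain.tld>?"""
    name, _addr = sender_parts(raw_message)
    return bool(EMBEDDED_ADDR.search(name))


def from_header_has_bracket_quote(raw_message: str) -> bool:
    """Crude check from the thread: raw From header contains the literal '>"'."""
    msg = message_from_string(raw_message)
    return '>"' in msg.get("From", "")


def classify(raw_message: str) -> dict:
    """Run both checks and report which one would have dropped the message."""
    name, addr = sender_parts(raw_message)
    return {
        "sender": addr,
        "display_name": name,
        "regex_hit": display_name_has_embedded_address(raw_message),
        "substring_hit": from_header_has_bracket_quote(raw_message),
    }


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = classify(raw)
        print(f"{label:14} regex={result['regex_hit']!s:5} "
              f"substring={result['substring_hit']!s:5} from={result['sender']}")
```

Running the block shows that both checks drop the spoofed sample and pass the ordinary ones, but the substring check also drops the "angle_no_addr" sample, which is the kind of false positive that makes the thread's workaround "very weak": the regex on the parsed display name is the check to prefer wherever the mail platform can evaluate it.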

All replies

  • If the attacker has a specific domain, we can add the domain to the Blocked Senders List.

    On Outlook client side, we can set rule based on sender’s name which contains specific text. Check “Method 1” in this link.

    (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    For Exchange server, we can use the antispam feature to avoid spam emails. Refer to this official link for more details.

    I checked transport rules on Exchange server and there seems to be no option to detect an email address which includes “<”, “>” and “@”.

    You may try the rule on Outlook client to see if it works.

    Regards,

    Perry


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Proposed as answer by Perry-Pan Thursday, December 5, 2019 6:41 AM
    Wednesday, December 4, 2019 5:33 AM
  • Hi Perry,

    Thanks for your answer.

    Simply blocking domains is not enough, as there are thousands of emails getting hacked around the world and being used with this method to spread spam and malware.

    If you're targeted by a phishing campaign, it's probable that attackers use several different senders to maximize their chances.

    My first idea was indeed to create a rule in Outlook and spread it to all Outlooks in the organization, but it looks like rule creation doesn't allow pattern matching on the display name field, hence my question here.

    Most third-party tools do not allow this kind of check either before deciding to drop/forward emails, as it is a relatively "new" technique employed by attackers, I guess. They use this unrestricted set of characters in the display name field to mimic the name resolution.

    Cheers


    Thursday, December 5, 2019 7:16 AM
  • I can understand that dealing with phishing attackers is really a challenge. The link above provides a way to set a rule based on the sender’s name containing specific text. You could try it to see if it helps.

    Besides, we can also submit phishing scam emails to Microsoft by sending an email with the scam as an attachment to: phish@office365.microsoft.com.

    Reference: Phishing

    Regards,

    Perry


    Friday, December 6, 2019 5:53 AM
  • Hi Perry,

    I managed to find a way to filter out those by matching the string '">' in the header. It's very weak but it'll work until I find a better solution.

    Thanks,

    Cheers


    • Proposed as answer by Perry-Pan Monday, December 9, 2019 4:55 AM
    Monday, December 9, 2019 4:27 AM
  • Hi Perry,

    I managed to find a way to filter out those by matching the string '">' in the header. It's very weak but it'll work until I find a better solution.

    Thanks,

    Cheers


    Glad to see that helps. If I've found anything better, I'll also inform you.

    Regards,

    Perry


    Monday, December 9, 2019 4:55 AM
  • Here I will provide a brief summary of this post for your information.

    [Request/Expectation]

    ====================

    Block emails from senders whose display name looks like <John.smith@company.domain> <attacker@hackedcompany.tld>

    [Suggestions]

    ====================

    Create a rule to block senders that match '>"[double quote]' in the headers in the Sender's name.

    [Reference Links]

    ====================

    https://www.msoutlook.info/question/sender-name-contains-specific-text-rule


    • Edited by Perry-Pan Thursday, December 12, 2019 2:32 AM
    Monday, December 9, 2019 7:12 AM
  • Thanks for sharing this information here :) Would you mind marking your reply as the answer? I believe this information would be helpful to other users who encounter the same issue and read this thread :)


    Tuesday, December 10, 2019 6:10 AM
  • Hi Perry,

    Sorry for the delay, done!

    Cheers

    Wednesday, December 18, 2019 2:41 AM
  • Thanks :)

    Regards,

    Perry


    Wednesday, December 18, 2019 4:50 AM