A lot of our clients get phishing emails. Most are blocked, but recently the ones that get through are HTML attachments which contain JavaScript to obfuscate the contents.

They all have one thing in common: they contain document.write as part of the obfuscation.

<script>document.write(unescape('%20%0A%0A%3C...

I set up an Exchange mail flow rule as below:

  • Apply this rule if... Any attachment's content includes :'document.write'
  • Do the following... Forward the message for approval to 'email.approvals'

The emails still go through to the recipient, and the rule is priority 0. Am I misunderstanding how this rule would work?

HippoDuck
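The obfuscation described above, decoded statically for triage. This is an added example and not code from the original post; the sample attachment body is constructed for the example, and the function and parameter names are the example's own.

```powershell
# Added triage helper, not code from the original post. It statically decodes the
# string literal that an HTML attachment passes to document.write(unescape('...')).
# JavaScript's unescape() turns %XX into one character and %uXXXX into one UTF-16
# code unit and leaves everything else untouched; this function does the same.
function ConvertFrom-JsUnescape {
    param([Parameter(Mandatory)][string]$Text)

    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        # Group 1 is the %uXXXX form, group 2 the %XX form; exactly one of them matched.
        $hex = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        [string][char][Convert]::ToInt32($hex, 16)
    }
    # %uXXXX is listed first so '%u0041' is never read as a literal '%u' followed by '0041'.
    [regex]::Replace($Text, '%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', $evaluator)
}

# Pulls every document.write(unescape('...')) argument out of an HTML body and decodes it.
function Get-DocumentWritePayload {
    param([Parameter(Mandatory)][string]$Html)

    # Group 1 captures the quote character, group 2 the escaped payload between the quotes.
    $pattern = 'document\.write\s*\(\s*unescape\s*\(\s*([''"])(.*?)\1\s*\)\s*\)'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')) {
        ConvertFrom-JsUnescape -Text $m.Groups[2].Value
    }
}

# Constructed sample attachment body (not the attachment from the question): a credential
# form hidden behind unescape(). Note that the wrapper 'document.write' stays in cleartext,
# which is what a rule inspecting attachment content keys on.
$sample = @'
<html><body>
<script>document.write(unescape('%3Cform%20action%3D%22https%3A%2F%2Fexample.invalid%2Flogin%22%3E%3Cinput%20name%3D%22pw%22%3E%3C%2Fform%3E'))</script>
</body></html>
'@

Get-DocumentWritePayload -Html $sample
```

Running the last line prints the decoded form markup, which is what the recipient's browser would render. Only the payload inside the quotes is encoded; the call that writes it out is plain text, so keyword matching on `document.write` works against this family of attachments as long as the attackers keep the wrapper unobfuscated.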

1 Answer


According to your description, I have conducted the same test on the rule you mentioned in my Exchange 2016 environment, and the rule can be successfully applied. Considering that the cache on the Mailbox server is not updated in time, please restart the Microsoft Exchange Transport service (you need to restart the service on each Mailbox server where you want to forcibly update the cache).

Restart-Service MSExchangeTransport
Christy
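The rule from the question expressed as Exchange Management Shell cmdlets, followed by a read-back of its effective settings and the service restart from the answer. This is an added example and not part of the original thread; the rule name and the moderator address email.approvals@contoso.com are placeholders, and the final loop assumes the Mailbox servers accept remote service control from the account running the shell.

```powershell
# Added example, not from the original thread. Recreates the question's mail flow rule in the
# Exchange Management Shell so its effective properties can be read back and compared.
# The rule name and the moderator address are placeholders.
New-TransportRule -Name 'Hold attachments containing document.write' `
    -AttachmentContainsWords 'document.write' `
    -ModerateMessageByUser 'email.approvals@contoso.com' `
    -Priority 0 `
    -Mode Enforce `
    -Comments 'HTML attachments that use document.write() for obfuscation are held for approval'

# Read the rule back. A rule only takes its action when State is Enabled and Mode is Enforce;
# a rule left in one of the test (Audit) modes matches messages without holding them.
Get-TransportRule -Identity 'Hold attachments containing document.write' |
    Format-List Name, State, Mode, Priority, AttachmentContainsWords, ModerateMessageByUser

# The restart from the answer, applied to every Mailbox server in one pass. Assumes the
# servers accept remote service control from the account running this shell.
Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' } |
    ForEach-Object { Get-Service -ComputerName $_.Name -Name MSExchangeTransport | Restart-Service }
```

The read-back is the check worth doing before restarting anything: State, Mode and Priority are the three properties that decide whether a matching message is actually held, and the Exchange admin center shows them on separate tabs where a test-mode setting is easy to miss.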