topic Re: Compliance rule that doesn't capture internal senders in Peer-Peer Topics

Compliance rule that doesn't capture internal senders

sleeciambra — Wed, 15 May 2024 15:37:55 GMT

I have a compliance rule that quarantines any message that comes from drive-shares-dm-noreply@google.com in an attempt to capture phishing messages before they get to recipients. We'd like to alter this rule to that internal sharing is not quarantined. We tried using the bypass this setting for address lists/domains (under show options), excluding our domain from the body of the message, excluding our domain from the envelope sender, and excluding our domain from the sender header. No matter what the changes, internal sharing still went to quarantine. Does anyone know a way we can exclude our domain from this rule or am I trying to do something impossible? Thanks!

Re: Compliance rule that doesn't capture internal senders

Ivan — Wed, 15 May 2024 23:23:01 GMT

I would think Envelope Sender should work, but it must not be using the 'Reply-To' address to determine that.

Instead of filtering Envelope Sender, you could use a regex to look at the header and see who the Reply-To is set to? If that's set to your domain user's email address, that should be ok (I don't think that could be forged?)

So it's in the format of something like

Reply-To: FirstName LastName <Username@domain.com>

So your regex could be set to something like this:

^Reply-To:\s.*<.*@domain\.com>$ (and obviously you'd be setting it to 'Not Matches RegEx')

Re: Compliance rule that doesn't capture internal senders

ddelboccio — Thu, 16 May 2024 12:08:40 GMT

Does it make any difference if you use "recipients header" instead of envelope sender?

Re: Compliance rule that doesn't capture internal senders

ddelboccio — Thu, 16 May 2024 12:22:12 GMT

Also, check all four boxes "inbound, outbound, internal sending and receiving". You want it to look at everything.

Re: Compliance rule that doesn't capture internal senders

Kim_Nilsson — Fri, 17 May 2024 07:50:18 GMT

Reply-To is one of the easiest things to forge, if it doesn't go through Google's servers. 🙂

But since it is Google who knows who sent the sharing, the Reply-To should absolutely always point to the real account that shared the file. That's at least the experience I get when checking the header.

@sleeciambra using regex the way @Ivan suggests should be a working solution, and it's worth testing with all the different Location types, as they may not all contain the Reply-To header.

Re: Compliance rule that doesn't capture internal senders

Kim_Nilsson — Fri, 17 May 2024 07:58:05 GMT

Heads up!

This will, of course, not catch shares sent without an email message!

So, if users find such a document, and it contains phishing material, they may still be fooled.

Of course, incoming emails will get more attention, and are higher risk.

Re: Compliance rule that doesn't capture internal senders

Kim_Nilsson — Fri, 17 May 2024 08:15:45 GMT

Tested and verified, works like a charm!

Thank you, @Ivan ! Another tool stored in the toolbox. 🙂