Compliance rule that doesn't capture internal senders

sleeciambra
New Contributor II

I have a compliance rule that quarantines any message that comes from drive-shares-dm-noreply@google.com in an attempt to capture phishing messages before they get to recipients. We'd like to alter this rule so that internal sharing is not quarantined. We tried using the "bypass this setting for address lists/domains" option (under show options), excluding our domain from the body of the message, excluding our domain from the envelope sender, and excluding our domain from the sender header. No matter what the changes, internal sharing still went to quarantine. Does anyone know a way we can exclude our domain from this rule, or am I trying to do something impossible? Thanks!

Ivan
New Contributor II

I would think Envelope Sender should work, but it must not be using the 'Reply-To' address to determine that.

Instead of filtering Envelope Sender, you could use a regex to look at the header and see who the Reply-To is set to? If that's set to your domain user's email address, that should be ok (I don't think that could be forged?)

So it's in the format of something like 

Reply-To: FirstName LastName <Username@domain.com>

So your regex could be set to something like this:

^Reply-To:\s.*<.*@domain\.com>$ (and obviously you'd be setting it to 'Not Matches RegEx')

Reply-To is one of the easiest things to forge, if it doesn't go through Google's servers. 🙂

But since it is Google who knows who sent the sharing, the Reply-To should absolutely always point to the real account that shared the file. That's at least the experience I get when checking the header.

@sleeciambra using regex the way @Ivan suggests should be a working solution, and it's worth testing with all the different Location types, as they may not all contain the Reply-To header.

--
https://wheretofind.me/@NoSubstitute
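To see what Ivan's regex and the "Not Matches RegEx" exemption actually do against a few Drive-share notifications, here is an added example that models the rule in Python; it is not code from the thread or from Google's rule engine, and the domain, the sample headers and the function names are assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # placeholder: substitute your own domain
DRIVE_SHARE_SENDER = "drive-shares-dm-noreply@google.com"

# Ivan's pattern with the domain escaped. MULTILINE makes ^ and $ anchor each
# header line, which is how a "headers" location regex sees the message.
REPLY_TO_INTERNAL = re.compile(
    r"^Reply-To:\s.*<.*@" + re.escape(INTERNAL_DOMAIN) + r">$", re.MULTILINE)


def should_quarantine(raw_message: str) -> bool:
    """Model the compliance rule: quarantine a Drive-share notification
    unless its Reply-To header points at an account in INTERNAL_DOMAIN."""
    headers = raw_message.split("\n\n", 1)[0]        # header block only
    sender = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    if sender.lower() != DRIVE_SHARE_SENDER:
        return False                                 # rule does not apply
    # "Not Matches RegEx": a message with no Reply-To header at all cannot
    # match, so it is still quarantined (the missing-header caveat above).
    return REPLY_TO_INTERNAL.search(headers) is None


# Constructed sample notifications (not real captured mail).
INTERNAL_SHARE = (
    "From: Alice Internal via Google Drive <drive-shares-dm-noreply@google.com>\n"
    "Reply-To: Alice Internal <alice@example.com>\n"
    "To: bob@example.com\n"
    "Subject: Document shared with you: Q2 plan\n\n"
    "Alice Internal shared a document with you.\n")
EXTERNAL_SHARE = INTERNAL_SHARE.replace(
    "Reply-To: Alice Internal <alice@example.com>",
    "Reply-To: Outside Person <someone@example.net>")
NO_REPLY_TO = INTERNAL_SHARE.replace(
    "Reply-To: Alice Internal <alice@example.com>\n", "")
UNRELATED_MAIL = INTERNAL_SHARE.replace(DRIVE_SHARE_SENDER, "carol@example.com")

if __name__ == "__main__":
    for name, sample in [("internal share", INTERNAL_SHARE),
                         ("external share", EXTERNAL_SHARE),
                         ("share without Reply-To", NO_REPLY_TO),
                         ("unrelated mail", UNRELATED_MAIL)]:
        print(f"{name:24s} quarantine={should_quarantine(sample)}")
```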

Tested and verified, works like a charm!

Thank you, @Ivan ! Another tool stored in the toolbox. 🙂

--
https://wheretofind.me/@NoSubstitute

ddelboccio
Contributor III

Does it make any difference if you use "recipients header" instead of envelope sender?

Also, check all four boxes "inbound, outbound, internal sending and receiving".  You want it to look at everything.

Kim_Nilsson
Admin Moderator

Heads up!

This will, of course, not catch shares sent without an email message!

So, if users find such a document, and it contains phishing material, they may still be fooled.

Of course, incoming emails will get more attention, and are higher risk.

--
https://wheretofind.me/@NoSubstitute