Use iQ.Suite Wall to search for text patterns and block formatting content of a MIME email
Tags: IBM Domino Microsoft Exchange Microsoft SMTP SharePoint Connections Watchdog FileSafe Wall Trailer Crypt Pro KeyManager PDFCrypt WebCrypt Pro WebCrypt Live Bridge
Problem
Because of an Apple Mail vulnerability (original report by ZecOps: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/), it was necessary to find a way to scan the formatting contents of a MIME mail for text patterns and then block the matching mails.
How can this be accomplished with iQ.Suite?
Solution
With iQ.Suite Wall
Wall-Advanced-Job in MIME-Analysis mode
In text analysis mode it is not necessary to select any conversion; the MIME transport encodings (such as Base64) are always decoded implicitly. In MIME analysis mode, the transport encodings are left as they are, so patterns are matched against the still-encoded content.
The "Unicode Analyzer for Regular Expressions" allows you to search for line breaks with the syntax \ r \ n. However, it should be noted that in the Domino system the MIME parts can be somewhat reformatted and the line breaks may end up in other places.
A partial pattern taken from the "Indicators of Compromise" table at https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/ is in fact common in ordinary mail: "AAAAAAAA" matches six Base64-encoded zero bytes, and such zero-byte sequences are very often found in attachments. Blocking on that pattern alone will therefore produce false positives.
For regular expressions, an AND can be implemented with small restrictions: a pattern of the form "Subpattern1.*Subpattern2" is possible if Subpattern2 occurs after Subpattern1 (".*" matches a sequence of any length and any characters). If the order in which the subpatterns appear is not known, enter a second regular expression with the reverse order: "Subpattern2.*Subpattern1".
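The following is an added illustration, not iQ.Suite code: it builds a constructed mail with a Base64 attachment that contains zero bytes, approximates the two analysis views described above (raw MIME with transport encoding intact versus decoded text) and applies the two-regex AND from the previous paragraph. It assumes that "." in the analyzer may span line breaks, which is emulated here with `re.DOTALL`.

```python
import re
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_sample_mail() -> bytes:
    """Constructed sample: text body plus a binary attachment with a run of zero bytes,
    as many legitimate file formats contain (padding, headers)."""
    msg = MIMEMultipart()
    msg["Subject"] = "Quarterly report"
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg.attach(MIMEText("Please find the report attached.\r\n", "plain"))
    payload = b"REPORT" + b"\x00" * 64 + b"END"
    msg.attach(MIMEApplication(payload, Name="report.bin"))  # Base64 transfer encoding
    return msg.as_bytes()


def mime_analysis_view(raw: bytes) -> str:
    """MIME-analysis mode: the complete message, transport encodings left as they are."""
    return raw.decode("latin-1")


def text_analysis_view(raw: bytes) -> str:
    """Text-analysis mode: headers plus every part with its transfer encoding decoded."""
    msg = message_from_bytes(raw)
    chunks = []
    for part in msg.walk():
        chunks.extend(f"{k}: {v}" for k, v in part.items())
        if not part.is_multipart():
            chunks.append(part.get_payload(decode=True).decode("latin-1"))
    return "\n".join(chunks)


def matches(view: str, pattern: str) -> bool:
    # DOTALL lets ".*" cross line breaks (assumption about the analyzer, see lead-in).
    return re.search(pattern, view, re.DOTALL) is not None


def ordered_and(view: str, sub1: str, sub2: str) -> bool:
    """AND of two subpatterns in unknown order: the two regexes described in the text."""
    return matches(view, sub1 + ".*" + sub2) or matches(view, sub2 + ".*" + sub1)


if __name__ == "__main__":
    raw = build_sample_mail()
    print("MIME view hits AAAAAAAA:", matches(mime_analysis_view(raw), "AAAAAAAA"))
    print("Text view hits AAAAAAAA:", matches(text_analysis_view(raw), "AAAAAAAA"))
    print("REPORT and END (any order):", ordered_and(text_analysis_view(raw), "END", "REPORT"))
```

The zero-byte pattern fires only on the encoded view, and the harmless attachment shows why a single "AAAAAAAA" rule generates false positives.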
Further information
At MIME level, the Wall-Advanced-Job only offers analysis of the complete mail (headers, body, attachments and all other parts together).
Last updated: 13 May 2020