Hi,

>> Hi,
>> Does anyone have any special techniques for catching these invoice phish
>> emails?
>>
>> https://pastebin.com/raw/TfvhUu0X
>>
>> I've added a few body rules, and even despite training previous
>> similar messages as spam, they continue. These emails so closely
>> resemble legitimate email regarding invoices that purchasing people
>> fall for them all the time.
>>
>> Senderscore greater than 90, and routed through O365.
>>
>> The domain is no longer defined in DNS, but even the x-originating-ip
>> is not currently listed on any RBL.
>
> Hmmm.
>
> "attached" + "invoice" + no actual attachments? A download URL ain't an
> attachment...
Turns out "attach" appears in headers, which are apparently processed by body rules:

    body __LOC_BODY_ATTACH /.*attach.*/i

I've set it with the asterisks to include the full output in a rule hit to identify where exactly it's hitting. In this case it hits on "X-MS-Has-Attach: yes".

Why is this body rule hitting on a header? I thought only Subject was considered part of the body?
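An added check in the spirit of the "attached + invoice + no actual attachment" idea above; this is example code, not from the thread or from SpamAssassin. It uses Python's standard-library email parser and two constructed sample messages (example.invalid addresses and URL): it reports whether a /attach/i pattern matched in a header line or in the body, so a hit on "X-MS-Has-Attach: yes" can be told apart from a body hit, and it flags a message whose body mentions an attached invoice plus a download link while no MIME part is actually an attachment.

```python
import email
import re
from email import policy

ATTACH_RE = re.compile(r"attach", re.I)
INVOICE_RE = re.compile(r"invoice", re.I)
URL_RE = re.compile(r"https?://", re.I)

def _body_text(msg) -> str:
    """Plain-text rendering of the body (text/plain preferred, else html)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""

def locate_hits(raw: bytes):
    """List ('header'|'body', line) for every line where /attach/i matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = [("header", f"{n}: {v}") for n, v in msg.items() if ATTACH_RE.search(f"{n}: {v}")]
    hits += [("body", ln.strip()) for ln in _body_text(msg).splitlines() if ATTACH_RE.search(ln)]
    return hits

def is_invoice_phish(raw: bytes) -> bool:
    """Body claims an attached invoice and links a download, but nothing is attached."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = _body_text(msg)
    claims = bool(ATTACH_RE.search(text) and INVOICE_RE.search(text) and URL_RE.search(text))
    return claims and not any(p.is_attachment() for p in msg.walk())

# Constructed samples (example.invalid URL), not real phish messages.
SAMPLE_NO_ATTACHMENT = b"""Subject: Invoice 4471 attached
X-MS-Has-Attach: yes
Content-Type: text/plain; charset=us-ascii

Please find the attached invoice for your recent order.
Download: http://example.invalid/invoice/4471
"""
SAMPLE_WITH_ATTACHMENT = b"""Subject: Invoice 4471 attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please find the attached invoice for your recent order.
Download: http://example.invalid/invoice/4471
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

--b1--
"""
```

Running locate_hits on the first sample yields two header hits (Subject and X-MS-Has-Attach) and one body hit, which is the distinction a rule that scans headers and body alike cannot make on its own.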