I'm attempting to use a regular expression mail flow rule to match inbound email pretending to be executives with my company, in Office 365 Exchange. However, I'm struggling to find what regex is accepted by the rule, and also make it broad enough to catch any domain.
I have the following items set on a test rule:
As to the regex I am using the option "The sender address matches..." and assuming my test executive is "Foo Bar", the regex is
foo\s*bar.*@.*\.\w*
I created a gmail account "Foo Bar, foobar@gmail.com" and sent test emails to my work account, but I'm not getting an incident report sent to me.
Is the issue with my regex, or some other setting in the Exchange rule?
I think the problem is that you're checking the email envelope-from (which is the email address, e.g. foobar@gmail.com) with the "The sender address matches..." function instead of the "From" header. Most (or all) email fakes manipulate this header because its contents are the value which will be displayed to the receiver in the mail client.
I've tested this out on my Exchange 2016 server (the ECP should be similar to Office 365) and this is my solution: (screenshot: ECP mail flow rule)
Most headers are built like these examples:
Foo Bar <foo.bar@example.com>
Foo, Bar <foo.bar@example.com>
And this regex matches these examples:
(?i)Foo.*Bar.*[a]*
(Regex101 live demo and explanation)
I had to add this unused regex part ([a]*) at the end because Exchange does not accept regex lines which are ending with a wildcard. (I don't know why...)
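As an added illustration of the answer's point (example code written for this page, not the answerer's or Microsoft's), the following models the two conditions in plain Python rather than calling Exchange: it runs the question's pattern against the envelope sender and the answer's pattern against the decoded From header of a few constructed messages, and also checks that the trailing `[a]*` changes nothing. The sample addresses, messages and the assumption that the sender-address condition sees only the envelope address are constructed for this example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Pattern from the answer, run against the From header value.
FROM_HEADER_PATTERN = re.compile(r"(?i)Foo.*Bar.*[a]*")
# Pattern from the question, run against the sender address only.
SENDER_ADDRESS_PATTERN = re.compile(r"foo\s*bar.*@.*\.\w*", re.IGNORECASE)

# Constructed samples (envelope MAIL FROM, raw message); not real traffic.
SAMPLES = {
    # the question's own test: the address itself contains "foobar"
    "gmail_test": ("foobar@gmail.com", "From: Foo Bar <foobar@gmail.com>\n\nhi"),
    # display-name impersonation: only the visible name is spoofed
    "display_name_spoof": ("bounce@mailer.example", "From: Foo Bar <ceo.office@mailer.example>\n\nhi"),
    # same spoof, display name sent as an RFC 2047 encoded-word ("Foo Bar" in base64)
    "encoded_spoof": ("bounce@mailer.example", "From: =?utf-8?B?Rm9vIEJhcg==?= <x@mailer.example>\n\nhi"),
    # unrelated legitimate sender: neither check should fire
    "benign": ("alice@example.org", "From: Alice Smith <alice@example.org>\n\nhi"),
}

def sender_address_matches(envelope_from: str) -> bool:
    """Model of the question's rule: only the envelope sender address is inspected."""
    return SENDER_ADDRESS_PATTERN.search(envelope_from) is not None

def from_header_matches(raw_message: str) -> bool:
    """Model of the answer's rule: inspect the From header the recipient sees."""
    raw_from = message_from_string(raw_message).get("From", "")
    # decode RFC 2047 encoded-words so an encoded display name is compared as text
    decoded_from = str(make_header(decode_header(raw_from)))
    return FROM_HEADER_PATTERN.search(decoded_from) is not None

def evaluate(name: str) -> dict:
    """Run both checks on one sample and report which would fire."""
    envelope_from, raw_message = SAMPLES[name]
    return {"sender_address": sender_address_matches(envelope_from),
            "from_header": from_header_matches(raw_message)}

def trailing_filler_is_noop(text: str) -> bool:
    """'[a]*' matches the empty string, so the answer's pattern behaves exactly
    like '(?i)Foo.*Bar'; this confirms both agree on the given input."""
    plain = re.search(r"(?i)Foo.*Bar", text) is not None
    return (FROM_HEADER_PATTERN.search(text) is not None) == plain

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, evaluate(name))
```

Only the display-name spoofs show the difference: the envelope address carries nothing to match on, while the From header does.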