This seems to be catching most of them:
Subject: Invoice [A-Z]{2,3}\d{7}\b
...but it might need to be combined with other things to ensure no false
positives, since there would be a rare legit message that would hit on this?
--Rob McEwen
On 11/8/2017 10:45 AM, Dianne Skoll wrote:
Hi,
Heads-up: We're seeing weird new malware with a subject that looks like
Invoice XXXnnnn
where XXX is two or three random upper-case letters and nnnnn is a series
of digits. What's weird is that the Content-Type: header looks like this:
Content-Type: multXXXart/mixed
where the XXX is the same as in the subject. That is, a message
with subject "Invoice UUI8187685" has Content-Type "multUUIart/mixed". This
is fooling our MIME parser because it doesn't see the container as a
multipart. Does any client software?
Anyway, might want to make rules for this.
Regards,
Dianne.
--
Rob McEwen
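As an added example (not code from either poster), the check below combines Rob's subject regex with the Content-Type correlation Dianne describes, using Python's standard `email` parser as the "fooled" MIME parser. The two sample messages are constructed for this illustration; the function names `classify` and `recover_parts` and the verdict labels are assumptions, not anything from the thread. It also shows that the mangled container can be recovered for scanning by rewriting the header back to `multipart/` before parsing.

```python
import re
from email import message_from_string

# Rob's proposed subject rule: "Invoice " + 2-3 upper-case letters + 7 digits.
SUBJECT_RE = re.compile(r"^Invoice ([A-Z]{2,3})\d{7}\b")

# Dianne's mangled container: "mult" + letters + "art/mixed" in place of
# "multipart/mixed". Note that a genuine "multipart/mixed" also fits this
# shape with letters "ip", so that case is excluded below.
CTYPE_RE = re.compile(r"^mult([A-Z]{2,3})art/mixed\b", re.IGNORECASE)
MANGLED_HDR_RE = re.compile(r"^Content-Type:\s*mult[A-Z]{2,3}art/", re.M | re.I)

def classify(raw: str) -> dict:
    """Score one raw RFC 822 message against the subject and Content-Type rules."""
    msg = message_from_string(raw)
    subj_m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    ctype_m = CTYPE_RE.match(msg.get("Content-Type", "").strip())
    subject_hit = subj_m is not None
    mangled_ctype = ctype_m is not None and ctype_m.group(1).lower() != "ip"
    letters_match = (subject_hit and mangled_ctype
                     and subj_m.group(1).upper() == ctype_m.group(1).upper())
    if letters_match:
        verdict = "block"        # both indicators agree: the pattern from the thread
    elif subject_hit:
        verdict = "review"       # subject alone; the rare legitimate invoice lands here
    else:
        verdict = "pass"
    return {
        "subject_hit": subject_hit,
        "mangled_ctype": mangled_ctype,
        "letters_match": letters_match,
        # The stdlib parser treats the mangled type as a flat body, exactly as described.
        "parsed_as_multipart": msg.is_multipart(),
        "verdict": verdict,
    }

def recover_parts(raw: str) -> list:
    """Repair a mangled top-level Content-Type and return the leaf part types."""
    head, sep, body = raw.partition("\n\n")
    fixed = MANGLED_HDR_RE.sub("Content-Type: multipart/", head, count=1) + sep + body
    msg = message_from_string(fixed)
    if not msg.is_multipart():
        return []
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def _build(subject: str, ctype: str) -> str:
    # Constructed sample message; the body is the same for both cases.
    return "\n".join([
        "From: billing@example.com",
        "To: rob@example.net",
        "Subject: " + subject,
        "MIME-Version: 1.0",
        "Content-Type: " + ctype + '; boundary="sep"',
        "",
        "--sep",
        "Content-Type: text/plain",
        "",
        "Please see attached.",
        "--sep",
        'Content-Type: application/pdf; name="invoice.pdf"',
        "Content-Transfer-Encoding: base64",
        "",
        "JVBERi0=",
        "--sep--",
        "",
    ])

# Constructed examples: the malware shape from the thread and a legitimate invoice.
MALICIOUS = _build("Invoice UUI8187685", "multUUIart/mixed")
LEGIT = _build("Invoice AB1234567", "multipart/mixed")

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS), ("legit", LEGIT)):
        print(name, classify(raw), recover_parts(raw))
```

`classify` keeps the subject-only hit at "review" rather than "block", which is the false-positive concern raised above; only the subject letters reappearing inside the mangled Content-Type escalates. `recover_parts` is what a gateway scanner needs before the attachment can be inspected, since the parser otherwise hands back the whole body as a single text blob.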