So, the inevitable had to happen. The cryptolocker folks are getting around extension blocking with this:
==========================================================================
PLEASE NOTE! In case you are not able to open the attached document, please save it to your computer and manually add an extension SCR (characters after dot). See the sample name: Ivoice9999640.SCR Then try again to read the file!
==========================================================================

And, naturally, some *#&$*&% users fall for it.

A base64-encoded MS-DOS executable always matches this regex:

^TV[opqr]

but we only want to match that at the very beginning of the B64-encoded body. Any ideas how to do this with a full rule? Would:

full MSDOGEXE /\n\nTV[opqr]/

do the trick?

Regards,

David.
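Added example, not part of David's post and not code from any mail filter: a small Python script that first verifies the claim behind the rule (the base64 encoding of "MZ" plus any third byte always begins with TV followed by o, p, q or r), then scans a constructed sample message part by part, checking the first base64 line of each base64-encoded part against ^TV[opqr] and, as a second opinion, decoding the part and looking for the literal MZ bytes. The message text, the filename Ivoice9999640 and the attachment contents are constructed sample data; the executable is a fake header, not a runnable program.

```python
import base64
import email
import re

# Base64 turns every 3-byte group into 4 characters. An MS-DOS/PE executable starts
# with 'M' 'Z' (0x4D 0x5A), so the first two output characters are fixed ("TV") and
# the third depends only on the top two bits of the third byte, giving o, p, q or r.
B64_MZ_PREFIX = re.compile(r"^TV[opqr]")


def base64_prefix_of(data: bytes) -> str:
    """Base64 of the first 3-byte group of data (4 output characters)."""
    return base64.b64encode(data[:3]).decode("ascii")


def mz_prefix_is_invariant() -> bool:
    """Confirm that 'MZ' followed by any byte value encodes to TV[opqr]."""
    return all(
        B64_MZ_PREFIX.match(base64_prefix_of(b"MZ" + bytes([third]))) for third in range(256)
    )


def find_base64_executables(raw_message: str) -> list:
    """Scan a raw RFC 822 message and report base64-encoded parts that carry an MZ header.

    Two checks are recorded per part: the raw-text regex against the first base64
    line of the part body (the position a pattern anchored at the blank line after
    the part headers inspects), and a decode-based check on the actual bytes, which
    does not depend on how the encoded text is laid out.
    """
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        encoded = part.get_payload(decode=False) or ""
        first_line = encoded.lstrip("\r\n").split("\n", 1)[0].rstrip("\r")
        regex_hit = bool(B64_MZ_PREFIX.match(first_line))
        decoded = part.get_payload(decode=True) or b""
        decoded_hit = decoded.startswith(b"MZ")
        if regex_hit or decoded_hit:
            hits.append({
                "filename": part.get_filename(),
                "regex_hit": regex_hit,
                "decoded_hit": decoded_hit,
            })
    return hits


def _build_message(filename: str, content: bytes) -> str:
    """Constructed two-part message with one base64 attachment (sample data, not real mail)."""
    body_b64 = base64.encodebytes(content).decode("ascii")  # 76-char lines, newline terminated
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: Invoice\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="sample-boundary"\n'
        "\n"
        "--sample-boundary\n"
        "Content-Type: text/plain\n"
        "\n"
        "Please see the attached document.\n"
        "--sample-boundary\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        + body_b64
        + "--sample-boundary--\n"
    )


# Constructed samples: a stand-in MZ header (not a working program) and a PDF-like blob.
FAKE_EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
FAKE_PDF_BYTES = b"%PDF-1.4\n%constructed sample, not a real document\n"

MESSAGE_WITH_EXE = _build_message("Ivoice9999640", FAKE_EXE_BYTES)
MESSAGE_WITH_PDF = _build_message("invoice.pdf", FAKE_PDF_BYTES)

if __name__ == "__main__":
    print("TV[opqr] invariant holds for all third bytes:", mz_prefix_is_invariant())
    print("executable message:", find_base64_executables(MESSAGE_WITH_EXE))
    print("pdf message:", find_base64_executables(MESSAGE_WITH_PDF))
```

The regex check mirrors what a rule matching the raw message text can see; the decode check is the one to rely on where the filter can hand over the decoded attachment, because it works on the bytes themselves rather than on the layout of the encoded lines.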