Exchange Online: Using Regular Expressions to Match Specific Phrases in Transport Rules

Background:

Recently a customer was dealing with an interesting virus/spam issue. They were getting spammed with messages whose subjects were intentionally misspelled by leaving a character off the end of a word, and the messages came with a nasty virus attached. The problem was that when they created a transport rule to quarantine these malicious emails with the intentionally misspelled subjects, it also quarantined valid emails whose subjects were spelled correctly. I honestly think that the misspellings were there intentionally so as to make it difficult to block them without causing false positives on the transport level. We were able to fix this via regular expressions.

https://technet.microsoft.com/en-us/library/aa997187%28v=exchg.141%29.aspx

Solution:

1. Create a New Transport Rule

2. Hit 'More Options' at the bottom

3. Select 'Apply this rule if...'

4. Select 'Subject matches these text patterns'

5. To match a word or phrase exactly, put a '^' at the beginning of the pattern and a '$' at the end. The '^' anchors the match to the start of the subject and the '$' anchors it to the end. Example:
^This is totally not a viru$

6. Check ‘Defer the message if rule processing doesn’t complete’ at the bottom

Any message that comes in and meets the above criteria exactly (no more, no less) will be acted on accordingly. In this case we just sent them to quarantine, but you can reject/NDR/redirect them as you see fit.

-Mitchel
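
The following PowerShell is an added example, not part of the original post: it checks the anchored pattern from step 5 against constructed sample subjects before the rule goes live, then defines a function that creates the equivalent rule from the shell. The function name, the rule name and the sample subjects are hypothetical, and the local -match check is assumed to approximate how the rule engine evaluates the pattern.

```powershell
# Added example, not from the original post.
# Pattern from step 5: anchored at both ends so only the exact subject matches.
$Phrase     = 'This is totally not a viru'
$Unanchored = $Phrase
$Anchored   = '^This is totally not a viru$'

# Constructed sample subjects (not taken from real mail).
$Subjects = @(
    'This is totally not a viru',       # spam subject with the last character dropped
    'This is totally not a virus',      # legitimate subject, spelled correctly
    'RE: This is totally not a viru',   # reply prefix added in front
    'This is totally not a viru '       # trailing space
)

# Local pre-check using PowerShell's -match (.NET regex, case-insensitive).
# Assumption: this approximates the transport rule's pattern matching.
function Test-SubjectPattern {
    param([string[]]$Subject, [string]$Plain, [string]$Exact)
    $Subject | ForEach-Object {
        [pscustomobject]@{
            Subject    = "[$_]"
            Unanchored = $_ -match $Plain   # true for the correctly spelled subject too
            Anchored   = $_ -match $Exact   # true only for the exact misspelled subject
        }
    }
}

Test-SubjectPattern -Subject $Subjects -Plain $Unanchored -Exact $Anchored | Format-Table -AutoSize

# Shell equivalent of steps 1-6. Requires an Exchange Online PowerShell session
# (Connect-ExchangeOnline). Function name is hypothetical.
function New-ExactSubjectQuarantineRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Pattern
    )
    New-TransportRule -Name $Name `
        -SubjectMatchesPatterns $Pattern `
        -Quarantine $true `
        -RuleErrorAction Defer   # 'Defer the message if rule processing doesn't complete'
}

# Call once connected (rule name is a placeholder):
# New-ExactSubjectQuarantineRule -Name 'Quarantine exact misspelled subject' -Pattern $Anchored
```

The table shows the trade-off of exact matching: the correctly spelled subject is no longer caught, but neither is the same phrase with a reply prefix or a trailing space, so each observed variant needs its own pattern.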