Take Control of Cloud-Based Email Security with Smart Custom Rules

Smart Custom Rules give administrators of FireEye Email Security a flexible, customizable way to take actions on emails based on triggers (attributes of the email). Organizations can combine conditions and exceptions that are evaluated before the antivirus and anti-spam (AV/AS) engines are reached, giving them greater control over what passes through their email system. A Smart Custom Rule must have at least one condition or exception in order to apply an action. If a rule contains more than one condition or exception, they are combined with a logical AND.

Trigger Options

The power of Smart Custom Rules is in the wide range of conditions available. The following is a list of the available conditions and exceptions.

| Trigger Option | Description |
| --- | --- |
| Envelope From | Detects an email from a specific email address, or one that is missing a sender (is empty). The criterion can be applied as a partial (contains) or an exact (equals) match. |
| Envelope From Domain | Detects an email from a specific domain by looking the domain up in DNS. The criterion can be applied as "has MX" (the domain has an MX record) or "has A" (the domain has an A record). |
| Subject | Detects an email with a specific subject, or one that is missing a subject (is empty). The criterion can be applied as a partial (contains) or a regular expression (match) match. |
| Keyword | Detects an email with a specific word in the subject or body. The criterion can be applied as a partial (contains) or an exact (equals) match. |
| HELO/EHLO Name | Detects an email with a specific HELO/EHLO name. The criterion can be applied as a partial (contains), exact (equals) or regular expression (match) match. |
| Body | Detects an email with specific text or HTML in the body. The criterion can be applied as a partial (contains), exact (equals) or regular expression (match) match. |
| Body Size | Detects an email whose text or HTML body is of a specific size. The criterion can be applied as greater than or less than a given size (KB). |
| Header Exists | Detects an email with specific text in a header. The criterion can be applied as a partial (contains), exact (equals) or regular expression (match) match. |
| Recipient | Detects an email addressed to a specific email address. The criterion can be applied as a partial (contains), exact (equals) or regular expression (match) match. |
| DMARC Verdict | Detects an email that carries a specific DMARC verdict, or that has no DMARC verdict. |
| DKIM Result | Detects an email with a DKIM result of pass, fail, or none. |
| SPF Result | Detects an email with an SPF result of pass, hard fail, soft fail, neutral, temporary error, permanent error, or none. |
| Accept Rule | Detects an email that accepts the rule. |
| Reverse Domain | Detects an email whose sender IP has a matching PTR record. The criterion can be applied as a partial (contains), exact (equals) or regular expression (match) match. |
| Message Size | Detects an email greater than or less than a specific size (KB). |
| Sender IP | Detects an email from a specific IP address. |
| Country | Detects an email from a specific country. The only criterion that can be applied is an exact (equals) match. |
| Deployment Mode | Detects an email handled in a specific deployment mode. The criterion can be applied as out of band, inline, or inline with hygiene. |
| Attachment | Detects an email with an attachment based on its file extension, name or size. Attachment file types to block can be added to the list. The criterion can be applied as an exact (equals) match. |

Actions

Smart Custom Rules support several actions that can be configured in the event of a rule match on an email. The following table describes the various actions that can be taken.

| Action | Description |
| --- | --- |
| BCC | Delivers the email to the recipient and sends a blind carbon copy (BCC) to additional email addresses. |
| Insert Header | Inserts a custom header into the email before delivery. |
| Modify Subject | Modifies the subject before delivery. |
| Bypass Hygiene | Delivers the email to the recipient, bypassing antivirus and anti-spam scanning. |
| Reroute | Routes the email to another MTA for processing. |
| Deliver | Delivers the email to the intended recipient. |
| Drop | Drops the email and does not deliver it to its intended recipient. |
| Quarantine | Routes the email to the quarantine. |

Example Use Case: APT19 TTP

Take this example – on our Threat Research blog we have written about APT19 attempting to compromise law firms on several occasions with malicious .docm and .xlsm files sent as attachments. In most organizations, .docm and .xlsm files are not commonly sent over email. While this doesn’t make every file with these extensions malicious, it does raise the suspicion level. An organization may want to send a copy of all emails with .docm and .xlsm attachments to its SOC for extra review. This can be accomplished with a Smart Custom Rule.

Configuring Rules

Here is how to create a rule that BCCs every email carrying an attachment with the file extension .docm or .xlsm to a SOC email address:

  1. Go to Configuration > Policies
  2. Create a “Custom Rules” policy, provide a name, and optionally a description
  3. In the policy, click the “Manage” link next to “Custom Rules”
  4. Click “Add Rule”
  5. In the “Create New Rule” screen, take the following actions:
    1. Provide a rule name and description
    2. In the “Apply the rule if” section choose Attachment > File Extension > Equals > Custom
    3. In the Custom field add the extensions .docm and .xlsm
    4. In the “Except” field, add any email addresses or domains to ignore. In this case, we selected Envelope From > Equals
    5. In the “Perform the following actions” section, select BCC and enter the SOC email address(es) that should receive the copy for further review.
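
To make the rule semantics concrete, here is a small Python evaluator, added as an illustration: it is not FireEye code and does not use the product's rule syntax. It applies the rule built above (condition Attachment > File Extension > Equals with .docm/.xlsm, exception Envelope From > Equals, action BCC) to constructed messages, with conditions ANDed and a matching exception suppressing the rule as the post describes. All addresses, and the X-Envelope-From header used to carry the SMTP MAIL FROM value, are assumptions.

```python
"""Toy evaluator for a Smart Custom Rule (added illustration, not FireEye code).

Models the semantics described in the post: every condition must match
(logical AND), exceptions are combined the same way and suppress the rule
when they match, and a match triggers one action. Rule syntax, the
X-Envelope-From carrier header and all addresses are assumptions.
"""
from email.message import EmailMessage
from email.utils import parseaddr


def attachment_extension_equals(msg, extensions):
    """Attachment > File Extension > Equals: any attachment whose extension
    is in the custom list (compared case-insensitively)."""
    wanted = {e.lower() for e in extensions}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        dot = name.rfind(".")
        if dot > 0 and name[dot:] in wanted:
            return True
    return False


def envelope_from_equals(msg, address):
    """Envelope From > Equals. The SMTP MAIL FROM value is not part of the
    parsed message, so this simulation reads it from a constructed
    X-Envelope-From header (assumption)."""
    envelope = parseaddr(msg.get("X-Envelope-From", ""))[1]
    return envelope.lower() == address.lower()


class Rule:
    def __init__(self, name, conditions, exceptions, action):
        self.name = name
        self.conditions = conditions   # callables msg -> bool, ANDed
        self.exceptions = exceptions   # callables msg -> bool, ANDed
        self.action = action           # (verb, argument), e.g. ("BCC", [...])

    def matches(self, msg):
        # The post requires at least one condition or exception.
        if not self.conditions and not self.exceptions:
            raise ValueError("rule needs at least one condition or exception")
        if not all(cond(msg) for cond in self.conditions):
            return False
        # An exception set that fully matches excludes the email from the rule.
        if self.exceptions and all(exc(msg) for exc in self.exceptions):
            return False
        return True


SOC_RULE = Rule(
    name="BCC macro-enabled Office attachments to the SOC",
    conditions=[lambda m: attachment_extension_equals(m, [".docm", ".xlsm"])],
    exceptions=[lambda m: envelope_from_equals(m, "trusted-vendor@example.net")],
    action=("BCC", ["soc@example.com"]),
)


def route(msg, rule=SOC_RULE):
    """Return the delivery decision: original recipient plus any BCC copies."""
    decision = {"to": [str(msg["To"])], "bcc": [], "rule": None}
    if rule.matches(msg):
        verb, argument = rule.action
        decision["rule"] = rule.name
        if verb == "BCC":                # deliver as normal and copy the SOC
            decision["bcc"] = list(argument)
    return decision


def build_sample(envelope_from, attachment_name):
    """Constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = envelope_from
    msg["To"] = "partner@example.com"
    msg["Subject"] = "Contract draft"
    msg["X-Envelope-From"] = envelope_from
    msg.set_content("Please review the attached document.")
    msg.add_attachment(b"PK\x03\x04 constructed bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for sender, name in [("someone@example.org", "invoice.docm"),
                         ("someone@example.org", "invoice.docx"),
                         ("trusted-vendor@example.net", "invoice.xlsm")]:
        print(sender, name, "->", route(build_sample(sender, name)))
```

The third sample shows the exception at work: the .xlsm attachment matches the condition, but because the envelope sender equals the excepted address the rule does not fire and no copy goes to the SOC.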

Other Use Cases

The APT19 example above is just one of a myriad of use cases for the Smart Custom Rules functionality. Here are several other possibilities:

  1. Take an action any time an email has an attachment with a .pdf extension but the true file type is not PDF. The same logic can be applied to other file formats.
  2. Modify the subject of an email with a tag such as [External] when it is sent from a domain other than your own.
  3. Quarantine any email that has a specific term or regular expression match in its headers.
  4. Drop an email that has an attachment whose name includes a double extension, such as badfile.pdf.zip.
  5. BCC emails containing links to Google Drive, Dropbox, etc. to the SOC for further review.
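
Use cases 1 and 4 both hinge on inspecting the attachment rather than trusting its name. The Python below is an added illustration, not FireEye code: it compares an attachment's claimed extension against the leading bytes of its content (standard file-format signatures) and flags document-looking double extensions, then maps each finding to one of the actions from the table above. The signature table, the verdict labels and the sample attachments are constructed assumptions.

```python
"""Attachment checks behind the .pdf-that-is-not-a-PDF and double-extension
use cases (added illustration, not FireEye code). Signatures are the usual
leading bytes of each format; samples are constructed, not real captures."""

# Claimed extension -> accepted leading byte signatures (assumed table).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docm": (b"PK\x03\x04",),      # OOXML documents are zip containers
    ".xlsm": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".exe": (b"MZ",),
}

# Inner extensions that make a double extension look like a disguised file.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def extension_of(name):
    """Lower-cased final extension including the dot, or '' if there is none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def extension_mismatch(name, data):
    """Use case 1: the claimed extension has a known signature and the
    content does not start with it. Unknown extensions are not judged."""
    ext = extension_of(name)
    if ext not in MAGIC:
        return False
    return not any(data.startswith(sig) for sig in MAGIC[ext])


def has_double_extension(name):
    """Use case 4: e.g. badfile.pdf.zip, a document-like extension followed
    by a different outer extension. Names like archive.tar.gz are left alone."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return inner in DOCUMENT_LIKE and outer != inner


def triage(attachments):
    """Map each (filename, bytes) pair to an action from the Actions table:
    'Drop' for a double extension, 'BCC' (copy to SOC) for a type mismatch,
    'Deliver' otherwise."""
    verdicts = {}
    for name, data in attachments:
        if has_double_extension(name):
            verdicts[name] = "Drop"
        elif extension_mismatch(name, data):
            verdicts[name] = "BCC"
        else:
            verdicts[name] = "Deliver"
    return verdicts


# Constructed sample attachments: (filename, first bytes of content).
SAMPLES = [
    ("quarterly.pdf", b"%PDF-1.7\n%constructed"),
    ("invoice.pdf", b"MZ\x90\x00constructed"),   # executable wearing a .pdf name
    ("badfile.pdf.zip", b"PK\x03\x04constructed"),
    ("notes.txt", b"plain text, no signature to check"),
    ("macros.docm", b"PK\x03\x04constructed"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:18} -> {verdict}")
```

The ordering in `triage` matters: a double-extension name is dropped outright, while a content mismatch only earns a copy to the SOC, mirroring the different severities the two use cases assign.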

Conclusion

Smart Custom Rules allow administrators to take actions on emails in creative ways. At a time when email is the most vulnerable attack vector, having greater control over it is especially important. The examples shared in this blog post are just a small sampling of what can be accomplished with this latest enhancement to FireEye Email Security Cloud Edition.

Have a creative use for the Smart Custom Rules functionality? Let us know about it!