Views:
With Attachment Password Guessing, Cloud App Security attempts to find passwords in email content (subject, body, and attachment names) to access password-protected attachments, making it possible to detect any malicious payload in these files.
Attachment Password Guessing is available only after you turn on the Malware Scanning filter or Virtual Analyzer filter. This feature supports the following services, attachment file types, and email languages.
Services
Attachment File Types
Email Languages
  • Exchange Online
  • Gmail
  • ZIP (by 7-Zip or PKZIP)
Note
Note
Cloud App Security uses the true file types instead of file extensions to identify file types.
  • English
  • Portuguese
  • German
  • Spanish
  • Italian
  • Russian
  • Czech
  • Polish
  • Bengali
  • Hindi
  • Chinese
  • Japanese
  • Korean
  • Vietnamese
  • Arabic
  • Hebrew

Procedure

  1. In Cloud App Security, go to PoliciesGlobal SettingsOther SettingsAttachment Password Guessing.
  2. Turn on Enable Attachment Password Guessing.
    Cloud App Security uses both predefined and user-defined password extraction rules to extract passwords from an email.
  3. Add user-defined password extraction rules.
    1. Under Custom Password Extraction Rules, click Add to define rules that you want Cloud App Security to use to extract passwords from an email.
    2. On the Add Custom Password Extraction Rule screen, use regular expressions to specify the following parameters:
      Note
      Note
      Make sure the regular expressions follow the expression formats defined in Perl Compatible Regular Expressions (PCRE). For more information on PCRE, visit the following website: http://www.pcre.org/.
      • Preceding Text: The text preceding a password in an email.
      • Password: The password in an email.
      • Subsequent Text: The text following a password in an email.
      Here is an example of a password extraction rule.
      Parameter
      Value
      Description
      Preceding Text
      Password is:\s{1,}
      This regex is designed to match a specific label followed by whitespace.
      • Password is:: Matches the literal characters "Password is:" exactly (case-sensitive).
      • \s: Matches any whitespace character (space, tab, newline).
      • {1,}: A quantifier meaning "one or more." It ensures there is at least one space after the colon.
      Password
      [A-Za-z0-9@#%$^&*]{2,128}
      This is a character class commonly used for validating password complexity.
      • [A-Za-z0-9@#%$^&*]: A character set that matches any single character contained within the brackets, where
        • A-Z, a-z, 0-9: Matches any uppercase letter, lowercase letter, or digit.
        • @#%$^&*: Matches these specific special characters.
      • {2,128}: A quantifier specifying length. The total string must be between 2 and 128 characters long.
      Subsequent Text
      ===[0-9]{2,3}
      This matches a specific prefix followed by a short numeric sequence.
      • ===: Matches three literal equal signs.
      • [0-9]: Matches any single digit from 0 to 9.
      • {2,3}: A quantifier meaning "two or three." This matches a 2-digit number (for example, ===10) or a 3-digit number (for example, ===100).
    3. Optionally make the rule case sensitive.
    4. Specify Test Data.
      Type the email content that you expect the rule to match.
    5. Click Test to verify that the rule can match the test data.
      The Test Result highlights the extracted password.
    6. Click Save.
  4. Click Edit to change a custom password extraction rule.
  5. Click Delete to delete one or multiple custom password extraction rules.
Comments (0)