One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you’ve got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage. You can create a DLP rule in the Office 365 Security & Compliance Center (or an Exchange Online transport rule) to try to combat this.
The regular expression we’re going to work with is:
(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}(\s|$|\.(?!\w))
This will match the standard BTC address shapes (beginning with bc1, or with a 1 or a 3), followed by 25-34 alphanumeric characters from the Base58 alphabet, which excludes the lookalikes (lowercase L, uppercase i, numeral 0 and uppercase o), followed by a whitespace character (\s), the end of the line ($), or a period, as long as the period isn’t immediately followed by a word character (that’s what the (?!\w) negative lookahead checks).
Security & Compliance Center
To configure the Security & Compliance DLP sensitive information type, follow these steps.
- Launch a browser, navigate to protection.office.com, select Classifications and then select Sensitive info types.
- Click +Create.
- Enter a name and description and click Next.
- Click +Add an element.
- Select Regular expression from the drop-down, and paste in the regular expression text.
- If you want to increase the sensitivity or confidence level, you may want to include supporting elements like:
btc, bitcoin, address, payment, wallet, ransom, “or else”, threat, decrypt
- Confirm and click Finish.
- Click Yes to test your pattern against a file.
- Create a file with the following content:
Send BTC payment to address:1JHJnnDp9A92XdjfYkHKyrJ3R99Q72K3X4
- Upload the file and click Test.
- Click Finish.
Boom! Success!
Using the Bitcoin Sensitive Information Type
Once you’ve created the Sensitive info type, you can use it in DLP policies, labels, and Exchange Transport Rules. We’ll go over a few cool things you can do. You can
Exchange Transport Rules
There are a number of ways to use this, but the most useful are probably generating an incident report or redirecting the message to another mailbox for review. Without further ado…
- Launch https://outlook.office365.com/ecp as an administrator.
- Select Mail flow.
- Under Rules, click + and then select Generate an incident report when sensitive information is detected.
- Fill out a name, and then click the Select sensitive information types… link next to Apply this rule if…
- Click +.
- Add the Bitcoin sensitive information type, and then click OK twice.
- Next to Do the following, click Select one…
- Choose the recipient to receive the incident report and click OK.
- Select Include message properties, select all of the properties you want included in the incident report, and then click Save.
- In my case, I think it’s probably a good idea to deliver this to the hosted quarantine so it doesn’t make it to the intended recipient (at least not without review).
- Click Save.
It generates false positives 🙁
For example:
Unsubscribe | http://example.com/?qs=7574d0ccc887c6d4a65805f599619916e05ed205f29eddfe2ccaae7dccd15c5c844d941aee358d6bfccc22d497811301a46d47c11fbb581c13fa4615845c2485 My Account | ffds,.f fhs fksdh fksdfk skf skf
Perhaps this would be better:
(^|[^0-9a-zA-Z])(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}(\s|$|\.(?!\w))
Can you give an example of a false positive that it tripped on?
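As an added example (not code from the post or from Microsoft), the script below runs the page’s regular expression against the test line from the walkthrough and against the commenter’s unsubscribe-link sample, reproducing the false positive: the hex query string contains a run of 1 followed by 32 Base58-safe characters right before the space, which is all the original pattern asks for. It then shows two tightenings: the commenter’s leading-boundary idea (regrouped so that bc1 on its own cannot match), and a Base58Check checksum test, which a regex-only sensitive info type cannot express but which works wherever the matches are post-processed (an assumption about your pipeline, not something the page describes). The keyword-proximity function is a rough stand-in for the DLP "supporting elements" and is my approximation, not Microsoft’s scoring; the "valid" address is constructed from a made-up 20-byte hash so its checksum is right by construction, and all sample text is constructed.

```python
"""Check the page's Bitcoin-address regex against sample text, reproduce the
false positive from the comments, and show two ways to tighten it."""
import hashlib
import re

# The page's pattern, wrapped in one capture group so the address itself can
# be pulled out; the tail still requires whitespace, end of text, or a period
# that is not followed by a word character.
ORIGINAL_RE = re.compile(r"((?:bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34})(?:\s|$|\.(?!\w))")

# The commenter's idea, regrouped: the candidate must also be preceded by
# start of text or a non-alphanumeric character, so a "1" or "3" buried in a
# long hex or base64 token no longer qualifies.
BOUNDED_RE = re.compile(
    r"(?:^|[^0-9a-zA-Z])((?:bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34})(?=\s|$|\.(?!\w))"
)

# The page's suggested supporting elements for raising confidence.
SUPPORTING_TERMS = ("btc", "bitcoin", "address", "payment", "wallet",
                    "ransom", "or else", "threat", "decrypt")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def find_candidates(text: str, pattern: re.Pattern) -> list[str]:
    """Return every address-shaped token the given pattern finds in text."""
    return [m.group(1) for m in pattern.finditer(text)]


def has_supporting_term(text: str, candidate: str, window: int = 300) -> bool:
    """True if one of the page's keywords appears within `window` characters of
    the candidate (a rough stand-in for the DLP 'supporting elements', my approximation)."""
    pos = text.find(candidate)
    if pos < 0:
        return False
    context = text[max(0, pos - window): pos + len(candidate) + window].lower()
    return any(term in context for term in SUPPORTING_TERMS)


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(s) - len(s.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1' characters."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def has_valid_checksum(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum.
    Only meaningful for legacy '1'/'3' addresses, not bech32 'bc1' ones."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def p2pkh_address(hash160: bytes) -> str:
    """Build a checksum-valid legacy address from a 20-byte hash (constructed input)."""
    payload = b"\x00" + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


# --- constructed sample inputs (not real mail, not real wallets) ---
PAGE_TEST_LINE = "Send BTC payment to address:1JHJnnDp9A92XdjfYkHKyrJ3R99Q72K3X4"
FALSE_POSITIVE = ("Unsubscribe | http://example.com/?qs=7574d0ccc887c6d4a65805f599619916e05"
                  "ed205f29eddfe2ccaae7dccd15c5c844d941aee358d6bfccc22d497811301a46d47c11fbb"
                  "581c13fa4615845c2485 My Account | ffds,.f fhs fksdh fksdfk skf skf")
VALID_ADDRESS = p2pkh_address(bytes(range(1, 21)))   # constructed hash, not a real wallet
VALID_LINE = "send payment to " + VALID_ADDRESS + " today"
BECH32_SHAPED = "bc1q" + "z" * 38    # 42 chars like a real bc1 address; not a valid one


def triage(text: str) -> list[tuple[str, bool, bool]]:
    """For each bounded candidate: (address, checksum ok, supporting term nearby)."""
    return [(c, has_valid_checksum(c), has_supporting_term(text, c))
            for c in find_candidates(text, BOUNDED_RE)]


if __name__ == "__main__":
    for label, text in (("page test", PAGE_TEST_LINE), ("false positive", FALSE_POSITIVE),
                        ("constructed valid", VALID_LINE), ("bech32 shaped", BECH32_SHAPED)):
        print(label, "| original:", find_candidates(text, ORIGINAL_RE), "| triage:", triage(text))
```

One caveat the run makes visible: real bech32 addresses (bc1q…, 42 characters for P2WPKH, 62 for P2WSH) use a different alphabet that includes 0 and l, so the bc1 branch of both patterns never matches them as written; the constructed bc1q string above falls through for that reason. Covering bech32 needs a separate pattern and a separate checksum routine.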