DLP for Bitcoin Addresses

5/5 - (5 votes)

One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you’ve got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage.  You can create a DLP rule in the Office 365 Security & Compliance Center (or an Exchange Online transport rule) to try to combat this.

The regular expression we’re going to work with is:

(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}(\s|$|\.(?!\w))

This will match the standard BTC addresses (beginning with bc1 or a 1 or a 3), and then 25-34 alphanumeric characters excluding lookalikes (lowercase L, uppercase i, numeral 0 and uppercase o), followed by a space character (\s), the end-of-line ($), or a period (as long as it didn’t have any characters immediately after it).

Security & Compliance Center

To configure the Security & Compliance DLP sensitive information type, follow these steps.

  1. Launch a browser, navigate to protection.office.com, select Classifications and then select Sensitive info types.
  2. Click +Create.
  3. Enter a name and description and click Next.
  4. Click +Add an element.
  5. Select Regular expression from the drop-down, and paste in the regular expression text.
  6. If you want to increase the sensitivity or confidence level, you may want to include supporting elements like:
    btc, bitcoin, address, payment, wallet, ransom, “or else”, threat, decrypt
  7. Confirm and click Finish.
  8. Click Yes to test your pattern against a file.
  9. Create a file with the following content:
    Send BTC payment to address:1JHJnnDp9A92XdjfYkHKyrJ3R99Q72K3X4
  10. Upload the file and click Test.
  11. Click Finish.

Boom! Success!

Using the Bitcoin Sensitive Information Type

Once you’ve created the Sensitive info type, you can use it in DLP policies, labels, and Exchange Transport Rules.  We’ll go over a few cool things you can do.  You can

Exchange Transport Rules

There are a number of ways to use this, but perhaps the best things to do might be to generate some sort of incident report or redirect the message to another mailbox.  Without further ado…

  1. Launch https://outlook.office365.com/ecp as an administrator.
  2. Select Mail flow.
  3. Under Rules, click + and then select Generate an incident report when sensitive information is detected.
  4. Fill out a name, and then click Select sensitive information types… link next to Apply this rule if…
  5. Click +.
  6. Add the Bitcoin sensitive information type, and then click OK twice.
  7. Next to Do the following, click Select one…
  8. Choose the recipient to receive the incident report and click OK.
  9. Select Include message properties, select all of the properties you want included in the incident report, and then click Save.
  10. In my case, I think it’s probably a good idea to deliver this to the hosted quarantine so it doesn’t make it to the intended recipient (at least not without review).
  11. Click Save.

 

author avatar
Aaron Guilmette
Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

3 Replies to “DLP for Bitcoin Addresses”

    1. Perhaps it would be better:
      (^|[^0-9a-zA-Z])(bc1|[13][a-km-zA-HJ-NP-Z1-9]{25,34}(\s|$|\.(?!\w)))

Comments are closed.