On 8/9/2016 5:56 PM, Anthony Hoppe wrote:
Here are the headers as an example: http://pastebin.com/bnU0npLR This particular email has a macro-enabled Word document attached, but I don't want to assume this will be the case every time. Any tips/tricks/suggestions would be greatly appreciated!
I think there is a trend now... towards blocking ALL .docm files (if not, there should be!). I think it is EXTREMELY rare for normal human beings to send Word documents in that particularly dangerous format. Most would be send in .doc or .docx format.
I'm not sure if there is already a SA rule for scoring against .docm files attachments? Perhaps someone else could help you with that.
-- Rob McEwen
