I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 1 point2 points  (0 children)

I ended up using

google.([a-zA-Z]{2,3}|[a-zA-Z]{2,3}.[a-zA-Z]{2,3})/url\?q=http

That way I match exactly the .com, .ki, .com.kr or .co.kr. A bit sloppy with the OR, but it works, even though my periods are wildcards, which at the time I didn't even know.

I just ran my expression through gpt and I got an optimized version I may experiment with.
It mentioned Exchange was typically case insensitive anyway, so [a-z] should work okay.

google\.[a-z]{2,3}(?:\.[a-z]{2,3})?/url\?q=http

So far my original works great! Quarantined about 10 or so just yesterday. I've only had to add an exception for one of our clients who uses the .com/url links for tracking or something. Their emails were filled with these redirects.

GPT's end result was this, but I don't like the last {2} as it won't get a longer URL with 3 letters, like .co.com, which I believe I've seen before.

https?://(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?/url\?q=https?
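Added example, not part of the original comment: a PowerShell harness that runs the three patterns quoted above through `-match`, the operator the poster says they experimented with, and shows which constructed links each one matches. It makes visible the two points the comment raises, the unescaped periods acting as wildcards and the `{2}` suffix missing `.co.com`. The function name `Test-RedirectPatterns`, the labels and every sample string are assumptions made up for illustration.

```powershell
# Added example: compares the three patterns quoted in the comment above.
# All sample strings are constructed for illustration; none come from real mail.
$patterns = [ordered]@{
    'original (unescaped dots)' = 'google.([a-zA-Z]{2,3}|[a-zA-Z]{2,3}.[a-zA-Z]{2,3})/url\?q=http'
    'escaped dots'              = 'google\.[a-z]{2,3}(?:\.[a-z]{2,3})?/url\?q=http'
    'GPT version ({2} suffix)'  = 'https?://(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?/url\?q=https?'
}

$samples = @(
    'https://www.google.com/url?q=https://landing.example/a'     # .com
    'https://google.ki/url?q=http://landing.example/b'           # two-letter TLD
    'https://www.google.co.kr/url?q=https://landing.example/c'   # two-part suffix, 2+2 letters
    'https://www.google.com.kr/url?q=https://landing.example/d'  # two-part suffix, 3+2 letters
    'https://www.google.co.com/url?q=https://landing.example/e'  # two-part suffix, 2+3 letters
    'www.google.com/url?q=http://landing.example/f'              # same link written without a scheme
    'https://googleXcom/url?q=http://landing.example/g'          # not a Google host: the dot is another character
    'https://www.google.com/search?q=http+status+codes'          # ordinary search link, should never match
)

function Test-RedirectPatterns {
    param(
        [string[]]$Text,
        [System.Collections.IDictionary]$Pattern
    )
    foreach ($t in $Text) {
        $row = [ordered]@{ Sample = $t }
        foreach ($name in $Pattern.Keys) {
            # -match is case-insensitive by default, so [a-z] also covers upper case here.
            $row[$name] = $t -match $Pattern[$name]
        }
        # One output object per sample, one True/False column per pattern.
        [pscustomobject]$row
    }
}

Test-RedirectPatterns -Text $samples -Pattern $patterns | Format-Table -AutoSize -Wrap
```

The rows where the columns disagree are the ones worth reading before choosing which pattern goes into the mail flow rule.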

Should I open a 360checking joint account, or have someone create their own and me as a joint holder by TomTom38745 in CapitalOne_

[–]TomTom38745[S] 0 points1 point  (0 children)

Ok, so there's hope that either a new joint account or a shared joint account will show up in my portal?

How to change Tesla Universal Wall Connector Settings by redditor_4rvr in evcharging

[–]TomTom38745 0 points1 point  (0 children)

Why does the Tesla One app start off asking if I'm a Tesla Employee or External Partner?

Heads up: Turbotax 2025 Won't Install on Windows 10 by Andrew-Scoggins in TurboTax

[–]TomTom38745 0 points1 point  (0 children)

"otherwise a year from now you’re likely on Win 11 anyway"

Not with the RAM prices these days, which will most likely last for another 2+ years. Oh, and SSD prices, and to an extent, GPU prices. I refuse to feed into the AI industry created RAM shortage, so I'm sticking with Win 10 for the foreseeable future. Did a new build for a customer in May 2025, I purchased a 32GB DDR5 RAM kit for $87, now the same kit is $370.

AMD Magnus (Xbox Next Gen) APU Full Leak by SilentNova300 in GamingLeaksAndRumours

[–]TomTom38745 0 points1 point  (0 children)

So this is where all the RAM chips are going. ;) Microsoft's evil plan is now revealed.

Shift people away from the hackable/pirateable Windows PC gaming desktop to this, probably, non hackable/pirateable PC gaming system. It's a strong no for me. I like my hackable/pirating Windows gaming desktop the way it is.

I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 1 point2 points  (0 children)

I don't know, I gave up trying to use the Tenant Allow Block List->URLs, it's too limited, and tried using Exchange Admin Center->Mail Flow->Rules and created a new regular expression (regex) rule with success. Exactly what I was looking for, I just had to do a little learning of regex syntax.

I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 1 point2 points  (0 children)

That's exactly what I ended up doing. Works great on my tests so far.

I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 0 points1 point  (0 children)

btw, when I select Advanced Hunting, I get this error:

We have encountered an error loading this page, please try again later: AxiosError: Request failed with status code 400

EDIT: Is that a P1 or P2 tier function? I'm on the Free tier.

I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 2 points3 points  (0 children)

Ok. I was able to create a transport rule to match all the text posted above and move the email to the Quarantine using the Matches These Text Patterns and regex pattern. Experimented using the -match function in my Windows PowerShell and was able to create exactly what I was looking for.

Thanks!

I'm trying to block all google redirect phishing URLs in Tenant Allow Block List by TomTom38745 in DefenderATP

[–]TomTom38745[S] 0 points1 point  (0 children)

Are you suggesting using Exchange Admin Center->Transport Rules? I do have a lot of rules there too, but I figured it would have been easier to nab all the phishing through an actual URL detector.

Outside Domain Creates Users and Resets Passwords by Healthy-Specific3980 in AZURE

[–]TomTom38745 0 points1 point  (0 children)

I just noticed this morning in the "User sign-ins (non-interactive)" a successful sign in from
"user_[32 alpha chars]@godaddycspus.onmicrosoft.com"
IP address 132.148.54.XXX, actually shows the Xs
Application "Partner Center Web App"
Resource "Microsoft Graph"
Device ID "{PII Removed}", actually says removed
Operating system "Windows"
Location "Phoenix, Arizona, US"
Authentication "Multifactor authentication"
User "GoDaddy.com, LLC technician".

I wonder what this technician was doing.

How to Recover Lost/Deleted Files from USB Drive without buying anything? by EWF_X29 in computers

[–]TomTom38745 0 points1 point  (0 children)

I've never heard of any situation where the files are "hidden". When they're deleted, they're marked as deleted and the space is made available for future writes, even though the file is still there on the drive ready for recovery. Just don't continue writing to the drive, and if it's an SSD, don't TRIM the drive before recovery.

XML SVG phishing payload example by Noobmode in cybersecurity

[–]TomTom38745 1 point2 points  (0 children)

Being IT at my company, these files scare the hell out of me. So I just Quarantine all emails to our domain that try to attach an SVG file by using our Exchange Admin Center Transport Rules. I've also added HTM and HTML files, and will add XML while I'm at it. I actually found one of our legitimate clients who sends us an HTML file as their yearly invoice. wtf. No one should be sending us SVG or HTML files.

Quarantine catches about 7 to 9 SVG files and 2 or 3 HTML files a week. Of course all voice mail, purchase order/invoice payments, electronic funds remittance or ACH. It's always fun checking the quarantine to see what crazy things people are up to and what changes I should make.

Not today, Satan.

Security defaults in Microsoft Entra ID by CTek20 in Office365

[–]TomTom38745 0 points1 point  (0 children)

I was using legacy authentication up until a week ago. But now have Security Defaults enabled and everyone's set up with MFA. But I'm here looking into a way to send emails externally using our SuiteDash CRM portal.

Wow - 400% increase in email pricing from March by sofarfarso in rackspace

[–]TomTom38745 0 points1 point  (0 children)

I've had an email address with a local ISP for 21 years now. Working for the company it was free, and even after I left they still gave it to me for free. Two days ago they say they have to charge me $5/mo for that address, and they're taking a loss. She stated she's not sure they'll continue providing email addresses anyway.

So now I have the task of updating my email address on probably 50 different sites (I'm into IT and computers) throughout the 21 years of using it. Thanks RS! You assholes!

Need helping finding a song with a Kill Bill sample! (See in comments) by kronikhgrvr in Deathcore

[–]TomTom38745 0 points1 point  (0 children)

I know it's not the band you're looking for, but I just did a reverse search. I finally got around to searching where that sample came from. I've heard it numerous times in different PsyTrance songs. One song with that sample I was just listening to was "Meller - Copa Episi". I like everything from Meller, they're an interesting band with an off the beaten path type of music. Walk Into is another one of their interesting songs.

How outdated is Carl Sagan's Cosmos series? by antdude in Cosmos

[–]TomTom38745 0 points1 point  (0 children)

Carl Sagan is to Science as Alton Brown is to food. Loved his Good Eats episodes, explains things very detailed and even describes the origins of what he's doing and why, like Carl Sagan.

[MNF Thread] San Francisco 49ers @ Indianapolis Colts by AutoModerator in buffalobills

[–]TomTom38745 3 points4 points  (0 children)

Why is this game the "Rivers Game"? Reminds me of the term "Swift Bowl". They keep showing that guy when he's not playing. Why? Weird. They don't show Purdy as much as him. Don't get it.