Created January 28, 2021 16:52
CodingAnarchy/273f6ab5bd897fffd44e3948fbe35530
Email that breaks nokogiri parsing
Return-Path: <SentinelAlerts@foobar.com>
Received-SPF: pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
Authentication-Results: amazonses.com;
 spf=pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
 dkim=pass header.i=@foobar.com;
 dmarc=pass header.from=foobar.com;
X-SES-RECEIPT: AEFBQUFBQUFBQUFFOG93TThhdmZYL0dpV1l4dXpSblIyODRaMGdtVGU3QVF5UW9SKzc3aE9jbU5LL3dxdmJXYUNnaHZBMGtOdGNxK1kxZ2NKTHJXWGdNVGZKS1kwUGJyNlRHNjRqdjN4ZVJSUHlQRjlvb1lSN1NObzBEcEN3OHNJejdmQThZQStYbHBBK2xtWEZSSUQ5V0dwdUk2RzBJeFpjLzNjdS9hTjVJSjlpN1AraUxicnBxQUFJZ0VTTEtWZ1RzSkpiRGtNb2cyQkVnY25xOGZkZEorTzhkbXVZMFlKTnFWSGpTQTI2VnY5QW1ER2srY3I2N3NTc3F6dG5McFVPSTJ6ZU90c2NzT1BJUlA5YkR1MmVDQkV2VUdkUDRlcEZ2Mm1qUU0reFJjeWhzQ1BPS0sweVN4NFgzRndWOG96QVFRek1la2k0L2c9
X-SES-DKIM-SIGNATURE: a=rsa-sha256; q=dns/txt; b=VDpanH/8lL7WIGp7KGQhppLBAEGzqW8B2mV4ufBHMS7hvekaIb7KUb8xxDMJj7veATaf+0JR9mDDG+Lqa2zsnMcseFmqacLhq/7JK3XKM1Za+5NLwqDB1v+AYbm93lvubjU33RrzOVCpO49DwDghxn++LIzFps8DNNIOmEXiXmc=; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1597316434; v=1; bh=jE9nfSfqyI0hT/PezYPjnxYHMIhO83PA6mH+6clU4XA=; h=From:To:Cc:Bcc:Subject:Date:Message-ID:MIME-Version:Content-Type:X-SES-RECEIPT;
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=oMiniuen1BCC+srwcXAVFvsdH4DFVZZOfmcqWxR1Q3FwLDgb9/8EscsTrgZzBUhCy6utLd4srW50sfjAOlbnGDcYkgm8+e+FCZ5s6C8ZYf6wex2+il8Rwga0tQ6xJruGxD7ggM6z3geLoemsznnWe166Q/6CP7vBI0MzJgolktOHAYEoXHLEx/zSape/eHwO5QcWAKNnfrjZk7AOccR6BtvSt2KXz+XcAGQhWCXBvQ5XQ2llwBU/3/zKAmuvZlHGATrm8XLXlFOnR90OfLkevt7+B60wT0YXFQpv/X0OxouwPW+UEBOjrz91gkjkK6zzBoNBeAplf6/elUyrxtmkFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
 b=a4wpd2ZN2mc9PS6sIE+mV+aDY6cLSsGJnn19DnomaT2pvAO+5LPxi07zglKFhnDwT/Ft+BDhNWKvgWxgVveEHvgUcVvKPLqBlFuQAhzqm4bkcr5qH6svUsK+1DaqMH/GocYnSt1NViVEDMImiCBg0T/wveisk9KZs0wHkhsZxYLdmqwi1vTGfspixzFGCNuLRd0+SIKt4GBkOjhJXRlBbzLs0Mf7A2z8YiXJ5JZ8iIWYaosKlo5ILAx4JSNSxfRgXk7zYlaxTQyBLgulsFNLTNjQ5rX90vvtHFg3XaaAdi7ldbM8ta5F387X/F9jGGOJJUWkHQYtS6NbuyYikbyQzA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=foobar.com; dmarc=pass action=none header.from=foobar.com;
 dkim=pass header.d=foobar.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foobar.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
 b=FabDg1ajpHNwCEVF1YijBQzz2xV5DXP7Y3ob/Vukr1Pd/5hQtmN4St4/0+XEdpn8HSe5xr42ECY+i2Rvc4NdZTYqvCZdbG7jwsncDTtZF5Yd0OtVDfX/is2lD7OK59p627fdRtWsr4aHYSxD9Kd4Z/FwVwym+Wjdsp9+JvFyvCY=
Received: from BLAPR19MB4324.namprd19.prod.outlook.com (2603:10b6:208:27c::10)
 by BLAPR19MB4498.namprd19.prod.outlook.com (2603:10b6:208:29a::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 192.168.0.2; Thu, 13 Aug
 2020 11:00:26 +0000
Received: from BLAPR19MB4324.namprd19.prod.outlook.com
 ([fe80::a0be:bf27:e570:98a]) by BLAPR19MB4324.namprd19.prod.outlook.com
 ([fe80::a0be:bf27:e570:98a%9]) with mapi id 192.168.0.3; Thu, 13 Aug 2020
 11:00:26 +0000
From: Sentinel Alerts <SentinelAlerts@foobar.com>
To: Security Team <SecurityTeam@foobar.com>,
 "alertsa52870847feac8ba1e026fb100000000@foo.bar"
 <alertsa52870847feac8ba1e026fb100000000@foo.bar>
Subject: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
 Alert
Thread-Topic: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
 Alert
Thread-Index: AQHWcWDzFpkyC1/3EU+xdVOov+Qe5A==
Importance: low
X-Priority: 5
Date: Thu, 13 Aug 2020 11:00:26 +0000
Message-ID:
 <BLAPR19MB4324FD0638D806E189DEC494BD430@BLAPR19MB4324.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-mail-application: Azure Logic Apps; User-Agent: azure-logic-apps/1.0
 (workflow 307d77cef59e4369994b6e3b87f573d2; version 08586081441835642616)
x-ms-mail-operation-type: Send
authentication-results: managedsentinel.com; dkim=none (message not signed)
 header.d=none;managedsentinel.com; dmarc=none action=none
 header.from=foobar.com;
x-originating-ip: [192.168.0.4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
x-ms-traffictypediagnostic: BLAPR19MB4498:
x-ld-processed: 1f645c37-ab53-4475-8183-733a4df64da3,ExtAddr
x-microsoft-antispam-prvs:
 <BLAPR19MB44989C03655D4E41F012D3CDBD430@BLAPR19MB4498.namprd19.prod.outlook.com>
x-ipw-groupmember: False
x-ms-oob-tlc-oobclassifiers: OLM:534;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative;
 boundary="_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_"
MIME-Version: 1.0
X-OriginatorOrg: foobar.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR19MB4324.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2020 11:00:26.5243
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 1f645c37-ab53-4475-8183-733a4df64da3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RRj8paSSspQe0tmL/jpKObKvwcKqSwsqn+zuA+JYnnWlvQK4UQ9bO+kffXu543bsZN5xcKlwqsuiaRXBf22Lqozsq8W7h7Lq6htYpdqLqgg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR19MB4498

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

An Azure Sentinel alert has been triggered:

Alert: MS-A211: Microsoft Defender ATP Alert
Severity: Medium
Description: This alert notifies on Microsoft Defender ATP notifications se=
nt to Azure Sentinel.
Azure Sentinel Incident number: 5883

Query results that triggered the alert:
TimeGenerated DisplayName AlertSeverity Description Details Rem=
ediationSteps AlertLink User Host AccountCustomEntity =
HostCustomEntity
8/13/2020 10:48:21 AM USB and File Write Detected Medium Alert looks=
 for usb drives and subsequent file writes. ["DnsDomain: capam.foocot=
ic.comHost: foo633 Type: host"," Name: foo633$ Type: account"] [
"1. Make sure the machine is completely updated and all your software has t=
he latest patch.",
"2. Contact your incident response team. NOTE: If you don=92t have an incid=
ent response team, contact Microsoft Support for architectural remediation =
and forensic.",
"3. Install and run Microsoft=92s Malicious Software Removal Tool (see http=
s://www.microsoft.com/en-us/download/malicious-software-removal-tool-detail=
s.aspx).",
"4. Run Microsoft=92s Autoruns utility and try to identify unknown applicat=
ions that are configured to run at login (see https://technet.microsoft.com=
/en-us/sysinternals/bb963902.aspx).",
"5. Run Process Explorer and try to identify unknown running processes (see=
 https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)."
] foo633$ foo633$

Go to Azure Portal: https://portal.azure.com

Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
</head>
<body>
<p>An Azure Sentinel alert has been triggered:<br>
<br>
Alert: MS-A211: Microsoft Defender ATP Alert<br>
Severity: Medium<br>
Description: This alert notifies on Microsoft Defender ATP notifications se=
nt to Azure Sentinel.<br>
Azure Sentinel Incident number: 5883<br>
<br>
Query results that triggered the alert:<br>
<table border=3D"1" cellpadding=3D"5" cellspacing=3D"1" bordercolor=3D"Blac=
k" style=3D"font-family:"Segoe UI";font-size:12px;border-collapse=
:collapse;">
<tbody>
<tr bgcolor=3D"DarkGray">
<td nowrap=3D"nowrap">TimeGenerated</td>
<td nowrap=3D"nowrap">DisplayName</td>
<td nowrap=3D"nowrap">AlertSeverity</td>
<td nowrap=3D"nowrap">Description</td>
<td nowrap=3D"nowrap">Details</td>
<td nowrap=3D"nowrap">RemediationSteps</td>
<td nowrap=3D"nowrap">AlertLink</td>
<td nowrap=3D"nowrap">User</td>
<td nowrap=3D"nowrap">Host</td>
<td nowrap=3D"nowrap">AccountCustomEntity</td>
<td nowrap=3D"nowrap">HostCustomEntity</td>
</tr>
<tr>
<td nowrap=3D"nowrap">8/13/2020 10:48:21 AM</td>
<td nowrap=3D"nowrap">USB and File Write Detected</td>
<td nowrap=3D"nowrap">Medium</td>
<td nowrap=3D"nowrap">Alert looks for usb drives and subsequent file writes=
.</td>
<td nowrap=3D"nowrap">["DnsDomain: capam.foobar.comHost: foo633=
 Type: host"," Name: foo633$ Type: account"]</td>
<td nowrap=3D"nowrap" class=3D"foo">[<br>
"1. Make sure the machine is completely updated and all your software =
has the latest patch.",<br>
"2. Contact your incident response team. NOTE: If you don=92t have an =
incident response team, contact Microsoft Support for architectural remedia=
tion and forensic.",<br>
"3. Install and run Microsoft=92s Malicious Software Removal Tool (see=
 https://www.microsoft.com/en-us/download/malicious-software-removal-tool-d=
etails.aspx).",<br>
"4. Run Microsoft=92s Autoruns utility and try to identify unknown app=
lications that are configured to run at login (see https://technet.microsof=
t.com/en-us/sysinternals/bb963902.aspx).",<br>
"5. Run Process Explorer and try to identify unknown running processes=
 (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)."=
;<br>
]</td>
<td nowrap=3D"nowrap"></td>
<td nowrap=3D"nowrap">foo633$</td>
<td nowrap=3D"nowrap"></td>
<td nowrap=3D"nowrap">foo633$</td>
<td nowrap=3D"nowrap"></td>
</tr>
</tbody>
</table>
<br>
<br>
Go to Azure Portal: https://portal.azure.com<br>
<br>
Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211</p>
</body>
</html>

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_--