Looking for a plugin/add-on for Exchange Server (on-prem only for now) that will parse every inbound message (internal or via SMTP) for URL/website addresses. For each address/URL found, the system will send a request to an online service that I have and, depending on the response code, either remove the URL/website (replace it with a specified string) or allow the text string to remain.
So, basically, a quick lookup based on parsed message results (email message text, and maybe attachment processing as a second phase).
You should be an Exchange expert, obviously, and be able to produce this solution end to end.
Looking forward to your proposals. Assume HTTP POST for the URL/website test and a simple 1-character response code (1:0).
Full Description of product:
Project Steps for Exchange URL Parser: Version 1.0
Windows-based installer that an AD admin can run
Installer finds and attaches to Exchange instances as required
Deploys software on the server as required
You decide whether it should be an agent in the tray of the Exchange server or a small IIS-hosted panel to manage configuration settings
Analyze all mail flow (SMTP to inside, inside to inside, inside to outside) and parse all mail for URLs. For each URL, you will query an online service with the URL, and the online service will respond with a 1 or 0. 1 means the URL is clean and no changes are required. 0 means the URL is bad: replace the URL with a specific string the AD administrator enters on the control panel.
Admin control functions:
- on a 'bad' URL, what is the text string to replace it with
1) Demo simple search-and-replace functionality in Exchange (to prove capabilities)
2) Add in control panel & domain lookup functions
3) Wrap in installer
v1.1: - on a 'bad' URL, do we raise an alert (email to a mailbox, or feed to SIEM)?
- introduce a local cache: on all domain lookups, look in the local MSSQL table first; if the entry exists, use it. If it doesn't exist, ping the external service and put the result in the MSSQL table
- Config item: how long to use the local cache, and when to refresh
v1.2: - Introduce other threat feeds (STIX, Google Badware Sites, etc.)
v1.3: - offer as an O365 service directly on the app store
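
An added sketch of the v1.0 parse, lookup and replace step together with the v1.1 cache lifetime, written in Python for illustration; it is not code from this posting and not an Exchange transport agent. `stub_service` stands in for the HTTP POST lookup, and the names, the URL pattern, caching per URL in memory instead of in MSSQL, and treating an unreachable service or a malformed reply as bad are all assumptions.

```python
import re
import time

# Matches http(s) URLs and bare www. hosts; stops at whitespace and common delimiters.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"'()\[\]]+", re.IGNORECASE)

class VerdictCache:
    """Remembers service verdicts for ttl_seconds (the configurable cache lifetime)."""
    def __init__(self, lookup, ttl_seconds, clock=time.monotonic):
        self.lookup = lookup              # callable(url) -> "1" (clean) or "0" (bad)
        self.ttl, self.clock = ttl_seconds, clock
        self.entries = {}                 # url -> (is_clean, time stored)

    def is_clean(self, url):
        hit = self.entries.get(url)
        if hit and self.clock() - hit[1] < self.ttl:
            return hit[0]                 # fresh cache entry, no external request
        try:
            answer = self.lookup(url)
        except Exception:
            answer = None                 # service unreachable
        if answer not in ("0", "1"):
            return False                  # assumption: no valid verdict -> treat as bad, do not cache
        self.entries[url] = (answer == "1", self.clock())
        return answer == "1"

def rewrite_body(text, cache, replacement):
    """Replace every URL not confirmed clean; return (new_text, removed_urls)."""
    removed = []
    def swap(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?")        # trailing sentence punctuation is not part of the URL
        tail = raw[len(url):]
        if cache.is_clean(url):
            return raw
        removed.append(url)               # candidates for the v1.1 alert (mailbox or SIEM)
        return replacement + tail
    return URL_RE.sub(swap, text), removed

# Constructed sample data: a stub verdict service and a message body.
BAD = {"http://bad.example/login"}
calls = []

def stub_service(url):
    calls.append(url)                     # records how often the "service" is contacted
    return "0" if url in BAD else "1"

SAMPLE = "Invoice: http://bad.example/login. Docs at https://good.example/a, thanks."
```

This works on plain text only; in HTML parts the link target lives in the `href` attribute, so the same check has to run on attribute values as well as on the visible text.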