
Regular Expressions for Email Security

Aldrin Avendaño Tadeo | Threat Customer Service Engineering


Heads up!
- We will just tackle the basics as much as possible so we won’t get overloaded with information.
- We might touch some “advanced” regex but don’t get intimidated.
- Forget that 1, 2, 3… are numbers and ! is an exclamation mark. Treat them all as characters like a, b, c, d…

Regular Expressions (a.k.a. RegEx)

- In a nutshell, a RegEx is a pattern that describes the text you want to match.


Common usage
- Heavily used in programming
- Email address validation
- URL validation
- Password strength validation
- Mobile/Phone number validation
- String validation
- Yara for threat hunting
- Data statistics
- DLP in TM Products

Literal Character
- A type of literal in programming that represents a single character’s value within the source code of a computer program. In a nutshell, a literal character is a character that represents itself AS IS.

Special Character
- Unlike a literal character, a special character (a.k.a. metacharacter) is a character reserved for special use. Special characters can do more than simply search for literal pieces of text.

Special Character (cont…)

- 12 commonly used special characters with their basic function:

Square brackets [] - Specifies a character class (character set) to match
Backslash \ - Used to quote a metacharacter so that the regex engine treats it as a literal character
Caret ^ - Anchors regex matching at the start of the line
Dollar sign $ - Anchors regex matching at the end of the line
Dot . - Matches any single character
Pipe | - Alternate matching
Question mark ? - Makes the preceding token/character optional in matching
Asterisk * - Matches the preceding token zero or more times
Plus sign + - Matches the preceding token one or more times
Round brackets () - Denotes a capturing group of matching conditions

NOTE: A special character’s meaning varies depending on how you use it.

Shorthand Character Classes
- Shortcuts for commonly used predefined character classes.

\s - Matches any whitespace character
\S - Matches any non-whitespace character
\d - Matches any digit character. Equivalent to [0-9]
\D - Matches any non-digit character
\w - Matches any word character (letter, number, underscore). Equivalent to [a-zA-Z0-9_]
\W - Matches any non-word character (special characters)
\b - Indicates a word boundary

Matching Modes
- An extension that provides additional options and functionality in RegEx when matching the desired text. 3 common matching modes are:

/i - Makes regex matching case insensitive.
/m - Makes dot (.) match newlines as well.
/x - Ignores whitespace in the regex pattern.

Let’s get some exercise.

2/27/2019 10
What are these trying to match?
1. /\b\d{4} \d{4} \d{4} \d{4}\b/

2. /\b\d{3}\.\d{3}\.\d{3}\.\d{3}\b/

3. /\w{1,10}[A-Z]\_\w{1,10}[A-Z]\.\w{1,10}[A-Z]/

4. / \d{2}\.\d{3}\.\d{2}/

1. Credit card number in XXXX XXXX XXXX XXXX format

2. IPv4 Address XXX.XXX.XXX.XXX format

3. TM Detection name in [Type]_[Family].[Variant] format

4. TM VSAPI pattern format in 00.000.00 format


What are these trying to match?
1. /^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/

2. /^([\w-\.]+@(?!gmail.com)(?!yahoo.com)(?!hotmail.com)([\w- ]+\.)+[\w-]{2,4})?$/

3. /(http(s)?://)?([\w-]+\.)+[\w-]+[.com]+(/[/?%&=]*)?/

4. /((www\.|(http|https|ftp|news|file)+\:\/\/)[_.a-z0-9-]+\.[a-z0-9\/_:@=.+?,##%&~-]*[^.|\'|\# |!|\(|?|,| |>|<|;|\)])/

5. /\b\d{4}\-\d{4}\-\d{4}\-\d{4}\b/

1. Email address validation.

2. Free domain – email address validation / domain specific email address validation.

3. URL validation (with or without http/https)

4. Other URL validation such as www/http/https/ftp/news/file

5. Credit card number in XXXX-XXXX-XXXX-XXXX format


What are these trying to match?
1. /^[a-z0-9\.@#\$%&]+$/

2. /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/

3. /\b\d{4} \- \d{4} \- \d{4} \- \d{4}\b/

4. /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,10}/

1. Password strength validation (only contains letters [a-z], digits [0-9], special characters (@#$%&))

2. Password strength validation (Minimum 8 characters, at least 1 Alphabet and 1 Number)

3. Credit card number in XXXX - XXXX - XXXX - XXXX format

4. Password strength validation (Minimum 8 and Maximum 10 characters, at least 1 Uppercase Alphabet, 1 Lowercase Alphabet, 1 Number and 1 Special Character)
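
An added example (not from the original slides): a DLP-style scan in Python that folds the three credit card layouts from the exercises (space, hyphen, " - ") into one pattern, then applies a Luhn checksum because the regex only checks the shape of the number. The backreference, the Luhn step, the function names and the sample email body are assumptions made for this illustration.

```python
import re

# The three card layouts from the exercises folded into one pattern.
# The backreference \1 forces the same separator between all four groups.
CARD_RE = re.compile(r"\b\d{4}( - |[ -])\d{4}\1\d{4}\1\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(text: str) -> list:
    """Return (matched_text, passes_luhn) for every card-shaped string."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))  # strip separators
        hits.append((m.group(0), luhn_ok(digits)))
    return hits

# Constructed sample email body (not real data). 4111 1111 1111 1111 is a
# widely published test number that passes the Luhn check.
SAMPLE = """\
Hi, please charge 4111 1111 1111 1111 for the renewal.
Backup card: 4111-1111-1111-1112
Ticket ref 1234 - 5678 - 9012 - 3456, order 2019 0227 0001 0015.
"""

if __name__ == "__main__":
    for text, valid in scan(SAMPLE):
        print(f"{text!r:28} luhn={'pass' if valid else 'fail'}")
```

All four strings match the regex, but only the first passes the checksum; the other three are the kind of false positive a shape-only rule produces on ticket and order numbers.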

QUESTIONS?

Thank You!
