Today, I noticed attempts by bad actors to send in docx word files that are encrypted using the "protect document" feature of Microsoft Word. As I have with word documents containing macros, I created a content filter to block a string that appears in every encrypted Word Docx. Specifically blocking "encryptedHmacKey=" (without quotes), since it appears in the raw text of an encrypted docx file, *should* stop this threat quickly and easily.
It didn't work. My test docx documents got through. I sent a simple text document with the banned content. Blocked. Word doc, sails though. Changed the extension on the test word doc to .txt and it was blocked. Something is not working as advertised.
After a conversation with support, they allowed as how their content filter attempts to open a word document as a word document and scan the content, instead of just scanning the raw text. since the file contents are encrypted, the scanner fails and the attachment sails right through.
This is a HUGE hole. This needs to be fixed.