From 0b2ab68f8db4c075a92c0d8e40a6d3d320b8109a Mon Sep 17 00:00:00 2001
From: Glenn Wilkinson <glenn.wilkinson@gmail.com>
Date: Thu, 24 Sep 2020 03:40:21 +0200
Subject: [PATCH] Modified regex to detect Microsoft ATP URLs (#1976)

---
 imap/monitor.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/imap/monitor.go b/imap/monitor.go
index 74357dbf..779c2b16 100644
--- a/imap/monitor.go
+++ b/imap/monitor.go
@@ -21,8 +21,10 @@ import (
 	"github.com/gophish/gophish/models"
 )
 
-// Pattern for GoPhish emails e.g ?rid=AbC123
-var goPhishRegex = regexp.MustCompile("(\\?rid=(3D)?([A-Za-z0-9]{7}))") // We include the optional quoted-printable 3D at the front, just in case decoding fails
+// Pattern for GoPhish emails e.g ?rid=AbC1234
+// We include the optional quoted-printable 3D at the front, just in case decoding fails. e.g ?rid=3DAbC1234
+// We also include alternative URL encoded representations of '=' and '?' to handle Microsoft ATP URLs e.g %3Frid%3DAbC1234
+var goPhishRegex = regexp.MustCompile("((\\?|%3F)rid(=|%3D)(3D)?([A-Za-z0-9]{7}))")
 
 // Monitor is a worker that monitors IMAP servers for reported campaign emails
 type Monitor struct {