After all, no exploit code in the usual sense is needed:
The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods.
How is one supposed to analyze that in any meaningful way in order to block it (without also catching lots of legitimate mails)?
IMHO there are simply far too many possibilities…